Jay Freeman was just poking around when he stumbled on the biggest payday of his life.
Freeman is a security researcher known for delivering software for mobile phone operating systems that have been “jailbroken” (modified to allow users to customize their OS). One day, he happened to be checking out how “smart contracts” work to power transactions on Optimism, an Ethereum blockchain used by the open-source software company he co-founded, Orchid Labs. To Freeman’s surprise, he came across what looked like a critical software bug in a virtual machine that could allow a hacker to create—and steal—millions or even billions of dollars in digital currency.
After creating a “proof of concept” to check his work and detail the potential harm to a company, he became convinced he was onto something. He initially thought it would make a great topic for a speech he was scheduled to deliver at a security conference. Then he learned that Optimism had recently offered a huge bounty for anyone who found serious vulnerabilities in its code. Freeman submitted his findings. Optimism verified the flaw’s existence and, a short time later, Freeman received $2 million.
“I wasn’t looking for this,” he says. “This was like walking down the street, tripping over a pothole, thinking that pothole shouldn’t be there, asking myself who I should report the pothole to, then finding out there’s a multimillion-dollar reward for information about that pothole. Then I’m like, ‘Woo-hoo!’”
Bug bounties explode across Web 3.0
Bug bounties have been around for quite a while in the Web 2.0 world. But most individual payouts were limited to five or six figures. Now, with (at press time) an estimated $920.6 billion worth of cryptocurrency swirling around the blockchain-fueled Web 3.0 realm, vendors are paying more.
A whole lot more. In fact, the total bug bounty market—valued at $223.1 million in 2020—is expected to grow 54% per year and reach $5.5 billion by 2027, according to All the Research (ATR), a market research firm.
Security researcher and white hat hacker Gerhard Wagner won a $2 million bug bounty, reportedly one of the largest bounties paid last year. After noting the value of cryptocurrency related payouts “exploding,” he jumped into bounty hunting and found a critical vulnerability in Polygon’s Plasma Bridge last October. The bug in the cross-chain bridge—the connection used to facilitate transactions between blockchains—could have allowed an attacker to withdraw up to $224 million of cryptocurrency. If done repeatedly, it might have been possible to drain all of Polygon’s estimated $850 million in holdings.
“I was surprised,” he admits. “I did a proof of concept to see if the attack I was testing actually worked, and even when it did, I kept saying, ‘That can’t be right.’ But I submitted the bug to Polygon anyway to see what would happen. They responded, confirmed the issue, and things moved quickly after that.”
Blockchain companies are willing to pay more for bounties these days than software companies have in the past because they stand to lose so much more if they are attacked. They could forfeit not just their own money, but also the cryptocurrency that customers have placed in digital wallets. Indeed, nearly $2 billion was lost in the first part of 2022 to cryptocurrency hacks. Major hacks dating back to late 2021 include: Poly Network ($611 million), Ronin Network ($625 million), Wormhole ($325 million), Nomad ($200 million), and Harmony ($100 million).
Web 3.0 companies concerned about these novel kinds of threats commonly offer bounties in a number of ways. Their techniques could prove useful for security executives at companies experimenting with the Wild West of emerging technologies.
I kept saying, ‘That can’t be right.’ But I submitted the bug to Polygon anyway to see what would happen…and things moved quickly after that.
First, after deciding they lack the resources to do the work themselves, companies decide to ask so-called white hat hackers, who work on their side, to poke holes in their code. They estimate how much money they could lose and, as a rule of thumb, often land on bounty values that amount to about 10% of the potential loss.
Most companies will then make an offer on bug bounty platforms, such as Immunefi, HackerOne, and Intigriti. If researchers believe they’ve found something, they submit a proof of concept directly to a company or a bounty platform. Their work is evaluated, and they are rewarded if it’s validated.
The system works well in theory. But not all white hats are sold. Freeman says some researchers begrudge a crowdsourcing model in which they spend days or weeks reviewing code for no pay. Others worry about companies coming up with dubious excuses to deny bounties, even if they’ve clearly been earned.
Such concerns appear to be waning, though, as payouts continue to grow. Anecdotally, experts say, about 2,000 bug bounty hunters are working full-time. But Intigriti reports 50,000 researchers signed up for its services between April 2021 and April 2022, a 43% increase; and a recent Intigriti survey found that 66% of ethical hackers polled are considering full-time bug-hunting careers.
A cottage industry emerging?
Dane Sherrets, solutions architect for HackerOne, predicts that bug bounty momentum and payouts will continue to build for the foreseeable future, because blockchain companies can’t hire qualified security professionals fast enough and blockchain-based applications that interact with cryptocurrency platforms continue to be tempting black hat (criminal) targets.
“I don’t see it happening overnight, but I definitely see more people getting involved,” he says. “The open-source nature of these projects necessitates having a way to receive vulnerability reports from the community.”
Some involvement could include an unexpected segment of the security research community: black hats who recognize an opportunity to make more money by going straight or, at least, “gray.”
In some recent blockchain-related attacks, hackers gave most of what they’d taken back to the blockchain companies. Observers speculate that in some cases, they kept a portion of their take—with the apparent approval of their corporate victims—in what could be considered reverse bounty payouts. Wagner says he’s aware of “quite a few instances” of this.
Sherrets, meantime, says that while he doesn’t think hackers steal cryptocurrency intending to receive a reverse bounty, “it just seems to be the way things naturally unfold, especially when identifying information is uncovered about the hackers or they run into problems with moving the stolen cryptocurrency.”
Even though black hats could fence or launder stolen cryptocurrency on cryptocurrency mixer sites like Tornado Cash and Blender.io—which the U.S. Treasury Department recently sanctioned—it’s hard to do so because blockchain transactions are recorded and viewable by anyone, including law-enforcement.
“It’s a pain to turn cryptocurrency into real money,” Sherrets says.
Companies know this and often openly appeal to cybercriminals to return the money, using conciliatory language, offers to not seek prosecution, and hints at some sort of reward for their good behavior. When cryptocurrency platform Poly Network was hacked last year, for instance, it reportedly resorted to calling its attacker “Mr. White Hat,” offered a $500,000 bounty to release the stolen funds, and volunteered to make him its “chief security adviser.” Most of the funds were returned.
It’s a pain to turn cryptocurrency into real money.
Noting such behavior earlier this year, the U.S. Department of Justice held out an olive branch, stating it would not enforce the federal Computer Fraud and Abuse Act (CFAA) against hackers it determines to be acting in “good faith” while conducting “security research.”
Of course, none of this appeasement is likely to sway or deter hackers working for nation-states like North Korea, which U.S. officials allege was behind the attack of the Harmony blockchain network. Nation-states have different motives for launching cyberattacks.
HackerOne’s Sherrets notes that bug bounty processes and pricing are still in flux and are likely to change in the coming months and years. “What we’ll probably see in the future is more thought given to the potential for loss and what to pay for different kinds of impacts,” he says. “I think it stands to reason that bounties will continue rising. I just think what gets paid, and how it gets paid, will be different.”