ApeCoin DAO Signs Off on a $4.4M Bug Bounty

ApeCoin DAO, the Decentralized Autonomous Organization that is in charge of overseeing the development of APE, the native token of the Bored Ape Yacht Club (BAYC) ecosystem, has approved the allocation of $4.4 million to conduct a bug bounty program on ImmuneFi.


According to the snapshot of the votes cast which ended today, as many as 3.9 million APE tokens were cast in favor of the proposal, dubbed AIP-134.

The votes in favor ended at 57.92% as compared to 42.08% for those who committed 2.9 million APE against the proposal. 

The essence of the bug bounty is to carve out an extra security layer for the much anticipated ApeCoin staking service that is billed to go live in December. The ApeCoin DAO wants experienced hackers to help search out the loopholes or any porous avenues in the staking smart contract that may cause headaches later on.

The bounty, now that it has been approved can be launched on ImmuneFi with the 1 million APE tokens earmarked for the bounty set to be drafted from the protocol’s treasury.

“As we near the launch of the ApeCoin staking system outlined in AIP-21 and AIP-22, we propose taking additional measures to ensure the DAO is following smart contract security best practices. This proposal uses treasury assets to fund a 1 million $APE bug bounty program with Immunefi, and partners with Llama to help design, implement, and run operations of these initiatives,” a snapshot from the proposal reads.

The DeFi ecosystem has not been spared from the wranglings and inconveniences caused by hackers this year. That there is a security loophole in most emerging smart contracts is not a question up for debate, whether founding teams have the right model to prevent exploitation remains a major bone of contention.

As one of the most prestigious NFT collections, Bored Ape users have been a major target of cybercriminals, and hopefully, the bug bounty will help tighten all loose ends ahead of the launch of the staking product.

Image source: Shutterstock


Tagged : / / / / /

Wormhole DeFi Bridge Rewards $10m Bug Bounty

WormHole, a Decentralized Finance (DeFi) bridge protocol, has paid out $10 million in Whitehat bounty.

Webp.net-resizeimage (18).jpg

As announced by ImmuneFi, the platform that helped organize the bounty program, the cash reward was paid out to a programmer known as satya0x as he was able to identify a bug that would have or resulting in the exploitation of the Wormhole Bridge.

“A whitehat who goes by the pseudonym satya0x responsibly disclosed a critical bug in the Wormhole core bridge contract on Ethereum. This bug was an upgradeable proxy implementation self-destruct bug that helped prevent a potential lockup of user funds,” ImmuneFi said in its update about the entire event.

DeFi protocols have been at the mercy of hackers recently, and Wormhole as a bridge has suffered a massive exploit that led to the loss of over $320 million. 

Besides Wormhole, the Ronin Bridge, solely used by the Axie Infinity protocol, has also been exploited by what is suspected to be a group of North Korea-backed Lazarus Group. The Ronin hack drew $625 million away from the protocol, a sum that has notably impacted the bridge’s operations.

In a bid to wade off these attacks, the first required caution is to eliminate any inherent bugs that can be a gateway for cybercriminals. While bugs are notably ubiquitous and difficult to detect, the bug bounty organized by ImmuneFi on behalf of Wormhole has notably achieved its goal. 

Immunefi said no funds were lost before the bug was flagged, verified, and fixed. The stakeholders involved believe related bug bounties of this nature with the whitehat community could help prevent many more attacks on DeFi protocols across the board.

“Wormhole paid satya0x a record bug bounty of $10 million for the find. It’s one thing to create a program with a really high top payout, but Wormhole has proven that they are very serious about paying top-dollar to help mitigate security issues in partnership with the whitehat community,” the ImmuneFi statement reads.

Image source: Shutterstock


Tagged : / / / /

iOS jailbreak dev wins $2M bounty for finding critical Optimism bug

Developers from the Ethereum Layer 2 scaling project Optimism announced that a “critical bug” had been identified and subsequently patched earlier this month.

The bug, which could have enabled hackers to create as much ‘ETH’ in a Optimism account balance as they wished, was first discovered by white hat hacker and iOS jailbreak software Cydia developer Jay Freeman.

In a deep-dive blog post, Freeman explained that the bug, “would allow an attacker to replicate money on any chain using their ‘OVM 2.0’ fork of go-ethereum”. For his efforts Freeman was awarded one of largest bug bounties to date, netting a total reward amount of $2,000,042

According to the Optimism team, “The bug made it possible to create ETH on Optimism by repeatedly triggering the SELFDESTRUCT opcode on a contract that held an ETH balance.”

In a blog post, the Optimism team noted that its chain history showed that the bug had not been exploited, except for an accidental activation by a staffer at Ethereum data startup Etherscan, but “no usable excess was generated.”

“A fix for the issue was tested and deployed to Optimism’s Kovan and Mainnet networks (including all infrastructure providers) within hours of confirmation,” the team said, thanking Infura, QuickNode, and Alchemy for their fast response times.

“We also alerted multiple vulnerable Optimism forks and bridge providers to the presence of the issue. These projects have all applied the required fix.”

Late last year Optimism removed its whitelist, allowing for any developer to start building projects on the Optimism network. Prior to this, the network was only accessible to specific projects such as Uniswap and Synthetix. This limitation made it easier for developers to detect and resolve potential bugs

Related: MakerDAO launches biggest ever bug bounty with $10M reward

Optimism is a Layer 2 scaling solution for the Ethereum network, employing “optimistic rollups” that aggregate transactions outside of the Ethereum blockchain.

This provides the benefits of reducing slippage, decreasing transaction costs and vastly improving transaction speeds. However, as this bug has made clear, while Layer 2 protocols offer improvements in efficiency, security during ongoing development remains a common point of concern.

While this bounty is one the largest to have been paid out so far, MakerDAO has just announced that it will be offering a maximum bounty of $10M to anyone who can point out critical security threats in its smart contracts. This is the largest series of bug bounties ever to have been hosted on bug bounty platform Immunefi.