ImmuneFi Launches Whitehat Leaderboard to Incentivize Web3 Hackers

ImmuneFi, one of the most notable Web3 bug bounty protocols, has announced the launch of a new Leaderboard feature for ethical hackers in Web3.


As announced by the outfit, the Leaderboard will list 20 of the most accomplished whitehat hackers in the Web3 ecosystem and rank them by the critical bugs they report through the ImmuneFi platform.

“We’re proud to release the Immunefi Whitehat Leaderboard showing the top 20 whitehats in web3!” ImmuneFi said in the announcement on its Twitter page.

Bug bounties have become standard practice in the web3 ecosystem as protocols incentivize experienced hackers to scour their code for vulnerabilities. As the industry evolved, ImmuneFi emerged to organize whitehat events in a way that was easy for both the protocols and the participants.

Whitehats are typically rewarded for their participation, and with this new feature, ImmuneFi said it will be giving the top hackers additional benefits.

“Whitehats who earn their spot through genius and hard work are eligible for further rewards, exclusive merch, paid trips, speaking opportunities, and more,” ImmuneFi affirmed.

ImmuneFi said the ranking of whitehats who submit bug reports through its platform will be based on three factors: the number of paid reports, the severity of paid reports, and total earnings.

Even if the new leaderboard does not by itself motivate whitehats to intensify their activities in the space, it certainly creates a venue for recognition among the most elite of the industry's security researchers.

The importance of whitehats cannot be overemphasized, a point recently underscored by the ApeCoin DAO. The DAO passed a vote that sets aside 1 million APE tokens as a bug bounty on ImmuneFi, incentivizing whitehats to pore over its forthcoming staking protocol in search of any weak link that might allow funds to be drained in the future.


Transit Finance Convinces Hacker to Return $2m to Protocol

Earlier this month, Transit Finance, a decentralized finance (DeFi) protocol, revealed it had been hacked for $21 million, making it one of the latest protocols to suffer an exploit this year.


In an unusual turn of events, the protocol has announced that, following its conversation with the biggest hacker, there is an agreement to return a significant portion of the funds.

With Transit Finance prepared to treat the attacker as a white hat, the protocol said its main hacker would return 6,500 BNB in a first tranche and another 3,500 BNB once the protocol has paid the promised bounty.

“After friendly communication with white hat #1 (the biggest hacker), we have both reached a consensus. White hat #1 stated that he would refund the users’ 6,500BNB as soon as possible today and promised to refund another 3,500BNB when TransitFinance Official initiates the second phase of refunds. Ultimately white hat #1 will keep 2,500 BNB as a bounty for this event,” the protocol said in a Monday announcement. “TransitFinance Official expresses its gratitude to white hat #1 for the refund and promises that if white hat #1 returns the remaining 3500BNB as agreed, TransitFinance Official will no longer hold him any legal responsibility.”

The DeFi protocol said it has filed for legal proceedings, and while it will make good on its promise not to sue Whitehat #1, it would not hesitate to do so if other hackers do not return the stolen funds.

Relying on such whitehat refunds is not uncommon; the approach gained prominence when the hacker who stole over $610 million from the interoperability network Poly Network returned all of the stolen funds last year.

After the Poly Network whitehat refunded the stolen funds, many protocols started appealing to their hackers, and a few, like Transit Finance, have recorded success in doing so.


Whitehat Hacker Receives the Largest Bounty for Identifying Exploits in Polygon’s Codes

A Whitehat hacker, Gerhard Wagner, has received the largest bug bounty in history after he discovered a vulnerability in Polygon’s plasma bridge.

According to Immunefi, a bug bounty platform for smart contracts and DeFi projects, the bug could have cost the protocol as much as $850 million in losses had a malicious hacker found it first.

Immunefi said the bug in the plasma bridge was first reported on October 5 and that its triage team verified the claims. The vulnerability allowed an attacker to exit the same burn transaction from the bridge multiple times, up to 223 times, with around $850 million at risk: a deposit of just $100,000 could have been withdrawn 223 times, for $22.3 million in losses. In other words, the DepositManager for the Plasma Bridge could have been drained by anyone with sufficient capital.
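To make the double-exit failure concrete, here is an added example (not Polygon's or Immunefi's code) that models a bridge exit handler with and without a record of spent exits; the proof format, the DepositManager model, the exit id and the wallet label are all constructed, and the figures reproduce the $100k × 223 = $22.3M arithmetic from the text.

```python
# Added example: a simplified model of a plasma-style bridge exit handler.
# Not Polygon's code; the proof format and all numbers are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class BurnProof:
    """Constructed stand-in for an already-verified child-chain burn proof."""
    exit_id: int   # canonical identifier of the burn transaction
    owner: str     # constructed label, not a real address
    amount: int    # whole USD, to match the worked numbers in the text


@dataclass
class DepositManager:
    """Holds the bridge's funds, mirroring the DepositManager role in the text."""
    balance: int
    spent_exits: set = field(default_factory=set)

    def exit_vulnerable(self, proof: BurnProof) -> int:
        """Pays out for a valid proof but never records the exit as spent."""
        if proof.amount > self.balance:
            raise ValueError("insufficient bridge funds")
        self.balance -= proof.amount
        return proof.amount

    def exit_fixed(self, proof: BurnProof) -> int:
        """Hardened: each canonical exit id may be processed exactly once."""
        if proof.exit_id in self.spent_exits:
            raise ValueError("exit already processed")
        if proof.amount > self.balance:
            raise ValueError("insufficient bridge funds")
        self.spent_exits.add(proof.exit_id)   # record before paying out
        self.balance -= proof.amount
        return proof.amount


def process_repeated_exit(manager, handler_name, proof, attempts):
    """Submit the same proof `attempts` times; return (paid_out, successes)."""
    paid, ok = 0, 0
    for _ in range(attempts):
        try:
            paid += getattr(manager, handler_name)(proof)
            ok += 1
        except ValueError:
            break
    return paid, ok


def worked_numbers():
    """Reproduces the $100k deposit exited 223 times against an $850M pool."""
    proof = BurnProof(exit_id=42, owner="0xuser", amount=100_000)
    vuln = DepositManager(balance=850_000_000)
    fixed = DepositManager(balance=850_000_000)
    return (process_repeated_exit(vuln, "exit_vulnerable", proof, 223),
            process_repeated_exit(fixed, "exit_fixed", proof, 223))
```

The vulnerable handler pays out $22.3 million for a single $100,000 burn, while the hardened handler pays once and rejects every repeat.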

The issue was then escalated to Polygon, which confirmed it and promptly fixed the vulnerability. In line with its policy of rewarding such reports, Polygon agreed to pay its highest listed bounty for this class of bug, and Wagner received $2 million.

The security of decentralized finance (DeFi) protocols became a subject of debate among experts following a series of hacks reported in recent months. Back in August, the Poly Network hack was reported and credited as the largest blockchain exploit to date, with over $610 million stolen. While that event ended in the interoperability protocol’s favour because the whitehat hacker returned all of the stolen funds, other projects have not been as lucky.

While hacks of blockchain-related protocols have surged in recent months, mainstream tech firms are also experiencing their share of exploits. Tech giant T-Mobile was also hacked for at least 6 BTC back in August, lending weight to the view that more whitehat hackers are needed across every corner of the tech ecosystem.


As faith in audits falters, the DeFi community ponders security alternatives

As the attacks launched against popular decentralized finance (DeFi) protocols grow ever more complex, the efficacy of audits from major security companies has in turn come under scrutiny — and some members of the DeFi community have already begun building homegrown alternatives.

“I think that now, after all the hacks we’ve had, we basically understand that if you have two audits, three audits, it doesn’t mean you’re safe,” said the co-founder of DeFi Italy Emiliano Bonassi in an interview with Cointelegraph. “This does not mean that audits have no value in this moment, but they are not silver bullets.”

This new reality is what pushed Bonassi to form ReviewsDAO. A simple forum for connecting security experts with projects looking for an extra set of eyes, ReviewsDAO has, in the three days since its launch, already attracted four volunteer reviewers (including Bonassi) and matched two reviewers with a project.

Bonassi and ReviewsDAO aren’t alone, either. Code 423n4 is another project aiming to jumpstart a security movement within the ecosystem, leveraging a gamified, experimental twist on bug bounties. Likewise Immunefi, another DeFi bounty platform that launched in December last year, is overhauling the security disclosure model by pushing for upwards of 10% of the vulnerable funds as a reward.

Immunefi’s model in particular has already made waves, successfully netting a whitehat a $1.5 million reward.

Three new projects emerging in just two months, and each with their own incentive model — it’s an industry-wide effort Stani Kulechov, the founder of DeFi lending platform Aave, believes will be key to the health and security of the space moving forward.

“Auditors are not here to guarantee the security of a protocol, merely they help to spot something that the team itself wasn’t aware of. Eventually it’s about peer review and we need to find as a community incentives to empower more security experts into the space.”

“No silver bullets”

Bonassi should be a familiar name to anyone who has kept up with the recent spate of exploits. The Italian developer is one of the half-dozen or so white-hat hackers who frequently convene in the wake of an attack in an effort to replicate the exploit and help projects patch the vulnerabilities.

Ask just about any DeFi founder about Bonassi and his fellow post-exploit “war room” whitehats, and they’ll be quick to sing their praises.

“The DeFi community is blessed to have whitehats such as Samczsun and Emiliano. Their efforts […] makes the space not only more secure but also highlights the narrative that there is lot of people within our ecosystem that cares for the success of the space,” said Kulechov.

While the whitehats’ response skills are widely appreciated, ReviewsDAO is in some ways an effort to cut back the frequency with which projects need them.

In Bonassi’s view, tension between the needs of projects and the limited resources of auditing firms is weakening the security of the DeFi space writ large: auditors are always busy, but teams in the thick of the DeFi innovation race need to remain agile. While a project might want an audit of a few small changes, availability and costs often necessitate a larger order, leading to code “chunking.”

“Since they are not available, you usually prepare a bunch of stuff you want reviewed and ship it to them. The interaction is really, let’s say ‘snapshot-based,’ rather than having a continuous collaboration,” said Bonassi.

So, how can security reviews be made more frequent and better matched to the needs of projects? Bonassi says he initially considered a Gitcoin grant for a whitehat group as a solution, but ultimately determined that such a model would be overly centralized and would not scale. None of his whitehat peers had insight into how to solve the problem, either, so he opted for simplicity.

“If you don’t have any sort of idea, start from the basics: start a forum, let’s say a ‘market,’ where people can ask for reviews big or little, and also offer their expertise.”

He’s not aiming to replace audits and auditing companies entirely, Bonassi notes, and instead envisions the DAO as one that can help younger projects better prepare for an audit by providing “continuous review” and “liquid auditing.”

It’s a model that security expert Maurelian at OptimismPBC thinks leaves space for the big auditing firms, while also acknowledging the need for other security solutions.

“IMO there is real value to an audit by a high quality firm, and nothing else really serves as an ‘alternative’, but I also think there is an issue of over-reliance on audits to provide security,” he said.

Bonassi also believes ReviewsDAO could eventually become a kind of auditing “University,” where people with specialized knowledge can branch into other areas and young developers can grow into fully-fledged auditors — both taking stock of and bolstering the developer resources across DeFi.

“My goal is also to map people and projects — having a transparent place where people can exchange information, help us to understand how many people who are, basically, from a security perspective good enough, are present in the ecosystem.”

Skin in the game

While it meets a clear market need, Bonassi says there are no current plans for monetization or a ReviewsDAO token.

“I think that initiatives like this one should be community goods,” he argues.

This effort to avoid capital incentives is more than just idealism. These new auditing projects are arising because the current model isn’t fully sustainable, says Bonassi — a model that is “transactional,” meaning auditors don’t have as much skin in the game as a more fully engaged partner would. As a result, the entire DeFi landscape (which the auditors should ostensibly be securing) is suffering.

“They’re not a relationship. It’s not a partnership,” Bonassi says.

Nonetheless, even public goods often have public funding, and it’s an open question whether developers — who are often overworked to begin with — will be willing to donate time at what Andre Cronje calls the “Emiliano Bonassi Rate”: for no reward other than the recognition.

Bonassi notes that multiple major DeFi protocol founders have offered grants, which thus far have been turned down. He is stubbornly waiting to see whether developers are willing to give back to the space that has often given them so much, even when other, potentially lucrative options are available.

“What we really need in this ecosystem is more people who work on it — let’s say, someone may hate me but, less forks if they’re not adding value […] I don’t want to end up in the ICO era. I don’t want to go back to 2017.”

Early returns on the effort are promising. Coverage/insurance protocol Cover was the first project to be matched with a reviewer via ReviewsDAO.

“It was great,” says Pumpkin, a core dev for Cover Protocol and Ruler Protocol. “I was one of the few Emiliano shared the idea with right before release. I loved it immediately as it is what I have been looking for (to get external code reviews and more easily and quickly) […] I am not sure what will come out from the review, but the forum is certainly working well as intended.”

Maurelian also believes there’s hope for the perhaps-idealistic model — and that it may be more transactional than it seems at first blush.

“You get what you give. So participating in a project like this is probably a good idea if you’re planning to be in the space for the long haul,” he said.

Even if some developers donate time to curry future favors, Emiliano remains resolute in his vision that efforts to secure the ecosystem should come from a place of altruism and love.

“That’s the ideal we should push. And since we have a lot of money, and this industry has a lot of money, you’re not supposed to need bounties, you’re supposed to do it because you love this industry. This is a call-out to all the people that want to grow the ecosystem.”