In April alone, at least three incidents of hackers returning exploited funds were witnessed in the decentralized finance (DeFi) space. On April 4, the Euler Finance team was able to recover $176.4 million after offering the hacker 10% of the stolen funds.
Similarly, lending protocol Sentiment was also able to recover almost a million dollars in stolen funds after negotiating with the hacker. More recently, the attacker who was able to take $8.9 million from the DeFi protocol SafeMoon agreed to return 80% of the funds.
Hacks remain common in the crypto space, with over $320 million in digital assets lost in the first quarter of 2023. However, recent hacks have shown that some exploiters are willing to return assets in exchange for a reward, a process that some describe as a bug bounty program with a criminal twist.
While the recent hacks could have been avoided through safe and well-paid bug bounty programs, the fact that they were not may be because bounty offers are not worth it from the perspective of a white hat, or ethical, hacker.
Steven Walbroehl, the co-founder of security firm Halborn, said that it is very common for companies to refuse to pay out bug bounties and not to take reported vulnerabilities very seriously. As a former bounty hunter, Walbroehl said that some bounty programs have left him "feeling cheated" out of his time. He explained that:
Walbroehl also said that companies would often downplay the discoveries, saying that the bugs are not critical. According to Walbroehl, reporting bugs also sometimes leads to companies declining to pay, claiming that their own team had already located the bug.
Simon Zhu, the senior product
Read more on cointelegraph.com