
DeFi whitehats spotted a bug that risked $5.2m. They were offered a $500 bounty

Decurity rejected $500 from DxSale, a 'surprise and a disappointment' for finding a bug that put $5.2m in user funds at risk
  • Blockchain security company Decurity discovered a vulnerability that impacted $5.2 million in DxSale’s user funds.
  • DxSale responded by offering a $500 reward for the company’s efforts.
  • “It was certainly a surprise and a disappointment,” Decurity CEO Omar Ganiev said.

DeFi security outfit Decurity said that it alerted crypto launchpad platform DxSale last month about a security vulnerability in one of its smart contracts. The bug potentially put at least $5.2 million at risk of being stolen by hackers.


In response, DxSale offered the so-called whitehats — security researchers who discover and report security vulnerabilities to affected projects — a $500 bounty for their troubles, but not before trying to downplay the magnitude of the security loophole, according to Decurity’s statement.

“It was certainly a surprise and a disappointment not only to receive such a low offer but also to hear attempts to deny that there was a potential impact at all,” Decurity CEO Omar Ganiev told DL News.

“Even ‘thanks’ without monetary compensation would be a better response, but our researcher didn’t receive that,” Ganiev said.


Decurity’s CEO told DL News that a comparatively smaller project like DxSale could not be expected to match bounty payments like the ones doled out by major DeFi protocols.

However, he stated that in a project like DxSale, the funds at stake do not belong to the protocol but to the users. As such, it should make adequate provisions to reward whitehats who discover security issues that put those funds at risk.

“There must be a fair compensation amount pre-allocated, at least remotely comparable with the possible losses,” Ganiev said. “If that’s not the case, the project’s risk management strategy was flawed in the first place.”


Crypto security researchers have complained that lowball bounty offers disincentivise whitehats. Meanwhile, malicious actors who target DeFi protocols and siphon funds often end up keeping a portion of the loot as a negotiated “bounty” for returning the rest.

DxSale did not respond to requests for comment.

No thank you

Ganiev told DL News that the company decided not to accept the bug bounty as it was not a commensurate compensation for its researcher’s efforts. He added that the firm does not seek bounties but instead routinely does on-chain monitoring and security audits.

It was during one of these routine checks that one of its researchers discovered the security vulnerability affecting DxSale on June 28.

The loophole concerned a smart contract responsible for locking liquidity during token launches on DxSale on the BNB blockchain.

DxSale is a token launchpad: project owners launching their tokens on it are meant to be able to lock the liquidity generated during their sale events.

Decurity, however, discovered that the smart contract did not include some vital sanity checks — components of a smart contract’s logic that ensure everything works as expected.


The vulnerability would have allowed a hacker to drain the liquidity that was supposed to be locked in the smart contract.

Anyone exploiting this vulnerability could unlock the contract up to 100 times, potentially draining the entire pool, according to a proof of concept built by Decurity researchers.

DxSale’s vulnerable code held 21,600 wrapped BNB tokens worth $5.2 million at the time.

The potential losses are not limited to this figure, according to Decurity, which said the launchpad had locking contracts on several chains that could carry the same vulnerability.

“We watched them submitting mitigation transactions to other similar smart contracts on different chains, which suggests the impact may potentially be higher,” Ganiev said.

DxSale developers have reportedly shipped a fix for the problem by making a possible exploit expensive for would-be hackers.


While this solution might work against external threat actors, Decurity said it does little to prevent project owners who launch token sales on the DxSale platform from “rug pulling” — removing all of the liquidity and leaving token holders with worthless “coins.”
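The article describes two things a liquidity locker must guarantee: a lock can only be emptied once (the missing sanity checks that let Decurity’s proof of concept unlock repeatedly), and the locked funds cannot be pulled by the project owner before the agreed unlock time (the rug-pull risk left open by a fix that only makes an exploit expensive). The contract below is an added, illustrative example written for this page; it is not DxSale’s code, and the names `LiquidityLocker`, `lock` and `withdraw` are assumptions. It shows the minimal set of checks that close both gaps:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface the locker needs (assumed interface, standard functions).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Illustrative liquidity locker (not DxSale's contract).
/// Each lock records who may withdraw, which token, how much, and when.
/// withdraw() enforces owner, time and single-use, and updates state before
/// the external transfer, so a lock cannot be drained twice or drained early.
contract LiquidityLocker {
    struct Lock {
        address owner;      // who may withdraw after unlockTime
        address token;      // LP token being locked
        uint256 amount;     // remaining locked amount
        uint256 unlockTime; // earliest timestamp at which withdraw() succeeds
        bool withdrawn;     // set once; blocks any repeat withdrawal
    }

    Lock[] public locks;

    event Locked(uint256 indexed id, address indexed owner, address token, uint256 amount, uint256 unlockTime);
    event Withdrawn(uint256 indexed id, address indexed owner, uint256 amount);

    /// Deposit `amount` of `token` until `unlockTime`; returns the lock id.
    function lock(address token, uint256 amount, uint256 unlockTime) external returns (uint256 id) {
        require(amount > 0, "amount = 0");
        require(unlockTime > block.timestamp, "unlock time must be in the future");
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        id = locks.length;
        locks.push(Lock(msg.sender, token, amount, unlockTime, false));
        emit Locked(id, msg.sender, token, amount, unlockTime);
    }

    /// Release a lock. Every check here is one of the "sanity checks" a locker needs.
    function withdraw(uint256 id) external {
        require(id < locks.length, "no such lock");
        Lock storage l = locks[id];
        require(msg.sender == l.owner, "not lock owner");          // only the depositor
        require(block.timestamp >= l.unlockTime, "still locked");  // no early (rug-pull) exit
        require(!l.withdrawn, "already withdrawn");                // no second unlock

        // Effects before interaction: zero the balance before the token call,
        // so a reentrant or repeated call finds nothing left to take.
        l.withdrawn = true;
        uint256 amount = l.amount;
        l.amount = 0;

        require(IERC20(l.token).transfer(msg.sender, amount), "transfer failed");
        emit Withdrawn(id, msg.sender, amount);
    }
}
```

The `withdrawn` flag plus zeroing `amount` is what turns “unlock up to 100 times” into “unlock once”; the `unlockTime` check is what a pricing-based deterrent cannot provide, because the project owner is the legitimate caller and pays no penalty for calling early. In a real deployment the raw `transfer`/`transferFrom` calls would go through a wrapper such as OpenZeppelin’s SafeERC20, since some tokens do not return a boolean.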

Decurity criticised the team’s approach to safety during the mitigation process that followed after it was alerted to the vulnerability.

The blockchain security firm said that it was happy to have helped secure user funds from being stolen in any case.

To share tips or information about DeFi hacks and smart contract vulnerabilities, please contact me at osato@dlnews.com.
