- LayerZero is the latest DeFi protocol to mandate identity verification for bug bounty payouts.
- Compulsory KYC for bug bounties is a polarising issue among crypto industry stakeholders.
LayerZero is spending $15 million on a quest to find vulnerabilities in its smart contracts codes but anonymous developers need not apply.
Last week, LayerZero, an on-chain communication protocol valued at $3 billion, released a bug bounty programme in conjunction with Immunefi, a platform that helps crypto projects discover vulnerabilities in their smart contract code.
It is the largest crypto bug bounty programme yet but participants will have to submit personal identifying information to qualify for payouts. This may augur a huge change in crypto.
Anonymous devs make up the backbone of the crypto coding space. Many top-shelf security researchers prefer to keep their identities under wraps. This is why big bounties didn’t ask devs to submit to know your customer checks. At least until now.
LayerZero’s decision is the latest sign that the drive to enforce so-called KYC practices in bug bounty programmes is picking up steam. Decentralised finance lender Maker and the Ethereum layer 2 project zkSync have also required KYC for their respective initiatives.
This, however, was not always the case as bug bounties used to be described as “anon-friendly.” This means participants were not required to disclose their identities.
‘In my case, the substantial bug bounties I’ve received have required my identity in one way or another, with one even having a [non-disclosure agreement] and not being disclosed to the public even to this day.’— Alphasoup
“In my case, the substantial bug bounties I’ve received have required my identity in one way or another, with one even having a [non-disclosure agreement] and not being disclosed to the public even to this day,” Alphasoup, a pseudonymous code auditor, told DL News.
Insistence on KYC for bug bounties is a polarising issue in the crypto space. For some, it violates core crypto values of privacy and trustlessness. Others counter that crypto projects have little choice but to require KYC for bug bounty payouts to comply with tax, anti-money laundering, and other regulatory demands.
“We strongly believe that KYC requirements should not be imposed on bug bounties,” said Oliver Hörr, director of operations at Hats Finance, a decentralised bug bounty protocol. “Not only is it unjust for anonymous developers, but it also poses significant risks for white hat hackers who aim to protect the crypto and DeFi space.”
Those on the other side of the argument say imposing KYC may be counterproductive.
Bug bounty payouts
“In our opinion, the potential harm caused by team members through other means outweighs the risks associated with them attempting to manipulate bug bounty payouts.” said Hörr.
Still, given the spate of scandals tarnishing crypto, there’s little surprise project leaders are concerned about team members committing fraud by using their knowledge of the protocol’s smart contracts to profit off bug bounty programmes.
“There have been instances where team members who are aware of critical bugs in the code submit them as bug bounties and cash out the payouts,” an anonymous DeFi developer told DL News.
DeFi projects are also concerned about paying bug bounties to hackers and people from sanctioned jurisdictions.
DeFi projects hacks amounted to $2.8 billion in losses last year, more than 80% of the $3.1 billion stolen by hackers in the entire crypto space. Bridges, protocols used to send crypto across blockchain networks, were the biggest victims.
North Korea-linked hackers were reportedly responsible for about half of these hacks, according to a report by blockchain forensics company Chainalysis earlier this year.
“All the money [the North Korean hackers] cash out goes to fund their missile programme,” Erin Plante, vice president of investigations at Chainalysis, told DL News at the time.
“Without KYC, crypto projects might be sending bug bounty payouts to North Korean hackers pretending to be whitehat,” the anonymous DeFi developer told DL News.
NOW READ: How hackers turn stolen crypto into cash
However, some argue that such measures discriminate against whitehats in sanctioned jurisdictions.
“What if a developer is a whitehat and wants to disclose an exploit, but he is in a sanctioned territory [like] Cuba or Russia?” Alphasoup said.
Proof of identity
Given the complexities, some stakeholders say the industry should introduce a “proof of identity” standard that does not compromise the identity of developers and security researchers who wish to remain anonymous.
To this end, there is a significant clamour for the adoption of zero-knowledge proofs for identity verification. Zero-knowledge proofs allow participants to prove the validity of a data set without having to reveal the data itself.
“Zero-Knowledge proofs for identity will be a game changer, and while it’s not really the kind of privacy I wish for in the future since that’s still tying you to a unique identity, even if the other person doesn’t know what that unique identity is — I think it will be the future,” Alphasoup said.
To share tips or information about bug bounties please contact the author at email@example.com.