A Grey Area: Retroactive Bug Bounty Negotiations

Between October 2020 and March 2023 there have been 25 exploits of Web3 projects where the impacted projects were later able to recover some or all of the funds lost. Across these 25 incidents approximately $1.35 billion was stolen, and $992 million (73%) was returned. This year, Euler Finance, Allbridge, and Sentiment Protocol have all conducted successful negotiations with their attackers. But this is an ongoing grey zone. These attackers are not white hats who approach vulnerable protocols with clearly defined bug bounty programs, nor are they black hats who make off with all of the funds stolen. They’re grey hats, and they deserve analysis.

Exploits have plagued the Web3 industry for years, targeting protocols, smart contracts, and software-based applications like self-custody wallets. The outcome of these incidents largely resulted in bad actors stealing assets from their targets and disappearing off the map. However, a number of protocols have been able to successfully negotiate with their attackers to return funds. CertiK identified 25 protocols exploited between October 2020 and March 2023 that had some or all of their funds returned following negotiations with attackers.

  • Approximately $1.35 billion in funds were stolen
  • Approximately $992 million in funds were returned (73%)
  • Approximately $314.5 million was kept by attackers (23.1%)
  • The remaining 3.9% of funds were either lost or frozen during the process

So far in 2023, eight major exploits – totaling approximately $221.5 million in losses – saw around $188 million returned (84.8%).

Some funds that were not returned were kept as white hat bounties for bringing attention to protocol vulnerabilities. Other unreturned funds were surrendered by protocols in order to meet demands from attackers.

Of these 25 protocols, four saw all their funds returned.

Attackers have approached the return of stolen funds differently. Some returned all stolen funds, while others returned partial amounts or none at all. Due to the initial malicious nature of the exploits, and the subsequent change of heart for some attackers after opening negotiations with their victims, we have categorized these incidents as grey-hat scenarios.

After Cashio.App experienced an exploit where the attacker stole $50 million, they eventually returned funds to investors who had less than $100,000 in their accounts with the remaining money allegedly being sent to charity.

Mango Markets serves as another example, where exploiter Avraham Eisenberg returned approximately $67 million of the $117 million stolen from the project, claiming that his actions were legal and that they were a “highly profitable trading strategy.” Despite reaching an agreement with the protocol, Avraham Eisenberg was later prosecuted by the SEC for orchestrating the attack on Mango Markets.

The cryptocurrency industry has been suffering from increasing exploits and hacks over the past few years. With that said, protocols appear to be engaging in more negotiations with their attackers and getting significant funds returned.

Oftentimes, these negotiations take place in public spaces like social media or in on-chain messages between attackers and their victims. Leaving a note in a transaction to an anonymous hacker is often the only way to get in contact with them.

This could indicate a growing shift in the industry that leads to less risk and greater security for protocols and investors, especially where projects create market incentives that push attackers to negotiate. To further explore this possibility, we wanted to examine how victims are pursuing different negotiation strategies by analyzing these public negotiations and their end results.

We have chosen to look at how four different protocols (Poly Network, Allbridge, Euler Finance, and Sentiment Protocol) have conducted their negotiations. These protocols were picked since they were large attacks, were mostly successful in their funds being returned, and aside from Poly Network, all of these just took place over the past month. Although these four protocols have different strategies, they also all used a bounty as an incentive for the hacker to return the funds.

Poly Network

On 10 August, 2021, a hacker exploited a vulnerability in Poly Network’s code, allowing them to steal funds in more than 12 different cryptocurrencies for a total loss of more than $610 million. That same day, Poly Network reached out directly to the hacker using an on-chain message asking them to get in touch.

Eventually, they offered a bounty if funds were returned. Poly Network also tweeted an open letter to the hacker saying that “law enforcement in any country will regard this as a major economic crime and you will be pursued.” Finally, Poly Network went as far as flattering the hacker, saying that they “hope it will be remembered as the biggest white hat hack in the [sic] history.”

In response, the hacker said that Poly urged investors and others to blame them before they even had a chance to reply and that they had no intentions of laundering the money. The attacker also communicated with Poly Network via transaction notes during this process, stating their intention to start by returning altcoins and asking if their stolen USDT could be unfrozen in return for returning stolen USDC. Poly Network did not respond to the attacker’s question, which seems to have worked in their favor as the hacker started returning funds to three Poly Network addresses the next day.

The hacker later followed up with a message saying they would provide the final secret key to a multi-sig wallet they would use to return the funds.

Poly Network’s combination of strategies seems to have worked as the hacker eventually returned all the stolen assets that were sent to the multi-sig account. Most of the lost funds were returned to Poly Network except $33 million worth of USDT which were frozen by Tether. In response, Poly Network paid a 160 ETH (approximately $486,000) bug bounty to a separate account created by the hacker. The hacker then returned the bug bounty to Poly Network and asked for that sum to be distributed amongst the impacted investors.

A complete transcript of negotiations between the Poly Network and the hacker can be found here.

Allbridge

On 1 April, 2023, Allbridge suffered an attack targeting their BUSD/USDT pools on BNB Chain. The project originally said that the attack only affected those BNB Chain pools but that the exploit could extend to other pools. To prevent this, the project halted their bridge platform and created a web interface for liquidity pool operators to withdraw their balances.

Just like Poly Network, shortly after the attack, Allbridge announced that the hacker would be offered a white hat bounty and added that they would get immunity from any legal consequences if the stolen funds were returned. On April 3, the team announced that it had received a message from the attacker and 1,500 BNB (approximately $465,000) was returned to the project. This left the hacker with approximately $108,000 worth of assets.

Allbridge also mentioned in the thread that there was another hacker that had used the same technique as the first attacker, but who had not contacted the team yet. Allbridge urged the second hacker to come forward and discuss terms for returning the funds. At the time of writing, there is no indication that the second hacker has reached out to the platform.

Euler Finance

The Euler Finance hack is the largest crypto exploit so far in 2023. On 13 March, 2023, Euler Finance was targeted with a flash loan exploit that drained the protocol of $197 million. Just like in the Poly Network and Allbridge instances, Euler Finance offered the attacker a 10% bounty if they returned the remaining assets. However, the project also took a more aggressive approach with their negotiation strategy and issued a warning that they would give a $1 million reward for information on the attacker if the remaining 90% of the funds were not returned. Despite this warning, the hacker moved approximately $1.78 million to Tornado Cash.

The hacker then messaged Euler Finance via an on-chain message, aiming to set up a secure line of communication.

On March 21, Euler Finance acted on their warning and launched a $1 million bounty against the hacker after the attacker stopped responding. Four days later, the hacker started returning the funds to Euler along with an apology:

On 3 April, Euler Finance announced on their Twitter account that they recuperated all of their “recoverable funds” after negotiating with the hacker.

They added that since the hacker “did the right thing” they would no longer be accepting new information that would lead to their arrest, meaning the $1 million reward would no longer be available.

Sentiment Protocol

On 4 April, 2023, Sentiment Protocol was hacked for close to $1 million. The hacker used a read-only reentrancy bug to exploit an integration between Sentiment and the decentralized exchange Balancer. On 5 April, Sentiment Protocol announced the exploit on their Twitter account and paused the main contract to only enable withdrawals in order to mitigate the loss of further funds.

Sentiment Protocol offered to negotiate with the hacker, giving them a bounty and also threatening that if funds were not returned before 6 April, the bounty’s money would be given to anyone who could provide information on the hacker. Like Allbridge, the protocol also promised they wouldn’t be pursuing legal actions against the attacker. They sent an on-chain message stating:

The next day they offered the hacker a $95,000 bounty if the funds were returned by 8:00 UTC on 6 April. On 6 April, the team announced that the hacker had returned 90% of all funds.

Summary of Grey Hat Negotiation Strategies

As we have seen in all four cases, all of the protocols issued an ex post facto bounty in return for the stolen assets. Euler Finance and Sentiment Protocol both threatened to hand the bounty to anyone who would come forward with information on the hacker. Both Allbridge and Sentiment also announced that they would not be pursuing legal action against the hacker if funds were returned, while Poly Network made it clear that law enforcement would be contacted. Out of these four protocols, two saw their “recoverable” funds fully returned, while Allbridge is still in the process of negotiations with the second hacker. Sentiment Protocol successfully recuperated 90% of their funds after only two days of negotiations. It appears that the appeal of a bounty is essential in negotiations, though Euler Finance and Poly Network both demonstrated that threatening their attackers with law enforcement or giving bounties to community members for information on the hacker can also be effective strategies.

Protect yourself and your assets by following @CertiK, @CertiKCommunity, and @CertiKAlert on Twitter to stay up to date on all the latest Web3 security news.

Read more: https://www.certik.com/resources/blog/4wD02hUnaJlHPfAi0TPHdK-a-grey-area-retroactive-bug-bounty-negotiations
