Crypto companies should put their blockchain code first. Not only should the network, data transfer, storage and transactions be tested properly, but white hat hackers should also be actively involved and rewarded for finding bugs in the blockchain and the surrounding software. Crypto companies should invest more time and money in debugging their code, as it is the base of everything they do in this 120 billion dollar industry.
During this year crypto companies have paid white hat hackers a total of 878 thousand dollars in rewards, according to data from breach disclosure platform HackerOne, gathered by the tech website The Next Web. We are not even talking about a million dollars; that is very little, especially considering that this is a 120 billion dollar market with over two thousand companies involved. Obviously not every crypto company runs its bug bounties through the HackerOne platform, but we are still talking about small numbers here.
By comparison, the European Union is now offering ‘bug bounties’ for hackers who find vulnerabilities in open source software. In this case it is all about 7-zip, Apache Tomcat, Drupal, Filezilla, VLC, KeePass, Notepad++ and other tools that are used by EU institutions. They are offering 851 thousand dollars, spread out over fifteen bug bounties during the first quarter of 2019. That is almost the same amount of money that the entire blockchain business has spent in 2018 according to HackerOne.
On BugCrowd.com people who find bugs of low technical severity are often rewarded $100 or $200. The more serious a bug is, the higher the reward. These bounties can go up to $5000.
Many blockchains have bugs
The world of crypto is full of vulnerabilities, and this is true for both small and well-established projects. This year researchers found bugs in the Bitcoin blockchain that affected both Bitcoin and Bitcoin Cash. Earlier this year a report suggested that there are 34 thousand vulnerable smart contracts on the Ethereum blockchain alone. Then there are dozens, if not hundreds, of blockchain projects forked from each other, each carrying its own bugs.
A vulnerability in a blockchain project has serious consequences, not only for the businesses involved but also for the investors. Several masternode projects, including Bitcoin Green and DACH, have been hit by a vulnerability that allowed a third party to create an unlimited number of coins. This caused a devaluation of the coins and of the entire network. A swap to a new blockchain is the only solution, but there will always be victims in these cases. Goodwill, faith, money and investor loyalty might well be lost.
In recent weeks Bitcoin Private (BTCP) discovered that someone had created two million extra coins during the project’s forking period a few months earlier. They are now shutting down a privacy feature that hides funds from the rest of the network, in an effort to destroy the stolen coins. Obviously this will also hurt investors who have done nothing wrong. BTCP, DACH and Bitcoin Green all continued to operate, but with a damaged reputation. There are plenty of other examples where the developers simply gave up, or where the security leak was part of an elaborate scam.
Hackers getting paid
According to HackerOne a white hat hacker earns on average $900 for finding a bug in tech projects, and $1490 in blockchain projects. Crypto companies are already paying more than average, but at the same time not every crypto company is spending resources on having its code checked. A market so dependent on networking technology should treat the quality of its source code as its highest priority. Having your code checked, double-checked and triple-checked should be part of the development process, and it should be budgeted for.
HackerOne is used by a variety of companies, including Spotify, General Motors and Starbucks. In the crypto business over 64 companies use HackerOne and its pool of white hat hackers to improve their blockchain code, including major names like Cobinhood, Stellar, Coinmarketcap, Electroneum, Nano, EOS, Coinbase and Tron.
EOS was the company that paid the most rewards in 2018. Block.One, the founding company of the EOS blockchain, paid $534,500 in bug bounties. Coinbase came second with $290,381, but has been running this type of reward programme for several years already. Tron came third with only $76,200 in rewards.
Yes, that is the same Tron that wanted to give a random person $10,000 for creating the one millionth Tron wallet. It is also the same Coinbase that is valued at 8 billion dollars and recently put 5 billion dollars of crypto in cold storage.
You will understand that $1500 for finding a bug that might have destroyed an entire project is nothing. Even double that amount would be a steal, especially if it can prevent a multi-million dollar project from collapsing. Shouldn’t every blockchain project consider investing in white hat hackers? Sometimes uploading code to GitHub and having your Discord community take a look at it simply isn’t enough.
Also published on Medium.