August 2021 was not kind to decentralized finance, at least from a security perspective.
There were a number of headline-grabbing hacks — some of which made international news.
And although such exploits can be devastating for a protocol’s credibility, at least two projects that fell victim to hackers are counting themselves lucky. Very lucky indeed.
That’s because they were taken to the cleaners by ethical hackers, also known as white hats, who between them could have stolen close to $1 billion after finding fatal flaws in their systems. Instead of cashing in, they merely wanted to highlight that the vulnerabilities existed.
The first and highest-profile incident was on 10 August, when $612 million was — briefly — stolen from the cross-chain protocol Poly Network. The audacious attack attracted coverage from the likes of the BBC, CNN and CNBC.
A week later, a white hat announced that he’d found and helped close a $350 million hole in decentralized exchange SushiSwap.
The SushiSwap incident drew attention mainly inside the cryptocurrency industry. After all, no money was actually stolen: the flaw was found by a white hat turned blockchain security researcher who did what most white hats do, informed the DEX of the flaw and helped fix it.
Not every project was so lucky. On 19 August 2021, Japanese cryptocurrency exchange Liquid saw $80 million drained from its warm wallets. This attack was by a black hat hacker — a thief — and no givebacks were forthcoming.
The terms “white hat” and “black hat” come from the golden age of Hollywood Westerns, when the good guy and the bad guy were easily identifiable to the audience by the color of their hats.
Black hats are no-gooders who will steal anything and everything from anyone — note the rising number of ransomware attacks on hospital systems during the pandemic. White hats, by contrast, work to protect companies, projects and individuals.
However, white hats operate in a decidedly grey area, both ethically and legally. The open nature of blockchain technology means most protocols and smart contracts can be inspected without breaking into a corporate network, but even sending a transaction that confirms a vulnerability on a live contract can be something the law frowns upon. Careful researchers therefore demonstrate a finding on a local fork of the chain or on a testnet rather than against the deployed contract, and check whether the project publishes rules on what testing it permits.
White hats have a number of motivations, beginning with making a living by doing something they love and showing off their skills while doing good. Others are largely doing it for fun or for rewards — the “bug bounties” many tech companies offer for bringing security flaws to their attention.
It may not have been the biggest headline in August, but the SushiSwap exploit discovered by a blockchain security expert employed by venture capital firm Paradigm may have saved a lot of small cryptocurrency investors from ruin.
On 17 August 2021, news broke that a professional white hat who goes by the name Samczsun on Twitter had found a massive flaw in decentralized exchange SushiSwap, saving the DEX from a potential loss of $350 million.
“Just pulled off maybe the biggest whitehat rescue ever,” Samczsun tweeted that day. In a minute-by-minute blog post later that day he described how a discussion on a Telegram group led him to — quite legally — dig into the smart contract governing SushiSwap’s MISO Dutch auctions. There he found an access control flaw he called “an obvious misstep” that could have let a black hat reuse the same Ether to bid over and over — essentially bidding “for free”.
That’s when he tested the flaw by exploiting it, and found an even worse one. “I wasn’t dealing with a bug that would let you outbid other participants,” he wrote. “I was looking at a 350 million dollar bug.”
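The article does not spell out how bidding “for free” worked, so the contrast below is an added illustration in Solidity, not MISO’s or SushiSwap’s code and not taken from samczsun’s write-up. It shows the general pattern in which a batching helper forwards calls with delegatecall: delegatecall preserves the outer transaction’s msg.value, so a payable function that credits msg.value counts the same Ether once per call in the batch. The contract names, the commitEth and batch functions and the balance invariant are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example. Constructed contracts, not MISO's or SushiSwap's code.

// VULNERABLE: batch() forwards calls with delegatecall, which keeps the
// outer transaction's msg.value. Each delegatecalled commitEth() therefore
// reads the same msg.value and credits it again, so one deposit of 1 ether
// plus a batch of N commitEth() calls credits N ether.
contract VulnerableAuction {
    mapping(address => uint256) public commitments;
    uint256 public totalCommitted;

    // Correct on its own: credits exactly the Ether attached to this call.
    function commitEth() external payable {
        commitments[msg.sender] += msg.value;
        totalCommitted += msg.value;
    }

    // The flaw: payable batch + delegatecall = msg.value reused per call.
    function batch(bytes[] calldata calls) external payable {
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, ) = address(this).delegatecall(calls[i]);
            require(ok, "batched call failed");
        }
    }
}

// HARDENED: two independent fixes.
// 1. batch() is not payable, so a transaction that sends Ether to it reverts
//    and any delegatecalled payable function sees msg.value == 0.
// 2. Every credit is checked against the Ether the contract actually holds,
//    so over-crediting reverts even if a future batching path slips through.
contract HardenedAuction {
    mapping(address => uint256) public commitments;
    uint256 public totalCommitted;

    function commitEth() external payable {
        _credit(msg.sender, msg.value);
    }

    function _credit(address bidder, uint256 amount) internal {
        commitments[bidder] += amount;
        totalCommitted += amount;
        // Invariant: Ether credited to bidders never exceeds Ether held.
        // In the vulnerable pattern the second batched credit trips this.
        require(totalCommitted <= address(this).balance, "credit exceeds balance");
    }

    // Not payable: sending Ether with a batch reverts before any call runs.
    function batch(bytes[] calldata calls) external {
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, ) = address(this).delegatecall(calls[i]);
            require(ok, "batched call failed");
        }
    }
}
```

In the vulnerable contract, one transaction carrying 1 ether and a batch of three encoded commitEth() calls credits the sender with 3 ether while the contract holds 1. The hardened version removes payable from batch, so Ether sent with it reverts and a delegatecalled commitEth() sees a msg.value of zero, and it adds the balance invariant as defence in depth, which would make the second batched credit revert even without the first fix. Reproduce this on a local fork or testnet, never against a live contract.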
Within minutes, he was on a panicked Zoom call with Sushi developers — and five hours after his discovery, a rescue plan had been formulated, tested and implemented.
The previous Tuesday — 10 August — started out a lot worse for Poly Network’s developers. It began with a tweet: “We are sorry to announce that #PolyNetwork was attacked on @BinanceChain @ethereum and @0xPolygon Assets had been transferred to hacker’s following addresses… .”
A few hours later, the Poly Network team tried what must have felt like a Hail Mary pass, tweeting “Dear Hacker… We want to establish communication with you and urge you to return the hacked assets.”
Saying the “amount of money you hacked is one of the biggest in DeFi history,” they threatened criminal charges while simultaneously appealing to his conscience — noting that “tens of thousands of crypto community members” were the ones who lost their money.
Surprisingly, it worked. In a series of communications carried out both privately and via messages on Ether transactions, the hacker said he did it “for fun” and to teach Poly Network a lesson — adding that he’d “always” planned to return the stolen crypto.
Poly Network assured “Mr. White Hat” that they would not pursue criminal charges — offering a $500,000 bug bounty if all the funds were returned. They even offered a job: chief security adviser.
A couple of tense weeks ensued as the cantankerous “Mr. White Hat” returned the funds in dribs and drabs. On August 26, the cross-chain protocol was able to tweet “Yay!” after all the funds were returned and it was finally able to begin restoring access to its platform.
Even before the $612 million had been returned, Poly Network launched its first formal bug bounty program, funded to the tune of another $500,000, with rewards of up to $100,000 depending on the severity of the exploit. There’s another condition: funds can’t be stolen first.
“Companies are catching up to the idea that [hackers] can be a benefit to them,” according to Illinois Technology Association CEO Julia Kanouse. But, she added, the programs can “go off the rails” without very clear guidelines about what conduct and level of access is acceptable.
Bug bounties vary widely, from as little as $5 to six-figure payouts based on the severity and potential damage of the flaw discovered.
In the crypto world, many exchanges and protocols offer them. Kraken, for example, offers a minimum of $500 with no set limit, although the highest amount paid out was $6,400. Binance offers $200 to $10,000, with the possibility of up to $100,000 for extraordinary finds. The Ethereum Foundation’s Eth2 bug bounties top out at $50,000, and EOS paid one researcher $120,000 for 10 critical bugs found in just one week. All four have extensive rules and guidelines.
Mr. White Hat may have earned $500,000 via Poly Network’s bug bounty, but his claim that he “always” planned to give the money back doesn’t exactly make him a typical white hat.
Tens of thousands of platform users lost access to their funds for weeks, and Poly Network had to close up shop for that time. And even if you give it back, stealing more than half a billion dollars is a crime any way you look at it.
Most white hats act more like Samczsun, who researched the problem, ran only a brief test exploit, and then worked hard to fix the problem.
“You feel like a detective, going in rooting around and saying, ‘That looks interesting’, and having a stream of clues,” Katie Paxton-Fear told ZDNet at a bug hunting event in London last year. “And, when you get all the pieces neatly together, and it works and there’s a bug there – it’s the most thrilling experience ever.”
Enticing white hat hackers with bug bounties is good, but it is only one piece of the cybersecurity puzzle. For one thing, white hats are hit and miss, with no guarantee that good researchers are looking at a specific company or its top security needs at the right time.
“Often, you’ll find that the best hackers don’t want to work for a bank,” Kanouse said. “They tend to have a little bit of a rogue, independent, ‘do it on my own’ mindset. So, the people who are really good at [hacking] don’t want to work in an internal team.”
Indeed, Kanouse noted that bug bounty programs can be a good way to find people with a skillset that is in very short supply.
That said, a white hat’s main value is not in building and maintaining a protocol’s security day to day. White hats stress-test a system by bringing in someone with a different perspective, which complements an internal team rather than replacing it.
Of course, another important part of crypto security is being able to protect against and track hacked funds, whether going out or coming in. This requires partners like analytics platform Crystal Blockchain, which can build and monitor a risk management system, monitor potential compliance problems, and investigate and track digital assets with a powerful and easy-to-use visualization tool.