White hacker received a record bounty award from Wormhole

“To catch a criminal, you have to think like a criminal.”

Wormhole recently made history as a project with one of the largest and resounding exploits in the decentralized finance industry: criminals managed to loot the platform for more than $300 million. Therefore, although the team, unfortunately, has to follow the path of its own negative experience (and not “ahead of the curve” as it could be), the bounty bonuses they offer for white hat hackers are very generous. On February 11, the Immunefi platform, which specializes in finding errors in smart contracts, received a grant from Wormhole for $10 million (with payment in USDC). The bounty program had several levels of difficulty, from $2.5 million to $10 million, depending on the hacker’s ability to “empty” all the locked value from one or more chains. Participants were required to pass KYC verification, although the hackers used their nicknames for the program. The winner with the nickname satya0x solved the problem in less than two weeks. The hacker’s Twitter page was also created in February, from which it can be concluded that the account was opened specifically for the Wormhole contest. Already on February 24, he indicated a critical vulnerability in the main protocol bridge on Ethereum, which consisted of the possibility of proxy self-destruction at the time of the update. This could potentially lead to the blocking of user funds. Proxies allow making periodic changes to the code, which is a necessity even for seemingly unchanging things like smart contracts (in particular, to eliminate detected errors and bugs). Thus, these proxy contracts carry the main risks of external interference in the code (or exploitation of existing weaknesses in it). The project team said that the vulnerability found by the hacker was confirmed and fixed. Re-testing the error showed that the protocol could ensure the security of aggregated assets. This $10 million case was the largest bug bounty in history. For a project that lost more than $300 million, it cost 3% of the exploit to fix the problem. Wormhole bonus size may remain the largest for a long time due to clear signs of a recession and a possible bear market: many DeFi protocols may face liquidity problems, and users a significant “thinning” of their crypto portfolios.