White hat hacker paid DeFi’s largest reported bounty fee

Published at: Sept. 30, 2021

Belt Finance, an automated market maker (AMM) protocol operating a yield optimization strategy on Binance Smart Chain (BSC), claims to have paid the largest bounty in the history of decentralized finance (DeFi) to a white hat hacker who averted a $10-million bug crisis. 

Industry white hat programmer Alexander Schlindwein discovered the vulnerability in Belt Finance’s protocol this week and reported the news to the team. For his efforts, Schlindwein received a generous compensation of $1.05 million, the majority of which ($1 million) was facilitated by Immunefi and granted by Belt Finance, with the additional $50,000 offered by Binance Smart Chain’s Priority One program.

Immunefi is one of the market leaders in software security for cryptocurrency projects. Since its inception, the platform has reportedly paid out in excess of $3 million to white hat hackers who have successfully identified technical infrastructure flaws in smart contracts and crypto platforms.

Priority One is a BSC initiative launched in July to enhance the security of decentralized applications (DApp) within the platform’s native ecosystem. Mirroring the structure of Immunefi, the service provides a $10-million incentive fund to blockchain bounty hunters who successfully contribute to the avoidance of security breaches across 100 DApps.

Schlindwein told Cointelegraph about how he discovered the vulnerability:

“I went through the list of bug bounties on Immunefi and picked Belt Finance as the next one to work on. While I was studying their smart contracts, I noticed a potential bug in the internal bookkeeping, which keeps track of each user’s deposited funds. Playing the attack through with pen and paper gave me more confidence in the existence of the bug. I continued by producing a proper proof-of-concept [PoC] which undoubtedly confirmed its validity and economic damage.”

“The next step was to create an official report on Immunefi including the PoC and an extensive description of the exploit,“ Schlindwein said, adding, “Immunefi reacted immediately to the critical report, and within three minutes after submission, it was escalated to the Belt team. Shortly after, Belt confirmed the validity of the report and began implementing a fix, which then patched the vulnerability.”

Related: The perfect storm: DeFi hacks will advance the crypto sector moving forward

Although DeFi’s security breaches remain a prevalent concern, it has been argued by some that the nascent ecosystem will benefit from such incidents in the long term, as areas of weaknesses are starkly highlighted.

Cointelegraph asked Schlindwein his perspective on the importance of bounty programs in supporting DeFi’s antifragile ambitions:

“I am strongly convinced of the importance of bug bounties and initiatives such as bounty funds. DeFi security consists of multiple layers, starting with peer review and unit testing to external audits and formal verification. Bug bounties are the last line of defense should an issue slip through the overlying layers with the potential to prevent a devastating hack while instead seriously fixing the issue and compensating the finder.”

“Bug bounties in DeFi have been a rare sight before Immunefi existed, only offered by the ‘Crème de la Crème’ of projects. It’s great to see hundreds of projects launching their bug bounty nowadays, which will certainly bring DeFi security forward in the long run,” Schlindwein concluded.

Tags
Related Posts
Jump Crypto replenishes funds from $320M Wormhole hack in largest-ever DeFi 'bailout'
On Thursday, Jump Crypto, a crypto venture capital firm that owns Certus One, the developer of the Wormhole token bridge, announced it had deposited 120 thousand Ether (ETH) into a Solana-Ethereum bridge that suffered a devastating exploit. The day prior, hackers fraudulently minted 120 thousand wrapped Ether (wETH) worth $321 million on the Solana (SOL) platform, then redeemed 93,750 wETH for ETH on the Ethereum network while swapping the rest for other altcoins on the Solana network. The cross-chain ETH-wETH is supposed to have an exchange ratio of 1:1 against one another. Therefore, unauthorized minting of wETH leads to significant …
Technology / Feb. 3, 2022
Latest DeFi bridge exploit results in $4.4M losses for Meter
The Meter Passport token bridge platform has incurred $4.4 million in losses due to a smart contract hack which also caused Hundred Finance to lose $3.3 million through under-collateralized loans. Meter.io’s Meter Passport (MTRG) is a token bridge that is compatible with Ethereum and its sidechains. This attack affected the Moonriver side of the bridge. Moonriver is a smart contract platform based on Polkadot’s Kusama network. Hundred Finance is a crypto lending platform based on the code for Compound Finance. Starting at 2pm UTC on Feb. 5 and over the course of several transactions, about $4.4 million in Binance Coin …
Blockchain / Feb. 8, 2022
STEPN impersonators stealing users' seed phrases, warn security experts
Peckshield, a prominent blockchain security firm, exposed the existence of numerous phishing websites for the Web3 lifestyle app STEPN on Monday. Hackers insert a forged MetaMask browser plugin through which they can steal seed phrases from unsuspecting STEPN users, according to Peckshield. When these cybercriminals obtain the seed phrase, they gain complete control over the STEPN user's dashboard where they may connect their stolen wallets to their own or "claim" a giveaway as per Peckshield. #PeckShieldAlert #phishing PeckShield has detected a bath of @Stepnofficial phishing sites. They insert a false Metamask browser extension leading to stealing your seed phrase or …
Adoption / April 25, 2022
Crema hacker returns $8M, keeps $1.6M in deal with protocol
The hacker who exploited Solana-based liquidity protocol Crema Finance on July 2 returned most of the funds but was allowed to keep $1.6 million as a white hat bounty. The bounty, 45,455 Solana (SOL), is worth a generous 16.7% of the $9.6 million Crema lost initially, which forced the protocol to suspend services. Crema’s team began an investigation to identify the hacker by tracking their Discord handle and tracing the original gas source for the hacker’s address. Just as it seemed the team may have been onto the secret identity, it announced that it had been negotiating with the hacker. …
Blockchain / July 7, 2022
Hope Finance exploit results in $2M stolen from users' funds
Prospective users of an Arbitrum-based decentralized finance (DeFi) project have been left out of pocket following a $2 million exploit. Web3 security firm CertiK flagged the incident on Feb. 21, following an announcement from the Hope Finance Twitter account notifying users that they had been scammed. #CommunityAlert @hope_fin have announced the community has been scammed for ~$2m making this the largest #exitscam on Arbitrum in 2023. $1.86m was transferred to @TornadoCash. Hope_fin have posted steps for user's to withdraw their staked LPhttps://t.co/hJbFXiKujt — CertiK Alert (@CertiKAlert) February 21, 2023 Details of the project are difficult to come by. The platform’s …
Blockchain / Feb. 21, 2023