Difference between revisions of "Bug bounty"
Revision by 0xBigDaddy
Revision as of 09:52, 20 April 2022
A bug bounty is a countermeasure developers can put in place to encourage white-hat hackers to disclose exploitable bugs discreetly rather than trigger them. Generally speaking, a bug bounty applies strictly to the smart contract repositories it specifies.
Size
A significant number of chains and protocols use bug bounties. These can range from a few thousand dollars to up to ten million dollars (at time of writing). Different bug bounties are listed on websites such as immunefi.com. By their count alone, some $135,000,000 are available for hackers to claim.
Effectiveness
There are many cases of bug bounties successfully preventing exploits:
- Trail of Bits disclosed a vulnerability in a nearly launched version of AAVE[1] (https://blog.trailofbits.com/2020/12/16/breaking-aave-upgradeability/)
- OpenZeppelin disclosed a multisig vulnerability in Convex[2] (https://blog.openzeppelin.com/15-billion-rugpull-vulnerability-in-convex-finance-protocol-uncovered-and-resolved/)
Issues
Sometimes anonymous developers have no way to verify that their anonymous counterparty will not simply exploit the code once it is disclosed to them. This was the case with OpenZeppelin's recent attempt to disclose a 10-figure vulnerability in Convex.
Providers
Immunefi lists and organises all bug bounties as a centralised, web2-style company. Hats.finance provides a similar offering but does so in a decentralised way.