Why Your Web3 Project Needs A Bug Bounty Program
Crypto hacks are costing projects millions in user funds. Bug bounty programs can help prevent exploits and secure the Web3 ecosystem.
Bug bounties provide financial incentives for hackers and researchers to disclose flaws in applications to development teams. In the tech industry, where minor software errors can lead to catastrophic losses, bug bounties provide a cost-effective method for detecting vulnerabilities in code.
Bug bounties have a long history: In 1983, microprocessor manufacturer Hunter & Ready launched the “Bug for a Bug” program—finding flaws in its VRTX operating system earned the finder a Volkswagen Beetle, commonly called the “Bug”. And in 1995, Netscape offered a cash reward for discovering bugs in its Netscape Navigator 2.0 software, which operated on a dial-up Internet service at the time.
With the increasing complexity and scope of crypto exploits, having a well-organized bug bounty program is critical for any Web3 project. In this article we make the case for crypto bug bounties and highlight important considerations for developers looking to run a bug bounty program.
Specifically, we answer the following questions:
I. What is a bug bounty program?
II. Why does Web3 need bug bounties?
III. How Web3 projects can benefit from bug bounty programs?
IV. What are downsides to running a smart contract bug bounty?
V. How to run effective crypto bounty programs
What is a bug bounty program?
A bug bounty program rewards individuals for finding and disclosing vulnerabilities in an application to the development team. You can conduct a bug bounty program on a one-time basis or run it continuously—depending on the organization’s needs.
Most bug bounties follow the same pattern. The individual (commonly described as a “bug hunter” or “bounty hunter”) submits a report describing the vulnerability and exploit possibilities. The organization confirms that the bug exists, assesses the severity, and pays out a bounty to the hacker. Some bug bounty programs may offer to retest, allowing companies to invite hackers to test the code after patching the vulnerability.
With bug bounties, organizations rely on ethical hackers (“whitehats”) to discover vulnerabilities before malicious hackers (“blackhats”) beat them to it. Whitehat hackers can work with organizations to map the attack surface, develop fixes, and conduct rigorous post-deployment testing to ensure optimal safety. When conducted properly, a bug bounty program helps with detecting security risks and protecting against unforeseen zero-day exploits.
Why does Web3 need bug bounties?
Bug bounties are fast becoming the standard in Web3, with projects like MakerDAO offering up to $10M in payouts for bug bounty hunters. However, you may be skeptical about offering money to everyone who finds a bug in their system. So here are some reasons why Web3 needs bug bounties:
Massive incentives to steal
Decentralized finance (DeFi) has revolutionized the financial industry and unlocked new streams of value for both users and developers. But the boom in DeFi is also increasing incentives for malicious attackers to steal user funds. DeFi projects often hold valuable assets, making them attractive targets for hackers.
listing of the top DeFi projects based on Total Value Locked (TVL). [Source]
With DeFi, simple errors in contract code can lead to millions being wiped out from the total value locked (TVL) in a project. Worse, the blockchain’s ‘code is law’ property renders such funds effectively irrecoverable.
The ease of stealing DeFi funds is also partly due to crypto’s ethos of pseudonymity. Already user identities are pseudonymous (not linked to names), but criminals also rely on coin mixers, privacy coins, and other cutting-edge tools to further hide their tracks. A real-life example is the hacker behind the $100m hack on Harmony One’s token bridge laundering stolen funds using the Tornado Cash mixer.
Protecting smart contracts is difficult
Web3 thrives on open-source software ideals: smart contracts that power decentralized applications (dapps) live on public blockchains and are open to everyone. Everyone’s free to interact with your deployed contract, whether for benign reasons (purchasing tokens) or malicious reasons (finding exploitable bugs). This means that vulnerabilities are publicly visible, potentially increasing the possibility of a hack.
Blockchain technology is still evolving
Web3 technology is young, with tooling and security standards still in a developmental phase. For context, Solidity (the de facto programming language for Ethereum) has only been around for a little more than seven years.
While auditors, formal verification engineers, and tooling developers are working on improving Web3 security standards, previously undiscovered vulnerabilities will continue to surface in contracts. No amount of extensive auditing and code review before launching a Web3 project can rule out the possibility of bugs appearing in a smart contract once it’s live.
Composability risks
Composability refers to the interoperability of components within a particular system. A composable structure comprises distinct components that can be combined differently to achieve different results.
Composability in Web3 allows contracts to interact with each other, which increases the functionality available to users. But contract interactions open up newer attack vectors, such as re-entrancy attacks and flash loan market manipulation attacks.
Composability also makes it easy for new blockchain projects to incorporate code from existing libraries. “Forking”, as it is known in crypto, allows developers to take advantage of battle-tested code libraries and save time during development.
However, it is common for development teams to tweak forked code for different reasons—potentially introducing bugs in the process. This means projects running forks of another protocol are susceptible to attacks, even if the original codebase is seemingly secure.
Bug bounties don’t solve these problems but act as a proactive security measure for Web3 projects. Let’s see how having an active smart contract bug bounty program can better secure the funds locked in your Web3 project.
How Web3 projects can benefit from bug bounty programs
Provide higher incentives to disclose vulnerabilities responsibly
As explained previously, the incentives to exploit Web3 protocols are high. Solving this problem requires providing incentives to do the opposite: report vulnerabilities and assist development teams in patching defective code.
One method of incentivizing vulnerability disclosure is the “scaling bug bounty” proposed by Immunefi (a leading Web3 bug bounty coordination platform). Scaling crypto bug bounties means paying a percentage (ideally starting from 10 percent) of the funds at risk to the hacker who reported the bug. For example, if a vulnerability would have cost a project $200 million, then the appropriate smart contract bug bounty would be $20 million.
Two objections to this suggestion would be:
a. Why pay such a huge amount for a “simple” bug?
b. Why would a hacker accept 10 percent when they can steal the entire thing?
Answering the first question is easy: “simple bugs” have destroyed the reputation and viability of many Web3 projects in a flash. The website Rekt curates an ever-increasing list of crypto projects suffering devastation from both complex and deceptively simple exploits. With the size of funds at stake, paying a scaling bug bounty to prevent massive loss is a no-brainer.
A classification of top DeFi hacks according to the total amount of funds lost to hackers. [Source]
The second question has more to do with rational choice theory: individuals always choose actions that maximize their benefits. While stealing money from a DeFi project is easy, holding onto it is a tough business.
Advanced blockchain analysis tools, such as Chainalysis and Elliptic, are making it possible to de-anonymize blockchain users and trace transactions. This means the aspiring crypto-criminal has a harder job to do when laundering dirty money.
There’s also the fear of getting caught and jailed—a feeling every criminal knows too well. Why steal money if it means having to look over your shoulder for the rest of your life?
On the flip side, the 10 percent payout from a crypto bounty is clean money that a hacker can spend without paranoia. Disclosing vulnerabilities can also pave the way for a career in ethical hacking, leading to more prestige, societal recognition, and money for the hacker.
Put simply, prospective hackers have incentives to report a vulnerability instead of exploiting it for personal gain.
Flexible, cost-effective, and robust security
Compared to penetration testing, bug bounties are more flexible. On crypto bounty platforms like Immunefi and HackerOne, Web3 companies can decide how much to pay for specific classes of vulnerabilities. This contrasts with auditing, where costs are charged upfront.
As a rule, smart contract bug bounty programs pay out only if the hacker discloses a vulnerability, which developers can verify internally. With a bug bounty, you get exactly what you pay for—unlike regular testing which may not reveal any flaws in the contract.
Finally, a bug bounty program has the potential to provide continuous testing and vulnerability monitoring, depending on the bounty participants. Audits usually occur before a project launches or before significant upgrades, but a crypto bug bounty can run year-round.
Leverages the hacker community
Bug bounties are ideal because they give access to a diverse community of ethical hackers and independent security researchers with different backgrounds, experiences, and skill sets. Instead of relying on a single auditing team, you can have the most talented hackers poring over every line of your project’s code and racing to find vulnerabilities.
Downsides to running bug bounties
Of course, bug bounties are not without drawbacks. Below are some potential issues with launching a smart contract bug bounty program for your Web3 project:
- High costs: Pricing a Web3 bug bounty attractively matters because it influences interest in hacking on your project. This wouldn’t be a problem, except that well-funded projects are offering higher payouts—effectively putting pressure on other projects to pay competitive prices for vulnerability disclosure. We should also note that a crypto bug bounty program wouldn’t make much financial sense if you have to pay people to disclose bugs that auditors would have discovered in their security review.
- Compliance issues: A smart contract bug bounty is also not particularly viable for compliance purposes. Your project still needs to be independently audited before and after launch to give users and regulators assurances of its security.
- Administrative overhead: While the open nature of a bug bounty program makes it effective for attracting individuals with different skill sets, this can quickly become a disadvantage. Often, crypto bug bounty programs get a large number of bogus submissions where people flag tiny issues that wouldn’t be considered security-related.
This means you’ll need to have people responsible for validating bug reports and assessing the severity of disclosed vulnerabilities. This may be problematic for Web3 projects that favor lean teams and cannot spare manpower to handle low-level administrative tasks.
- Risks of dealing with hackers: Dealing with hackers hunting for bugs also has risks. For example, you may have to deal with shady personalities (e.g., ex-blackhats), greedy individuals wishing to hold out for more money than advertised, and anonymous hackers bent on keeping their identities private at all costs (e.g., by avoiding calls). Moreover, there’s no guarantee that a whitehat hacker will find the bug first—you might just lose your user’s funds to a blackhat.
How to run effective bug bounties
Running an effective Web3 bug bounty is easier with the existence of vulnerability disclosure platforms, although there are still a few things to keep in mind:
- Create channels for communication: Ideally, you should have a vulnerability disclosure policy on your website. This is a statement explaining how your team deals with vulnerability reports from ethical hackers. It should also specify communication channels for hackers who have a bug finding to submit.
- Set up a dedicated team for responding to bug reports: Having a team on hand to review bug reports promptly is important. Not only does it ease the validation of reported vulnerabilities, but it prevents developers from being overwhelmed with submissions.
- Be transparent and deal honestly: It is important to deal honestly and transparently with whitehat hackers who discover vulnerabilities. Attempts to play down the severity of a bug or haggle over pricing can discourage others from reporting vulnerabilities in the future (word will get out). Once the proof-of-concept for a bug has been verified, conduct the payout in good faith.
- Define project scope: Most Web3 bug bounty platforms advise properly defining the scope of the bounty program in advance. This includes details on what parts of the system to probe, what to look for (and what not to look for), how to prove the existence of a bug, and how much you intend to pay for bug reports.
Below is an example of a crypto bounty program page for MetaMask, a Web3 wallet service, on HackerOne:
A snapshot of details for MetaMask’s bug bounty program on HackerOne.
If conducted properly, bug bounties can be very beneficial in protecting blockchain projects from costly hacks. Here are a few real-life Web3 bug bounty success stories:
- Aurora: The EVM-compatible protocol built on NEAR paid out $6m to a whitehat hacker who discovered a vulnerability that would’ve resulted in the loss of 70,000 ETH and $200m in other assets.
- Polygon: Polygon, an Ethereum sidechain, paid Gerard Wagner, a former ConsenSys Diligence Auditor, $2.2m for discovering a vulnerability that would’ve put more than $850m at risk. The bug affected the protocol’s Plasma contract and allowed a would-be attacker to double their cryptocurrency withdrawals multiple times.
- Optimism: Ethereum Layer 2 project Optimism paid ethical hacker Jay Freeman $2m after he discovered a flaw that allowed for printing an infinite supply of ETH on the L2 chain. This was the max payout listed on Optimism’s Immunefi bug bounty dashboard, showing the seriousness of the vulnerability.
Bug bounties are not a silver bullet
Bug bounties provide a cost-effective means for detecting vulnerabilities in smart contracts and preventing exploits. An effective Web3 bug bounty program incentivizes responsible vulnerability disclosure and mitigates some of the security risks in blockchain technology.
That said, a smart contract bug bounty is not a silver bullet. Bug bounties are but one part of a larger Web3 security stack that includes independent and rigorous auditing and vulnerability scanning. For example, security tools such as Diligence Fuzzing continuously analyze your code to detect potential vulnerabilities.
A bug bounty program should only complement existing security activities: it isn’t a quick-and-dirty alternative to doing due diligence in security. If your blockchain project has implemented smart contract best practices, bug bounties can help catch those few security issues that slip past auditors and development teams.