bug bounty

Anthropic launches $15K jailbreak bounty program for its unreleased next-gen AI

The program will be open to a limited number of participants initially but will expand at a later date.

Artificial intelligence firm Anthropic announced the launch of an expanded bug bounty program on Aug. 8, with rewards as high as $15,000 for participants who can “jailbreak” the company’s unreleased, “next generation” AI model.

Anthropic’s flagship AI model, Claude-3, is a generative AI system similar to OpenAI’s ChatGPT and Google’s Gemini. As part of the company’s efforts to ensure that Claude and its other models are capable of operating safely, it conducts what’s called “red teaming.”

Red teaming is basically just trying to break something on purpose. In Claude’s case, the point of red teaming is to try and figure out all of the ways that it could be prompted, forced, or otherwise perturbed into generating unwanted outputs.

MicroStrategy completes $3 billion convertible notes offering to buy more Bitcoin

Ronin Network Reclaims $12 Million in Stolen Digital Assets

Ronin Network stated that digital assets worth $12 million, siphoned by so-called white hat hackers on August 6, were returned in full the same day. The Ronin team mentioned that they paused the bridge approximately 40 minutes after the first on-chain action was detected. The team also assured users that their funds were “safe and […]

Ethereum Foundation Rolls Out ‘Attackathon’ To Bolster Blockchain Security, Plans To Raise Over $2,000,000 in Reward

The Ethereum Foundation (EF) is unveiling a month-long initiative aimed at improving the security of the second-largest blockchain by market capitalization. According to the Ethereum Protocol Security (EPS) Research Team, the blockchain-focused bug bounty platform Immunefi will host an Ethereum (ETH) protocol “Attackathon” over a four-week period. An Attackathon is a challenge aimed at auditing […]

The post Ethereum Foundation Rolls Out ‘Attackathon’ To Bolster Blockchain Security, Plans To Raise Over $2,000,000 in Reward appeared first on The Daily Hodl.

Blockchain Security Firm Certik Returns $3,000,000 in Exploited Funds to Crypto Exchange Kraken

A digital asset security research firm has returned $3 million in funds to crypto exchange Kraken after an unusual saga following a bug bounty program exploit. Yesterday, Kraken chief security officer Nick Percoco said in a lengthy X thread that the exchange was alerted days ago that an “extremely critical” code exploit allowing hackers to artificially […]

The post Blockchain Security Firm Certik Returns $3,000,000 in Exploited Funds to Crypto Exchange Kraken appeared first on The Daily Hodl.

Kraken Calls Security Research Firm’s Demands ‘Criminal’; Certik Slams Threats Against Its Employees

Kraken has accused an unnamed security research firm of stealing $3 million from its treasury and attempting to extort more money. Nick Percoco said so-called white hat hackers failed to fully disclose the bug transaction details and have not made arrangements to return the stolen funds. White Hat Hackers Refuse to Abide by Rules The […]

Crypto Exchange CoinEx Promises Generous Bug Bounty Reward to Hacker Following $70,000,000 Exploit

Days after suffering a security breach, crypto exchange CoinEx is attempting to reach out to the hackers responsible for the incident. In an open letter to the hackers, CoinEx says it is ready to reward the perpetrators of the theft with a “generous bug bounty” if the stolen assets are returned. “We hope you recognize the […]

The post Crypto Exchange CoinEx Promises Generous Bug Bounty Reward to Hacker Following $70,000,000 Exploit appeared first on The Daily Hodl.

Mango Markets exploiter seeks to keep disputed funds paid as ‘bug bounty’

Attorneys representing Avraham Eisenberg argued he had already settled his dispute with Mango DAO and shouldn't have to pay back any more funds.

The alleged exploiter of the decentralized finance protocol Mango Markets, Avraham Eisenberg, is seeking to keep his share of crypto gained from his so-called “highly profitable trading strategy.”

On Feb. 15, attorneys for Eisenberg filed a motion in a New York District Court objecting to a lawsuit from Mango that asks for $47 million in damages plus interest starting from the time of Eisenberg’s October attack, which drained around $117 million from the protocol.

The lawyers argued that Eisenberg shouldn’t need to pay back any more funds to the DeFi platform due to a settlement agreement that he reached with Mango DAO, arguing that the “matter was settled.”

Eisenberg’s (right) last public appearance was on a podcast in late October, just weeks after his alleged exploit of the platform. Source: YouTube

A governance proposal was passed by the Mango DAO following the draining of its treasury that saw Eisenberg keep a portion — $47 million — of the pilfered funds as a bug bounty along with a stipulation that Mango wouldn’t pursue legal action.

“Eisenberg transferred funds totaling approximately $67 million to Mango Markets,” the attorneys wrote, adding:

“Weeks later, eligible Mango Markets’ members received reimbursement from the Mango Markets treasury. At that point, all involved considered this matter closed and Mr. Eisenberg heard nothing further from Mango Markets.”

Mango, however, said in its suit that the settlement should be voided as it was made “under duress” and alleged Eisenberg “was not engaged in lawful bargaining.”

Eisenberg’s attorneys rebuffed these claims, saying the “improper three-month delay” for Mango filing its suit “undermines any alleged irreparable harm.” The lawsuit, they say, aims to “take advantage” of Eisenberg’s December arrest in Puerto Rico by United States authorities.

Eisenberg was charged by the Federal Bureau of Investigation with commodities fraud and manipulation.

He also faces a lawsuit from the U.S. Commodity Futures Trading Commission that alleges market manipulation and a suit from the Securities and Exchange Commission for violating securities laws relating to anti-fraud and market manipulation.

Eisenberg has previously stated his trades on Mango were “legal open market actions, using the protocol as designed,” and called his purported attack a “highly profitable trading strategy.”

Aave Launches Stablecoin GHO on Ethereum Goerli Testnet with Open Source Codebase and Audits

Aave Companies, the firm behind the decentralized finance (defi) project Aave, has announced the launch of a stablecoin called GHO on the Ethereum testnet network Goerli. The codebase is available on Github and has undergone audits by Open Zeppelin, Sigmaprime and ABDK. Aave Invites Programmers to Test GHO Before Mainnet Deployment On Thursday, Aave Companies […]

DeFi auditor nets $40,000 for identifying Uniswap vulnerability

A security firm flagged a now-fixed vulnerability to Uniswap, highlighting the potential for reentrancy attacks on the protocol’s Universal Router smart contract.

Uniswap’s recently launched bug bounty program has led to the discovery of a now-fixed vulnerability of the protocol’s Universal Router smart contract.

The automated market maker released two new smart contracts to its platform in November 2022. Permit2 allows token approvals to be shared and managed across different applications, while Universal Router unifies ERC-20 and nonfungible tokens (NFTs) swapping into a single swap router.

Uniswap also advertised a lucrative bug bounty program to identify potential vulnerabilities in its smart contracts towards the end of 2022 as it looked to assure the safety and efficacy of its protocol.

Smart contract security and auditing firm Dedaub announced that it had received a bug bounty after flagging a vulnerability in the Universal Router smart contract that would have allowed reentrancy to drain user funds mid-transaction.

According to Dedaub’s breakdown, the Universal Router allows users to perform diverse actions including swapping multiple tokens and NFTs in one transaction.

The router embeds a scripting language for a wide variety of token actions, which could include transfers to third party recipients. If correctly implemented, transfers would go to the recipient within specified parameters.

However, Dedaub identified a vulnerability in which third-party code was invoked during the transfer, allowing that code to re-enter the Universal Router and claim any tokens that were temporarily in the contract.

Dedaub then suggested a straightforward remedy, advising the Uniswap team to add a reentrancy lock to the core execution of the new router. Uniswap awarded the auditing firm a total of $40,000 for flagging the vulnerability. The amount included a 33% bonus for reporting the issue during Uniswap’s bonus period in November 2022.
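The lock described above, as an added example that is not from the article, Dedaub or Uniswap: a toy Python model of a router that runs a command script, where `ToyRouter`, the two recipient classes and the three script commands are all hypothetical names. It contrasts a script run without the lock against the same script run with it.

```python
# Toy model (constructed for illustration; not Uniswap's Universal Router code).
class ReentrancyError(Exception):
    """Raised when execute() is entered while it is already running."""

class ToyRouter:
    def __init__(self, locked):
        self.locked = locked       # True models the reentrancy lock on execute()
        self.executing = False
        self.held = 0              # tokens sitting in the router mid-script
        self.balances = {}         # account name -> tokens paid out

    def execute(self, caller, script):
        if self.locked and self.executing:
            raise ReentrancyError("execute() re-entered during a transfer")
        outermost = not self.executing
        self.executing = True
        snapshot = (self.held, dict(self.balances))
        try:
            for op, arg in script:
                if op == "receive":        # swap output lands in the router
                    self.held += arg
                elif op == "transfer":     # transfer that invokes recipient code
                    arg.on_received(self)
                elif op == "sweep":        # pay everything held to the caller
                    self.balances[caller] = self.balances.get(caller, 0) + self.held
                    self.held = 0
        except Exception:
            self.held, self.balances = snapshot    # model a reverted transaction
            raise
        finally:
            if outermost:
                self.executing = False

class PlainRecipient:
    def on_received(self, router):
        pass                       # well-behaved recipient: no callback logic

class ReenteringRecipient:
    def on_received(self, router):
        router.execute("recipient", [("sweep", None)])   # calls back into the router

def run_scenario(locked, recipient):
    """Return (user balance, recipient balance, reverted) for one user script."""
    router = ToyRouter(locked)
    script = [("receive", 100), ("transfer", recipient), ("sweep", None)]
    try:
        router.execute("user", script)
        reverted = False
    except ReentrancyError:
        reverted = True
    return router.balances.get("user", 0), router.balances.get("recipient", 0), reverted
```

With the lock, the re-entrant call fails and the whole script reverts, so nothing held mid-script reaches the recipient, while a script involving a well-behaved recipient completes normally.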

Uniswap classified the issue as medium severity, while further assessment deemed the vulnerability to have high impact and low likelihood. According to Dedaub, the possibility of a user sending NFTs to an untrusted recipient directly was considered user error.

More complex and less likely scenarios were considered valid for reentrancy, which resulted in Uniswap deeming the vector to have a low likelihood. Cointelegraph has reached out to Uniswap to ascertain further details of its ongoing bounty program, amounts paid out and the number of bugs identified to date.

Bug bounties have become commonplace in the cryptocurrency and blockchain space as platforms and companies look to ensure the security of their software, systems and infrastructure. 

Cryptocurrency exchange Coinbase recently clarified the terms of its bug bounty, while blockchain security firm Immunefi has facilitated over $65 million worth of bug bounties between ethical hackers and Web3 firms in 2022.

Moola Market attacker returns most of $9M looted for $500K bounty

The attacker has scored about a half-million dollar “bug bounty” after choosing to return a majority of the cryptocurrency they exploited from the Celo-based lending protocol.

An attacker has returned just over 93% of the more than $9 million worth of cryptocurrencies they exploited from the Celo (CELO) blockchain-based decentralized finance (DeFi) lending protocol Moola Market.

At around 6 p.m. UTC on Oct. 18, the Moola Market team tweeted it was investigating an incident and had paused all activity, adding it had contacted authorities and offered a bug bounty to the exploiter if funds were returned within 24 hours.

Analysis of the exploit by Web3 security company Hacken shows the attacker manipulated the price of the protocol’s low-liquidity native MOO token by initially purchasing around $45,000 worth and depositing it as collateral to borrow CELO.

The borrowed CELO, along with further CELO provided by the attacker, was then used as collateral to borrow more MOO, driving up the token’s price. The attacker continued repeating this until the MOO token price had increased by 6,400%.

With the inflated token price, the attacker was able to borrow $6.6 million worth of CELO, $1.2 million of MOO, $740,000 of Celo Euros (cEUR) and $644,000 of Celo Dollars (cUSD), all worth multiples more than their initial posted collateral, resulting in the protocol's loss of around $9.1 million.

Five hours after the initial confirmation of the exploit, Moola Market tweeted it had received just over 93% of the funds exploited, with the attacker seemingly keeping the rest and making around $500,000 as a bug bounty.

Moola Market did not immediately respond to Cointelegraph’s request for comment.

The attack draws similarities to the $117 million exploit suffered by Mango Markets on Oct. 11, in which Avraham Eisenberg and his team manipulated the price of the Solana (SOL)-based DeFi protocol’s native token to borrow cryptocurrencies with an undercollateralized backing. Eisenberg negotiated to keep $47 million as a “bounty.”

Multi-chain cryptocurrency wallet BitKeep also suffered an exploit late on Oct. 17, with an attacker making off with $1 million worth of Binance Coin (BNB) through a service used to swap tokens. BitKeep says it will fully reimburse any affected users.

The attacks are the latest in a series of exploits to have taken place in October, which has also shaped up to be the biggest month ever for hacking activity, with the total hacked value reaching around $718 million up until Oct. 12, according to analytics firm Chainalysis.
