bug bounty

Mango Markets hacker proposes steep settlement

The Solana DeFi protocol suffered a $117 million exploit on Oct. 11, and the hacker wants 70M USDC in "bug bounty."

On Oct. , one day after $117 million was drained from Solana DeFi platform Mango Markets via a price feed exploit, the hacker responsible for the attack demanded a settlement. The proposal was filed on the Mango Markets decentralized autonomous organization (DAO) governance forum. 

If passed, the procedure would involve the hacker sending stolen Mango Markets (MNGO), Solana (SOL), and Marinade Staked SOL tokens to an address provided by the Mango DAO team. Users without bad debt will be remade whole. However, the hacker demands that any bad debt will be viewed as a bug bounty and insurance, to be paid out via the community treasury worth 70 million USD Coin (USDC).

Adding insult to injury, the hacker has voted for this proposal using millions of tokens stolen in the exploit. However, the proposal has not yet reached the quorum required to pass. In exchange for the settlement, the hacker requests that users who vote in favor of the proposal agree to pay the bounty, pay off the bad debt with the treasury, waive any potential claims against accounts with bad debt, and not pursue any criminal investigations or freezing of funds.

Reactions were, unsurprisingly, overwhelmingly negative, with one user writing:

"You're disgusting. What you did is wrong in every way possible. The responsible thing to do would have been to disclose the vulnerability to the team, NOT EXPLOIT IT. I hope the law enforcement community shows you ZERO MERCY."

Despite the tragic exploit, losses may be lower than previously estimated. For example, Solana stablecoin protocol UXD said that it had a total exposure of $20 million in Mango Markets. However, its insurance fund contains more than $53.5 million in assets and would be more than enough to cover the losses. The vote on the hacker's proposal is ongoing at the time of publication.

Analytics Firm Issues Cardano Warning, Sees ADA Flashing Bearish Signals After 200% Rise This Month

$100M drained from Solana DeFi platform Mango Markets, token plunges 52%

The platform’s treasury was drained of over $100 million worth of cryptocurrency after an attacker manipulated price data of its native token to take out loans against their holdings.

Solana (SOL) based decentralized finance (DeFi) exchange Mango Markets has been hit with a reported exploit of over $100 million through an attacker manipulating price oracle data, allowing them to take out under-collateralized cryptocurrency loans.

The exploit was first identified by blockchain security firm OtterSec which tweeted the exchange had been drained of over $100 million due to the attacker manipulating the value of their Mango (MNGO) native token collateral, then taking out “massive loans” from Mango’s treasury.

The Mango Markets team tweeted soon after warning users not to deposit funds until “the situation was more clear” and asked the attacker to contact them to discuss a bug bounty.

The team later confirmed the manipulation of a price oracle — a price data feed of the value of its MNGO token — and stated that it had disabled deposits whilst it continued investigations of the incident.

Due to news of the exploit, the price of the platform’s MNGO token has fallen by around 52% in the last 24 hours at the time of writing, according to data from CoinGecko.

Related: TempleDAO exploit results in $2M loss

The exploiters' account on the platform shows the three largest withdrawals were for $50 million worth of USD Coin (USDC), over $26.7 million worth of a Solana staking token called Marinade Staked SOL (mSOL), and nearly $24 million worth of SOL.

Over $14.7 million worth of MNGO was withdrawn and Mango said it’s “taking steps to have third parties freeze funds in flight.”

Meanwhile, the QANplatform blockchain also suffered an exploit of its own on Oct. 11, with its Ethereum (ETH) bridge drained of around $1.89 million worth of its native QANX token, according to blockchain security company Beosin. QANplatform says it’s investigating the incident.


White hat finds huge vulnerability in ETH to Arbitrum bridge: Wen max bounty?

The ethical exploiter thanked Arbitrum for the 400 ETH payday, but said such a find should be eligible for the max bounty of nearly 1,500 ETH, or $2 million.

A self-described white hat hacker has uncovered a “multi-million dollar vulnerability” in the bridge linking Ethereum and Arbitrum Nitro and received a 400 Ether (ETH) bounty for their find.

Known as riptide on Twitter, the hacker described the exploit as the use of an initializing function to set their own bridge address, which would hijack all incoming ETH deposits from those trying to bridge funds from Ethereum to Arbitrum Nitro.

Riptide explained the exploit in a Medium post on Sept. 20:

“We could either selectively target large ETH deposits to remain undetected for a longer period of time, siphon up every single deposit that comes through the bridge, or wait and just front-run the next massive ETH deposit.”

The hack could potentially have netted tens or even hundreds of millions of dollars worth of ETH, as the largest deposit riptide recorded in the inbox was 168,000 ETH, worth over $225 million, and typical deposits ranged from 1,000 to 5,000 ETH in a 24-hour period, worth between $1.34 million and $6.7 million.

Despite the earning potential from the ill-gotten gains, riptide was thankful that the “extremely based Arbitrum team” provided a 400 ETH bounty, worth over $536,500. However, they added later on Twitter that such a find “should be eligible for a max bounty,” which is worth $2 million.

Neither Arbitrum nor its creator company OffChain Labs have publicly commented on the exploit. Cointelegraph contacted OffChain Labs for comment but did not immediately hear back.

Related: ETHW confirms contract vulnerability exploit, dismisses replay attack claims

Arbitrum is a layer-2 Optimistic Rollup solution for Ethereum, clustering batches of transactions before submitting them to the Ethereum network in an effort to minimize network congestion and save on fees. Arbitrum Nitro launched on Aug. 31, an upgrade aimed at simplifying communication between Arbitrum and Ethereum as well as increasing its transaction throughput at lower fees.

Similar style bridge hacks have been successful for exploiters this year, notably the $100 million stolen from the Horizon Bridge in June and the recent Nomad token bridge incident in August which saw $190 million drained by the original and “copycat” hackers repeating the exploit.


Bug bounty quadruples for Ethereum network — Up to $1M payouts ahead of Merge

According to the Ethereum Foundation, identifying “critical bugs” — those that have a high impact or likelihood of a high impact on the blockchain — will be worth up to $1 million.

The Ethereum Foundation has announced it will be increasing the network’s bug bounty payouts fourfold ahead of the blockchain’s transition to proof-of-stake.

In a Wednesday blog post, the Ethereum Foundation said between Aug. 24 and Sept. 8, all “Merge-related bounties for vulnerabilities” will be quadrupled for white hats testing the network. According to the foundation, identifying “critical bugs” — those that have a high impact or likelihood of a high impact on the blockchain — will be worth up to $1 million. The bounty program also allows submissions for low, medium and high-risk bugs.

As part of the transition to proof-of-stake, the foundation said the Ethereum Network “must first be activated on the Beacon Chain with the Bellatrix upgrade,” an event expected to happen on Sept. 6, with the Merge likely following between Sept. 10 and 20. Core developers previously announced a tentative Merge date of Sept. 15 when the Total Terminal Difficulty, or TTD — the difficulty of the final mined block — will trigger the end of proof-of-work and the start of proof-of-stake.

“The incremental difficulty added per block is dependent on the network hash rate, which is volatile,” said the foundation. “If more hash rate joins the network, TTD will be reached sooner. Similarly, if hash rate leaves the network, TTD will be reached later."

Source: Ethereum Foundation

The foundation added that Ether (ETH) holders and users largely did not need to take any action prior to the Merge other than to “be on the lookout for scams.” Mining will no longer be possible following the transition, while stakers and node operators will both need to run an execution layer client, with the latter doing so with a consensus layer client.

In July 2020, the Ethereum Foundation announced it had launched public “attack networks” for Ethereum 2.0 for white hats to attempt to exploit potential issues in the clients, offering a $5,000 bounty at the time. However, in August 2021, a vulnerability affecting earlier versions of one of Ethereum's software clients, Geth, caused more than half the network’s nodes to split. The Merge will require the latest version of Geth as an execution client.

Related: MakerDAO launches biggest ever bug bounty with $10M reward

Other projects have offered up to $1 million or more in bug bounties aimed at finding exploits resulting in the theft or risk of losing millions, as Sky Mavis did in April 2022 following a $600-million hack on the Ronin Network. In June, Ethereum bridging and scaling solution Aurora paid a $6-million bounty to a white hat hacker who discovered a critical bug.


Cardano Foundation Doubles Reward Offered to Hackers for Uncovering Bugs on Its Blockchain

The Cardano Foundation recently said it has doubled the payout offered to hackers and bounty hunters that identify bugs or vulnerabilities within the Cardano blockchain. The foundation said the six-week promotion, which runs until March 25, 2022, is part of an ongoing attempt to keep “its businesses and customers safe.”

Strengthening the Cardano Brand

The […]


iOS jailbreak dev wins $2M bounty for finding critical Optimism bug

Ethereum scaling startup Optimism disclosed a “critical bug” fix in the project’s Geth fork that would have allowed malicious hackers to create infinite ETH

Developers from the Ethereum Layer 2 scaling project Optimism announced that a “critical bug” had been identified and subsequently patched earlier this month.

The bug, which could have enabled hackers to create as much ‘ETH’ in an Optimism account balance as they wished, was first discovered by white hat hacker and iOS jailbreak software Cydia developer Jay Freeman.

In a deep-dive blog post, Freeman explained that the bug “would allow an attacker to replicate money on any chain using their ‘OVM 2.0’ fork of go-ethereum”. For his efforts Freeman was awarded one of the largest bug bounties to date, netting a total reward amount of $2,000,042.

According to the Optimism team, “The bug made it possible to create ETH on Optimism by repeatedly triggering the SELFDESTRUCT opcode on a contract that held an ETH balance.”

In a blog post, the Optimism team noted that its chain history showed that the bug had not been exploited, except for an accidental activation by a staffer at Ethereum data startup Etherscan, but “no usable excess was generated.”

“A fix for the issue was tested and deployed to Optimism’s Kovan and Mainnet networks (including all infrastructure providers) within hours of confirmation,” the team said, thanking Infura, QuickNode, and Alchemy for their fast response times.

“We also alerted multiple vulnerable Optimism forks and bridge providers to the presence of the issue. These projects have all applied the required fix.”

Late last year Optimism removed its whitelist, allowing any developer to start building projects on the Optimism network. Prior to this, the network was only accessible to specific projects such as Uniswap and Synthetix. This limitation made it easier for developers to detect and resolve potential bugs.

Related: MakerDAO launches biggest ever bug bounty with $10M reward

Optimism is a Layer 2 scaling solution for the Ethereum network, employing “optimistic rollups” that aggregate transactions outside of the Ethereum blockchain.

This provides the benefits of reducing slippage, decreasing transaction costs and vastly improving transaction speeds. However, as this bug has made clear, while Layer 2 protocols offer improvements in efficiency, security during ongoing development remains a common point of concern.

While this bounty is one the largest to have been paid out so far, MakerDAO has just announced that it will be offering a maximum bounty of $10M to anyone who can point out critical security threats in its smart contracts. This is the largest series of bug bounties ever to have been hosted on bug bounty platform Immunefi.


MakerDAO launches biggest ever bug bounty with $10M reward

Immunefi’s largest bug bounty to date aims to help MakerDAO pinpoint potential vulnerabilities in its smart contracts and apps to prevent monetary losses.

MakerDAO has announced that it will begin offering a maximum of $10 million bounty to white hat hackers and cybersecurity specialists who point out legitimate security threats in its smart contracts.

Maker’s (MAKER) plan to front-run attacks on its smart contracts is the largest ever on the bug bounty platform Immunefi. In fact, if someone claimed the lot, it would equal the total amount of $10 million that Immunefi has paid out to date from active and inactive events. Its website claims the bugs found have averted up to $20 billion in damages from hacks.

Whitehat hackers stand to gain payouts ranging from $1,000 for low-level vulnerabilities through to a maximum of $10 million for critical issues found in Maker’s smart contracts and apps. The payouts will be made in DAI stablecoins. The next largest bug bounty on Immunefi is a $3.3 million bounty from Olympus DAO.

MakerDAO is the community that governs how DAI is collateralized and spent from Maker’s treasury. DAI is currently the fifth largest stablecoin with a $9.7 billion market cap according to CoinGecko.

The Maker Foundation had previously controlled aspects of governance on Maker before its CEO and founder Rune Christensen announced the dissolution of the foundation in July 2021, making the DAO “fully self-sufficient”.

Immunefi co-founder Travin Keith said in a Feb. 11 statement,

“We’re glad to announce one of the key pillars of our mandate, which is to launch and maintain a bug bounty program that will help MakerDAO ensure its safety.”

This new bug bounty comes at a time when smart contract exploits appear to be on the increase with hundreds of millions of dollars in losses over the past two weeks alone. Yesterday, hackers withdrew over $10 million from Dego Finance through a smart contract exploit.

Related: ImmuneFi report $10B in DeFi hacks and losses across 2021

On Feb. 7, token bridge Meter.io’s smart contracts were hacked, causing $4.4 million in losses. On Feb. 2, the Wormhole token bridge’s smart contracts on Solana (SOL) were exploited to the tune of $321 million, which is the largest single loss in a hack so far this year.


Aave Launches Web3, Smart Contracts-Based Social Media Platform Built on Polygon

The decentralized finance (defi) lending platform Aave has revealed the launch of a Web3 social media platform called the Lens Protocol. According to the team, Lens is a “Web3, smart contracts-based social graph” that is built using the Polygon blockchain.

Defi Project Aave Drops the Lens Protocol, Platform’s Intent Is to ‘Empower Creators to Own […]


Polygon pays $2M bounty on bug which could have compromised $850M in user funds

The white hat hacker speculated that the bug might have been created from "using someone else’s code and not having a 100% understanding of what it does."

White hat hacker Gerhard Wagner has earned $2 million after reporting a solution to a potentially costly “double-spend” bug on the Polygon network.

According to an Oct. 21 blog post from Immunefi, a security service that helps facilitate bug reports in decentralized finance projects, Polygon network’s Plasma Bridge was at risk of having $850 million removed by a knowledgeable hacker. According to the project, the vulnerability would have allowed attackers to exit their burn transaction from the bridge up to 223 times, quickly turning an amount like $4,500 into $1 million in profit.

Immunefi reported the double-spend exploit worked by first depositing Ether (ETH) through the Plasma Bridge and starting the withdrawal process after the transaction was confirmed. A hacker could then wait a week and resubmit the same withdrawals with the exception of "a modified first byte of the branch mask." Provided the hacker was able to begin with $3.8 million, they could have potentially depleted all $850 million in funds from the bridge’s deposit manager at the time.
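As an added illustration (not Polygon's code, and a deliberately simplified model rather than the actual Plasma contracts), the following Python sketch shows why deriving an exit's uniqueness key from an unvalidated field lets the same withdrawal be resubmitted: the toy proof verifier consults only the path bits of the branch mask, so a mask with a changed unused byte still verifies, while the vulnerable manager keys processed exits on the raw mask; the hardened variant rejects masks with bits beyond the proof depth. The tree, names and amounts are constructed for the example.

```python
import hashlib

def h(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def verify_proof(leaf: bytes, branch_mask: int, siblings: list, root: bytes) -> bool:
    """Toy Merkle inclusion proof. Bit i of branch_mask says whether the node at
    depth i is a right child. Only len(siblings) bits are consulted; higher bits
    are ignored, modelling a verifier that never validates the unused part of the
    mask (an assumption of this sketch, not a statement about Polygon's verifier)."""
    node = h(leaf)
    for i, sib in enumerate(siblings):
        node = h(sib + node) if (branch_mask >> i) & 1 else h(node + sib)
    return node == root

class VulnerableWithdrawManager:
    """Dedup key includes the raw mask, so a mask with a changed unused byte is 'new'."""
    def __init__(self, root: bytes):
        self.root, self.exits, self.paid = root, set(), 0

    def start_exit(self, burn_tx: bytes, branch_mask: int, siblings: list, amount: int) -> bool:
        if not verify_proof(burn_tx, branch_mask, siblings, self.root):
            return False
        exit_id = h(burn_tx + branch_mask.to_bytes(32, "big"))
        if exit_id in self.exits:          # replay check on a non-canonical key
            return False
        self.exits.add(exit_id)
        self.paid += amount
        return True

class FixedWithdrawManager(VulnerableWithdrawManager):
    """Hardened: reject any mask bits beyond the proof depth before deriving the exit id,
    so every accepted mask is canonical and the dedup key is unique per burn."""
    def start_exit(self, burn_tx, branch_mask, siblings, amount):
        if branch_mask >> len(siblings):   # unused high bits set: non-canonical mask
            return False
        return super().start_exit(burn_tx, branch_mask, siblings, amount)

def build_demo():
    # Constructed 4-leaf tree; leaf 0 is the burn being withdrawn (left, left -> mask 0).
    lv = [h(x) for x in [b"burn:alice:1000", b"burn:bob:5", b"tx3", b"tx4"]]
    n01, n23 = h(lv[0] + lv[1]), h(lv[2] + lv[3])
    return h(n01 + n23), b"burn:alice:1000", [lv[1], n23], 0

def replay_count(manager_cls) -> int:
    """Resubmit one withdrawal with four different values in the mask's first byte
    and count how many the manager pays out (1 is the correct answer)."""
    root, burn_tx, siblings, mask = build_demo()
    m = manager_cls(root)
    return sum(m.start_exit(burn_tx, mask | (b << 248), siblings, 1000) for b in range(4))

if __name__ == "__main__":
    print("vulnerable payouts:", replay_count(VulnerableWithdrawManager))
    print("fixed payouts:     ", replay_count(FixedWithdrawManager))
```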

Polygon agreed to pay its maximum amount for a bug bounty report — $2 million — following Wagner’s initial report on Oct. 5. According to the platform, the fix has already been deployed on the mainnet after testing, Wagner has received the funds, claimed to be “the highest bounty ever paid out in history,” and no user funds were lost to the exploit.

Wagner speculated on his Medium page that the bug might be due to “using someone else’s code and not having a 100% understanding of what it does.” He added the solution was “not very elegant” but did fix the double-spend exploit.

Related: White hat hacker paid DeFi’s largest reported bounty fee

Before this latest $2 million payout, the largest bounty for a white hat hacker had gone to programmer Alexander Schlindwein, who in September discovered a vulnerability in Belt Finance’s protocol and was awarded $1.05 million. However, the U.S. Department of State may topple that record if a hacker is able to pass on information on terrorist suspects, extremists and state-sponsored hackers — the government said it would be offering rewards of up to $10 million.


Binance Smart Chain Creates a $10 Million Bug Bounty Fund to Tighten Protocol Security

The Binance Smart Chain has launched a $10 million bug bounty fund for projects building on top of the protocol, called “Priority One.” The initiative aims to keep the blockchain network secure by encouraging bug bounty hunters and ethical hackers.

Binance Smart Chain Reveals $10 Million Bug Bounty Fund ‘Priority One’

Security experts and bug […]
