[HN Gopher] Sei pays out $2M bug bounty
___________________________________________________________________
Sei pays out $2M bug bounty
Author : sygma
Score : 165 points
Date : 2024-06-17 19:49 UTC (3 hours ago)
(HTM) web link (usmannkhan.com)
(TXT) w3m dump (usmannkhan.com)
| dheera wrote:
| Honest question: Was the $2M figure advertised in advance? Where
| does one go about discovering bug bounties of this size?
|
| It seems like it might be worth the gamble of taking 3-6 months
| off work to discover a bug of that size.
| nailer wrote:
| > Was the $2M figure advertised in advance?
|
| https://blog.sei.io/bug-bounty/
|
| > Where does one go about discovering bug bounties of this
| size?
|
| - SECURITY.txt for individual projects.
|
| - https://immunefi.com for blockchain in general.
|
| - BugCrowd and HackerOne for wider tech.
|
| I'm an infrastructure engineer though and may not be the best
| person to answer.
|
| > It seems like it might be worth the gamble of taking 3-6
| months off work to discover a bug of that size.
|
| https://www.hackerone.com/ethical-hacker/meet-six-hackers-ma...
|
| Note: I work at a foundation for another blockchain. This
| doesn't affect anything I wrote above, just disclosing
| potential CoI.
| danielvf wrote:
| You can see lots more here:
|
| https://immunefi.com/bug-bounty/
| consumer451 wrote:
| Yes, that is actually worth it. This seems comparable to what a
| third party might pay.
|
| I have always wondered why the payouts are capped at the
| trillion dollar corps at such low figures. It appears like $75k
| max at MS and $100k max at Apple. Meanwhile shady 3rd party
| groups will pay you 10x that, won't they?
| cge wrote:
| Cryptocurrency bug bounty programs perhaps have an advantage
| in that the risks of classes of bugs are often concrete,
| financially quantifiable, immediate, and catastrophic. A bad
| RCE in a mainstream OS could do untold damage to users,
| reputational damage to the company, and so on, but even if
| severe, those risks have to be estimated. But in this case,
| for example, it seems like the $2m bounty was for a bug that,
| if exploited, would have made $1b in market cap disappear. I
| expect it's just much simpler to convince a skeptical
| businessperson when the risks are so clear.
| consumer451 wrote:
| That's a very solid point, as sad as it is.
|
| I suppose the argument for OS makers to raise their rates
| might be that they are paying 10x below market rates, and
| the rates were set by the actual freaking market that
| exists.
|
| If I was a congressional aide, I would definitely write
| something up about this when my boss was going to drag a
| Microsoft exec across the coals in public. I would imagine
| that billions in gov contracts are at risk for MS right now
| due to lax security. A $2M bug bounty could have prevented
| that.
| stevage wrote:
| I wonder if very large bounties create incentives to create
| bugs...
| consumer451 wrote:
| Oh yeah, the old cobra effect. However, you could only pull
| it off once. I am sure a postmortem of all related design
| and commits would be done, correct?
|
| Also, FAANG level salaries are pretty high for anyone
| involved with that type of code, right?
| usmannk wrote:
| It was advertised in advance, but the real gamble is on if
| they'll pay. If you go to my other blogpost linked in OP, you
| can see a case where I was owed 500k and paid 60k.
|
| You're right though that it's a lot of risk. It's not something
| that most of the leaderboard works full time on, though some of
| us do. The immunefi homepage has a list of all the bounties on
| offer.
| teyc wrote:
| Couldn't there be a smart contract for this? I've no idea
| how.
| brcmthrowaway wrote:
| I worked nearly 10 years in tech and this is all gobbledygook to
| me. That's scary.
| jerf wrote:
| On the blockchain, accounts have a certain amount of currency.
|
| You can issue a command to transfer currency from your account
| to somebody else's, as that is a primary use case of a
| cryptocurrency. There was a code path where you could send
| someone negative amounts of the currency and it would happily
| pay them a negative amount of currency and charge you a
| negative amount of currency, thus transferring their account
| balance to yours against their will.
|
| There were several transfer paths and I think not all of them
| were vulnerable, but only one has to be. There's a bit of
| indirection that made it somewhat less obvious than my
| description makes it sound, though it amounts to the same thing
| in the end.
| schoen wrote:
| > There was a code path where you could send someone negative
| amounts of the currency and it would happily pay them a
| negative amount of currency and charge you a negative amount
| of currency, thus transferring their account balance to yours
| against their will.
|
| This is a bug I remember from the Apple II game "Taipan" (in
| which you play an 1800s opium-and-silk trader in East Asia).
| You could borrow negative amounts of money from a lender who
| charges extremely high interest. As a result, the lender
| would quickly end up owing _you_ tremendous sums, without
| your having to do anything else. Wikipedia mentions this:
|
| > Note: A bug in the original game allows the player to
| overpay the moneylender, acquiring "negative debt". This
| "negative debt" will accumulate interest very quickly, and
| will count towards the player's net worth. As the game's
| vocabulary of number words ends at "trillion", this can cause
| the game to display garbage instead of the player's correct
| net worth. This has been fixed in the online "for browsers"
| version of the game.
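The negative-amount transfer that jerf describes above and the Taipan "negative debt" in the quote just above are the same failure: the amount is a signed value, and the code only checks one side of it. The Go program below is an added example, not Sei's code, the game's code, or anything from the linked write-up. It uses a hypothetical in-memory Ledger with constructed balances to show the unchecked transfer beside a checked one, plus the audit property a reviewer or fuzzer should assert after every transfer (only the signer's balance may go down).

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Ledger is a toy in-memory account map constructed for this example. It is
// hypothetical and is not Sei's code; it only reproduces the pattern the
// thread describes.
type Ledger struct {
	balances map[string]int64
}

// NewLedger copies the constructed starting balances into a fresh ledger.
func NewLedger(initial map[string]int64) *Ledger {
	l := &Ledger{balances: map[string]int64{}}
	for k, v := range initial {
		l.balances[k] = v
	}
	return l
}

// Balance returns an account's current balance (zero for unknown accounts).
func (l *Ledger) Balance(acct string) int64 { return l.balances[acct] }

// Snapshot copies balances so an audit can diff before/after a call.
func (l *Ledger) Snapshot() map[string]int64 {
	out := make(map[string]int64, len(l.balances))
	for k, v := range l.balances {
		out[k] = v
	}
	return out
}

// TransferUnchecked is the buggy shape: the only guard is "sender must not
// go below zero", which a negative amount passes trivially. The debit then
// adds |amount| to the sender and the credit removes |amount| from the
// receiver, moving the receiver's funds to the sender.
func (l *Ledger) TransferUnchecked(from, to string, amount int64) error {
	if l.balances[from]-amount < 0 {
		return errors.New("insufficient funds")
	}
	l.balances[from] -= amount
	l.balances[to] += amount
	return nil
}

// TransferChecked is the hardened form: reject non-positive amounts up
// front, then check funds, then guard the credit against overflow.
func (l *Ledger) TransferChecked(from, to string, amount int64) error {
	if amount <= 0 {
		return errors.New("amount must be positive")
	}
	if l.balances[from] < amount {
		return errors.New("insufficient funds")
	}
	if l.balances[to] > math.MaxInt64-amount {
		return errors.New("receiver balance would overflow")
	}
	l.balances[from] -= amount
	l.balances[to] += amount
	return nil
}

// ViolatesOwnerOnlyDebit is the property an auditor or fuzzer should check
// after every transfer: only the signing account may lose balance. Note
// that total supply is conserved even by the buggy path, so a
// supply-conservation invariant alone would not have caught it.
func ViolatesOwnerOnlyDebit(before, after map[string]int64, signer string) bool {
	for acct, old := range before {
		if acct != signer && after[acct] < old {
			return true
		}
	}
	return false
}

func main() {
	// Constructed balances: alice signs a transfer of -900 to bob.
	l := NewLedger(map[string]int64{"alice": 100, "bob": 1000})
	before := l.Snapshot()
	_ = l.TransferUnchecked("alice", "bob", -900)
	fmt.Println("unchecked:", l.Balance("alice"), l.Balance("bob"),
		"violation:", ViolatesOwnerOnlyDebit(before, l.Snapshot(), "alice"))

	l2 := NewLedger(map[string]int64{"alice": 100, "bob": 1000})
	err := l2.TransferChecked("alice", "bob", -900)
	fmt.Println("checked:", err, l2.Balance("alice"), l2.Balance("bob"))
}
```

The audit function is the part worth carrying into a real code base: a "sum of balances is unchanged" invariant passes on the buggy path, because the negative debit and negative credit cancel, so the test has to be phrased per account and per signer.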
| pennybanks wrote:
| It really shouldn't be referred to as currency as a whole
| anymore.
|
| Well, I guess anything can be a currency, but it's too
| misleading, even though that was by design.
|
| If it's designed to be a stock then it should be called so. Poker
| chips? In-game currency? Money laundering token? Reward
| points? Purchase receipt? JPEG? Just think it would help.
| nailer wrote:
| 'Token' is the generic term people have settled on.
| 'Currency' is rare.
|
| A stock would be a 'tokenized equity', in the same way
| there's 'tokenised real estate', 'tokenised metals',
| 'tokenised bonds', whatever the real world asset is.
|
| 'In-game currency' is indeed used by gaming people, since
| that was their term from before blockchain.
| __jonas wrote:
| Not scary at all! The nice thing about blockchain stuff is that
| you can safely ignore it and it will have absolutely zero
| impact on your life now or at any point in the future.
| hoten wrote:
| Unless you're a security researcher, in which case by
| ignoring blockchain you may be missing out on some juicy
| bounties.
| brcmthrowaway wrote:
| Could suddenly come into the picture like LLMs
| theragra wrote:
| Not true. My father (71) was always the same, anti-bitcoin
| etc. Until he needed to pay for online TV (don't ask, but it
| was impossible to pay with a card).
| Vegenoid wrote:
| "Online TV" that requires payment in crypto, and doesn't
| take card... without more info, it's pretty safe to assume
| that service is not provided legally.
| danielvf wrote:
| The bounties in crypto are so big because the math is so clear on
| the cost vs benefits of the bounties. Paying two million to avoid
| losing a billion is not a bad deal. And there just aren't enough
| security people yet that market forces have commoditized bounty
| finding.
|
| Good companies use bounties as yet another security layer - after
| doing everything else, add a bug bounty!
|
| Almost all crypto bug bounties run through Immunefi. [1] There
| are lots of > one million dollar bounties. You can see SEI's
| current bounty page here.[2] The company I work for (a different
| company) has a one million dollar bounty listed on
| immunefi.com and a median response time of six hours.
|
| [1] https://immunefi.com/bug-bounty/
|
| [2] https://immunefi.com/bug-bounty/sei/
| strictnein wrote:
| Everything in Crypto (for both meanings of the word) has a
| built in bug bounty. It's just whether or not the companies
| want to take part in it.
| j0hnyl wrote:
| You could say that about anything that is critical.
| wepple wrote:
| Not really - a bug bounty gives you some type of currency.
|
| Jacking a database and trying to sell it on a DLS or dark
| web is a massive process.
| tptacek wrote:
| No, you can't.
| yieldcrv wrote:
| > And there just aren't enough security people yet that market
| forces have commoditized bounty finding.
|
| I have the opposite conclusion there, crypto organization
| sponsored bug bounties are far more accurately valued than Web
| 2.0's arbitrary adversarial bug bounties, and have attracted
| tons of developer talent to crypto bug bounties and the crypto
| ecosystem as a whole.
| j0hnyl wrote:
| Crypto bug bounties require specialized low level knowledge.
| Web 2 pentesting is akin to a qa checklist. Imo op is right
| that web2 bounties are commoditized.
| wslh wrote:
| The problem is that at a certain level of TVL you cannot scale
| your security measures [1]. So, no silver bullet to security in
| crypto.
|
| [1] https://bittrap.com/resources/defis-growing-pains:-as-tvl-
| ra...
| malux85 wrote:
| Did they get paid 2M in USD, or did they get paid 2M in magic-
| bean tokens, where there is so little market depth that selling
| 30k of it would tank the market, so they will have to bleed it
| out slowly and hope the price doesn't tank before they exit?
| danielvf wrote:
| [I was wrong, see below]
| usmannk wrote:
| This one was actually USDC! Regulated, unmagic, dollar-backed
| beans.
| pennybanks wrote:
| congrats. take your mama out for a nice dinner. get some
| flowers as well you know she deserves it
| nobrains wrote:
| $8,333 monthly on a 5% return. Congrats!
| bangaladore wrote:
| Magic-bean tokens. I think most on that bug-bounty site are
| done like that.
| bangaladore wrote:
| Regarding the downvotes, the company says the below in their
| Immunefi page. It seems (as the OP responded) that they paid
| out differently in this case. I am unsure why that happened
| or if the page is outdated.
|
| "Payouts are handled by the Sei Foundation team directly and
| are denominated in USD. However, payments are done in SEI."
| [1]
|
| The other part of my comment is correct according to the
| various Immunefi listings. Again, I could be incorrect if
| they do something differently behind closed doors.
|
| [1] https://immunefi.com/bug-bounty/sei/
| zEddSH wrote:
| Daily volume is > $100m, there's liquidity and the payout
| is pegged to USD so trade quick and run.
|
| But OP was paid in USD anyway.
| bangaladore wrote:
| Sure, but we are talking about a token that (almost) had
| a bug that allowed people to steal from cold-wallets. No
| amount of fancy words makes that concern go away.
| usmannk wrote:
| Projects are free to change their terms and the page you
| link has been updated since I submitted my reports. The
| maximum was lowered to $1M and payment currency changed
| from USDC to SEI.
| ohy wrote:
| For anyone to whom it seems surprising, that's actually rather small,
| considering hacks can end up in an irreversible $100M+ transfer
| to the malicious party.
|
| You can check Immunefi's Bounty-Board for reference, currently
| paying up to $15M per find.
|
| Another good source is rekt.news, which creates post-mortems about
| all the DeFi hacks and has its own leaderboard, $624M for #1.
| crest wrote:
| Sure, but you get to enjoy your bounty payout. Having $2M
| legally vs. having to become a money launderer?
| usmannk wrote:
| Right, yeah. I estimated that a savvy attacker might have
| been able to get out with 50 or even 100m from this, but they
| would also go to jail. So...
| Sephr wrote:
| What sort of crime are you envisioning that exploiting this
| would fall under? It's not always fraud to satisfy a poorly
| written contract, although that is commonly the case.
| avarun wrote:
| Everything is wire fraud / securities fraud
| usmannk wrote:
| Wire fraud, at minimum. This would constitute direct
| theft. Very similar cases have been tried and convicted
| several times now.
| htthbjk wrote:
| Despite what many programmers think, code is not law.
|
| Just like a bug in a smart lock does not allow you to
| enter a house because "you were allowed in".
| 0cf8612b2e1e wrote:
| Not so sure it is that clear cut. A few infamous stories of
| bug bounties not getting paid, even for trivial amounts.
|
| So it is $2 million x probability payment vs $100 million x
| probability escape without getting caught.
|
| Even with the threat of non-payment, not sure I could ever
| feel at ease with a multimillion bounty hanging over my head.
| l33t7332273 wrote:
| I think there is another factor: some people would pay
| every penny they have to not go to prison for a meaningful
| length of time.
| Vegenoid wrote:
| Yeah, I think stealing that kind of money pretty much
| guarantees that you'll need to be paranoid for the rest of
| your life. I wouldn't take that for any amount.
| htthbjk wrote:
| People keep saying that, but not even one case is
| documented.
|
| These chains are created by startups with VC money; they
| are not going to hire hitmen.
| 0cf8612b2e1e wrote:
| North Korea might. Silk Road went under due to attempting
| to hire one.
|
| The more likely concern is that someone will sell you out
| to any of the numerous governments who feel you wronged
| them. Leading to decades of life in prison.
| Sephr wrote:
| Taking advantage of bad contracts can be legal depending on
| various nuanced circumstances. If the potential payout is
| lucrative, then it makes sense to consult with legal counsel
| first.
|
| I am not making a judgement about this specific case.
| jaundicedave wrote:
| tell that to avraham eisenberg
| https://www.axios.com/2024/04/18/avi-eisenberg-convicted-
| cry...
| Sephr wrote:
| That person committed fraud. My point wasn't even about
| cryptocurrency or DeFi.
|
| Here's a simplified hypothetical example to help you
| understand the legal nuance: I offer all of my money to
| the first person that can solve 5x5, and I errantly
| believe that it's a difficult problem to solve.
| Vegenoid wrote:
| Can you provide a more real-world example? I don't
| understand what point you are making, if it isn't about
| making money via cryptocurrency. When you say "bad
| contracts", I assume you are talking about smart
| contracts. Is that not the case?
| bcherny wrote:
| Cool writeup! This has got to be one of the biggest security
| bounties ever paid out, right?
| usmannk wrote:
| It's up there but not singularly so. Twice there have been
| $10M! You can see the leaderboard where the majority of crypto
| bounties are represented here
| (https://immunefi.com/leaderboard/) but you have to search
| around for the actual reports.
| usmannk wrote:
| Hey OP here, thanks for posting. Happy to answer any questions.
| teschmitt wrote:
| What are you doing with all that dough?
| ayewo wrote:
| 1. For the 2nd issue you found, was the amount you redeemed
| after being paid really up to $2m USD?
|
| 2. From your other comments elsewhere in this thread, it sounds
| like you are a full-time bounty hunter, correct?
| usmannk wrote:
| 1. Yes, they sent me 2,000,000 USDC.
|
| 2. Well, I'm currently not employed full time and I do spend
| a lot of time bounty hunting. But I mix it in with other
| things as well, like competitive security reviews on
| https://sherlock.xyz or https://cantina.xyz and private
| contracted security reviews.
| ayewo wrote:
| > .. . and private contracted security reviews.
|
| How do you find those? Or does this type of work find you based
| on your activity on competitive security review sites?
| usmannk wrote:
| Typically networking. I spent some time working at a
| reputable firm in this space as well.
|
| One way to do this is to show some chops on the
| competition sites and then move to one of the organized
| freelance firms like Spearbit or yAudit. In doing all of
| these things you'll inevitably meet more people, build a
| specialty, get some reputation, etc.
| kubb wrote:
| Congrats on your skills, enjoy not having to work on things you
| aren't passionate about.
| y-curious wrote:
| Did you have to specify that it was a critical bug or haggle
| with them? On the immunefi site, their max bounty is set at $1M
| but you clearly got 2x that.
| danielvf wrote:
| The project changed to a 1 million dollar bounty after
| usmannk's report on May 18th.
|
| There's an unofficial project that tracks bounty programs,
| you can see the change here: https://github.com/infosec-us-
| team/Immunefi-Bug-Bounty-Progr...
| rvz wrote:
| See. These crypto bounties pay as much or even more than big tech
| bug bounties.
|
| This bounty prize is the equivalent of finding a Chrome zero day
| bug or an iPhone zero day RCE jailbreak. There are lots of >$1M
| bug bounties in crypto.
|
| The question is, would you rather target Chrome/Safari or iPhones
| and find and chain-up 5 - 10 zero days for $1M+ or target crypto
| projects instead for $2M per project?
|
| You're _really_ missing out.
| yao420 wrote:
| I'm not a crypto hater (I used to work security at coinbase)
| but I think that while a chrome or iPhone zeroday might be
| worth less in bug bounty it's worth more for a security
| engineer's career long term.
|
| Having the iPhone bug and the accompanying conference talk and
| blog post will allow you to get hired by nearly any good security
| or tech company. No one cares about blockchain bugs except
| other crypto companies. When I and a bunch of other coinbase
| engineers were looking for jobs we were looked down at for even
| working in crypto. And we weren't even on the blockchain team!
| Just regular engineers.
|
| I myself have dedicated a couple of months to testing gnosis
| and curve that each have $2 million bounties but turned up
| short. Last year I switched to ML-based fuzzing research and
| was able to speak at DEF CON and got crazy offers after
| publication.
| zEddSH wrote:
| Can you share more about ML based fuzzing? I do pretty basic
| fuzzing and that's been pretty useful at work for testing,
| and am keen to learn about better more modern approaches than
| mine!
| digital_sawzall wrote:
| Fuzzing is a massive field now. I don't know what you are
| doing specifically but this is a collection of good related
| papers: https://github.com/wcventure/FuzzingPaper.
|
| I would find what is most like your problem domain and dig
| in :).
| zEddSH wrote:
| I've been doing the simplest possible things to URL
| parameters and POST bodies but even that's been
| effective! Thanks for the link!
| tptacek wrote:
| Serious Chrome and iPhone bug chains can be worth this much
| on the market, but the amount of engineering effort that goes
| into supporting that kind of pricing (across all the buyers,
| aggregated) is extreme. The subthread that unfolds from this
| comment is about fuzzing, but _finding_ a vulnerability is a
| small part of actually selling it on the market.
|
| Vendor bounties for these kinds of vulnerabilities are going
| to tend to be sharply lower than this crypto bounty, which
| was for a directly monetizable vulnerability. But there's a
| lot going into that vendor bounty price point.
| 4hg4ufxhy wrote:
| I was impressed by the fast payouts. I almost couldn't believe
| how easy the second one was going to be, but it turned out a bit
| trickier than I thought. No wonder it flew under the radar.
___________________________________________________________________
(page generated 2024-06-17 23:00 UTC)