The Price of Being Earnest with Smart Contract Security

Author: Ariel Waissbein
Senior Researcher

Loss of funds is happening, oftentimes as an accident, other times as a result of direct action.
After a loss, victims may attempt to negotiate for these funds to be returned. This then poses the following question. What is a fair reward for returning currency?

Someone stole cryptocurrency worth 610 million US dollars from the Poly Network because “hacking is fun,” and, weeks later, after negotiations with Poly Network’s management, returned all of the stolen funds. Poly Network allows crypto protocols to interoperate:

Poly Network works by facilitating exchange between several blockchains as users trade one cryptocurrency for another, such as trading Bitcoin for Ether. Currently, Poly Network implements interoperability between 11 heterogeneous chains including Bitcoin, Ethereum and so on. (see Wikipedia).

Poly Network claims (here) that the stolen crypto (ETH, USDT, DOGE, BNB, WBTC) was restored to users and contracts. The anonymous hacker who performed the multimillion-dollar transfer said he had done it, basically, to raise awareness of the problem, and published on the Ethereum blockchain the message reproduced verbatim below.

Q & A, PART ONE:

Q: WHY HACKING?
A: FOR FUN :)

Q: WHY POLY NETWORK?
A: CROSS CHAIN HACKING IS HOT

Q: WHY TRANSFERRING TOKENS?
A: TO KEEP IT SAFE.

WHEN SPOTTING THE BUG, I HAD A MIXED FEELING. ASK YOURSELF WHAT TO DO HAD YOU FACING SO MUCH FORTUNE. ASKING THE PROJECT TEAM POLITELY SO THAT THEY CAN FIX IT? ANYONE COULD BE THE TRAITOR GIVEN ONE BILLION! I CAN TRUST NOBODY! THE ONLY SOLUTION I CAN COME UP WITH IS SAVING IT IN A _TRUSTED_ ACCOUNT WHILE KEEPING MYSELF _ANONYMOUS_ AND _SAFE_.

NOW EVERYONE SMELLS A SENSE OF CONSPIRACY. INSIDER? NOT ME, BUT WHO KNOWS? I TAKE THE RESPONSIBILITY TO EXPOSE THE VULNERABILITY BEFORE ANY INSIDERS HIDING AND EXPLOITING IT!

Q: WHY SO SOPHISTICATED?
A: THE POLY NETWORK IS DECENT SYSTEM. IT'S ONE OF THE MOST CHALLENGING ATTACKS THAT A HACKER CAN ENJOY. AND I HAD TO BE QUICK TO BEAT ANY INSIDERS OR HACKERS, I TOOK IT AS A BONUS CHALL :)

Q: ARE YOU EXPOSED?
A: NO. NEVER. I UNDERSTOOD THE RISK OF EXPOSING MYSELF EVEN IF I DON'T DO EVIL. SO I USED TEMPORARY EMAIL, IP OR _SO CALLED_ FINGERPRINT, WHICH WERE UNTRACEABLE. I PREFER TO STAY IN THE DARK AND SAVE THE WORLD.

News outlets and public opinion have analyzed the event from different perspectives (see, for example, the coverage by BBC, The Guardian and Coindesk).

Another event occurred a few weeks ago, at Compound. Compound is a DeFi protocol; the company characterizes it as “an algorithmic, autonomous interest rate protocol built for developers, to unlock a universe of open financial application”.

Its CEO asked users who had received the extra compensation (tokens the protocol had distributed to them by accident) to return it, while threatening to report these users to the IRS and to dox* them. At the same time, Compound would allow them to “keep 10% as a white-hat”, meaning that their contribution to discovering and recovering from the problem would be rewarded with ten percent of the funds they had received. In other words: the company was happy to pay 9 million dollars as a reward for their contribution.

* The term ‘dox’ refers to the act of publicly revealing private personal information about these users.

Similarly, BXH was hacked, losing $139M from its Binance account, and offered the hacker a way out with an unspecified bonus.

In another event, Cream, the lending platform, was hacked and $130 million was stolen, as explained by BlockSecTeam here.

Last month, Immunefi paid a reward of $2M to a researcher for discovering and reporting a critical vulnerability in one of Polygon’s bridges. Polygon estimated that an attacker could have extracted $22M for an investment of $100k, and that total losses could have reached $850M (see Immunefi’s postmortem analysis). This is the largest sum paid thus far as a reward for disclosing a security vulnerability.

The list goes on and on. Loss of funds is happening, oftentimes as an accident and oftentimes as a result of direct action. Following a loss, victims may attempt to negotiate for these funds to be returned. This then poses the following question. What is a fair reward for returning currency? By fair we mean the minimum reward that the hacker is willing to accept in exchange for not executing the attack and for sharing the information needed to prevent attacks exploiting the vulnerability he could or would have used.

That is, was the price of the service rendered by the Poly Network hacker a fair reward, and what would have been a fair reward for the Compound users to return the ‘extra’ tokens? Moreover, in the case of Cream, was $130M a fair “price” for the problem discovered during the attack, i.e., would the hacker have accepted a reward of $130M to refrain from executing the attack and relay the vulnerability information to the Cream team?

Our intuition is that the reward needs to be related to the risk associated with the threat: the expected loss, and the probability that the attack is carried out successfully and the loot extracted. If we compare the two examples above:

- the white-hat hacker cashed in a $500k reward for a haul of $610M, which is under 1%;
- Compound’s ‘fair’ users did not return the ‘gifts’ they had obtained for a reward of 10%.

From the second example one may conclude that 10% is not enough, and that the first example is simply an edge case. The two cases are otherwise alike, hence the reward as a percentage of the loss does not by itself suffice to motivate the ‘victimizers’ to return the bounty.

More generally, there is no consensus about, for example, rewarding the return of lost items (see this reddit question/answer). The website Art Recovery offers rewards for tips leading to the recovery of stolen art; these offers come from the owners or other third parties, and the amounts vary with no general rule.

Moral dilemmas aside, the victims start negotiating with their victimizers, who are often anonymous and do not need to respond. If these victimizers are actively looking for problems, and they are hackers who might be wearing a white or a black hat from time to time, what is the offer that may tempt them to refrain from continuing the attack, return their spoils, or decrypt files to undo a ransomware attack?

There’s a plethora of evidence coming from bug bounty programs. A bug bounty program rewards researchers who produce exploits for specific software so that the companies maintaining said software can fix the vulnerabilities. Programs like Ruiu’s pioneering Pwn2Own, and the later HackerOne, Zero Day Initiative and YesWeHack, have existed for decades. Immunefi’s crypto bug bounty program ups the stakes enormously, with some rewards ranging into the millions of dollars. In that case, the would-be victim is clearly stating that they would rather pay a bounty of $1M or even $2M for a critical vulnerability than suffer an attack exploiting it.

Are DeFi platforms being more transparent than other enterprises about their risk management and the value of fixing security holes? The numbers shown throughout this article are unprecedented. Nevertheless, so is the volume of currency that is moved through these solutions daily. For example, DeFi Pulse estimates that at least four platforms (Curve Finance, Compound, AAVE, InstaDApp) are each locking the equivalent of more than $10B in USD. And $1M is just 0.01% of $10B.

After this interlude about bug bounties we re-ask the question of what a fair reward is, knowing that there is no simple answer one can compute in a couple of minutes with a calculator, but also knowing that one’s adversaries answer this question every day.

Just like their adversaries, defenders have the opportunity to put in place multi-faceted strategies: paying one price for a bug via a bug bounty program, being ready to negotiate after a ransomware attack, offering a reward for returning stolen funds, or rewarding collaboration to freeze the funds and have them returned. A myriad of possibilities is available to reinforce the defense, and in these times using them may help manage otherwise unattended threats.