Hackers Are Keeping Stolen Crypto: What Is The Long-Term Solution?


In the long term, the sector has to come together and step up its cybersecurity game in a major way instead of seeking out temporary solutions.

Even as the continuing Binance-FTX saga seems to dominate the crypto airwaves, another growing trend – an uneasy one at that – has been gathering the attention of many digital currency enthusiasts in recent months: hackers are returning partial funds in exchange for having discovered exploits within a protocol.

In that context, just recently, the criminals responsible for the $14.5 million Team Finance attack said that they would be allowed to keep 10% of the stolen funds as a bounty.

Similarly, Mango Markets, a Solana-based decentralized finance (DeFi) network that was recently exploited to the tune of at least $110 million, said that its community of backers was striving to reach a consensus that would allow the hacker to be given $47 million as a reward for exposing the exploit.

As the trend continues to gather traction, reporters reached out to multiple industry observers to determine whether such a practice is healthy for the continued growth of the digital asset market, particularly in the long term.


It Is A Good Practice, For Now

The co-founder and CEO of SynFutures, Rachel Lin, told reporters that on one hand, this habit of encouraging “black hatters” to turn “white hat” pushes the sector to raise its standards of best practice, but it is still not uncommon for popular protocols to be forked or simply copied and pasted, leaving them replete with hidden bugs. She said:

“We’d be remiss to say that this is healthy where in an ideal world, there’d be only white hat hackers. But the transition we’re seeing in which hackers are returning some of the funds, which wasn’t previously the case, is a strong step forward, particularly in sensitive times like these where it’s becoming clearer that many projects and exchanges are connected and could impact the ecosystem as a whole.”

On a somewhat similar note, the chief technical officer of decentralized money market Fringe Finance, Brian Pasfield, told reporters that the idea of giving hackers a fraction of the money they steal for discovering loopholes is unhealthy and nearly unsustainable, but that hacked projects often end up with no choice but to take this approach. He added:

“This is a better alternative than resorting to law enforcement’s approach to nab the perpetrators and recover the funds, which takes a very long time, if successful at all.”

Speaking more technically, Slava Demchuk, the co-founder of crypto compliance firm AMLBot, said that since everything is on-chain, all of a hacker’s actions are traceable, so much so that the criminal has nearly a 0% chance of using the illegally acquired digital assets. He commented:

“When the hackers agree to return some of these stolen funds, not only does the project usually not prosecute the hacker, it even allows them to be able to use the remaining funds legally.”


Finally, Jasper Lee, audit tech lead at SOOHO.IO, a crypto auditing company serving many Fortune 500 firms, said that this type of white hat behavior might be healthy for the blockchain sector in the long term because it offers the chance to identify vulnerabilities in decentralized finance (DeFi) protocols before they become too big.

He also told reporters that in non-blockchain sectors, even if a hacker finds a vulnerability in a given piece of code, it is hard for them to go public with that information, since doing so might result in severe legal issues:

“In traditional hacking, it is very rare that a hacker returns the funds they have taken, as doing so would likely reveal their identity.”

Not Everybody Agrees

David Carvalho, CEO of Naoris Protocol, a distributed cybersecurity network, said in unequivocal terms that letting hackers keep funds in this manner undermines the whole ethos of a decentralized financial system and promotes behavior that breeds distrust. He commented:

“It cannot continue to be seen as something to be tolerated on any level. The fundamentals of a safe and equitable financial system don’t change. The premise that the only way to solve the hacking issue is to make the problem part of the solution is fatally flawed. It may fix a small crack for a short period, but the crack will continue to grow under the weight of the flimsy fixes and result in a destabilized market.”

A similar sentiment is echoed by Tim Bos, the co-founder and chairman of ShareRing – a blockchain-based ecosystem offering digital identity solutions – who thinks that this is a terrible practice. He stated:

“It’s akin to paying criminals who hold people hostage. All this does is make the hackers realize that they can commit a huge crime, be rewarded for it, and then there are no repercussions.”

Carvalho noted that just because a cybercriminal is nice enough to return some of the stolen funds does not make it a good practice, because these episodes still result in people and decentralized finance platforms losing a lot of money.


He concluded:

“We can’t afford to associate decentralized finance with nefarious security fixes. For mass adoption by both enterprises and individuals, we need the security systems across the Web2 and Web3 ecosystems to be trusted and hackproof. Having a cohort of hackers ostensibly calling the shots in the cybersecurity space is crazy, to say the least, and does nothing to promote the industry.”

Is It Setting A Bad Precedent For The Sector?

Lin noted that even among traditional Web2 firms – like Facebook, Apple, Amazon, Netflix, and Google – hackers are paid to discover existing bugs and zero-day exploits in exchange for various incentives. Nevertheless, this mostly comes with strict requirements, and having white hat hackers discover the loopholes is believed to be healthy for the nascent ecosystem. She added:

“Major exploits or discoveries typically put the industry as a whole and in-house security teams on alert. But it’s a slippery slope. I’d argue we’d need to define what a ‘white hat’ hacker is. For example, could you consider a hacker who’s cornered and reluctantly returns only 10% of the funds a white hat hacker?”


Lee thinks that these huge payouts can serve as a considerable impetus for white hats to carry out more such ploys. Nonetheless, he pointed out that rather than seeing 100% of a protocol’s funds hacked or disappearing forever, it is always better for the protocol’s users that some of the appropriated funds are recovered.

On another optimistic note, Demchuk observed that the DeFi market is entirely community-driven and, thus, such actions might be viewed positively, since hackers themselves are often asked to work for the projects they exploited, effectively turning many of their operations into real-life penetration tests.

What Is The Best Solution?

A large chunk of the Web3 ecosystem and its associated cybersecurity solutions still runs on outdated Web2 infrastructure and is therefore highly centralized. That, in Carvalho’s opinion, is the elephant in the room that a majority of Web3 platforms do not want to talk about.

He thinks that if these pressing challenges are not resolved with decentralized solutions, the standards for smart contract execution and publishing will not be fundamentally changed or improved, adding:

“These types of breaches will continue to happen because there is no accountability or criminalization of hacking activity. I believe a ‘just pay the hacker’ approach is going to increase the risk for DeFi and other centralized/decentralized platforms because the fundamental weaknesses are not resolved.”


Bos noted that the core challenge here is not the hacking or the sham bounties rewarding the hackers, but a clear lack of audits, quality security processes and risk reviews, mostly among projects that hold millions of dollars’ worth of crypto assets in their coffers. He concluded:

“Established banks are virtually impossible to hack into because they spend a lot of money on security reviews, risk audits, etc. We need to see the same level of technical oversight in the crypto industry.”

Thus, as we move into a future driven largely by decentralized technologies, one can say that these hackers are simply demonstrating how much more work the crypto industry in general needs to put into its security practices.
