CertiK-Linked Platform Publishes Bug Reports. Researchers Say It’s “Incredibly Irresponsible” – DL News
- A bug bounty platform published bug reports publicly.
- It’s ‘incredibly irresponsible,’ says security researcher.
- The platform also lists bug bounties of projects without their permission.
Bug bounty platform OpenBounty is under fire from fellow security researchers after it was discovered that bug reports submitted by users are published on a public blockchain.
When OpenBounty receives reports, it automatically publishes their contents in transactions on Shentu, a blockchain managed by OpenBounty’s parent organization, the Shentu Foundation.
Details made public include the threat level of the bug, the location of the potentially vulnerable code, and comments from the report’s author.
“Publicly disclosing potential bugs is incredibly irresponsible,” Pascal Caversaccio, an independent security researcher who first identified the problem, told DL News. “Any hacker could filter the reports for exploitation.”
Blackhat refers to hackers who exploit bugs for malicious purposes, including stealing money, passwords, or data.
OpenBounty lists bug bounties provided by over 30 different crypto projects with a combined deposit value of over $11 billion.
OpenBounty has not responded to DL News’ requests for comment.
Bug bounties are rewards offered by crypto projects to those who successfully identify bugs in a project’s code.
Bug bounties are important because they provide an incentive for developers to find bugs in open source code and discourage those who find bugs from exploiting them for monetary gain.
Many crypto projects offer bounties of over $1 million to those who identify the most serious bugs.
Bug bounties in piggyback mode
Security researchers also complain that OpenBounty lists and accepts bug bounty reports provided by other security companies and crypto projects without their permission.
Bounties from leading decentralized exchange Uniswap and lending protocol Compound are among those listed on the OpenBounty website.
“As OpenZeppelin’s security advisor to the Compound DAO, I can say with authority that they are not allowed to run a bug bounty on behalf of the protocol,” Michael Lewellen, head of solutions architecture at OpenZeppelin, a crypto security firm, told DL News.
Listing bounties without permission could have legal consequences, Dmytro Matviiv, CEO of bug bounty platform HackenProof, told DL News.
Matviiv said that the bug bounty market operates under a well-established legal process. According to him, under this system a platform must obtain permission from the bounty issuer before listing that issuer’s bounty.
OpenBounty acts as a middleman between bug finders and the projects that offer rewards, so it’s hard to know for sure whether it forwards all the bug reports it receives to the right people and fully credits those who find them.
Some bug bounty programs listed by OpenBounty, such as the one run by Uniswap, state that bug reports must be submitted directly to Uniswap and not through a third party.
The CertiK connection
The situation at OpenBounty is the latest controversy surrounding crypto auditor CertiK.
In June, CertiK was strongly criticized after using a bug to withdraw nearly $3 million from cryptocurrency exchange Kraken.
Although CertiK later returned the funds, on-chain records show that an address linked to CertiK sent some of the funds to sanctioned DeFi protocol Tornado Cash.
A spokesperson for CertiK confirmed to DL News that Shentu, the entity that controls the OpenBounty platform, was formerly part of CertiK.
However, since 2020, Shentu has been operating autonomously as an independent entity.
Yet, four years after the split, the OpenBounty platform code still links to domains with CertiK in their name.
These domains are managed independently by Shentu, the CertiK spokesperson said.
Tim Craig is a DeFi correspondent at DL News. Got a tip? Email him at tim@dlnews.com.