Record rewards for discovering information security vulnerabilities
In early February 2022, the Optimism development team received some dramatic news. Jay Freeman, Head of Technology at Orchid Protocol, had discovered a critical bug in the Ethereum Layer 2 scaling solution.
The vulnerability was in a fork of Geth and could have allowed an attacker to create an unlimited amount of ether (ETH) on the network.
In other words, if Jay Freeman had exploited his find, one of the world’s most popular cryptocurrencies could have been compromised. To understand the scale of the problem, ETH has a market capitalisation of over $300 billion. That’s more than the annual budget of a country like Sweden.
According to the official report, an attacker could exploit the vulnerability in Ethereum L2 solutions by repeatedly triggering the SELFDESTRUCT opcode on a contract that held an ETH balance. However, Optimism developers immediately fixed the bug.
After checking the history of the blockchain, the Optimism team reported that the bug had been triggered only once, accidentally, by an employee of Ethereum data startup Etherscan, but “no useful surplus was generated”.
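The failure mode and the history check described above can be illustrated with a small Go model. This is an added example, not Optimism's or Geth's code: the `Ledger` type, the account names and the assumption that the unpatched SELFDESTRUCT path credits the beneficiary without debiting the contract are all constructed for illustration. `Surplus` is the conservation check a defender would run over replayed state.

```go
package main

import "fmt"

// Ledger is a toy account model, constructed for illustration (not Geth or Optimism code).
type Ledger struct {
	balances  map[string]uint64
	deposited uint64 // total ETH that entered through Deposit
	patched   bool   // true: SELFDESTRUCT also debits the destroyed contract
}

// Deposit is the only legitimate way value enters this model.
func (l *Ledger) Deposit(addr string, amount uint64) {
	l.balances[addr] += amount
	l.deposited += amount
}

// SelfDestruct credits the contract's balance to the beneficiary.
// Assumed flaw: the unpatched path never debits the contract.
func (l *Ledger) SelfDestruct(contract, beneficiary string) {
	amount := l.balances[contract]
	if l.patched {
		l.balances[contract] = 0
	}
	l.balances[beneficiary] += amount
}

// Surplus is the conservation check: ETH in existence minus ETH deposited.
func (l *Ledger) Surplus() uint64 {
	var total uint64
	for _, b := range l.balances {
		total += b
	}
	return total - l.deposited
}

// Replay funds a contract with 10 units, calls SELFDESTRUCT n times, returns the surplus.
func Replay(patched bool, n int) uint64 {
	l := &Ledger{balances: map[string]uint64{}, patched: patched}
	l.Deposit("contract", 10)
	for i := 0; i < n; i++ {
		l.SelfDestruct("contract", "beneficiary")
	}
	return l.Surplus()
}

func main() {
	fmt.Println("unpatched:", Replay(false, 3), "patched:", Replay(true, 3))
}
```

In this model any non-zero surplus means value was created outside the deposit path, which is the condition a replay of chain history has to rule out.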
Optimism paid Freeman a cash reward of over 2 million USD for his contribution to the Ethereum scaling solution. This is the largest amount anyone has ever received for their work as a security researcher. At the same time, it is a tiny fraction of the market capitalisation that was at risk.
The company also noted in its announcement: “if you are a similar ‘white hacker’, we would love for you to review our bug bounty programme and help secure our protocol”.
To ensure secure development, use our security audit of source code and audit of smart contracts. These services minimise the risk of critical errors during the development phase. They thereby help to increase the security of applications, smart contracts, services, and software components.
Besides, proactively auditing solutions that are about to be released is much cheaper than the rewards paid for finding vulnerabilities when these solutions have already been published. Moreover, the cost of auditing is far less than the damage caused by breaches, data and asset leaks, and other security incidents.
Contact us today for more information on securing your application code, smart contracts, and configurations.