Evmos pays $150K bounty for critical bug found in Cosmos documentation
A Web3 security researcher earned a bounty reward of $150,000 by reading Cosmos Network documentation and finding a critical bug that could halt the Evmos blockchain and all decentralized applications (DApps) built on it.
Pseudonymous Spearbit security researcher “jayjonah.eth” received $150,000 for identifying a vulnerability in the Evmos blockchain as part of the Evmos Bug Bounty Program, which has been active since November 2022.
In a blog post published on Oct. 28, he explained coming across the concept of “module accounts” in the Cosmos documentation, which read:
“If these addresses (module accounts) receive funds outside the expected rules of the state machine, invariants are likely to be broken and could result in a halted network.”
Crash-testing Evmos blockchain based on Cosmos documentation
The security researcher tried sending funds to the module account in a test environment to test the theory and reported:
“At this point, no more blocks are being produced and the chain has completely halted. This breaks the Evmos blockchain and all the DApps built on it.”
He said that the Evmos team fixed the bug before the information was made public.
Evmos bug bounty payout system. Source: Evmos
The researcher was awarded the highest tier payout for identifying a critical bug. On an end note, jayjonah.eth urged security researchers to read through project documents, adding that “sometimes the most critical bugs can be extremely simple.”
Source: jayjonah_eth
Related: Tapioca offers $1M to ‘social engineering’ attacker who stole $4.7M
In addition to helping projects alleviate the risk of cyberattacks, bug bounty programs are used as a tool to minimize losses in the event of a hack.
Hacker negotiates bug bounty with Shezmu protocol
In September, leveraging yield protocol, Shezmu recovered nearly $5 million in stolen crypto through negotiations with a hacker after agreeing to a higher bounty demand.
Shezmu had initially offered the hacker a 10% bounty reward via an onchain message and requested the return of 90% of the stolen funds within 24 hours.
Source: Shezmu
The hacker demanded 20% of the stolen funds as a bounty reward, which the protocol agreed to and received the remaining stolen funds.
Magazine: Most DePIN projects barely even use blockchain: True or false?
Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
You may also like
MicroStrategy Buys $1.5B in Bitcoin, Raising BTC Holdings at 439K
The company's BTC holdings are now worth over $46.7 billion at current prices
Bitcoin Hit a New ATH Above $107K, as BTC ETFs Recorded 13 Consecutive Inflow Days
Since November 27, BTC ETFs recorded almost $6 billion in inflows, amidst rising institutional interest
AAVE drops below $360
An address made a profit of $87,000 by adding $6 PENGU and $1,100 SOL to the liquidity pool