If ethical hacker pwning.eth had chosen to act otherwise instead of reporting the vulnerability, user funds amounting to $200 million would have been at risk
by Shashank Bhardwaj
Aurora, a bridging and scaling solution for Ethereum (ETH), announced on Tuesday that it had awarded a $6 million bug bounty to an ethical security hacker by the name of pwning.eth for finding a critical vulnerability in the Aurora engine.
The bounty was paid by Aurora in association with Immunefi, a well-known platform for web3 bug bounties. The platform has over $145 million available in bug bounties and has paid out bounties worth $45 million. The exploit put user funds worth $200 million at risk.
The flaw, reported by pwning.eth to Immunefi on April 26, could be critical to the security of scaling solutions if exploited. The flaw in the Aurora engine would have allowed for infinite minting of ETH in the Aurora EVM (Ethereum Virtual Machine) to drain the corresponding nested ETH (NETH) pool on the NEAR protocol. At the time of discovery there were 70,000 ETH worth $200 million in the pool.
“Such vulnerability ought to have been found at an earlier stage [defence] pipeline, and we now have begun to enhance our strategies to attain this sooner or later,” said Frank Braun, Aurora’s chief of security. “Nevertheless, this incident in the end proves that our protection mechanisms work.”
“We view the bug bounty program as the ultimate step in a layered protection strategy and can use this bug as a studying alternative to enhance upon earlier steps resembling inner evaluation and exterior audit,” he stated.
Immunefi’s founder and CEO, Michel Amador, praised Aurora, saying, “Salute to Aurora and pwning.eth for flawless total processing of reviews. The bug was rapidly fastened, with no person funds misplaced.”
The bounty payment is one of the largest bounty payments ever in the history of DeFi. Another major payment was a $10 million bounty paid to an ethical security hacker who discovered a bug in the crypto bridge Wormhole. This reward was also paid through the Immunefi platform.
The Aurora bounty program was launched in April 2022 in collaboration with Immunefi and carries a reward of between $1,000 and $6 million, depending on the severity of the defect discovered. Immunefi’s Jonah Michels said, “In occasions of mistrust in markets, it’s extra necessary than ever for Web3 initiatives to point out that they take safety significantly.”
The author is the founder of yMedia. He ventured into crypto in 2013 and is an ETH maximalist. Twitter: @bharadwajshash