Even as the ongoing Binance-FTX saga continues to dominate the crypto airwaves, there has been a growing trend — an uneasy one at that — that has been garnering the attention of many digital currency enthusiasts in recent months, i.e., hackers returning partial funds for discovering exploits within a protocol.
In this regard, just recently, the bad actors behind the $14.5 million Team Finance attack revealed that they would be allowed to stay in possession of 10% of the stolen funds as a bounty. Similarly, Mango Markets, a Solana-based decentralized finance (DeFi) network that was recently exploited to the tune of over $110 million, revealed that its community of backers was working toward reaching a consensus, one that would allow the hacker to be awarded $47 million as a reward for exposing the exploit.
As this trend continues to garner more and more traction, Cointelegraph reached out to several industry observers to examine whether such a practice is healthy for the continued growth of the digital asset market, especially in the long run.
A good practice, for now
Rachel Lin, co-founder and CEO of SynFutures — a decentralized crypto derivatives exchange — told Cointelegraph that on one hand, the habit of encouraging “black hatters” to turn “white hat” encourages the industry to raise its standards of best practices, but it’s still not uncommon for popular protocols to be forked or simply copied and pasted, leaving them replete with hidden bugs. She added:
“We’d be remiss to say that this is healthy where in an ideal world, there’d be only white hat hackers. But the transition we’re seeing in which hackers are returning some of the funds, which wasn’t previously the case, is a strong step forward, particularly in sensitive times like these where it’s becoming clearer that many projects and exchanges are connected and could impact the ecosystem as a whole.”
On a somewhat similar note, Brian Pasfield, chief technical officer for decentralized money market Fringe Finance, told Cointelegraph that while the idea of giving hackers a fraction of the money they cart away for discovering loopholes can be seen as unhealthy and almost unsustainable, the fact of the matter remains that ultimately the hacked projects have no choice but to utilize this approach. “This is a better alternative than resorting to law enforcement’s approach to nab the perpetrators and recover the funds, which takes a very long time, if successful at all,” he added.
Speaking more technically, Slava Demchuk, co-founder of crypto compliance firm AMLBot, told Cointelegraph that since everything is on-chain, all of a hacker’s actions are traceable, so much so that the hacker has almost a 0% chance of using the illegally obtained digital assets. He added:
“When the hackers agree to return some of these stolen funds, not only does the project usually not prosecute the hacker, it even allows them to be able to use the remaining funds legally.”
Lastly, Jasper Lee, audit tech lead at SOOHO.IO, a crypto auditing firm for several Fortune 500 companies, said that this kind of white hat behavior could be healthy for the blockchain industry in the long run since it provides the opportunity to identify vulnerabilities within DeFi protocols before they become too large.
He further told Cointelegraph that out in non-blockchain industries, even if a hacker finds a vulnerability in a given code, it is difficult for them to go public with that information because it could cause severe legal issues. “In traditional hacking, it is very rare that a hacker returns the funds they have taken, as doing so would likely reveal their identity,” Lee said.
Not everyone agrees
David Carvalho, CEO at Naoris Protocol, a distributed cybersecurity ecosystem, stated in unequivocal terms that allowing hackers to keep funds in such a way not only undermines the entire ethos of a decentralized financial system but it promotes behavior that fosters distrust.
“It cannot continue to be seen as something to be tolerated on any level. The fundamentals of a safe and equitable financial system don’t change,” he told Cointelegraph, adding, “The premise that the only way to solve the hacking issue is to make the problem part of the solution is fatally flawed. It may fix a small crack for a short period of time, but the crack will continue to grow under the weight of the flimsy fixes and result in a destabilized market.”
A similar sentiment is echoed by Tim Bos, co-founder and chairman of ShareRing — a blockchain-based ecosystem providing digital identity solutions — who believes that this is a terrible practice. “It’s akin to paying criminals who hold people hostage. All this does is makes the hackers realize that they can commit a huge crime, be rewarded for it, and then there are no repercussions,” he told Cointelegraph.
Carvalho noted that just because a hacker is nice enough to return part of the funds doesn’t make it a good practice since these episodes still result in people and DeFi platforms losing a lot of money.
“We can’t afford to associate decentralized finance with nefarious security fixes. For mass adoption by both enterprises and individuals, we need the security systems across the Web2 and Web3 ecosystems to be trusted and hackproof. Having a cohort of hackers ostensibly calling the shots in the cybersecurity space is crazy, to say the least, and does nothing to promote the industry,” he said.
Setting a bad precedent for the industry?
Lin noted that even among traditional Web2 companies — like the FAANGs of this world — hackers are incentivized to discover bugs and zero-day exploits in exchange for certain incentives. However, this often comes with strict requirements and having white hat hackers discover these loopholes is viewed as being healthy for the ecosystem. She noted:
“Major exploits or discoveries typically put the industry as a whole and in-house security teams on alert. But it’s a slippery slope. I’d argue we’d need to define what a ‘white hat’ hacker is. For example, could you consider a hacker who’s cornered and reluctantly returns only 10% of the funds a white hat hacker?”
Lee believes that these fat paychecks can serve as a significant impetus for white hats to carry out more such ploys. However, he pointed out that instead of seeing 100% of a protocol’s funds being hacked or disappearing for good, it’s always better for the protocol’s users that a portion of the appropriated funds are recovered.
On a more optimistic note, Demchuk noted that the DeFi market is community-driven and, therefore, such actions could be viewed positively, as hackers themselves are often asked to work for the projects they exploited, making their activities real-life penetration tests.
What’s the solution?
It is no secret that a large portion of the Web3 ecosystem (and its associated cybersecurity solutions) still runs on yesterday’s Web2 architecture, making them highly centralized. This, in Carvalho’s opinion, is the elephant in the room that most Web3 platforms don’t want to talk about. He believes that if these pressing issues are not solved using decentralized solutions, the standards for smart contract execution and publishing will not be not fundamentally changed or improved, adding:
“These types of breaches will continue to happen because there is no accountability or criminalization of hacking activity. I believe a ‘just pay the hacker’ approach is going to increase the risk for DeFi and other centralized/decentralized platforms because the fundamental weaknesses are not resolved.”
Bos noted that the core problem here isn’t the hacking or the fake bounties that are rewarding the hackers but an apparent lack of audits, quality security processes and risk reviews, especially from those projects that have in their coffers millions of dollars worth of crypto assets.
“Established banks are virtually impossible to hack into because they spend a lot of money on security reviews, risk audits, etc. We need to see the same level of technical oversight in the crypto industry,” he concluded.
Therefore, as we head into a future driven increasingly by decentralized technologies, one can say that the hackers are simply demonstrating how much more work the crypto sector as a whole needs to put into its security practices.