Scan to download
Home
Article
Flash
Specials
Columns
ETF
Knowledge Base
Calendar
Activity
Tools
RootData
DeInsight 2024🔥
Devcon 2024

CertiK: How to Negotiate Asset Recovery Through Bug Bounties?

CertiK
2023-05-11 19:01:05
Collection
We chose to study the negotiation processes of four different protocols (Poly Network, Allbridge, Euler Finance, and Sentiment Protocol).

Author: CertiK

From October 2020 to March 2023, there were 25 incidents in the Web3.0 space where funds were recovered or partially recovered after being attacked.

In these 25 incidents, the total amount of stolen funds was approximately $1.35 billion, of which $992 million was returned (73%).

This year, we have heard about the recovery of stolen funds in incidents involving Euler Finance, Allbridge, and Sentiment Protocol, all of which successfully negotiated with the attackers.

However, this situation exists in a continuous gray area—attackers are neither clearly defined as white-hat hackers participating in bug bounty programs nor purely black-hat hackers stealing assets. We can refer to them as "gray-hat hackers" for differentiation and analysis.

The malicious exploitation of vulnerabilities has plagued Web3.0 for years, often targeting protocols, smart contracts, and software-based applications like self-custody wallets, with the typical outcome being that hackers "succeed" and abscond with the funds.

However, an increasing number of protocols are now able to successfully negotiate with attackers for the return of funds.

CertiK has compiled data on 25 protocols that were exploited and subsequently had funds returned from October 2020 to March 2023:

  • Approximately $1.35 billion in funds were stolen;
  • Approximately $992 million (73%) of funds were returned;
  • Approximately $314.5 million (23.1%) of funds were retained by the attackers;
  • The remaining approximately 3.9% of funds were lost or frozen during the process.

So far in 2023, among 8 major exploit incidents that resulted in approximately $221.5 million in stolen assets, about $188 million (84.8%) has been returned.

Some of the unreturned funds were retained as white-hat bounties to draw attention to protocol vulnerabilities.

Other unreturned funds were partially due to the attackers' demands.

Among these 25 protocols, four protocols had all their funds returned.

Attackers handled the return of stolen funds in different ways. Some returned all stolen funds, while others returned only part of the funds or refused to return them.

Due to the initially malicious nature of these exploit incidents and the change of heart by some attackers after negotiating with victims, we categorize these incidents as gray-hat situations.

After Cashio.App experienced an incident where $50 million was stolen by an attacker, they ultimately returned funds to investors with less than $100,000 in their accounts, with the remaining money reportedly donated to charity.

The case of Mango Market is more special: attacker Avraham Eisenberg stole a total of $117 million from the protocol and eventually returned about $67 million, but he claimed his actions were legal—"just a high-profit trading strategy." Although he reached an agreement with Mango Market, Avraham Eisenberg was later sued by the U.S. Securities and Exchange Commission for orchestrating the attack on Mango Market.

In recent years, the Web3.0 currency industry has been facing an increasing number of exploits and hacker attacks. However, protocols seem to be attempting to engage in deeper negotiations with attackers to recover a significant amount of stolen funds.

Typically, these negotiations occur in public forums (such as social media or on-chain messages between attackers and victims)—leaving messages for anonymous hackers during transactions is often the only way to contact them.

This trend may indicate a significant shift in the Web3.0 industry, where the risks for protocols and investors are becoming smaller, and security is improving, especially when projects can create market incentives to encourage attackers to negotiate.

To further explore this possibility, we want to study the different negotiation strategies employed by victims by analyzing these public negotiations and their outcomes.

We chose to study the negotiation processes of four different protocols (Poly Network, Allbridge, Euler Finance, and Sentiment Protocol). These security incidents were selected because they all involved large-scale attacks, and most successfully recovered funds within a month, except for Poly Network. Although these four protocols employed different strategies, they all used bounties as incentives for hackers to return funds.

Poly Network

On August 10, 2021, hackers exploited a vulnerability in the Poly Network code, stealing funds from over 12 different Web3.0 currencies, with total losses exceeding $610 million. On the same day, Poly Network directly contacted the hacker through on-chain messages, requesting them to get in touch. ksNRw64A1WVI3IHgXoPKSkWkci6IhPB07PlP5GIK.png

Ultimately, the protocol proposed that if the funds were returned, the hacker would receive a bounty. Poly Network also published an open letter to the hacker on Twitter, stating, "Any law enforcement agency in any country would consider this a serious economic crime, and you will be held accountable." At the end of the incident, Poly Network even praised the hacker, stating they "hope to be remembered as the largest white-hat hacker in history."

However, the hacker responded that initially, before they could reply to Poly Network, the protocol was already urging and blaming investors and others, while they had no intention of laundering the stolen funds. Moreover, during this process, the hacker communicated with Poly Network through transaction notes, indicating they intended to start returning altcoins first and inquired whether the stolen USDT could be unfrozen; if successful, they would return the stolen USDC.

Poly Network did not respond to this issue, which was likely the right move, as the next day the hacker began returning funds to three Poly Network addresses.

The hacker later sent a message stating they would provide the final key to the multi-signature wallet they used to return the funds.

FsAH7UuYAKUWYUPDD99bprkQrDfMZ1a5q0LjpwRx.png

The hacker ultimately returned all the stolen assets sent to the multi-signature account.

Except for $33 million worth of USDT that was frozen by Tether, most of the lost funds were returned to Poly Network.

In return, Poly Network paid a bounty of 160 ETH (approximately $486,000) to an independent account created by the hacker. However, the hacker returned the bounty to Poly Network and requested that the funds be distributed to the affected investors.

Copy link 【https://heystacks.com/doc/977/polynetwork-and-hacker-communicate】 to the browser to view the complete negotiation record between Poly Network and the hacker.

Allbridge

On April 1, 2023, Allbridge suffered an attack targeting its BUSD/USDT pool on the BNB Chain. The project initially stated that the attack only affected the BNB Chain pool, but the vulnerability could extend to other pools. To prevent this, Allbridge halted their bridging platform and created a network interface for liquidity pool operators to withdraw balances.

Like Poly Network, shortly after the attack occurred, Allbridge announced it would offer a bounty to the hacker and added that if the stolen funds were returned, the hacker would be exempt from any legal consequences. On April 3, the team announced it had received a message from the attacker, with 1,500 BNB (approximately $465,000) being returned to the project. The hacker still retained assets worth approximately $108,000.

TlYnaPJ5VE5YGEWqAoIZnrZlx6Jq1hnZGKLdkFGa.png

Allbridge mentioned that another hacker used the same method as the first attacker, but this hacker had not yet proactively contacted the platform. Allbridge urged the second hacker to come forward and initiate negotiations to discuss the conditions for returning funds. As of the time of writing, no updates on this incident have been received.

Euler Finance

The Euler Finance hack is the largest exploit incident that has occurred so far in 2023.

On March 13, 2023, the Euler Finance liquidity pool suffered a flash loan attack, resulting in total losses of approximately $197 million.

Similar to the Poly Network and Allbridge cases, Euler Finance stated that it would offer a 10% bounty if the attacker returned the remaining assets.

However, the project took a more aggressive approach in its negotiation strategy, issuing a warning along with the bounty statement: if the attacker did not return the remaining 90% of the funds, they would offer a $1 million bounty for information about the attacker. Despite this warning, the hacker transferred approximately $1.78 million of the stolen funds to Tornado Cash.

The hacker then contacted Euler Finance through on-chain messages.

FRK2cbCzCPMPafhyAe7PO4DGCoIWn1FtGTYqxIPd.png

On March 21, Euler Finance acted on the warning, launching a $1 million bounty for information about the attacker after the attacker stopped responding. Four days later, the attacker chose to return the funds to Euler and apologized:

VQvKWqK3CSwjXpf3JQarBkRRbXhjjQgmeJQwRTK0.png

On April 3, Euler Finance announced on its Twitter account that they had recovered all "recoverable funds" after negotiating with the hacker.

Additionally, Euler Finance stated that since the hacker "did the right thing," they would no longer accept new information that could lead to the arrest of the attacker, meaning the $1 million bounty action was concluded.

Sentiment Protocol

On April 4, 2023, Sentiment Protocol was attacked, resulting in losses of nearly $1 million.

On April 5, Sentiment Protocol announced the vulnerability on its Twitter account and paused the main contract (allowing only withdrawals) to mitigate further losses.

Sentiment Protocol proposed to negotiate with the attacker, issuing a warning alongside the bounty: if the attacker did not return the funds by April 6, the promised "white-hat" bounty would turn into a bounty for their capture. Like Allbridge, the protocol also promised not to take legal action against the attacker if the funds were returned:

1x5yTi2l3cWZDLbg3y0ajQ91La7Cb8H2wQaRNglS.png

The next day, Sentiment Protocol offered the attacker a $95,000 bounty, provided the attacker returned the funds by April 6 at 8:00 UTC.

On April 6, Sentiment Protocol announced that the attacker had returned 90% of the funds.

How to Negotiate with Gray-Hat Hackers?

As seen in the four cases in this article, all protocols issued bounties in exchange for the stolen assets.

Both Euler Finance and Sentiment Protocol issued warnings (offering bounties for information about the attacker). Allbridge and Sentiment Protocol also announced that they would not take legal action against the hacker if the funds were returned, while Poly Network explicitly stated it would contact law enforcement.

Among these four protocols, two had their "recoverable" funds fully returned, while Allbridge is still negotiating with the second hacker. Sentiment Protocol successfully recovered 90% of the funds after two days of negotiation.

From this, we can see that bounties are a very effective means in negotiations with attackers. However, there are also certain potential risks. For example, the attacker may not fulfill their promise after receiving the bounty and may continue to leak data or attack again. Additionally, some countries and regions may take legal action against the act of paying bounties.

Therefore, organizations need to assess the risks and legality and develop effective strategies to ensure safe ransom payments and the prompt recovery of stolen assets.

Related tags
CertiK Poly Network Allbridge Euler Finance Sentiment Protocol
ChainCatcher reminds readers to view blockchain rationally, enhance risk awareness, and be cautious of various virtual token issuances and speculations. All content on this site is solely market information or related party opinions, and does not constitute any form of investment advice. If you find sensitive information in the content, please click "Report", and we will handle it promptly.
banner
CertiK
CertiK A blockchain security company that collaborates to provide end-to-end blockchain security audit services using formal verification and AI technology.
Solana Funding Vortex: Why Are Rug Pullers Struggling to Lose Money?
Solana Funding Vortex: Why Are Rug Pullers Struggling to Lose Money?
In-depth analysis of two ZK vulnerabilities
In-depth analysis of two ZK vulnerabilities
Related tags
CertiK Poly Network Allbridge Euler Finance Sentiment Protocol
Related reading
TVL has surged over 240% this year, as the crypto tiered fund Tranchess enters the liquidity staking battle.
TVL has surged over 240% this year, as the crypto tiered fund Tranchess enters the liquidity staking battle.
Weekly Report | Over 40 crypto projects will unlock $755 million in assets in July; Binance decides to take strict measures to combat account abuse; Bitfinex analyst: Trump's election will benefit the regulatory environment for the U.S. cryptocurrency industry.
Weekly Report | Over 40 crypto projects will unlock $755 million in assets in July; Binance decides to take strict measures to combat account abuse; Bitfinex analyst: Trump's election will benefit the regulatory environment for the U.S. cryptocurrency industry.
An overview of the 40 cryptocurrency projects with the most abundant funds that have not yet issued tokens.
An overview of the 40 cryptocurrency projects with the most abundant funds that have not yet issued tokens.
Daily Report | Kenyan police have dropped the investigation into Worldcoin; miners' Bitcoin balances have fallen to the lowest level in 14 years; Binance will launch LISTA 1-50x U-based perpetual contracts on June 20 at 20:30.
Daily Report | Kenyan police have dropped the investigation into Worldcoin; miners' Bitcoin balances have fallen to the lowest level in 14 years; Binance will launch LISTA 1-50x U-based perpetual contracts on June 20 at 20:30.
Copyright © 2023
About Us
BitouchNews
Apply for a column
Disclaimer
RSS LINK
Recruitment
Qiong ICP No. 2021009392
Qiong ICP No. 2021009392
ChainCatcher Building the Web3 world with innovators
Open the app