Wormhole pays $10 million bounty to whitehat hacker for flaw discovery

by Thomas

The Wormhole inter-blockchain transfer protocol team has paid a record $10 million bounty to a whitehat hacker. This follows the discovery of a critical flaw on 24 February, which fortunately was patched the same day and resulted in no loss of funds.

Wormhole rewards a whitehat with a record bounty

As part of its bounty program, Wormhole has paid a record $10 million reward to a whitehat hacker operating under the alias satya0x.

The protocol, which is used to transfer funds from one blockchain to another, used the services of Immunefi, another protocol that specialises in paying such bounties.

This critical flaw, the details of which have just been explained by Immunefi, was discovered on February 24. It affected the functionality used to update Wormhole's smart contract. If this flaw had been exploited, a hacker could have taken control of the protocol by performing a series of specific actions.

Fortunately, none of this happened, and Wormhole took action the same day to rule out this worst-case scenario.

The hacker satya0x said he was pleased to have helped avoid an event that could once again have shaken decentralised finance (DeFi) through this bridge:

“I am proud to have played a role in mitigating a serious vulnerability and systemic threat to the ecosystem. I have great respect for the way the Wormhole team managed both the security response and the entire bounty process.”

Consistent measures for ecosystem stability

The bounty programme, in which Wormhole invites every whitehat to report potential flaws, was put in place after the massive $320 million hack on February 2. Whitehats (“white hats”) are security hackers who rent out their talents in exchange for rewards.

This discipline allows them to earn large sums of money in a completely legal manner, while building a valuable reputation in the ecosystem.

Depending on the severity of a vulnerability, bridge teams pay rewards ranging from $1,000 to $10 million to the person who discovered it. According to Immunefi, this is an effective strategy for increasing the resilience of a protocol:

“Wormhole is sending a clear message with this payment to the best whitehats […] on the planet, if they responsibly disclose security vulnerabilities to Wormhole, they will be well taken care of.”

With Wormhole supporting 9 blockchains and $650 million in total value locked (TVL), it is easy to understand how important security must be, especially following the events the team faced earlier this year.
