How to Get Rich in Crypto
May has been a busy month for crypto-bughunters, with more than $32,000 claimed in bounty in the last seven weeks…
In the last few weeks alone, White Hat bughunters have rooted out more than $32,150 worth of vulnerabilities in cryptocurrency and blockchain platforms, according to research from Hard Fork. Spread across 30 publicly released bug reports from 15 blockchain-related companies, the vulnerabilities were discovered in companies including TRON, Brave, Augur and Coinbase.
TRON paid $3,100 to a researcher who discovered a potentially serious undisclosed flaw in the TRON blockchain, as well as $1,500 for a potential DDoS attack vector. The latter essentially allowed: “A single request to submit a post to /wallet/deploy contract with several megabytes of bytecode along with CPU intensive long parsing will consume CPU for about 10 minutes while still holding several megabytes of bytecode in heap. With enough requests (let's say 1K-10K depending upon available memory), it's enough to use all the available threads to service incoming HTTP request, fill up the memory and render DDOS.”
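The report above describes three resources an unbounded deploy endpoint gives away at once: heap (megabytes of bytecode buffered per request), CPU (minutes of parsing) and worker threads (thousands of such requests in flight). The handler below, an added example and not TRON's code, applies one control to each: a request body cap, a fixed number of parse slots, and a per-request parse deadline. The limit values and the `parseBytecode` stub are assumptions.

```go
package main

import (
	"context"
	"io"
	"net/http"
	"time"
)

// Hypothetical limits: per-request bytecode size, simultaneous parses, parse time budget.
const maxBodyBytes, maxConcurrent, parseDeadline = 256 << 10, 8, 2 * time.Second
// parseSlots bounds concurrent parses so a flood of requests cannot occupy every worker.
var parseSlots = make(chan struct{}, maxConcurrent)

// parseBytecode is a hypothetical stub for the CPU-intensive parser; it polls ctx so a deadline can interrupt it.
func parseBytecode(ctx context.Context, code []byte) error {
	for i := 0; i < len(code); i += 1024 {
		if err := ctx.Err(); err != nil {
			return err
		}
	}
	return nil
}

// DeployHandler enforces size, concurrency and time limits before parsing.
func DeployHandler(w http.ResponseWriter, r *http.Request) {
	// 1. Reject oversized bodies before buffering megabytes of bytecode in the heap.
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		return
	}
	select { // 2. Fail fast instead of queueing when all parse slots are taken.
	case parseSlots <- struct{}{}:
		defer func() { <-parseSlots }()
	default:
		http.Error(w, "server busy", http.StatusServiceUnavailable)
		return
	}
	ctx, cancel := context.WithTimeout(r.Context(), parseDeadline) // 3. Bound parse time.
	defer cancel()
	if err := parseBytecode(ctx, body); err != nil {
		http.Error(w, "bytecode parse timed out", http.StatusRequestTimeout)
		return
	}
	w.WriteHeader(http.StatusAccepted)
}

func main() { http.ListenAndServe(":8080", http.HandlerFunc(DeployHandler)) }
```

Rejected requests still cost a little work, so the size cap belongs in front of any buffering and the slot check in front of any parsing; the 413 and 503 responses are also the signal a defender can alert on.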
TRON fared particularly badly in the ImmuniWeb website security test, scoring a ‘C’ overall, with multiple warnings across the board. These included PCI DSS and GDPR misconfigurations, while several subdomains gained a fail grade of ‘F’, including developers.tron.network and main.tron.network.
Over the last month, Omise, the firm behind the cryptocurrency OmiseGo, saw the largest number of publicly disclosed bugs, racking up six, albeit with low-value bounties indicating that the vulnerabilities were not very serious. Omise fared better than TRON in the ImmuniWeb website security test, scoring a ‘C’ overall with a clean PCI DSS bill of health, although suffering from a potential GDPR misconfiguration. As is often the case, a subdomain - omisego.network - was graded with a ‘C’.
Meanwhile, blockchain-powered prediction market Augur disclosed a series of three reports, the same number as Brave Software, creators of the Brave browser, which incorporates a native blockchain token, BAT.
Augur scored a respectable ‘A-’ in the ImmuniWeb website security test, with five HTTP configuration warnings and some low-graded subdomains, including fonts.augur.net and docs.augur.net, both garnering a less flattering ‘F’ grade. Brave picked up a plain ‘A’ grade, with a strong ImmuniWeb website security test performance only let down by two outdated CMS components and two subdomains - laptop-updates-staging.brave.com and eyeshade-staging.brave.com - that picked up an ‘F’ grade.
At the top of the pile - at least in terms of the ImmuniWeb website security test - was Coinbase, which managed to score an ‘A+’, although two subdomains, exchange.coinbase.com and eio-feed.exchange.coinbase.com, garnered a concerning ‘F’ grade.
However, as Binance demonstrated just days ago, having a bug bounty programme (with a maximum bounty of $100,000) and scoring an ‘A+’ on the ImmuniWeb website security test do not entirely defend your business from attack: the company experienced one of the most devastating losses of 2019 so far, chalking up a $41m Bitcoin loss to attackers.
In fairness, Binance’s ImmuniWeb test also highlighted two ‘F’ grade subdomains, resource.binance.com and sensors.binance.com, proving that perfection in security terms is not a practical target.
More seriously, it also demonstrates the yawning gulf between the bounty rewards available to White Hat hackers participating in responsible disclosure programmes and the potential value of an exploit to criminals.
One thing is certain - there will be more high-profile cryptocurrency and blockchain incidents this year, as well as significant losses. Have you tested your website security recently?