What is the long-term solution?
Although the ongoing Binance-FTX saga continues to dominate the crypto airwaves, there has been a growing trend – an unsettling one – that has caught the attention of many digital currency enthusiasts in recent months: hackers returning part of the stolen funds in exchange for being treated as having discovered an exploit within a protocol.
In this regard, the bad actors behind the $14.5 million Team Finance attack were recently told that they would be allowed to keep 10% of the stolen funds as a bounty. Similarly, Mango Markets, a Solana-based decentralized finance (DeFi) network that was recently exploited for over $110 million, revealed that its community of backers was working to reach a consensus that would allow the hacker to be awarded $47 million as a reward for revealing the exploit.
As this trend continues to gain more and more traction, Cointelegraph reached out to several industry observers to examine whether such practices are healthy for the continued growth of the digital asset market, especially in the long term.
A good practice for now
Rachel Lin, co-founder and CEO of SynFutures – a decentralized crypto-derivatives exchange – told Cointelegraph that, on the one hand, the practice of encouraging “black hats” to become “white hats” is pushing the industry to raise its standards of best practice, but it is still not uncommon for popular protocols to be forked or simply copied and pasted, leaving them full of hidden bugs. She added:
“We would be reluctant to say this is healthy where in an ideal world there would only be white hat hackers. But the transition we’re seeing where hackers are returning some of the funds, which wasn’t the case before, is a strong step forward, especially in sensitive times like these where it’s becoming clearer that many projects and exchanges are interconnected and can affect the ecosystem as a whole.”
On a somewhat similar note, Brian Pasfield, CTO of decentralized money market Fringe Finance, told Cointelegraph that while the idea of giving hackers a fraction of the money they took in exchange for disclosing the loopholes they found can be seen as unhealthy and almost unsustainable, the fact remains that in the end the hacked projects have no choice but to use this approach. “This is a better option than resorting to the police approach to catch the perpetrators and recover the money, which takes a very long time, if at all,” he added.
More technically, Slava Demchuk, co-founder of crypto compliance firm AMLBot, told Cointelegraph that since everything is on-chain, all of a hacker’s actions are traceable, so much so that the hacker has almost a 0% chance of using the illegally acquired digital assets. He added:
“When the hackers agree to return some of these stolen funds, the project usually won’t prosecute the hacker, it even allows them to use the remaining funds legally.”
Finally, Jasper Lee, audit technical lead at SOOHO.IO, a crypto audit firm for several Fortune 500 companies, said this type of white hat behavior could be healthy for the blockchain industry in the long run as it provides the opportunity to identify vulnerabilities within DeFi protocols before they get too big.
He further told Cointelegraph that in non-blockchain industries, even if a hacker finds a vulnerability in a given piece of code, it is difficult for them to make that information public because it could cause serious legal problems. “In traditional hacking, it’s very rare for a hacker to return the money they’ve taken, as that would likely reveal their identity,” Lee said.
Not everyone agrees
David Carvalho, CEO of Naoris Protocol, a distributed cybersecurity ecosystem, stated in no uncertain terms that allowing hackers to retain funds in such a way not only undermines the entire ethos of a decentralized financial system, but it promotes behavior that fosters mistrust.
“It cannot continue to be seen as something to be tolerated at any level. The fundamentals of a safe and fair financial system do not change,” he told Cointelegraph, adding, “The premise that the only way to solve the hacking problem is to make the problem part of the solution is fatally flawed. It may fix a small crack for a short period of time, but the crack will continue to grow under the weight of the flimsy fixes and result in a destabilized market.”
A similar sentiment is echoed by Tim Bos, co-founder and chairman of ShareRing – a blockchain-based ecosystem that offers digital identity solutions – who believes this is a terrible practice. “It’s like paying criminals who hold people hostage. All this does is make the hackers realize that they can commit a major crime, be rewarded for it, and then there will be no consequences,” he told Cointelegraph.
Carvalho noted that just because a hacker is nice enough to return part of the funds does not make it a good practice since these episodes still result in people and DeFi platforms losing a lot of money.
“We cannot afford to associate decentralized finance with malicious security fixes. For mass adoption by both businesses and individuals, we need the security systems across the Web2 and Web3 ecosystems to be reliable and hack-proof. It’s crazy, to say the least, to have a group of hackers seemingly taking action in the cyber security space and doing nothing to advance the industry,” he said.
Is this setting a bad precedent for the industry?
Lin noted that even among traditional Web2 companies—like the FAANGs of this world—hackers are encouraged to discover bugs and zero-day exploits in exchange for certain incentives. However, this often comes with strict requirements, and allowing white hat hackers to discover these loopholes is seen as healthy for the ecosystem. She noted:
“Major exploits or discoveries usually put the industry as a whole and internal security teams on alert. But it’s a slippery slope. I would argue that we need to define what a ‘white hat’ hacker is. For example, would you consider a hacker who has been backed into a corner and reluctantly returns only 10% of the funds a white hat hacker?”
Lee believes that these fat paychecks could serve as a significant impetus for white hats to pull off more such tricks. However, he pointed out that instead of seeing 100% of a protocol’s funds get hacked or disappear for good, it is always better for the protocol’s users that a portion of the affected funds is recovered.
On a more optimistic note, Demchuk noted that the DeFi market is community-driven, and therefore such actions can be viewed positively, as hackers themselves are often asked to work for the projects they exploited, making their activities real penetration tests.
What is the solution?
It’s no secret that a large part of the Web3 ecosystem (and its associated cybersecurity solutions) still runs on yesterday’s Web2 architecture, making it highly centralized. This, in Carvalho’s opinion, is the elephant in the room that most Web3 platforms won’t talk about. He believes that if these pressing issues are not addressed through decentralized solutions, the standards for smart contract execution and publishing will not fundamentally change or improve, adding:
“These types of breaches will continue to happen because there is no accountability or criminalization of hacking activity. I believe that a ‘just pay the hacker’ approach is going to increase the risk to DeFi and other centralized/decentralized platforms because the fundamental weaknesses have not been addressed.”
Bos noted that the core problem here is not the hacking or the fake bounties that reward the hackers, but an apparent lack of audits, quality assurance processes and risk assessments, especially at those projects that have millions of dollars in crypto assets in their coffers.
“Established banks are virtually impossible to hack because they spend a lot of money on security reviews, risk audits, etc. We need to see the same level of technical oversight in the crypto industry,” he concluded.
Therefore, as we move into a future driven increasingly by decentralized technologies, one could say that the hackers are simply showing how much more work the crypto sector as a whole needs to put into its security practices.