TechynoWorld spoke to the hacker for insights on the timeline of events, as well as the wider implications of bounty programs on DeFi’s security landscape.
Belt Finance, an automated market maker (AMM) protocol operating a yield optimization strategy on Binance Smart Chain (BSC), claims to have paid the largest bounty in the history of decentralized finance (DeFi) to a white hat hacker who averted a $10-million bug crisis.
Industry white hat programmer Alexander Schlindwein discovered the vulnerability in Belt Finance’s protocol this week and reported the news to the team. For his efforts, Schlindwein received a generous compensation of $1.05 million, the majority of which ($1 million) was granted by Immunefi, with the additional $50,000 offered by Binance Smart Chain’s Priority One program.
Immunefi is one of the market leaders in software security for cryptocurrency projects. Since its inception, the platform has reportedly paid out in excess of $3 million to white hat hackers who have successfully identified technical infrastructure flaws in smart contracts and crypto platforms.
Priority One is a BSC initiative launched in July to enhance the security of decentralized applications (DApp) within the platform’s native ecosystem. Mirroring the structure of Immunefi, the service provides a $10-million incentive fund to blockchain bounty hunters who successfully contribute to the avoidance of security breaches across 100 DApps.
Schlindwein told TechynoWorld about how he discovered the vulnerability:
“I went through the list of bug bounties on Immunefi and picked Belt Finance as the next one to work on. While I was studying their smart contracts, I noticed a potential bug in the internal bookkeeping, which keeps track of each user’s deposited funds. Playing the attack through with pen and paper gave me more confidence in the existence of the bug. I continued by producing a proper proof-of-concept [PoC] which undoubtedly confirmed its validity and economic damage.”
“The next step was to create an official report on Immunefi including the PoC and an extensive description of the exploit,“ Schlindwein said, adding, “Immunefi reacted immediately to the critical report, and within three minutes after submission, it was escalated to the Belt team. Shortly after, Belt confirmed the validity of the report and began implementing a fix, which then patched the vulnerability.”
Although DeFi’s security breaches remain a prevalent concern, it has been argued by some that the nascent ecosystem will benefit from such incidents in the long term, as areas of weaknesses are starkly highlighted.
TechynoWorld asked Schlindwein his perspective on the importance of bounty programs in supporting DeFi’s antifragile ambitions:
“I am strongly convinced of the importance of bug bounties and initiatives such as bounty funds. DeFi security consists of multiple layers, starting with peer review and unit testing to external audits and formal verification. Bug bounties are the last line of defense should an issue slip through the overlying layers with the potential to prevent a devastating hack while instead seriously fixing the issue and compensating the finder.”
“Bug bounties in DeFi have been a rare sight before Immunefi existed, only offered by the ‘Crème de la Crème’ of projects. It’s great to see hundreds of projects launching their bug bounty nowadays, which will certainly bring DeFi security forward in the long run,” Schlindwein concluded.