- A bug bounty platform has been posting bug reports publicly.
- It's "insanely irresponsible," a security researcher says.
- The platform also lists projects' bug bounties without their permission.
Bug bounty platform OpenBounty is under fire from fellow security researchers after it was discovered that the bug reports submitted by users are posted on a public blockchain.
When OpenBounty receives reports, it automatically posts their contents in transactions on Shentu, a blockchain run by OpenBounty’s parent organisation, the Shentu Foundation.
Details made public include the bug’s threat level, the location of the potentially vulnerable code, and comments from the report’s author.
“Leaking potential bugs publicly is insanely irresponsible,” Pascal Caversaccio, an independent security researcher who first identified the issue, told DL News. “Any blackhat could screen the reports to exploit them.”
Blackhat refers to hackers who exploit bugs for malicious purposes, including theft of money, passwords, or data.
OpenBounty lists bug bounties provided by over 30 different crypto projects with a combined deposit value of more than $11 billion.
OpenBounty did not respond to DL News’ requests for comment.
Bug bounties are rewards offered by crypto projects to those who successfully identify bugs in a project’s code.
Bug bounties are important because they incentivise developers to look for bugs in open-source code, and dissuade those who find bugs from exploiting them for monetary gain.
Many crypto projects offer bounties of over $1 million to those who identify the most severe bugs.
Piggybacking bug bounties
Security researchers also complain that OpenBounty lists and accepts reports for bug bounties provided by other security firms and crypto projects without their permission.
Bounties from top decentralised exchange Uniswap and lending protocol Compound are among those listed on the OpenBounty website.
“As OpenZeppelin’s security advisor to the Compound DAO, I can say with authority that they are not authorised to be managing a bug bounty on the protocol’s behalf,” Michael Lewellen, head of solutions architecture at crypto security firm OpenZeppelin, told DL News.
Listing bounties without permission could have legal consequences, Dmytro Matviiv, CEO of bug bounty platform HackenProof, told DL News.
Matviiv said the bug bounty market operates within a well-thought-out legal process. Under this system, he said, it’s mandatory to obtain a bounty issuer’s permission before placing their bounty on a bug bounty platform.
OpenBounty acts as a middleman between those finding bugs and the projects offering bounties. So it’s hard to know for certain if it is passing along all the bug reports it receives to the proper parties and is fully crediting those who found them.
Some bug bounty programmes listed by OpenBounty, such as the one run by Uniswap, say that bug reports must be submitted directly to Uniswap, and not via a third party.
The CertiK connection
The situation at OpenBounty is the latest controversy linked to crypto auditor CertiK.
In June, CertiK was roundly criticised after it used a bug to withdraw almost $3 million from crypto exchange Kraken.
Although CertiK later returned the funds, onchain records show that a CertiK-linked address sent some of the funds to sanctioned DeFi protocol Tornado Cash.
A CertiK spokesperson confirmed to DL News that Shentu, the entity that controls the OpenBounty platform, used to be part of CertiK.
Since 2020, however, Shentu has operated autonomously as an independent entity.
Yet four years after the split, code in the OpenBounty platform still links to domains with CertiK in their name.
Such domains are independently managed by Shentu, the CertiK spokesperson said.
Tim Craig is a DeFi Correspondent at DL News. Got a tip? Email him at tim@dlnews.com.