Tag: Blockchain


New York State Financial Regulator Hiring Crypto and Blockchain Specialist

New York state’s financial regulator is hiring a specialist with expertise in the field of virtual currencies and blockchain technology. New York state’s financial regulator is hiring a specialist with expertise in the field of virtual currencies and blockchain, per a recently published announcement. The Department of Financial Services is looking to hire a Deputy…

Research Claims EOS Network Can Freeze, Block.one Denies Any Errors

EOS users have been experiencing periodic problems with network access, while developers reassure them that everything is “operating correctly.” Within the past few weeks, EOS blockchain protocol users have been experiencing periodic problems with network access. A recent article written by pseudonymous smart-contract developer and security engineer Dexaran described the apparent root of the problem: an…

Cosmos Network Discloses Critical Vulnerability in Tendermint Core

Blockchain interoperability platform Cosmos discloses a “high-severity security vulnerability” in consensus engine Tendermint Core. In a forum post published on Oct. 1 blockchain interoperability platform Cosmos has disclosed a “high-severity security vulnerability” that was found in consensus engine Tendermint Core. According to the announcement, an update patch was released the following morning. The vulnerability reportedly…

CMBI Partners With Sequoia-Backed Startup to Develop DeFi Services

China Merchants Bank International is partnering with Nervos Network to jointly develop new decentralized finance applications. China Merchants Bank International (CMBI) is partnering with Nervos Network — a Chinese blockchain startup founded by a former researcher and developer of the Ethereum Foundation. A press release published on Oct. 3 revealed that the new partnership will…

Bug Bounties in Crypto — the Best Way to Ensure Platform Safety?

Hacker bounties: Who are the biggest spenders, why companies need them, and are they really needed?

Crypto companies often find out the hard way that hackers know their security systems better than they do. As hacks in the crypto world can and often do result in hundreds of millions of dollars worth of tokens being stolen, the fate of a company’s future can often ride on its security measures. In an effort to batten down the hatches, companies offer bug bounties. 

These bounties are essentially competitions in which hackers are encouraged to try to compromise software. The hackers then submit a vulnerability report to the respective companies so that they are able to patch the bugs before they are exploited. As a reward, successful hackers are paid a bounty. 

Most companies offer bounties on a staggered scale, with the reward price corresponding to the severity of the bug. Bounties start from around $50 to $100 for low-level fixes and are usually capped at around $10,000 for critical bugs. In a few rare cases, hackers have been awarded more. 

Katie Moussouris, founder and CEO of Luta Security, who launched both Microsoft and the Pentagon’s first bug bounties, explained to Cointelegraph how the bug reward schemes can be of use: 

“Bug bounties are most useful and efficient as a supplement to proactive security activities focused on preventing and detecting vulnerabilities inside organizations first. Once organizations have established good security practices, bug bounties can help identify security bugs that organizations missed. Bug bounties on their own aren’t enough.”

Most companies that develop software have bug bounties. In the crypto world, the need for such programs is equally important, regardless of company size. According to a report conducted by HackerOne, companies paid out $878,000 in bug bounties in 2018. Guido Vranken, a Dutch researcher who received a $120,000 payout from EOS after discovering 12 bugs within seven days, told Cointelegraph that the stakes are high for crypto companies: 

“For a global digital currency there’s arguably a lot more at stake than many other projects or websites. Theft of assets is the most tangible example, but due to the synergy between publicity and exchange rates, net losses might also result from a widely publicized vulnerability.”

One of the most recent bug bounties comes from the global messaging app Telegram. Announced on its Telegram Contests channel on Sept. 24, the company is calling for developers to exploit the TON blockchain and submit a vulnerability report. 

If hackers can exploit a bug in the TON blockchain to the extent that they are able to steal funds from the wallet of another user, Telegram will pay out up to $200,000, a sum that matches Augur’s critical issue bounty as one of the largest rewards in crypto history. The contest is taking place against the backdrop of the hotly anticipated launch of Telegram’s native digital token, Gram, in late October. 

EOS takes the top spot

Although it’s tempting to think that smaller, newer companies may be the most active in providing bug bounties, Block.one, the company behind EOS, took the top spot in 2018 for bounty rewards with $534,500, paying out 60% of all bounties that year, according to a report.

According to the EOS profile on HackerOne, the company will pay a maximum of $1,000 for a low-risk report and a maximum of $10,000 for a critical report. The profile also notes that the final amount is always decided at the discretion of a reward panel, with higher rewards given to exceptional vulnerabilities. 

EOS bounty guidelines

Following the launch of the EOS bounty program in May 2018, Vranken explained how the company had tightened up its approach to security in the wake of his discoveries: 

“Reported bugs were quickly analyzed and fixed in their public repository. At first the process was very ad-hoc because [EOS CTO] Daniel Larimer and I were sending files back and forth on Telegram, but they’ve since started to run a bug bounty program on HackerOne which I think is in the best interest of both bug finders and the EOS team.”

EOS has continued to pay out rewards to hackers in 2019, handing out bug bounties for five critical vulnerabilities so far. On Jan. 10, EOS awarded a total of $40,750 to five white hat hackers through HackerOne, with another researcher receiving a further $10,000 bounty. 

Coinbase is the second-biggest spender 

One of the world’s largest cryptocurrency exchanges, Coinbase, is the second-largest spender on bounties, allocating a total of $290,381 in 2018. The company has experienced a number of high-profile issues since experiencing a significant increase of users in mid-2017, resulting in delayed or missing funds as well as service blackouts. 

The company gave out a further $30,000 in rewards in February 2019 for reporting a critical bug, according to Coinbase’s vulnerability disclosure program. At the time, the bug earned the largest-ever reward on the platform, although the details of the bug were not made public. Coinbase operates a four-tier bounty program in which it will pay $200 for a low-risk case, $2,000 for a midlevel issue and up to $50,000 for critical bugs.

According to Coinbase’s HackerOne profile, a critical impact exploitation comprises a situation in which attackers “can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.”


The company also laid out its guidelines for assessing low-impact issues: “Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of system.”

With regard to fixing reported issues, the company has a history of being slow on the uptake. After a Dutch company discovered a smart-contract glitch that allowed users to steal “as much as they want” in Ethereum (ETH), Coinbase reportedly took a month to fix it. Coinbase paid out a $10,000 reward to the company behind the discovery. 

Tron comes in third

The Tron Foundation, which is behind the TRX coin, was the third-largest spender on bug bounties, totaling $78,800 for 15 reports. As of now, the company has paid a total of $85,400 in bounties, with its highest, at $10,000, going to HackerOne user nu11pe for an undisclosed report.

The company’s bounty program will pay $100 for a low-risk vulnerability, $3,000 for medium-risk, $6,000 for high-risk and up to $10,000 for critical issues. Tron’s HackerOne profile describes critical faults as “bugs which can take control of java-tron nodes by remote execution of any code,” as well as those that can cause private key leakage. 

In May, the company disclosed a critical vulnerability that could have brought down its blockchain. The announcement on HackerOne states that an attacker could have exhausted all available memory through a distributed denial-of-service (DDoS) attack on the TRX network by placing malicious code in a smart contract.

The company added that a single individual could have carried out the DDoS attack from one machine against all, or 51%, of the senior nodes, thereby rendering the network unusable. Although the bug was reported on Jan. 14, it was only publicly announced after it had already been fixed. The researcher behind the vulnerability was awarded $1,500.

Bug bounties are not a perfect system

While bug bounty programs clearly create a healthy environment in which companies reward ethical hacks on their systems, the concept is not without its critics. Most recently, prominent crypto figure Dovey Wan criticized Telegram’s decision to open up development on its smart contract. Wan appeared to criticize the event as an example of the company failing to reinvest in its software development processes, saying:

“Sorry but a project raised over a billion, with over 500mm users can’t even properly make a reasonable block explorer? I have to doubt what’s the priority level of this TON network within Telegram’s team and how they will use their mega treasure on crypto-related stuff.” 

Luta Security CEO Katie Moussouris told Cointelegraph that although bug bounties are effective for pointing out important loopholes in existing security structures, they are no replacement for having a dedicated security process in place: 

“Companies can’t use bug bounties as a cheap alternative for due diligence in security. Simply asking strangers to point out flaws without having the capacity to fix them is one way overusing bug bounties can quickly overwhelm organizations.”

Vranken outlined his view to Cointelegraph that, based on his experience as a researcher, a crypto company with a bug bounty program indicates that the company can be trusted: 

“I’d sooner trust a cryptocurrency project that has a properly operating bounty program in place than one that doesn’t. This stance is shaped by my experience as a researcher and my awareness of the fact that even widely used software is not necessarily undergirded by serious scrutiny of its code without a proper incentive.” 

Vranken went on to add that it is extremely difficult to build software without bugs, no matter the level of talent or amount of money put forward:

“If nothing else, a bug bounty program establishes a formal channel for reporting bugs and signals non-hostility towards researchers by vowing to appreciate their work (through financial compensation).”

The current bug bounty system relies on hackers acting responsibly, either out of moral inclination or because of the rewards offered. While it may seem feasible that hackers could hold out for more money than advertised in the scheme or sell details of the flaw to competitors, Moussouris said that the demand for such information is not as high as many perceive:

“There are not infinite bug buyers waiting to buy up every bug — that’s a common myth. However, in cryptocurrency, there are likely more buyers for bugs than in other areas. That being said, if bug hunters prioritize profits, they may very well choose to exploit rather than sell the bugs they find in cryptocurrency, for more direct profit.” 

Although the rewards advertised by both cryptocurrency and software companies around the world may give the impression that bug bounty hunting can offer a lucrative career, the reality is that competition is high and access is not evenly divided. Moussouris explained to Cointelegraph that those who are invited to private bug bounties often have a competitive edge: 

“It is usually a lot of work that goes uncompensated, especially if the types of bugs the hunter knows how to find are relatively common classes of bugs. Only the first person to report a particular vulnerability gets paid, so bug bounty hunters who are the most successful tend to be the ones who are invited to private bug bounties with fewer competitors.”

For Vranken, bug bounty hunting is a mixed bag, as the reward does not always match up to the time put into a project: 

“Compared to contractual work which stipulates effort and reward in advance, bug bounties can be elating (when you come upon a trove of bugs that gets rewarded profoundly) or frustrating (spending a lot of time on something without achieving results, or receiving a lower reward than you expected).”

Vanguard Group Tests Blockchain Platform for Trading Currencies

Investor giant Vanguard is testing a blockchain-powered platform that allows asset managers to trade currencies while avoiding the big investment banks.

The Vanguard Group is testing a blockchain-powered platform that will allow asset managers to trade currencies while avoiding the big investment banks.

On Oct. 3, Bloomberg reported that the United States-registered investment advisor group, Vanguard, is going after a piece of the global currency market that handles $6 trillion each day and is dominated by firms such as JPMorgan Chase and Deutsche Bank AG.

A source familiar with the matter said that the newly tested blockchain platform has been operational for over two months while handling several trades already. 

By entering the global currency market, Vanguard could unsettle some of the major investment banks that have ruled the sector for decades. 

Campbell Adams, a former senior currency trader at Deutsche Bank, believes this could happen if enough users join Vanguard’s platform. He said:

“In theory, it sounds great because you can reduce your costs if you can match directly with someone else who has a countervailing interest. Yet it will require a critical mass of users.”

Vanguard, which has over $5 trillion in assets under management, is “currently piloting a project focused on improving the efficiency and reducing the risk of FX hedging,” a spokeswoman for the investment group said, without going into further details.

Banks join JPMorgan’s blockchain network

Cointelegraph previously reported on Sept. 20 that OCBC became the first Singapore-based bank to join JPMorgan Chase’s blockchain network and is now one of the 134 banks from the Asia-Pacific region that participate in the Interbank Information Network (IIN).

Germany’s largest bank, Deutsche Bank, joined IIN in the beginning of September. JPMorgan said it is targeting 400 agreements with banks by the end of 2019, hinting that more leading banks are set to join the network in the near future.

Hackerone User Reveals Critical Bug Through MakerDAO Bounty Program

Hackerone user reveals critical bug in MakerDAO’s planned Multi-Collateral Dai upgrade that could have resulted in a complete loss of funds for all Dai users.

MakerDAO, the decentralized organization that runs on Ethereum, has fixed a critical bug that could have resulted in a complete loss of funds for all Dai users.

$50,000 bounty

On Oct. 1, HackerOne user lucash-dev disclosed a report that revealed a critical bug in MakerDAO’s planned Multi-Collateral Dai (MCD) upgrade. The bug could have allowed an attacker to steal all of the collateral stored in the MCD system, possibly within a single transaction, lucash-dev said.

The bug was caught during the testing phase of the MCD upgrade and before any users had access to the system. 

The report reveals that the attack was possible due to a complete lack of access control in a MakerDAO smart contract. The report reads:

“A lack of validation in the method flip.kick allows an attacker to create an auction with a fake bid value. Since the end contract trusts that value, it can be exploited to issue any amount of free Dai during liquidation. That Dai can then be immediately used to obtain all collateral stored in the end contract.”

lucash-dev reported the security flaw via HackerOne and received a $50,000 bounty from MakerDAO’s bounty program; it was the first critical finding in the program.
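The report quoted above describes a bug class rather than a single line: an auction-creation entry point with no access control, and a settlement module that trusts the bid it finds there. The following toy model is an added illustration written for this page, not MakerDAO's Solidity; the names Flipper, End, kick, skip and the wards list are borrowed from the article's vocabulary and heavily simplified, and the numbers are constructed. It shows the vulnerable shape next to the guarded one so the invariant (only the liquidation module may open auctions) can be tested directly.

```python
"""Toy model of an unguarded auction kick() and a settlement module that trusts it.
Illustrative Python written for this page, not MakerDAO's code; names are assumptions."""
from dataclasses import dataclass


class Unauthorized(Exception):
    """Raised when a caller without the required role invokes a guarded method."""


@dataclass
class Auction:
    lot: int   # collateral units being auctioned (constructed unit)
    bid: int   # Dai amount recorded as the current bid
    guy: str   # address recorded as the current high bidder


class Flipper:
    """Vulnerable variant: kick() records whatever bid value any caller supplies."""

    def __init__(self):
        self.auctions = {}
        self._next_id = 1

    def kick(self, sender, lot, bid, guy):
        auction_id = self._next_id
        self._next_id += 1
        self.auctions[auction_id] = Auction(lot, bid, guy)
        return auction_id


class GuardedFlipper(Flipper):
    """Hardened variant: only authorized callers (wards, e.g. the liquidation module) may kick."""

    def __init__(self, wards):
        super().__init__()
        self.wards = set(wards)

    def kick(self, sender, lot, bid, guy):
        if sender not in self.wards:
            raise Unauthorized(f"{sender} may not kick auctions")
        return super().kick(sender, lot, bid, guy)


class End:
    """Settlement module: it cancels open auctions, refunds the recorded bid as Dai,
    and lets that Dai be redeemed for collateral. It cannot tell a genuine bid
    from a fabricated one, so it depends entirely on the Flipper's access control."""

    def __init__(self, flipper, collateral_pool):
        self.flipper = flipper
        self.collateral_pool = collateral_pool  # constructed pool size
        self.dai = {}

    def skip(self, auction_id):
        auction = self.flipper.auctions.pop(auction_id)
        self.dai[auction.guy] = self.dai.get(auction.guy, 0) + auction.bid

    def redeem(self, who, amount):
        if self.dai.get(who, 0) < amount or amount > self.collateral_pool:
            raise ValueError("insufficient Dai or collateral")
        self.dai[who] -= amount
        self.collateral_pool -= amount
        return amount


def collateral_obtainable_by(caller, flipper, end):
    """Invariant check: how much of the pool an arbitrary (non-ward) caller can obtain
    through kick -> skip -> redeem. Expected: the whole pool for Flipper, 0 for GuardedFlipper."""
    try:
        auction_id = flipper.kick(caller, lot=1, bid=end.collateral_pool, guy=caller)
    except Unauthorized:
        return 0
    end.skip(auction_id)
    return end.redeem(caller, end.collateral_pool)


if __name__ == "__main__":
    for name, flipper in (("Flipper", Flipper()),
                          ("GuardedFlipper", GuardedFlipper(wards=["liquidation_module"]))):
        end = End(flipper, collateral_pool=1_000)
        print(name, "exposure:", collateral_obtainable_by("anyone", flipper, end))
```

The useful habit here is the last function: express the access-control requirement as an invariant over the whole flow (who can end up holding collateral), not as a unit test of one method, because the bug lived in the interaction between two contracts rather than in either one alone.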

MakerDAO gives grant to freelance employment platform

Cointelegraph reported in September that blockchain-based employment platform Opolis received a developer grant from MakerDAO, which will allow it to bring MakerDAO’s stablecoin Dai to its employment platform for freelancers.

Richard Brown, head of community development at MakerDAO, explained that while the freelance and gig economy offers freedom to many, it does not come without its downsides, and added:

“Maker is looking forward to seeing how Dai can help de-risk this emerging workforce.”

Andreessen Horowitz Opens School Focused on Crypto Startups

Venture capital firm Andreessen Horowitz is opening a school specializing in startups aiming to develop cryptocurrency-related projects.

Venture capital firm Andreessen Horowitz (a16z) is opening a school specializing in startups aiming to develop cryptocurrency-related projects.

Andreessen Horowitz unveiled its Crypto Startup School in an announcement on Oct. 3, saying that it intends to “encourage more tech entrepreneurs to start crypto projects and help crypto-curious builders navigate the idea maze.”

Referring to the so-termed idea maze, the company addressed the importance of good ideas for the startup industry, which eventually become “well developed, multi-year plans that contemplate many possible paths according to how the world changes.”

Commenting on the initiative launch, Chris Dixon, a general partner at Andreessen Horowitz, told The Block that the school will be free of charge, adding:

“We are going to run a startup school for crypto-specific startups and what we’ve learned over the last seven years as best practices in this category.”

Blockchain and crypto in education

In recent months, an array of industry players have rolled out education-related initiatives. Most recently, privacy-centric computing network and app ecosystem Blockstack announced a partnership with skills-based online school Lambda School. Students enrolled in the program can reportedly now learn how to code Blockstack apps and earn monthly revenue through its App Mining Program.

Major global crypto exchange Binance introduced its new developer-focused project, called Binance X. The project will reportedly support developers and their initiatives by assisting in education and collaboration on Binance and connecting them with relevant internal programs that help projects progress at different stages of growth.

In late August, Coinbase shared research in which it used rankings from US News and World Report for its list of the top 50 universities. The analysis showed that 56% of the top 50 universities in the world offer one or more classes on cryptocurrency or blockchain tech.

ESET Flags New Latin American Banking Trojan That Targets Crypto

Major Slovakia-based antivirus software provider ESET has discovered a Latin American banking trojan that can steal crypto.

Major Slovakia-based antivirus software provider ESET has discovered a banking trojan that can steal cryptocurrencies and is especially widespread in Latin America.

Primary targets

Known as “Casbaneiro” or “Metamorfo,” the newly found malware family targets banks and cryptocurrency services located in Brazil and Mexico, ESET’s editorial arm WeLiveSecurity reports Oct. 3.

According to the report, Casbaneiro uses a social engineering execution method, displaying fake pop-up windows that trick potential victims into entering sensitive information. The capabilities of the malware are typical of Latin American banking trojans: it can take screenshots and send them to a command-and-control server, simulate keyboard actions and capture keystrokes, restrict access to websites, and download and execute other tools, the report notes.

Stealing crypto via clipboard

Alongside banks, one of the major targets of Casbaneiro is cryptocurrency wallets. According to ESET, Casbaneiro is capable of monitoring the content of the clipboard and replacing the crypto wallets victims have copied with addresses belonging to the attacker.

As noted in the report, ESET was aware of only one attacker wallet at the time of publication. Reportedly hardcoded in the binary, that wallet held around 1.2 Bitcoin (BTC), worth $9,812 at press time, across a total of 71 transactions, according to Blockchain.com.
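The clipboard substitution described above works because a swapped-in address is still a perfectly well-formed address, so format or checksum validation alone cannot catch it; the only reliable check is comparing what is about to be pasted against the address the user actually intended. The following is an added example written for this page, not ESET's code or anything from the malware: it validates Bitcoin P2PKH addresses (Base58Check, version byte 0x00) and classifies clipboard contents as intact, substituted or malformed. The clipboard is modelled as a plain string argument (no clipboard library), the intended address is the well-known Bitcoin genesis address used as a known-good test vector, and the "attacker" address is constructed inside the script from a hash of a constant, not an address from the report.

```python
"""Clipboard address substitution check. Added example for this page; not ESET's code.
Assumes P2PKH addresses and a clipboard passed in as a string."""
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58decode(s: str) -> bytes:
    """Base58 decode; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in s:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))          # each leading '1' is a zero byte
    return b"\x00" * pad + body


def b58encode(raw: bytes) -> str:
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    return "1" * pad + out


def is_valid_p2pkh(addr: str) -> bool:
    """True if addr is 25 decoded bytes (version + hash160 + 4-byte checksum) with a good checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] != 0x00:
        return False
    return sha256d(raw[:21])[:4] == raw[21:]


def p2pkh_address(hash160: bytes) -> str:
    payload = b"\x00" + hash160
    return b58encode(payload + sha256d(payload)[:4])


def check_clipboard(intended: str, clipboard_text: str) -> str:
    """'ok' if the clipboard still holds the intended address; 'substituted' if it holds
    a different but valid address (the clipper pattern); 'malformed' otherwise."""
    if clipboard_text == intended:
        return "ok"
    return "substituted" if is_valid_p2pkh(clipboard_text) else "malformed"


# Known-good test vector: the Bitcoin genesis block address.
INTENDED_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
# Constructed stand-in for a clipper's wallet: derived from a constant, not a real IoC.
ATTACKER_ADDRESS = p2pkh_address(hashlib.sha256(b"constructed attacker key").digest()[:20])

if __name__ == "__main__":
    for sample in (INTENDED_ADDRESS, ATTACKER_ADDRESS, "0OIl-not-an-address"):
        print(f"{sample:36s} -> {check_clipboard(INTENDED_ADDRESS, sample)}")
```

Note that `is_valid_p2pkh(ATTACKER_ADDRESS)` returns True: the substituted address passes every structural check, which is exactly why wallet UIs and users should confirm the destination against an out-of-band copy (for example the first and last characters read from the original source) rather than trusting that a well-formed address is the right one.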

Additionally, the newly discovered malware uses multiple cryptographic algorithms, with each one intending to protect a different type of data, the report says.

On Sept. 26, American Internet infrastructure firm Juniper Networks warned users of a new spyware called Masad Clipper and Stealer, which reportedly uses the Telegram app to replace crypto addresses with its own.

Blockchain Firm Secures $5 Million From Investment Company Cosimo

Boston-based provider of high-performance blockchain solutions Oneiro secures a $5 million investment from Cosimo Ventures in a Series A funding round.

Oneiro, a blockchain solution company, secured a $5 million investment from Cosimo Ventures.

Total investment of $8 million

In an Oct. 3 press release, Boston-based provider of high-performance blockchain solutions Oneiro announced that it had secured a $5 million investment from Cosimo Ventures in a Series A funding round.

Cosimo Ventures is an investment firm involved in sectors including blockchain, cryptocurrencies and the Internet of Things.

Oneiro’s latest funding round brings the company’s total venture capital investment to $8 million. The company wrote that it plans to use those funds to provide additional services to clients, such as the Axiom Foundation, more efficiently. 

Cosimo Ventures and Oneiro previously joined forces to launch the unpegged digital currency, ndau, which the press release claims addresses certain pain points associated with other stablecoins. Cosimo Ventures managing partner Ciarán Hynes said:

“The Oneiro team has made significant progress this year, and these new funds will allow the team to further develop multiple blockchain technologies, extend into the crypto ecosystem, and accelerate the adoption and use of various blockchain applications, including digital virtual currencies such as ndau.”

Crypto hedge fund leads $5 million seed round

Cointelegraph recently reported that Pantera Capital led a $5 million strategic seed round of decentralized derivatives protocol Vega. The funding round included participants such as Ripple’s investment arm Xpring, Hashed, NGC Ventures, gumi Cryptos Capital, Rockaway Blockchain, KR1, Eden Block, Focus Labs and Greenfield One.