On April 18, Avi Eisenberg was found guilty of fraud for exploiting Mango Markets in October 2022. The case drew particular attention because Mr. Eisenberg quickly admitted to carrying out the $110 million attack, calling his tactics less a crime than an interpretation of the adage “the code is the law,” and characterizing what he did as a “highly profitable trading strategy.”
Steven Walbroehl is the co-founder and chief technology officer of Halborn, a cybersecurity company specializing in blockchain companies.
Mr. Eisenberg also sought to justify his activities in a second way: by framing the proceeds as a “bug bounty,” a reward for identifying vulnerabilities. That is how the parties characterized the agreement under which Eisenberg returned approximately $67 million to Mango and kept the remaining $47 million in exchange for a promise not to prosecute. That would make it the largest bug bounty in history.
I've been a cybersecurity professional for 15 years and have even done some bug bounty hunting myself. So believe me when I say: bug bounties don't work that way.
But the incident also illustrates why even legitimate bug bounties are controversial among cybersecurity experts. They have a place in a comprehensive security approach, but when used alone they can only create the illusion of security. Worse, they can breed perverse incentives and bad blood, increasing rather than mitigating risk, especially for cryptocurrency and blockchain projects.
Many other cryptocurrency attackers, such as those behind the Poly Network attack and the Euler Finance attack, have returned funds after taking them. This is a phenomenon unique to cryptocurrency, and some refer to it as a “retroactive bug bounty.” The vague idea is that the attacker discovered a vulnerability in a system, and the money they keep is some kind of just reward for the discovery. But in reality, these incidents resemble hostage negotiations, with victims hoping to placate or pressure their attackers into returning the money.
I don't approve of hackers taking finances hostage, but as a former bug bounty hunter myself, I can't deny a certain poetic justice to it. I have warned companies with bounty programs many times that they have serious or critical vulnerabilities, only to have the risks dismissed or ignored for months or even years. A young or naive security researcher in that situation could simply draw on his or her knowledge and try to play Breaking Bad, going from “white hat” sheriff to “black hat” bank robber. I completely understand the frustration they may feel.
The central issue is that projects offering bounties have many incentives to pay out as rarely and as cheaply as possible. There are the obvious financial costs, but it's amazing how often teams deny the seriousness of reported bugs and expose their users to continued risk just to protect their own reputations. This denial can take many forms, including declaring the bug “ineligible” for the posted bounty. In some cases, poorly advised developers will even threaten legal action against researchers who properly approach them with serious bugs.
It can be extremely frustrating for researchers to spend endless hours chasing “bug bounties” only to have their findings rejected or ignored. At that point, committing a destructive act such as stealing a large sum of money may seem like a reasonable way to get results. This is the twisted logic behind Avi Eisenberg's attempt to characterize his theft as a “bug bounty.” A $47 million loss is a pretty big nudge to fix the vulnerability.
The complaints of some bounty hunters are inseparable from another drawback of bug bounty programs: they usually invite tons of useless submissions. For every genuine bug reported, a project can receive dozens or even hundreds of reports that amount to nothing. Teams can honestly overlook high-quality submissions while sifting through all that garbage. More generally, searching for needles in the bug bounty haystack can consume significant staff time and energy, offsetting any cost savings that bounty programs appear to provide.
Bug bounties also pose unique risks for blockchain projects in several ways. Unlike, say, an iPhone app, blockchain-based tools are difficult to fully test before they are actually deployed. In mainstream software projects, bug hunters often attempt to break pre-production versions of the software, but in cryptocurrency, vulnerabilities can emerge from the system's interaction with other on-chain products.
Eisenberg's Mango hack, for example, relied on price oracles, which would have been difficult or impossible to simulate in a test environment. This can result in bounty hunters attacking the same live systems that real users have money in, putting that real money at risk.
I'm also concerned by the fact that so many blockchain bounty programs allow anonymous submissions, which is extremely rare in mainstream cybersecurity. Rewards may also be paid out without verifying the recipient's identity. In other words, you have no idea who you are paying the bounty to.
This creates a very creepy temptation. A programmer on a project could leave a bug unfixed or introduce a major one, and then have an anonymous friend “spot” and “report” it. The insider and the bug hunter could split the bounty and cost the project millions without anyone being the wiser.
Despite all this, bug bounties still have a role to play in blockchain security. The basic idea of offering rewards and attracting highly diverse talent to try to break the system remains sound. However, we often see blockchain projects relying heavily or exclusively on a combination of bounty programs and internal security oversight. And that's a recipe for disaster.
After all, there's a reason why movie bounty hunters are often morally ambiguous “gray hats.” Think Boba Fett, Clint Eastwood's The Man with No Name, or Dr. King Schultz from Django Unchained. They're mercenaries, there for a one-time reward, and notoriously uninterested in the bigger picture of the problem they're solving. At the far end of the spectrum are the Avi Eisenbergs, who are keen to take cover under the “bug bounty” label even though they are actual villains.
That's why the old bounty hunters ended up reporting to the sheriff. Sheriffs have a long-term obligation to the people they protect, making sure everyone follows the rules. In cybersecurity terms, the role of sheriff is played by professional code reviewers, people who have public reputations to protect and who get paid to uncover everything. Reviews by external firms also defuse the defensive impulse of in-house developers, who may reject real bugs to protect their own reputations. And blockchain security experts can often anticipate the kinds of financial interactions that decimated Mango Markets before any real money is at risk.
Let's be clear: the vast majority of bug bounty hunters are genuinely trying to do the right thing. But they have little power within the rules of that system, so it's no surprise that some of them end up exploiting their findings. We can't normalize exploiters like Avi Eisenberg by giving them a stamp of approval in the form of a bounty. And a project that really cares about user safety shouldn't leave it in the hands of the crowd.