$1.5B crypto hack losses expose bug bounty flaws


As cryptocurrency losses from security breaches surge past $1.5 billion, cybersecurity experts are urging exchanges to improve their bug bounty programs to attract top ethical hackers and strengthen platform security.

On March 3, blockchain security firm CertiK said that crypto lost to hacks in February had reached $1.53 billion, with the Bybit hack accounting for the bulk of the losses at more than $1.4 billion. Excluding that incident, CertiK reported that other exploits had resulted in $126 million in losses, including a $49 million Infini hack.

Ethical hacker Marwan Hachem told Cointelegraph that the surge in crypto hack losses highlighted a growing need for better bug bounty programs.

Hachem said that to prevent such exploits, exchanges must offer higher and more appealing bug bounty rewards to white hat hackers.

An “out of scope” bug led to a $1.4 billion hack

Hachem, chief operating officer at cybersecurity firm FearsOff, said crypto exchanges must offer ethical hackers higher rewards to prevent similar exploits.

According to the security professional, the bug bounty program of Safe, Bybit’s multisignature wallet provider, considered bugs in the front end and back end out of scope, meaning those who identified such security issues were not eligible for rewards.

The security professional said the Bybit hack happened because of a bug that was not within the scope rewarded by the bounty program. “What they considered out of scope led to the biggest crypto hack in history,” Hachem told Cointelegraph. He added:

“We often breach platforms through bugs found in out-of-scope assets. Ethical hackers wouldn’t get rewarded for such findings, but criminals exploited them and stole $1.5 billion from Bybit.”

Bybit’s official bug bounty offers a maximum of $4,000 on its website and up to $10,000 on HackerOne, amounts that pale in comparison to the potential rewards available to malicious hackers.

Hachem said it is better to pre-emptively give white hat hackers bigger rewards than to wait for a major hack to happen and then offer 10% of the stolen funds as a white hat reward. The executive said the latter only “emboldens bad actors.”

“Motivating top ethical hackers to dedicate their time and attention to testing an exchange by offering higher rewards will greatly improve its security, will be a lot cheaper, and will safeguard its reputation,” Hachem told Cointelegraph.


Adopting stricter security measures

Alongside better bug bounty programs, a CertiK spokesperson told Cointelegraph that preventing future exploits like the Bybit hack requires adopting stricter security measures.

The spokesperson said that air-gapped signing devices, non-persistent OS environments for transaction approvals and enhanced authentication layers for high-value transactions should become industry standards.

“Regular red-team exercises and phishing simulations can also help mitigate social engineering risks,” the spokesperson said.

CertiK’s report found that Bybit’s exploit resulted from a phishing attack that tricked multisignature signers into approving a malicious contract upgrade. The Infini hack, meanwhile, stemmed from a leaked admin private key, which allowed unauthorized withdrawals.

CertiK said both incidents underscored the risks of blind signing and inadequate transaction verification. “These cases stress the need for stronger authentication, real-time transaction monitoring, and more resilient UI security to prevent manipulation,” CertiK added.
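The blind-signing risk CertiK describes has a concrete countermeasure a multisig signer can apply without trusting the web interface: recompute the Safe transaction hash from the parameters you actually intend to approve, compare it with the hash the signing device displays, and refuse on any mismatch or on policy red flags such as a delegatecall. The script below is an added example written for this article; it is not code from Safe, Bybit or CertiK. It assumes the EIP-712 type strings of Safe contracts v1.3.0 (verify them against the deployed contract version), all addresses and calldata are constructed, and Keccak-256 is implemented inline so it runs with the Python standard library only.

```python
"""Independent pre-signing check for a Safe multisig transaction (added example, not Safe's code).
Recomputes the EIP-712 safeTxHash offline and runs policy checks so a signer does not rely on
what a web UI displays. Type strings follow Safe v1.3.0 (assumption: check the deployed version)."""
from __future__ import annotations
from dataclasses import dataclass

# Keccak-256 (not SHA3-256: 0x01 padding), inline so the script needs no third-party package.
_RC = [0x1, 0x8082, 0x800000000000808A, 0x8000000080008000, 0x808B, 0x80000001, 0x8000000080008081,
       0x8000000000008009, 0x8A, 0x88, 0x80008009, 0x8000000A, 0x8000808B, 0x800000000000008B,
       0x8000000000008089, 0x8000000000008003, 0x8000000000008002, 0x8000000000000080, 0x800A,
       0x800000008000000A, 0x8000000080008081, 0x8000000000008080, 0x80000001, 0x8000000080008008]
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61], [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]
_M = (1 << 64) - 1
_rol = lambda v, n: ((v << n) | (v >> (64 - n))) & _M

def _keccak_f(A):
    for rc in _RC:                                     # theta, rho+pi, chi, iota per round
        C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]
        D = [C[(x - 1) % 5] ^ _rol(C[(x + 1) % 5], 1) for x in range(5)]
        A = [[A[x][y] ^ D[x] for y in range(5)] for x in range(5)]
        B = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                B[y][(2 * x + 3 * y) % 5] = _rol(A[x][y], _ROT[x][y])
        A = [[B[x][y] ^ (~B[(x + 1) % 5][y] & B[(x + 2) % 5][y]) for y in range(5)] for x in range(5)]
        A[0][0] ^= rc
    return A

def keccak256(data: bytes) -> bytes:
    rate = 136
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    A = [[0] * 5 for _ in range(5)]
    for off in range(0, len(buf), rate):               # absorb 136-byte blocks; lane i sits at (x=i%5, y=i//5)
        for i in range(17):
            A[i % 5][i // 5] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        A = _keccak_f(A)
    return b"".join(A[i][0].to_bytes(8, "little") for i in range(4))

# EIP-712 pieces in the form Safe's execTransaction derives them
DOMAIN_TYPEHASH = keccak256(b"EIP712Domain(uint256 chainId,address verifyingContract)")
SAFE_TX_TYPEHASH = keccak256(b"SafeTx(address to,uint256 value,bytes data,uint8 operation,uint256 safeTxGas,"
                             b"uint256 baseGas,uint256 gasPrice,address gasToken,address refundReceiver,uint256 nonce)")
ZERO = "0x" + "00" * 20

def _word(v) -> bytes:
    """One 32-byte ABI word: ints big-endian, 0x-addresses left-padded, 32-byte hashes as-is."""
    if isinstance(v, str):
        v = bytes.fromhex(v[2:])
    return v.rjust(32, b"\x00") if isinstance(v, bytes) else int(v).to_bytes(32, "big")

@dataclass
class SafeTx:
    to: str
    value: int
    data: bytes
    operation: int              # 0 = CALL, 1 = DELEGATECALL
    safe_tx_gas: int = 0
    base_gas: int = 0
    gas_price: int = 0
    gas_token: str = ZERO
    refund_receiver: str = ZERO
    nonce: int = 0

def safe_tx_hash(chain_id: int, safe: str, tx: SafeTx) -> str:
    domain = keccak256(DOMAIN_TYPEHASH + _word(chain_id) + _word(safe))
    fields = [tx.to, tx.value, keccak256(tx.data), tx.operation, tx.safe_tx_gas, tx.base_gas,
              tx.gas_price, tx.gas_token, tx.refund_receiver, tx.nonce]
    struct = keccak256(SAFE_TX_TYPEHASH + b"".join(_word(f) for f in fields))
    return "0x" + keccak256(b"\x19\x01" + domain + struct).hex()

def verify_before_signing(chain_id: int, safe: str, tx: SafeTx, hash_on_device: str,
                          allowed_targets: set[str]) -> tuple[bool, list[str]]:
    """Sign only if the device shows the hash of what the signer meant and no policy check fires.
    None of these checks depend on a web UI having told the truth."""
    findings = []
    expected = safe_tx_hash(chain_id, safe, tx)
    if hash_on_device.lower() != expected.lower():
        findings.append(f"hash mismatch: device shows {hash_on_device}, recomputed {expected}")
    if tx.operation != 0:
        findings.append("operation=1 (DELEGATECALL): target code runs against the Safe's own storage")
    if tx.to.lower() == safe.lower():
        findings.append("target is the Safe itself: owner, threshold and module changes look like this")
    if tx.to.lower() not in {a.lower() for a in allowed_targets}:
        findings.append(f"target {tx.to} is not on the allow-list")
    return (not findings, findings)

if __name__ == "__main__":
    # Constructed addresses and values; nothing here is taken from a real incident.
    SAFE, TOKEN, UNKNOWN = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
    intended = SafeTx(to=TOKEN, value=0, operation=0,                   # ERC-20 transfer(to, 1e18)
                      data=bytes.fromhex("a9059cbb") + _word("0x" + "44" * 20) + _word(10**18))
    served = SafeTx(to=UNKNOWN, value=0, operation=1, data=b"")        # what a tampered UI could submit
    ok, why = verify_before_signing(1, SAFE, intended, safe_tx_hash(1, SAFE, served), {TOKEN})
    print("SIGN" if ok else "REFUSE", *why, sep="\n  ")               # mismatch: device hash is not ours
    ok, why = verify_before_signing(1, SAFE, served, safe_tx_hash(1, SAFE, served), {TOKEN})
    print("SIGN" if ok else "REFUSE", *why, sep="\n  ")               # hash matches, policy still refuses
```

The two runs in the `__main__` block show the two failure modes separately: in the first, the signer meant a token transfer but the device displays the hash of something else, so the hash comparison alone catches the swap; in the second, the signer is shown a hash that really does correspond to the served transaction, and only the policy checks (delegatecall, unknown target) stop the approval. Both checks are needed, and both must run on a machine that did not get its inputs from the same web page that may have been manipulated.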
