$1.5B Crypto Hack Losses Expose Bug Bounty Flaws

Crypto losses from security breaches have surged past $1.5 billion, exposing a growing need for better bug bounty programs to strengthen platform security. According to blockchain security firm CertiK, crypto hack losses for February reached a staggering $1.53 billion, with the Bybit hack accounting for the majority of that total at more than $1.4 billion.

Excluding the Bybit incident, CertiK reported that other exploits resulted in $126 million in losses, including a $49 million Infini hack. The surge in crypto hack losses highlights a growing need for better bug bounty programs, according to ethical hacker Marwan Hachem. As chief operating officer at cybersecurity firm FearsOff, Hachem emphasized the importance of offering higher and more appealing bug bounty rewards to white hat hackers.

"What they considered out of scope led to the biggest crypto hack in history," Hachem said, referring to Bybit's multisignature wallet provider. "Bybit’s official bug bounty offers a maximum of $4,000 on its website and up to $10,000 on HackerOne — amounts that pale in comparison to the potential rewards for malicious hackers."

Hachem argued that it is better to pre-emptively give white hat hackers bigger rewards than to wait for a major hack to happen and then offer 10% of the stolen funds as a white hat reward. "Motivating top ethical hackers to dedicate their time and attention to testing an exchange by offering higher rewards will greatly improve its security, will be a lot cheaper, and will safeguard its reputation," he said.

Alongside better bug bounty programs, a CertiK spokesperson emphasized the need for stricter security measures to prevent future exploits like the Bybit hack. "Regular red-team exercises and phishing simulations can also help mitigate social engineering risks," the spokesperson said.

CertiK's report revealed that Bybit's exploit resulted from a phishing attack that tricked multisignature signers into approving a malicious contract upgrade. Meanwhile, the Infini hack stemmed from an admin private key leak, allowing unauthorized withdrawals. The report underscored the risks of blind signing and inadequate transaction verification.
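One concrete form of the transaction verification the report calls for, added here as an illustration and not taken from the article, CertiK or any wallet vendor: a signer-side policy check that reads the raw multisig payload (Safe-style `to`/`value`/`data`/`operation` fields, an assumption) and compares it with what the wallet UI displayed, flagging delegatecalls, unknown targets and unknown function selectors before anything is signed. The addresses and the `ACTUAL` calldata are constructed placeholders.

```python
"""Independent pre-signing verification for a multisig transaction proposal.
Constructed for this example (not from the article or any vendor's code): proposals
carry Safe-style fields `to`, `value`, `data`, `operation` (0 = CALL, 1 = DELEGATECALL);
addresses and the ACTUAL calldata are placeholders; 0xa9059cbb is ERC-20 transfer()."""
from __future__ import annotations
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1

@dataclass(frozen=True)
class SignerPolicy:
    allowed_targets: frozenset[str]    # lowercase addresses routine operations touch
    allowed_selectors: frozenset[str]  # 4-byte function selectors as "0x" hex
    max_value_wei: int

def selector_of(data: str) -> str | None:
    """The first 4 bytes of calldata identify the function being invoked."""
    raw = data.lower().removeprefix("0x")
    return "0x" + raw[:8] if len(raw) >= 8 else None

def verify_proposal(tx: dict, policy: SignerPolicy) -> list[str]:
    """Reasons to refuse signing, judged from the raw payload rather than from the UI.
    An empty list means the payload is consistent with routine policy."""
    reasons = []
    # DELEGATECALL runs target code in the wallet's own storage: an "approval" can swap the implementation.
    if tx.get("operation", CALL) == DELEGATECALL:
        reasons.append("operation is DELEGATECALL")
    if tx["to"].lower() not in policy.allowed_targets:
        reasons.append(f"target {tx['to']} is not an allowlisted contract")
    data = tx.get("data", "0x")
    sel = selector_of(data)
    if sel is None and data not in ("0x", ""):
        reasons.append("calldata too short to identify a function")
    elif sel is not None and sel not in policy.allowed_selectors:
        reasons.append(f"function selector {sel} is not allowlisted")
    if int(tx.get("value", 0)) > policy.max_value_wei:
        reasons.append("value exceeds the per-transaction limit")
    return reasons

def ui_matches_payload(ui_summary: dict, tx: dict) -> bool:
    """Blind-signing check: what the wallet UI displayed must equal, field by field,
    what is in the payload the signing device is actually asked to sign."""
    return all(str(ui_summary.get(f)).lower() == str(tx.get(f)).lower()
               for f in ("to", "value", "operation"))

TOKEN, UNKNOWN = "0x" + "aa" * 20, "0x" + "bb" * 20   # placeholder addresses
POLICY = SignerPolicy(frozenset({TOKEN}), frozenset({"0xa9059cbb"}), 10**18)
ROUTINE = {"to": TOKEN, "value": 0, "operation": CALL, "data": "0xa9059cbb" + "00" * 64}
DISPLAYED = {"to": TOKEN, "value": 0, "operation": CALL}   # what a manipulated UI showed
ACTUAL = {"to": UNKNOWN, "value": 0, "operation": DELEGATECALL, "data": "0xdeadbeef"}
```

Run against the constructed payloads, `ROUTINE` passes both checks while `ACTUAL` is refused for three independent reasons and fails the UI comparison; the check belongs on a device the signer controls, not in the same browser session that rendered the proposal.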

"These cases emphasize the need for stronger authentication, real-time transaction monitoring, and more resilient UI security to prevent manipulation," CertiK added. With crypto losses already past $1.5 billion this year, it is clear that bug bounty flaws are a major concern for the industry. Will exchanges take action to improve their security measures and attract top ethical hackers?