Hey OP here, thanks for posting. Happy to answer any questions.
I was impressed by the fast payouts. I almost couldn't believe how easy the second one was going to be, but it turned out a bit trickier than I thought. No wonder it flew under the radar.
For whom it seems surprising, that's actually rather small, considering hacks can end up in an irreversible $100M+ transfer to the malicious party.
You can check Immunefi's Bounty-Board for reference, currently paying up to $15M per find.
Another good source is rekt.news, creating post-mortems about all the DEFI-hacks and an own leaderboard, $624M for #1.
Cool writeup! This has got to be one of the biggest security bounties ever paid out, right?
See. These crypto bounties pay as much or even more than big tech bug bounties.
This bounty prize is the equivalent of finding a Chrome zero day bug or an iPhone zero day RCE jailbreak. There are lots of >$1M bug bounties in crypto.
The question is, would you rather target Chrome/Safari or iPhones and find and chain-up 5 - 10 zero days for $1M+ or target crypto projects instead for $2M per project?
You're really missing out.
Pardon my crypto ignorance, but if someone took over the entire SEI platform, wouldn't the value of SEI coin drop to zero?
Honest question: Was the $2M figure advertised in advance? Where does one go about discovering bug bounties of this size?
It seems like it might be worth the gamble of taking 3-6 months off work to discover a bug of that size.
Did they get paid 2M in USD, or did they get paid 2M in magic-bean tokens, where is so little market depth that selling 30k of it would tank the market, so they will have to bleed it out slowly and hope the price doesn't tank before they exit
"
Cosmos uses go panics for error handling. Transaction runs
out of gas? panic. Try to spend more coins than you have?
panic. Invalid inputs? panic.
...
For safety, later on the panic was removed entirely.
"
I worked nearly 10 years in tech and this is all gobbledygook to me. That's scary.
[dead]
[dead]
[dead]
[dead]
[dead]
[dead]
[dead]
[dead]
[dead]
[dead]
[dead]
[flagged]
[flagged]
[flagged]
[flagged]
[flagged]
The bounties in crypto are so big because the math is so clear on the cost vs benefits of the bounties. Paying two million to avoid losing a billion is not a bad deal. And there just aren't enough security people yet that market forces have commoditized bounty finding.
Good companies use bounties as yet another security layer - after doing everything else, add a bug bounty!
Almost all crypto bug bounties run through Immunefi. [1] There are lots of > one million dollar bounties. You can see SEI's current bounty page here.[2] The company I work (a different company) for has a one million dollar bounty listed on immunefi.com and median response time of six hours.
[1] https://immunefi.com/bug-bounty/
[2] https://immunefi.com/bug-bounty/sei/