Evmos pays $150K bounty for critical bug found in Cosmos documentation
A Web3 security researcher earned a bounty reward of $150,000 by reading Cosmos Network documentation and finding a critical bug that could halt the Evmos blockchain and all decentralized applications (DApps) built on it.
Pseudonymous Spearbit security researcher “jayjonah.eth” received $150,000 for identifying a vulnerability in the Evmos blockchain as part of the Evmos Bug Bounty Program, which has been active since November 2022.
In a blog post published on Oct. 28, he explained coming across the concept of “module accounts” in the Cosmos documentation, which read:
“If these addresses (module accounts) receive funds outside the expected rules of the state machine, invariants are likely to be broken and could result in a halted network.”
Crash-testing Evmos blockchain based on Cosmos documentation
The security researcher tried sending funds to the module account in a test environment to test the theory and reported:
“At this point, no more blocks are being produced and the chain has completely halted. This breaks the Evmos blockchain and all the DApps built on it.”
He said that the Evmos team fixed the bug before the information was made public.
Evmos bug bounty payout system. Source: Evmos
The researcher was awarded the highest tier payout for identifying a critical bug. On an end note, jayjonah.eth urged security researchers to read through project documents, adding that “sometimes the most critical bugs can be extremely simple.”
Source: jayjonah_eth
Related: Tapioca offers $1M to ‘social engineering’ attacker who stole $4.7M
In addition to helping projects alleviate the risk of cyberattacks, bug bounty programs are used as a tool to minimize losses in the event of a hack.
Hacker negotiates bug bounty with Shezmu protocol
In September, leveraging yield protocol, Shezmu recovered nearly $5 million in stolen crypto through negotiations with a hacker after agreeing to a higher bounty demand.
Shezmu had initially offered the hacker a 10% bounty reward via an onchain message and requested the return of 90% of the stolen funds within 24 hours.
Source: Shezmu
The hacker demanded 20% of the stolen funds as a bounty reward, which the protocol agreed to and received the remaining stolen funds.
Magazine: Most DePIN projects barely even use blockchain: True or false?
Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
You may also like
Trump considers Kevin Warsh as Treasury secretary first, then Fed chairman
US Embraces Cryptocurrency to Reinforce Global Leadership in FinTech Innovation
241122: XRP Price Surges 25% as Headwinds for Ripple Clear Even More
XRP is closely-related to Ripple Labs, a high-profile payments company targeted by the SEC since 2020 on allegations of selling the token as a security to U.S. investors. Ripple fully cleared a long-drawn court case in 2024, bringing the spotlight back on XRP, a major token that commands a $77 bill