Wormhole announces $10 million bug bounty payout

Quick Take

  • Wormhole rewarded $10 million to a white hat hacker who reported a bug.
  • The crypto bridge launched a bug bounty program back in February, after a $323 million exploit.

Crypto bridge Wormhole paid out a massive $10 million to a white hat hacker who disclosed a bug in its core bridge contract on Ethereum in February.

That person goes by the pseudonym satya0x, per an announcement from Immunefi, which partnered with Wormhole in hosting its bug bounty platform.

Wormhole announced the program back in February, shortly after losing close to $323 million in ETH to a hacker, in one of the largest exploits of a DeFi protocol to date. Soon after, it restocked its blockchain bridge, also offering the attacker $10 million if the funds were returned.

Wormhole's program offers bounty rewards in tiers according to how serious the threat is. For instance, a "low" level smart contract bug can earn someone up to $2,500, while a "critical" one can lead to a prize of up to $10 million — the exact amount that satya0x was awarded.

"Wormhole is sending a clear message with this payout to the best, most talented whitehats on the planet that if they responsibly disclose security vulnerabilities to Wormhole, they’ll be well taken care of," Immunefi said.

Immunefi said that no user funds were lost before the bug was reported, as Wormhole was able to quickly respond to it, verifying and fixing the issue on the same day (February 24).

In a statement shared by the crypto platform, satya0x said that the challenges of blockchain security are an "existential threat" to its future.

"I am proud to have played a role in mitigating a serious vulnerability and a systemic threat to the ecosystem," satya0x said.

The bug was related to Wormhole's ability to upgrade its smart contracts. Essentially, a flaw in that upgrade mechanism could have allowed an attacker to take control of those contracts. In a blog post, Immunefi provided a detailed breakdown of the issue that led to the security vulnerability and how it was fixed.
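To make concrete why control of a contract's upgrade path amounts to control of the contract itself, the following Solidity sketch is an added example: it is not Wormhole's code and does not reproduce the specific bug Immunefi described. It shows a minimal EIP-1967 style proxy whose `upgradeTo` entry point is restricted to a single authorized address and refuses targets that are not deployed contracts. The `GuardedProxy` name, the `governance` address and the `Upgraded` event are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative upgradeable proxy (added example, not Wormhole's code).
// The proxy owns the storage and forwards every call to the current
// implementation with delegatecall, so whoever can change the stored
// implementation address runs arbitrary code against that storage.
contract GuardedProxy {
    // EIP-1967 implementation slot: keccak256("eip1967.proxy.implementation") - 1
    bytes32 internal constant IMPLEMENTATION_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;

    // Hypothetical governance address that alone may authorize upgrades.
    address public immutable governance;

    event Upgraded(address indexed implementation);

    constructor(address initialImplementation, address governance_) {
        require(governance_ != address(0), "governance unset");
        require(initialImplementation.code.length > 0, "impl not a contract");
        governance = governance_;
        _setImplementation(initialImplementation);
    }

    // Upgrade entry point. Two checks matter: the caller must be the
    // authorized governance address, and the target must be a deployed
    // contract. If the first check were missing, any caller could point
    // the proxy at code of their choosing and take over the contract.
    function upgradeTo(address newImplementation) external {
        require(msg.sender == governance, "not authorized");
        require(newImplementation.code.length > 0, "impl not a contract");
        _setImplementation(newImplementation);
        emit Upgraded(newImplementation);
    }

    function implementation() public view returns (address impl) {
        bytes32 slot = IMPLEMENTATION_SLOT;
        assembly { impl := sload(slot) }
    }

    function _setImplementation(address newImplementation) internal {
        bytes32 slot = IMPLEMENTATION_SLOT;
        assembly { sstore(slot, newImplementation) }
    }

    // Every other call is forwarded to the implementation; its return
    // data or revert reason is passed straight back to the caller.
    fallback() external payable {
        address impl = implementation();
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }

    receive() external payable {}
}
```

When reviewing an upgradeable system, the question this example isolates is whether every path that writes the implementation slot is gated by an authorization check that cannot be satisfied by an unprivileged caller, including paths reached indirectly through delegatecalled code or a re-callable initializer. Emitting an event on each upgrade, as above, also gives monitoring a reliable signal for unexpected implementation changes.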

Satya0x also said: "If we fail to recognize and aggressively reduce systemic risk; if we fail to provide the transparency and tooling needed for users to make informed decisions; if we continue to condemn simple mistakes while praising Total Value Lost as the sole measure of success — we risk enabling the reemergence of the very power structures we seek to destroy."

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.