Professional hacking group detected 43 vulnerabilities in crypto platforms
How can you economically determine if your crypto platform’s blockchain coding could be vulnerable to a major hacking compromise? The easiest way, it seems from a recent report, is to offer “bounties” to a group of professional hackers to scour the open-source code in the crypto universe for susceptible targets of entry, i.e., vulnerabilities. Various crypto development teams handed out $23,675, a meager sum, to a team of “White Hat Hackers” for hire, who detected 43 coding errors over a month ending on March 13.
The exact details of the so-called vulnerabilities were not disclosed to the general public, but several applied to leaders in the crypto arena. The general consensus was that the problems detected were not significant in that they could be corrected easily before any real harm could be done.
EOS, one of the world’s largest platforms for creating decentralized applications (dApps), did announce that five problem areas had been discovered, four having to do with what it called “a buffer overflow problem.” The related code could have provided a window for hackers to inject malicious code, but the EOS team also noted that the “bugs” had already been addressed.
The work was performed over the period from February 13 through March 13 by a White Hat hacker team, and results were reported to Hacker One, a vulnerability disclosure platform. Since the rewards were rather smallish, analysts have presumed that “from the low compensation amount that was handed out, it can be ascertained that the bugs weren’t serious”, but, in a few instances, the hacker group did suggest that some of the 43 “bugs” detected were of a critical nature.
Several of the detected problem areas were “reportedly found in some of the world’s largest cryptocurrency networks including Brave, Coinbase, EOS, Monero (XMR), and Tezos”, while many of the vulnerabilities resided on platforms of lesser known, specialty networks that cater to niche markets.
Here is a brief rundown of the reported results:
•) Unikrn, an e-sport gambling platform, led the list with 12 bugs detected in its code;
•) Omise, the developer of the OmiseGo (OMG) platform, whose mission is to “enable financial inclusion and interoperability through the public, decentralized OMG network,” was found to have six software glitches;
•) EOS, as noted above, won the third place medal for having five vulnerabilities;
•) Tendermint, a P2P networking protocol, and blockchain consensus algorithm, received four bug notifications;
•) Augur (REP), a decentralized prediction markets platform, and Tezos, a “self-amending” cryptocurrency and blockchain network for deploying dApps, were next on the hit parade, each having had at least three vulnerabilities to amend in their respective platform coding databases;
•) Monero (XMR), a favored privacy-oriented cryptocurrency platform, ICON (ICX), a platform devoted to blockchain interoperability, and MyEtherWallet, an open-source interface for generating Ethereum wallets, followed with two bugs each;
•) The list concludes with one bug each for Coinbase, the largest U.S. crypto exchange based out of San Francisco, Crypto.com, Electroneum, and Brave Software.
Vulnerability audits such as these should become standard protocol in the crypto industry, which needs to shore up its open-source code to prevent the continuing re-occurrences of network compromises that have plagued the industry from Day One. Reports such as these are for the general good of the industry and should not be used for competitive purposes, as was witnessed recently in the offline wallet sector of the crypto market. Ledger had publicly pointed out vulnerabilities in the Trezor wallet device, which Trezor refuted as non-critical and not capable of being exploited.