As a seasoned Web3 security researcher, I can’t help but feel a sense of pride and satisfaction when I read about stories like this one. The world of blockchain and decentralized applications is still relatively new, and every day presents us with fresh challenges and opportunities to make a real impact.
A cybersecurity expert specializing in Web3 was awarded $150,000 by the Cosmos Network for locating a severe flaw within the Evmos blockchain system. This vulnerability had the potential to disrupt not only the main chain but also all of its associated decentralized applications.
On October 29, a security researcher using the handle jayjonah.eth from Spearbit published a post linking to a blog entry he authored that details the discovery of a vulnerability in the Evmos (EVMOS) blockchain network, one that could have significantly impacted its functioning.
His diligence was recognized by the Cosmos Network as he received a $150,000 reward for uncovering the vulnerability. He found the flaw during his involvement in the Evmos Bug Bounty Program on the Immunefi platform, an initiative that has been operational since last November.
A “crypto bug bounty” program gives rewards to coders and investigators for discovering weaknesses and potential threats hidden within a digital system or cryptocurrency platform.
Unearthed a significant vulnerability worth $150,000 at EvmosOrg, merely by delving into their documentation! Take a look at my newest analysis to find out how focusing on the fundamentals uncovered a critical flaw. Here’s the link below: SpearbitDAO
— jayjonah.eth (@jayjonah_eth) October 28, 2024
While perusing the Cosmos documentation, I stumbled upon the notion of “module accounts.” This discovery marked the initial phase of my quest to unearth potential issues, as the documentation serves as the bedrock for grasping the intricacies of a blockchain system.
He found a section of the documentation that read as follows:
Generally speaking, such addresses function as module accounts. When they receive funds in a manner that violates the established guidelines of the system (state machine), it’s possible for fundamental rules (invariants) to be breached, potentially causing the entire network to malfunction or stop functioning. (Evmos)
According to jayjonah.eth, this statement implies that transferring funds to module accounts could bring the blockchain down. To verify the claim, he performed an experiment by sending funds to the specified module accounts.
He reported that no new blocks were being created and that the chain had come to a complete stop, which would take down the Evmos blockchain and every decentralized application (DApp) built on it.
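To make the documentation's warning concrete, here is an added, self-contained model of the failure mode and its mitigation; it is not Cosmos SDK or Evmos code, and the `escrow` module account, the `alice` balance and the tracked-amount invariant are constructed assumptions. An unguarded transfer into the module account leaves its bank balance out of step with what the module tracks, which is the kind of broken invariant that halts a Cosmos chain; adding the module account to the bank's blocked-address set rejects the transfer before any state changes.

```go
package main

import "errors"

// Added illustrative model, not Cosmos SDK or Evmos code; names are hypothetical.
// A module account's bank balance must match what its module tracks; a plain
// transfer into it breaks that invariant unless the bank refuses the recipient.

// ModuleAccount is an address owned by a module (e.g. an escrow module).
type ModuleAccount struct {
	Name    string
	Tracked uint64 // what the module believes the account holds
}

// Bank is a minimal bank module: balances plus a blocked-address set.
type Bank struct {
	Balances map[string]uint64
	Blocked  map[string]bool
}

var ErrBlocked = errors.New("unauthorized: recipient may not receive funds")
// NewBank seeds balances; blockModule adds the module account to Blocked.
func NewBank(m ModuleAccount, blockModule bool) *Bank {
	b := &Bank{
		Balances: map[string]uint64{"alice": 100, m.Name: m.Tracked},
		Blocked:  map[string]bool{},
	}
	if blockModule {
		b.Blocked[m.Name] = true
	}
	return b
}

// Send moves coins, rejecting blocked recipients before touching state.
func (b *Bank) Send(from, to string, amt uint64) error {
	if b.Blocked[to] {
		return ErrBlocked
	}
	if b.Balances[from] < amt {
		return errors.New("insufficient funds")
	}
	b.Balances[from] -= amt
	b.Balances[to] += amt
	return nil
}

// InvariantHolds is the per-block crisis-module check; false halts the chain.
func InvariantHolds(b *Bank, m ModuleAccount) bool {
	return b.Balances[m.Name] == m.Tracked
}
```

Running `NewBank(m, false)` followed by `Send("alice", "escrow", 10)` leaves `InvariantHolds` false, while `NewBank(m, true)` makes the same send return `ErrBlocked` with the invariant intact.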
He reported his findings to the Evmos team, receiving $150,000, the highest prize awarded for a “critical” level bug. The researcher emphasized that the bug was a “low-hanging fruit” — simple yet easy to overlook.
Exploring this bug has taught me some crucial lessons as a security researcher. Firstly, it underscores the importance of meticulously reviewing the project’s documentation before delving into an investigation.
-jayjonah.eth.
Other projects have also turned to bug bounties to uncover hidden risks in their systems. For instance, last August saw the launch of a bug bounty program by Layer3, a project centered on a decentralized attention layer, in collaboration with HackenProof. That program offers rewards of up to half a million dollars.
In July, Immunefi partnered up with the Ethereum Foundation to kick off “Attackathon,” a competition aimed at testing and improving the security of the Ethereum network through audits.
2024-10-29 17:16