
CertiK Accused Of Front-Running Bug Bounties Through Subsidiary

Security researchers have flagged OpenBounty, a platform affiliated with CertiK, for allegedly front-running bug bounty reports.

CertiK, the smart contract auditor, is at the center of renewed controversy for allegedly seeking to front-run bug bounty reports.

On June 25, Pop Punk, co-founder of the gas efficiency auditor Gaslite, accused OpenBounty, a bug bounty platform incubated by Shentu (the rebranded CertiK Chain), of front-running bug bounty reports and of violating the terms of service that protocols attach to their bug bounty programs.

OpenBounty ostensibly provides a platform for aggregating bug bounties and facilitating the reporting of web3 code vulnerabilities. However, critics believe the platform principally serves as a vehicle for front-running bounty reports: intercepting a researcher's submission and passing it to the protocol itself in order to claim any reward on offer.

“OpenBounty… appears to front-run bug bounty reports,” Pop Punk said. “This is a direct violation of many large protocols’ bug bounty terms… The more suspicious thing is that their website makes requests to a domain with CertiK in the name when you report a bounty.”

Suspicions regarding OpenBounty were first raised by h0wlu, a security researcher.

“I created a test account on their platform to check it out, thinking maybe it’s just an aggregator, but no,” h0wlu said. “They have submission forms for all these programs and the findings are sent to their API servers.”

h0wlu found that OpenBounty’s APIs are hosted on the “bounty-prod.noopsbycertik.com” subdomain, further suggesting CertiK is associated with the platform. They also noted that Uniswap’s bug bounty policy states that reports must be made directly, and not via a third party.

“If you find a bug, report it to the protocol directly. Not some shady website associated with CertiK,” added Pop Punk. “Who [knows] if they’re going to.”

All eyes on CertiK

The OpenBounty allegations are swirling after CertiK came under fire for exploiting a vulnerability it identified on the Kraken centralized exchange to siphon $3 million from the platform last week.

Kraken accused CertiK’s researchers of holding the funds “hostage” in a bid to negotiate a bug bounty. “This is not whitehat hacking,” said Nick Percoco, chief security officer at Kraken. “This is extortion.”

Security researchers have also spoken out against CertiK in response to the controversy, accusing the firm of carrying out lazy security audits.

CertiK claimed it was merely carrying out “research” into the extent of the exploit before reporting it, and returned the funds after facing backlash.
