Over $200 million worth of users’ funds could have been at risk if the whitehat chose to exploit the vulnerability for personal gain instead of reporting it to developers.
On Tuesday, Ethereum (ETH) bridging and scaling solution Aurora announced it had paid out a $6 million bounty to ethical security hacker pwning.eth, who discovered a critical vulnerability in the Aurora Engine. The exploit allegedly placed over $200 million worth of capital at risk. The sum was paid in collaboration with Immunefi, a leading platform for Web 3.0 bug bounties, with $145+ million bounties available and $45+ million bounties paid out.
On April 26, Immunefi received a report from pwning.eth about a critical flaw in the Aurora Engine that would have enabled the infinite minting of ETH in the Aurora Ethereum Virtual Machine as to drain and siphon the corresponding nested ETH (nETH) pool on NEAR. At the time of discovery, the pool contained more than 70,000 ETH worth at least $200 million.
Mitchell Amador, founder and CEO at Immunefi, said: “Hats off to Aurora and pwning.eth for the flawless overall processing of the report. The bug was quickly patched, with no user funds lost.” Aurora had launched a bug bounty program with Immunefi just one week before discovering the security vulnerability. Meanwhile, Frank Braun, head of security at Aurora Labs, commented: “We look at the bug bounty program as the last step in a layered defense approach and will use this bug as a learning opportunity to improve earlier steps, like internal reviews and external audits.
Though arguably innovative, cross-chain communication protocols have been a prime target of hackers as of late. In February, one of the largest decentralized finance hacks occurred when the Wormhole token bridge was drained of over $321 million in digital assets after hackers exploited an infinite minting glitch between its wrapped ETH and ETH pool.