Wormhole Announces $10M Bug Bounty Payout
According to Immunefi, which collaborated with Wormhole to host its bug bounty site, that person goes by the moniker satya0x.
Wormhole revealed the scheme in February, just days after losing over $323 million in ETH to a hacker in one of the largest DeFi protocol attacks to date. It quickly refilled its blockchain bridge and offered the attacker $10 million in exchange for the funds.
Wormhole's program offers bounty rewards in tiers according to how serious the threat is. For instance, a "low" level smart contract bug can earn someone up to $2,500, while a "critical" one can lead to a prize of up to $10 million — the exact amount that satya0x was awarded.
"Wormhole is sending a clear message with this payout to the best, most talented whitehats on the planet that if they responsibly disclose security vulnerabilities to Wormhole, they’ll be well taken care of," Immunefi said.
According to Immunefi, no user funds were lost before the fault was discovered since Wormhole was able to respond swiftly, verifying and addressing the problem the same day (February 24).
Satya0x stated in a statement posted by the crypto platform that the issues of blockchain security constitute an "existential danger" to the network's future.
"I am proud to have played a role in mitigating a serious vulnerability and a systemic threat to the ecosystem," satya0x said.
Wormhole's ability to upgrade smart contracts was the source of the problem. In other words, a hacker may potentially seize control of such contracts. Immunefi described the issue that lead to the security vulnerability as well as how it was remedied in a blog post.
Satya0x also said:
"If we fail to recognize and aggressively reduce systemic risk; if we fail to provide the transparency and tooling needed for users to make informed decisions; if we continue to condemn simple mistakes while praising Total Value Lost as the sole measure of success — we risk enabling the reemergence of the very power structures we seek to destroy."