Thirteen cryptocurrency and blockchain-related firms have received 43 different vulnerability reports in the past month - according to an investigation carried out by security researchers.
Between February 13th and March 13th, over 40 software bugs were detected and reported to Hacker One, a vulnerability disclosure platform. Various types of vulnerabilities were reportedly found in some of the world’s largest cryptocurrency networks including Brave, Coinbase, EOS, Monero (XMR), and Tezos.
White Hat Hackers Found Several Vulnerabilities In OmiseGo, Unikrn
Unikrn, an Esports gambling platform that has issued its own cryptocurrency called Unikoin Gold, had the greatest number of vulnerabilities out of all blockchain companies. There were reportedly 12 different software bugs discovered in Unikrn’s source code. Meanwhile, the OmiseGo (OMG) platform, which aims to “enable financial inclusion and interoperability through the public, decentralized OMG network,” had at least six software glitches (as reported by the White hat hackers team).
EOS, one of the world’s largest platforms for creating decentralized applications (dApps), had five different vulnerabilities which were detected by hackers in the past 30 days. On March 12th, Chinese cybersecurity firm, SlowMist discovered a “false top-up” vulnerability which could potentially be exploited by attackers as they “can successfully deposit EOS to these platforms without transferring any EOS.” As noted by SlowMist’s researchers, crypto exchanges and wallets that support EOS could be affected by the false top-up bug.
Vulnerabilities Detected In Tezos, Monero, ICON, MyEtherWallet
The White hat hackers team also found four software bugs in Tendermint, a peer-to-peer (P2P) networking protocol and blockchain consensus algorithm. Decentralized prediction markets platform, Augur (REP) and Tezos, a “self-amending” cryptocurrency and blockchain network for deploying dApps, had at least three vulnerabilities in their respective codebases.
Monero (XMR), a leading privacy-oriented cryptocurrency platform, ICON (ICX), a platform that helps facilitate blockchain interoperability, and MyEtherWallet had two vulnerabilities (each) - which the White hat hacker team reported (between February 13th and March 13th).
San Francisco-based crypto exchange, Coinbase, Crypto.com, Electroneum, and Brave’s software all had various software bugs which could potentially be critical, the White hat hacker team noted.
$23,675 Handed Out As Compensation For Locating Software Bugs
Notably, some of the software vulnerabilities which were detected may not be directly related to problems with the actual blockchain and cryptocurrency platforms. For instance, the Brave browser software is not completely decentralized and certain vulnerabilities may be present in the platform’s supporting wallets or other third-party apps which were not created by the developers of Brave.
In total, security researchers only received $23,675 for finding the software vulnerabilities in these leading crypto and blockchain networks.
The developers of Tendermint’s software (which is reportedly used by Binance’s newly launched decentralized exchange) paid a total of $8,500 to security professionals that discovered the vulnerabilities in their platform’s codebase.
Only $1,375 In Bounties Awarded By Unikrn
EOS’ development team paid $5,500 (in total) to developers who found bugs in the cryptocurrency network’s software. Meanwhile, the Unikrn team only gave out $1,375 to researchers for finding vulnerabilities in their platform’s codebase.
Notably, most of the vulnerability reports are kept confidential as they are not made public. However, the relatively low bounties handed out suggest that the security flaws may not have been critical.
Cayman Islands-registered Block.one, the initial developer of EOS, revealed that four (out of five) software bugs that were found in code associated with EOS was due to a buffer overflow problem. This vulnerability could potentially allow attackers to inject malicious scripts into EOS-related source code. According to Block.one, these issues have now been addressed.