$1.5B crypto hack losses expose bug bounty flaws
As cryptocurrency losses from security breaches surge past $1.5 billion, cybersecurity experts are urging exchanges to improve bug bounty programs to attract top ethical hackers and strengthen platform security.
On March 3, blockchain security firm CertiK said that crypto lost from hacks in February had reached $1.53 billion, with the Bybit hack accounting for the majority of losses at more than $1.4 billion. Excluding the incident, CertiK reported that other exploits had resulted in $126 million in losses, including a $49 million Infini hack.
Ethical hacker Marwan Hachem told Cointelegraph that the surge in crypto hack losses highlighted a growing need for better bug bounty programs.
Hachem said that to prevent such exploits, exchanges must offer higher and more appealing bug bounty rewards to white hat hackers.
An “out of scope” bug led to a $1.4 billion hack
Hachem, chief operating officer at cybersecurity firm FearsOff, said crypto exchanges must offer higher rewards to ethical hackers to prevent similar exploits.
According to the security professional, the bug bounty program of Safe, Bybit’s multisignature wallet provider, considered bugs related to the front and back-end out of scope, meaning those who identified these security issues were not eligible for rewards.
The security professional said the Bybit hack happened because of a bug that was not in the scope rewarded by the bounty program. “What they considered out of scope led to the biggest crypto hack in history,” Hachem told Cointelegraph. He added:
“We often breach platforms through bugs found in out-of-scope assets. Ethical hackers wouldn’t get rewarded for such findings, but criminals exploited them and stole $1.5 billion from Bybit.”
Bybit’s official bug bounty offers a maximum of $4,000 on its website and up to $10,000 on HackerOne — amounts that pale in comparison to the potential rewards for malicious hackers.
Hachem said it’s better to pre-emptively give white hat hackers bigger rewards instead of waiting for a major hack to happen and offer 10% of the stolen funds as a white hat reward. The executive said this only “emboldens bad actors.”
“Motivating top ethical hackers to dedicate their time and attention to testing an exchange by offering higher rewards will greatly improve its security, will be a lot cheaper, and will safeguard its reputation,” Hachem told Cointelegraph.
Related: Bybit hackers resume laundering activities, moving another 62,200 ETH
Adopting stricter security measures
Alongside better bug bounty programs, a CertiK spokesperson told Cointelegraph that preventing future exploits like the Bybit hack requires adopting stricter security measures.
A CertiK spokesperson told Cointelegraph that air-gapped signing devices, non-persistent OS environments for transaction approvals and enhanced authentication layers for high-value transactions should become industry standards.
“Regular red-team exercises and phishing simulations can also help mitigate social engineering risks,” the spokesperson said.
CertiK’s report revealed that Bybit’s exploit resulted from a phishing attack that tricked multisignature signers into approving a malicious contract upgrade. Meanwhile, the Infini hack stemmed from an admin private key leak, allowing unauthorized withdrawals.
CertiK said both incidents underscored the risks of blind signing and inadequate transaction verification. “These cases emphasize the need for stronger authentication, real-time transaction monitoring, and more resilient UI security to prevent manipulation,” CertiK added.
Magazine: Elon Musk’s plan to run government on blockchain faces uphill battle
Bitcoin 
Ethereum 
XRP 
Tether 
BNB 
Solana 
USDC 
Dogecoin 
Cardano 
Lido Staked Ether 
TRON 
Wrapped Bitcoin 
Chainlink 
Wrapped stETH 
Stellar 
Avalanche 
Sui 
UGOLD Inc. 
Litecoin 
Toncoin 
Shiba Inu 
Hedera 
LEO Token 
Hyperliquid 
USDS 
WETH 
Polkadot 
MANTRA 
Bitcoin Cash 
Ethena USDe 
Bitget Token 
Uniswap 
Wrapped eETH 
Murasaki 
Monero 
Pepe 
NEAR Protocol 
Ondo 
WhiteBIT Coin 
Aave 
Official Trump 
Dai 
Mantle 
Aptos 
Internet Computer 
sUSDS 
OKB 
Ethereum Classic 
Bittensor 
Gate 
Kaspa 
POL (ex-MATIC) 
VeChain 
Tokenize Xchange 
Coinbase Wrapped BTC 
Cronos 
Algorand 
Render 
Jupiter 
Filecoin 
First Digital USD 
Cosmos Hub 
Arbitrum 
Artificial Superintelligence Alliance 
Lombard Staked BTC 
Fasttoken 
Sonic (prev. FTM) 
Binance-Peg WETH 
Celestia 
Lido DAO 
XDC Network 
Kelp DAO Restaked ETH 
Binance Staked SOL 
Optimism 
KuCoin 
Injective 
Solv Protocol SolvBTC 
Raydium 
Stacks 
Ethena 
Immutable 
Rocket Pool ETH 
Bonk 
NEXO 
Theta Network 
The Graph 
Movement 
Flare 
Worldcoin 
Mantle Staked Ether 
Usual USD 
Sei 
JasmyCoin 
Solv Protocol SolvBTC.BBN 
DeXe 
GALA 
Marinade Staked SOL 
EOS 
The Sandbox 
Telcoin