
‘Crema Finance’ Hacker Returns Funds, Receives $1.7 Million in SOL as Bounty

Solana-based liquidity protocol Crema Finance claims it has recovered most of the roughly US$9 million worth of assets stolen by a hacker on July 3.

Crema Finance negotiated an agreement with the hacker, whose identity remains unknown, which allowed the hacker to keep a portion of the stolen assets as a bug bounty in exchange for returning the remaining assets.

No Criminal Charges Likely

The hack on Crema Finance resulted in the theft of 69,422.9 SOL and 6,497,738 USDC – a combined total value of just over US$8.78 million.

Following what Crema Finance described as a “long negotiation”, the hacker agreed to return most funds but retained 45,455 SOL, currently valued at approximately US$1.7 million. The hacker was also referred to as “white-hat” and “ethical” in tweets by Crema Finance, suggesting the DeFi platform won’t be pursuing criminal charges.

Following the hack, the total value locked on Crema Finance fell dramatically, dropping as low as US$3 million on July 4, having sat at over US$12 million on the Saturday prior to the hack.

Crema Finance shared the transaction details proving the hacker had indeed returned 6,064 ETH and 23,967 SOL to its accounts.

Smart Contract Suspended Pending Audit

Since the hack, Crema Finance’s smart contract has been suspended while its new smart contract code is being audited by blockchain security firm SlowMist. Crema Finance says the protocol will go live again once that audit is complete and its security can be assured.

It’s becoming increasingly common for hackers in the crypto space to agree to return most of the stolen assets in return for a bounty. In June, a high-profile case saw the Ethereum rollup solution Optimism hacked to the tune of US$17 million, with the hacker agreeing to return US$15 million worth of the stolen assets in return for a US$2 million bug bounty.


Whitehat Hacker Paid $6 Million After Preventing $330 Million Hack

Aurora, an Ethereum bridging and scaling solution that runs on the NEAR Protocol, announced on June 7 that it had paid a reward valued at US$6 million to a whitehat hacker for finding a bug that could have resulted in the loss of up to US$330 million worth of users’ funds.

The bug was reported to Aurora on April 26 through ImmuneFi, a leading Web3 bug bounty platform. The hacker who found the bug has been identified only by their Ethereum domain name, pwning.eth.

Aurora has confirmed that this bug was patched before any user funds were lost.

Bug Would Have Allowed Attacker to Mint Infinite ETH

The bug was described by Aurora as an “inflation vulnerability”. If exploited, the bug would have allowed an attacker to mint an unlimited supply of artificial ETH, which they then could have used to completely drain the real ETH from Aurora’s bridge contract – over 70,000 ETH, valued at more than US$200 million.

Other assets with ETH pairs valued at around US$130 million also would have been at risk. In total, up to US$330 million of assets could have been stolen.

Fortunately for Aurora, the hacker decided to report the bug and claim the US$6 million reward, the largest offered by Aurora and the second-largest bug bounty paid in crypto history.

The Aurora payout follows a US$2 million bug bounty paid in February to a whitehat hacker who identified a vulnerability in the Ethereum scaling solution, Optimism, which if exploited would have allowed an attacker to mint unlimited ETH.

Vulnerability Patched, Source Code Released

The vulnerability has since been patched on both the Aurora testnet and the mainnet, and the source code has been added to GitHub so external developers can confirm the bug no longer exists.

Aurora Labs, the organisation responsible for Aurora’s development, expressed disappointment that it allowed this bug to get into a mainnet release, but was happy the bug bounty program worked as intended:

Such a vulnerability should have been discovered at an earlier stage of the defence pipeline, and Aurora Labs has already started improving its methods to achieve that in the nearest future. However, this event ultimately proves that the ecosystem created around Aurora Labs’ security mechanisms actually works.

Aurora Labs statement

Bug bounty platform ImmuneFi says it has paid out more than US$40 million in bounties to date, which it claims have prevented over US$20 billion in potential damage from hacks.