Cybersecurity experts are sounding the alarm as cryptocurrency losses from security breaches soar past $1.5 billion, with a call for exchanges to enhance bug bounty programs to attract top ethical hackers and fortify platform security.
According to a report by blockchain security firm CertiK on March 3, cryptocurrency losses from hacks in February reached a staggering $1.53 billion. The majority of these losses were attributed to the Bybit hack, which accounted for over $1.4 billion. Excluding this incident, other exploits led to losses amounting to $126 million, including a $49 million hack of Infini.
In response to the surge in crypto hack losses, ethical hacker Marwan Hachem emphasized the critical need for improved bug bounty programs. Hachem stressed that exchanges must provide more lucrative and enticing bug bounty rewards to white hat hackers to prevent such exploits.
Hachem, who is the chief operating officer at cybersecurity firm FearsOff, highlighted the importance of offering higher rewards to ethical hackers to deter similar breaches. He pointed out that Safe, Bybit’s multisignature wallet provider, had classed front-end and back-end bugs as “out of scope” in its bug bounty program. This exclusion meant that researchers who found such vulnerabilities were not eligible for rewards, creating a loophole that was exploited in the Bybit hack.
The Bybit hack, according to Hachem, was a result of an “out-of-scope” bug that was not covered by the bounty program. Criminals capitalized on these overlooked vulnerabilities, leading to the largest crypto hack in history. Hachem argued that rewarding white hat hackers preemptively with higher sums is more cost-effective than waiting for a major breach to occur and offering a fraction of the stolen funds as a reward.
Apart from enhancing bug bounty programs, CertiK suggests that exchanges should adopt stricter security measures to prevent future attacks. These measures include implementing air-gapped signing devices, utilizing non-persistent OS environments for transaction approvals, and incorporating enhanced authentication layers for high-value transactions.
CertiK’s report unveiled that the exploit on Bybit resulted from a phishing attack that deceived multisignature signers into approving a malicious contract upgrade, while the Infini hack stemmed from an admin private key leak. Both incidents underscored the risks associated with blind signing and inadequate transaction verification, emphasizing the need for stronger authentication and real-time transaction monitoring.
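As an added illustration of the transaction-verification control described above (example code, not from the article, CertiK, Safe or Bybit): a signer-side policy check that decodes a multisig proposal and refuses to blind-sign a delegatecall (the mechanism behind a contract upgrade) or a call to an unknown target, and escalates high-value transfers to a second approval channel. Field names follow Safe's execTransaction parameters; the allowlist, threshold and sample values are assumptions.

```python
"""Signer-side policy check for a multisig proposal, so the signer does not
blind-sign what a front end presents. Added example, not code from the
article, CertiK, Safe or Bybit; field names follow Safe's execTransaction
parameters, while the allowlist, threshold and sample values are constructed."""
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1
TRANSFER_SELECTOR = "a9059cbb"  # ERC-20 transfer(address,uint256)

@dataclass(frozen=True)
class Policy:
    allowed_targets: frozenset  # contracts the wallet may call (lowercase hex)
    step_up_value_wei: int      # above this, require a second approval channel
    allow_delegatecall: bool = False

@dataclass(frozen=True)
class Proposal:
    to: str
    value: int
    data: str       # hex calldata, "0x" for a plain native-coin transfer
    operation: int  # 0 = CALL, 1 = DELEGATECALL

def decode_transfer(data):
    """Return (recipient, amount) for ERC-20 transfer calldata, else None."""
    body = data[2:] if data.startswith("0x") else data
    if len(body) != 8 + 64 + 64 or body[:8] != TRANSFER_SELECTOR:
        return None
    # the address argument is right-aligned in its 32-byte word
    return "0x" + body[32:72], int(body[72:], 16)

def evaluate(p, policy):
    """Return ("approve" | "step_up" | "reject", reasons shown to the signer)."""
    reasons = []
    if p.operation == DELEGATECALL and not policy.allow_delegatecall:
        reasons.append("delegatecall runs foreign code in the wallet's storage "
                       "context; this is how an implementation swap (upgrade) is done")
    if p.to.lower() not in policy.allowed_targets:
        reasons.append(f"target {p.to} is not on the allowlist")
    if reasons:
        return "reject", reasons
    transfer = decode_transfer(p.data)
    amount = transfer[1] if transfer else p.value
    if transfer:
        reasons.append(f"ERC-20 transfer of {amount} to {transfer[0]}")
    if amount > policy.step_up_value_wei:
        reasons.append("high value: requires out-of-band confirmation")
        return "step_up", reasons
    return "approve", reasons
```

The reasons list is what an air-gapped signing device or a non-persistent approval workstation should display to the human before the signature is produced, instead of an opaque hash.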
In conclusion, the crypto community must prioritize cybersecurity by incentivizing ethical hackers with substantial rewards, fortifying bug bounty programs, and implementing stringent security measures to safeguard exchanges and protect investors from devastating hacks. As the value of cryptocurrencies continues to rise, securing these digital assets against malicious actors becomes an increasingly urgent priority.