You want former black-hats only, with a reputation of being a white-hat hacker in the present day. Handing tons of sensitive customer information to people actively engaged in black-hat hacking and scams is a terrible idea.
They perform audits of crypto projects. The idea is that you’re certifying that the code is not going to immediately steal people’s money.
Quite a few of their clients have gone on to do that with relatively simple vulnerabilities. To the point where “certik audit” is a meme about not providing any actual assurances (and thus implying they are incompetent).
I know this is rather obvious and has been repeated to death but:
There's just absolutely no point to crypto if you end up having to trust institutions that are fundamentally less trustworthy than mainstream financial institutions and regulators, even if they have plenty of issues too.
You don't have to trust those institutions. You can custody your own crypto without them, pay for services, etc. What's holding the safety level back ironically is the overbearing regulations making individual financial sovereignty a pain.
True, but let's be realistic, there is no practical way to get crypto outside of exchanges for a normal user, and that's a serious trust bottleneck. And if you are looking to use crypto as real currency, then you'd expect there to be a complex ecosystem of lenders, insurance, and markets around it, money is not just about buying consumer items.
In general, it turns out that it's very hard to build a crypto wallet that both is easy to use for regular people and doesn't take the control of your keys away from you.
Also let's not ignore that the crypto system itself is not magical and can have plenty of security issues too. At this point we can be fairly confident that BTC and ETH are safe, they have been battle-tested, but this is still about trust. When you get into smart contracts and other complex usages of blockchains, who knows what bugs they might have, there is zero enforced oversight. Crypto only ensures that it will work how it is programmed to work, but the programming could be wrong.
If I'm reading and understanding correctly, it looks like Ethereum's blockchain is 18TB, but you only need to download about 1.1TB if pruning: https://eips.ethereum.org/EIPS/eip-4444
It's not actually pruning, the full node is really around 1TB. That 18TB number comes from the old naive design for an archive node. Archive is basically cached state after each historical block. The 1.1TB full node can generate all this data by executing blocks, and the current generation of archive nodes can store it in around 3TB instead of 18TB.
Of course if you're buying a 14" Macbook Pro, the upgrade to 2TB will cost you $400. Or $1,000 if you want 4TB (on top of the cost of upgrading the processor to the Max chip - necessary for that option.)
They were pointing out that crypto users rely on these worse-than-worthless audits and, as an example, how it wasn't until threatened with traditional law enforcement that certik gave tokens back.
> What's holding the safety level back ironically is the overbearing regulations making individual financial sovereignty a pain.
The reality is that, because of KYC/AML laws, it's difficult for ordinary people to replace cash with crypto, which, if it were easy, would be a superior form of money and transacting, as any amount from tenths of a cent to billions moves frictionlessly.
We already know crypto is being used for real, actual terrorist funding[1]. How do you propose to balance access to crypto against that real harm? KYC rules seem a reasonable compromise here.
You do have a point there, KYC/AML does tend to make a few large exchanges a trust bottleneck.
But still, would you bet a billion dollars that whatever crypto system you are using has no bugs, vulnerabilities or backdoors? Are you going to audit the whole codebase yourself and trust your technical assessment? Do you even have access to the code that is deployed?
In terms of the blockchains themselves, they all have a kind of built-in bounty, in that if on-chain funds have inherent risk of being lost or taken due to faults in the system, this will have happened - as the biggest / most popular systems are valued in the multi-billions. Ie, a huge bounty if an exploit exists.
To my knowledge, this has not occurred to date with any of the major systems themselves.
It's important not to mistake the above with a different issue of trusting applications development built on blockchain projects.
Almost all blockchains have kind of two layers of functionality.
The base layer allows self-custody and transfer.
Above that, people can build other things using smart contract languages, or hardware solutions, or software that interacts with the chain. Those can have huge bugs or be outright scams.
It's a bit like HTTPS could be provably secure, but that doesn't mean if you visit https://dodgy-website.com-dodgy.tk you're protected against it doing something dodgy.
The difference is that while HTTPS is limited in its user-facing application, the base layer of say Bitcoin or Ethereum isn't so much.
People can securely store and transact any amount with anyone worldwide, sometimes in seconds, with complete finality and determinism, without needing to trust anyone in between.
In almost all cases, you also have access to the code, and can build it yourself. But as mentioned, the built-in bounty acts as your best security.
Eg, if there was a hole in the base layer of Bitcoin right now, there's hundreds of billions up for grabs.
> which - if it were easy - would be a superior form of money and transacting as any amount from tenths of a cent to billions, moves frictionlessly.
We already have that in many countries. Yes, it's subject to AML/KYC regulations, and? Why is that a problem? It's only a problem if you want to remain anonymous (which you don't, really, with crypto), which is a very niche use of money. A lot of it related to crime too, which makes it hard to justify.
It's a problem because AML/KYC laws are created and enforced by governments, who sometimes are also the criminals such laws are supposedly created to protect us all from. Under a corrupt regime, crypto is a potential corrective force.
If governments are acting fairly, some of crypto's use-cases will simply not be adopted en masse. If they're not acting fairly, it will all have huge take up. In that sense it's like a check and balance on democratic values.
This has demonstrably been the case in many countries.
Governments that come down extremely heavy-handed against it, are almost certainly themselves either corrupt in the worst case, or against common democratic principles of freedom and personal sovereignty in the best case.
The common BS trotted out is that crypto is used for financing terrorism. The reality is, cash is used for financing terrorism, banks are used for financing terrorism, and governments are used for financing terrorism.
Why target only crypto for this? Because it's a ruse. It's being targeted for other reasons.
A government truly "for the people, and by the people", would welcome the people being more easily able to transfer value between each other and hold it closer to them without a middle-man they need to trust.
If free to evolve unrestrained, crypto would likely eventuate in a future where governments are less relevant, less powerful, and smaller.
A government structure concerned more with self-preservation, will - accurately - perceive crypto as a threat to its antithetic hegemony, through a diminished ability to, for example:
- conduct itself without transparency. In a functionally-crypto world, government transactions would be immediately and openly public and auditable by anyone, and likely so automated. Currently, months long latency and bureaucratic obfuscation work against accountability.
- unfairly freeze assets for the purposes of self-preservation or power. In many cases there could well be no ability to freeze assets at all. (Private keys can be stored in minds, and this can be plausibly denied.)
- control the economy, and so ultimately, manipulate every aspect of a population's direction. A sufficiently smart-contract operated world could decentralise and democratise economic "policy" so much it may no longer fit inside that definition, as it may potentially become less of an affectation and more of an effect.
A proposed downside of all this is it simply may not work. I don't buy that. I think the main problems we have as a species are in how we allow ourselves to be exploitable. Building in greater sovereignty is the solution, not a problem.
> The common BS trotted out is that crypto is used for financing terrorism. The reality is, cash is used for financing terrorism, banks are used for financing terrorism, and governments are used for financing terrorism.
It's true that all financial institutions are subject to KYC and AML laws. However, if you've ever used a crypto exchange versus a bank, or even just a prepaid debit card, you'll immediately see a massive difference in the application of those laws in terms of what you have to supply and how often.
It's not the crypto exchanges pushing for that - they actively work against it as it's a major expense as well as costing them customers.
Aside from exchanges, consider: cash itself is not targeted by these laws, which is crypto's closest existing analog. Do you need to submit KYC and AML documents to pull cash from your physical wallet and pay someone? Yet the push is for that level of involvement in your crypto wallets.
Finally, the SEC's actions for example are very clear: an obvious scammer like FTX gets a tick of approval and ends up reaming customers for billions. Whereas long-stable contributors such as LBRY or Ripple, get bogged down with heavy-handed enforcement. There are more examples.
HSBC was legally found to be actively engaged in facilitating criminal gangs, money-laundering etc. They paid a fine. You think a crypto exchange found to be doing those things would pay a fine? No, the executives would be jailed.
There's a big difference in application, across the board.
I’m moderately familiar with exchanges. I've had quite a lot to do with them including being involved in a coin listing.
I notice substantially lower documentation requirements for a crypto exchange vs a bank. For example for both Binance and Gate (and I think Coinbase - not entirely sure there) I only had to supply a single identification document. For my bank accounts I've never been able to open one with less than 3 documents.
Not sure what your point about HSBC is. If you think SBF or CZ shouldn't be in jail then I don't know what to say. In the case of HSBC I'm not aware of individual witness accounts of deliberate criminal behaviour by individuals, as there were for both CZ and SBF. But I absolutely agree people should have gone to jail.
In general crypto people seem to disagree with the idea of laws - specifically ones that apply to them. When challenged they resort to whataboutism or conspiracy theories. It's a set of weak arguments and really lays bare the weak intellectual foundation the whole crypto industry is based on.
> I notice substantially lower documentation requirements for a crypto exchange vs a bank.
I notice the reverse though it does vary by jurisdiction.
I described FTX as an "obvious scam", citing it as an example of the SEC greenlighting a bad actor - so your speechlessness is the result of comprehension issues on your part.
It's not a "conspiracy theory" to hold a different opinion to you regarding financial policy direction.
What I regard as "weak" is the use of such derogatory labels, rather than proper discussion.
Absolutely correct regarding cRypTo. But there's also bitcoin, which people wrongly group with it.
They are two completely different things, once you dig a bit deeper. One is going to improve the world immeasurably - in fact one of mankind's most important (maybe greatest) inventions, and the other is a snake pit.
If what I say sounds crazy, it won't after you've studied the topic for 5000 hours.
Im not into crypto either but this is a gross generalization.
There are zero-trust protocols within some crypto ecosystems and some of the world's top crypto PhDs work on these projects. There are just a lot of amateur devs and uneducated users trying to make a buck, who get exploited by a much more sophisticated party who also wants to make a buck. Sounds like pretty much any other capital market, just much more blatant.
Rather than relying on the idea that you're more sophisticated than everyone else who could steal from you, you could just leave your money with a mainstream financial institution that's regulated.
That's a problem where I live. If I want to buy USD to protect me from my country's currency inflationary trend, I have to fill up cases of green bills, and risk going to banks with stashes of pesos to change for USD.
Or, I can buy USDT and move it to my cold wallet and call it a day.
> There are just a lot of amateur devs and uneducated users trying to make a buck, who get exploited by a much more sophisticated party who also wants to make a buck. Sounds like pretty much any other capital market, just much more blatant.
Yeah, but if you get wronged on normal capital markets you can complain to the authorities and get your money back. Your bank goes bust? FDIC covers up to 250k per account. Your credit card company doesn't side with you in a dispute or your bank's customer "service" department acts up? Call the CFPB, and you'll get a call from somewhere very high up the bank's chain who actually has the power to make things happen to make sure you withdraw your complaint. A publicly traded company does bullshit to mislead investors? The SEC will tear them a new hole. And so on.
In the crypto world, you're left to deal with all of that on your own. Maybe the police will file a fraud complaint that won't lead anywhere.
It is easy. There's only debate if there's uncertainty. If there's no question about it, it's not necessary to go through the same material in literally every single thread where the topic comes up, even tangentially.
the point is the choice, and there is a flaw in your discussion
A) the smart contract audit is a choice, certik is one player providing them, there are many players and it's a choice that consumers and investors misuse the point of those audits to even make the make. certik provides disclosure of vulnerabilities, consumers choose to see that as a greenlight instead of an objective decision to participate or not
B) your ensuing conversation about exchanges has nothing to do with what certik does or has made a meme for. so that's the conversation you actually wanted to have the whole time, a copy-pasted "look! Crypto mentioned, my time to generically complain about it" discussion, but not one really relevant here.
certik and others are just providing cybersecurity, it's a sector that needs it, there is demand for it and that's as deep as it goes. if your crusade is to reduce demand for it, it's an ineffective and redundant use of energy at this point.
The entire point of crypto is there's no need to trust institutions. The only person you need to trust is your counterparty.
Any "service" that goes against this is basically normal money except way worse. That doesn't mean crypto is broken or useless. It just means scammers gonna scam.
Nice example: Bitcoin ETFs completely miss this point. Is a Bitcoin ETF actually backed by real Bitcoin? Nobody really knows, but judging by Wall Street's track record and who's behind it (BlackRock and Coinbase) the answer is almost certainly: no, your ETF order is not hitting a lit exchange and no, it's not backed by anything and no, the SEC doesn't care.
Bitcoin ETFs are not trying to replace money or leverage the benefits of bitcoin themselves, they are just providing a way for investors to speculate on interest in bitcoin. Same way that you would not buy an auto industry focused ETF and expect to be able to get into it and drive off.
Gold ETFs[1] are backed by physical bars of gold sitting in a vault somewhere. I would expect a "bitcoin ETF" to be backed by actual bitcoins on the blockchain, proportional to the investor's stake.
VW squeeze: short positions that cannot be closed, because more stocks were sold than were supposed to exist. Same thing for Gamestop (except worse, 220% shorted at some point).
2008 crash: packages of high quality mortgages / credit that turned out to be backed by 0 high quality mortgages.
FTX scandal: sold tons of "Bitcoin" that turned out to never have existed + traded "tokenized stocks, backed 1-by-1 with real stock by some shady broker in Germany" that turned out to be a complete lie.
> Is a Bitcoin ETF actually backed by real Bitcoin?
At least for BITW, ETF addresses are disclosed and you can verify it yourself.
For others there is actually on-chain intelligence that lets you approximate how they move BTC itself. I mean there is always a lag between fund adjustments, but you can pretty much verify that BlackRock actually holds a lot of BTC.
Indeed, trust is about knowing that a counterparty has a strong incentive to act with goodwill. For important things, the incentive is that they will be punished by the justice system if they don't act with goodwill.
Without a real-world identity and a reasonable guarantee of enforcement, it's a lot harder to establish any kind of serious trust, possibly fundamentally impossible.
Well, you do need to trust that the crypto system is working as advertised. Crypto is not immune to bugs. Precisely why untrustworthy auditing, like certik, is a big problem.
It's not about stealing crypto. If I'm selling 1KG gold in exchange for crypto I need to trust the mining infrastructure that authorised the transaction.
I see no problem with this. Crime doesn't stop being crime just because its happening to virtual assets. Maybe some crypto folks want to disconnect from the rest of society, but I don't think that's very many of them.
Many folks said the Silk Road had made drug dealing "harmless". What they really meant was "harmless to me". Because it does nothing for anyone else in the chain to make it safer.
There's also a non-zero sum of crypto proponents that think a large swathe of things that are illegal "IRL", should be non-criminal because ... "online".
>Crime doesn't stop being crime just because its happening to virtual assets.
Sure, but there is a reason that real banks have tons of laws and regulations. It's more or less not a crime to steal crypto because it's not a thing that's protected by law. And crypto bros are doing everything they can to keep it from being protected by law while whining that the law isn't able to help them.
> because it's not a thing that's protected by law
Unequivocally false in the United States. Despite what computer professionals may sometimes think, judicial opinions and most of our legal system are based on what a "reasonable person" would believe. Judges don't agree with the "Neener neener neener! The terms are exactly X!" methodology, typically.
A reasonable, everyday person (and therefore a judge) would consider a party being deprived their valuable assets as theft, absent some form of agreement. Invariably, the reply incoming is "codeislaw," but that's absolutely not the case in every circumstance.
I don’t really get the amusement. Just because some crypto users were allergic to “centralized institutions” what does that have to do with anyone else?
In this meme, why isn’t the permissionless aspect seen as not gatekeeping who is involved?
That's just the classic attack/defence asymmetry though, no? When playing defence you have to find every reachable vulnerability. When playing attack, you have to find one.
It highlights the fact that even experts can't find every bug in code, and therefore you probably shouldn't be using code as the only security for a monetary system.
Crypto security audit company that used to be decent & somewhat respected then scaled out and hired many more security auditors with questionable skills and morals (such as exploiting bugs in projects they're paid to review & help).
The running joke is that protocols with no security audits are safer than protocols with security audits done by CertiK.
What should we understand? It looks like the H1 account is the actual company, at least they link to their website. Is the company doing bug bounty? Or is this a creative way to pay for an audit?
I have to say, I did not have a positive first experience with H1.
Probably mainly my misunderstanding, but H1 did not help in any way.
I opened an account, filed a report - I can easily crash Amazon Redshift as an unprivileged user. Provided the DDL/SQL to do so - dead simple, two statements, issue them and boom.
I received a reply, something like, "we have closed the report, if you can demonstrate a working issue we'll investigate further".
I was confused, replied and asked for explanation. No reply.
I tried going to their Support, 403 - doesn't work via Tor browser - no use for an anonymous report.
And that seems to be it - end of road.
I don't understand, no replies, no support, and I've disclosed valuable information and I have no idea what H1 have done or are doing with it (if it's been made public, for example).
(I asked on HN for advice. One line of reply was that this is not an exploit, but a bug, which I can see. OTOH, when I filled in the severity rating form, there was nothing in that where I was evidently going against the grain of what was expected, so I'm not wholly sure. Any further advice in replies now gratefully received.)
As someone on the other side - we regularly get spurious reports and people who cause DoS but only for that account in non-realistic scenarios. Unfortunately it is hard to tell the two apart, or wise to get into debates about these topics - people start demanding money for "issues" you and every other web host in your industry are aware of (for example client-side XSS modifying what appears on the screen... yes, really, they'll argue for cash).
That's kinda a "you had one job" situation. Yes, it's hard to review security reports, and separate legit ones from bogus ones. But that's what these platforms advertise they do. They regularly do a very bad job.
> That's kinda a "you had one job" situation. Yes, it's hard to review security reports, and separate legit ones from bogus ones.
Security engineers aren't telepaths.
Yes, sometimes reviewers don't do a good job, but I think you are severely underestimating how incomprehensible incoming reports can be sometimes. It is not always worth it to spend 6 hours trying to figure out what someone is talking about.
> Yes, sometimes reviewers don't do a good job, but I think you are severely underestimating how incomprehensible incoming reports can be sometimes.
Yes, and this also goes for bugs filed by the public, sometimes comments/requests in public Open Source projects. There are lots of examples of incomprehensible communication and then there's also argumentative communication (that usually gets increasingly argumentative and ad hominem as the reply chain continues). Based on viewing a sampling of public bug reports my company gets (including security incident reports), I would not want to be the agent who acts as liaison by replying and clarifying with the bug reporter. Most public reports are polite and constructive but it's shocking how high a percentage are not, and become increasingly unprofessional as the discussion continues.
DoS stuff typically wouldn't qualify for most bug bounties. That's probably why you got ignored.
Most services aren't awfully interested in fixing this sort of thing - they'll just wait for someone to try and DoS at scale, then have the oncall team put in some extra regex on the input which blocks that specific expensive/crashing query.
Yes, but generally you don’t give SQL access to the internet or completely unauthenticated users.
Any user could likely cause issues for Redshift by running completely nuts queries that exhaust all the server's resources. Is "shit SQL" a bounty-worthy issue?
The problem I know of is a bit different, in that it is a direct and immediate server crash. It's not a denial of service by making the cluster slow. It's run-query, crash-server.
You are right of course that any normal user can issue crazy queries which hog resources, and hammer performance.
Just as an aside, I don't think your query is directly logged.
I've not actually checked, so I don't know, but knowing how logging works on RS, I think the cluster crashing will mean your killer query is not logged.
Your session will have been logged by the time the cluster crashes. OTOH, maybe you were logged in for some time first, or there's connection pooling, or you slipped the query into an existing connection's query stream, and so on.
Actually, thinking about it, I think you could reduce the problem to a single query, rather than two, which would help cover tracks.
I assume the exploit only takes down your own instance, not the whole AWS redshift service. If it's the latter, it should obviously be rewarded with big $.
> Denial of service is absolutely a security problem
"Security problem" isn't a binary. DoS can be an issue, but often it is acceptable risk. Especially if your DoS is minor. E.g. "I can crash the server by sending 50 Gbps of data to it" is not usually a security issue in context.
In the parent post they implied they needed privileged access to exploit. That probably makes it not a security issue, as it can only be triggered by a trusted user.
Additionally most bug bounty programs disallow DoS, due to some combination of reports being low value and testers being idiots, so it might be out of scope right off the bat.
I see you have never reported a DOS on H1. High-profile millionaire engineers will go out of their way to argue with you that DOS of their TOP100 website is in fact not a security problem.
These people don't even know about CIA triad and are gatekeeping four-figure bounty payouts while earning five figures or more every month. I'm extremely salty about this.
As someone who worked on the other side (i.e. at a previous job I handled incoming bug bounty reports), a big part of why we used H1 is that it can be exhausting dealing with reporters. Often the reports are nonsensical. Even the ones that are real, often there will be very minor issues that the reporter feels should get top payout. Sometimes reporters are very demanding and rude. At the same time you can't just throw out the crazy reports, because sometimes the crazy-looking emails actually have the legit vulns.
H1 exists because once you start offering money the crazies start to show up, and it's a lot of work to keep up with it.
(That's not to say that you are entirely wrong either. I am sure some less scrupulous companies do have that goal. However a lot of the time it's simply that the vuln has low impact so it's low priority. Depending on how the company is managed, often there is dysfunction where the security team lacks the ability to get things prioritized.)
Oh yeah, I’d absolutely not want to have a raw unfiltered inbound bug bounty and be first line of triage, so paying H1 or Bugcrowd is the way to go.
But you’re also paying them to make sure the serious bugs absolutely do get to you, and if researchers give up, you’re not getting the value you need.
I suspect the problem is that the type of folks who are prepared to do front-line triage which is most commonly large volumes of nonsense and a few mediocre bugs, are early career security folks who can’t easily spot a really serious P0 and a researcher who clearly knows what they’re talking about.
I feel the same. IMO H1 is a face-saving filter layer for megacorp tech employees so the issues don't bubble up to their bosses via media reports. They tarpit you, send junior people into the ticket who don't understand the issue, and in the end they try to refuse payouts as much as possible.
Meanwhile megacorp tech employees with Wikipedia articles spend time explaining how "their platform" is not affected by an issue, even though you show them a POC. Of course, things like DoS are not in scope. It's worse than arguing with lawyers about a contract, because there is so much face-saving and CYA going on.
Yeah, sure, and if someone gives me access to their redshift, I could just run "SELECT digest('foo', 'sha256');" in a loop, which takes redshift CPU and thus costs them lots of money.
If you give an attacker access to run arbitrary queries in your database, it's already pretty bad news, even without a crash.
I want to offer rewards (my site is on H1) but they require I sign up for a minimum $50k/yr subscription to enable that feature. I don't think that's a reason for concern, just means it's a smaller company.
Poverty is just a basic gateway. I imagine hackers have to do some calculus on bigger vs little, since usually larger targets are more valuable, buy smaller are likely less secure.
Is this the highest single bounty ever paid? The only other payments in this range I can think of are the yearly rewards by Google. But then again that's not really a bounty.
We had a talk yesterday by our H1 people to the company and a Q was asked how our bounty values fit in with the industry norm. Part of the answer (IIRC, and it was to help understand how different sectors place bounties at different amounts) included that for some crypto things, bounties have gone up to $1mil (but I could be misremembering, it was at the end of a day of lots of talks and I was exhausted).
Crypto organizations float closer to the same market value of exploits that you see blackhat organizations like NSO Group pay. It's just FAANGs that refuse to value them correctly and put up barriers to entry for pennies.
Again, we have another 6-figure winner on finding a vulnerability in a crypto exchange and the payouts are way more than the average bug bounty these days (especially for critical bugs).
For crypto skeptics and those who REALLY hate crypto, this is a great opportunity to turn your passion of hating all over it into a lucrative hunt for bugs like this one and to make a massive killing from the payouts.
Cost/benefit analysis? What is the chance I would someday get a $500k payout, starting from near zero experience today, with the help of a little bit of luck?
Crypto skeptics probably don't trust crypto firms to pay the "rewards up to $15,000,000" bounties advertised at places like https://immunefi.com/.
Immunefi has a similar payouts table to h1's at https://immunefi.com/bug-bounty/ implying people are getting paid, but it could boost credibility by linking to write-ups and findings from researchers if any exist.
Whenever I see a crypto discussion with dollar signs, I'm forced to ask if the payment is in actual dollars or dollar equivalents. After all, bitcoin isn't a currency and is more like a stock market, as when you try to extract large value from it you typically cause its real price to decline.
Payments seem to be in Ethereum, based on the description of the "Immunefi vault platform":
> This project utilizes a decentralized vault for their bounty rewards to ensure trust by showing that they have the collateral to cover their bounties. Payments are processed directly on-chain inside the Immunefi webapp.
Top payment so far is 3 payments of about 8,500 USD to the same recipient. The maximum claimed achievable payment is 1.1m USD.
It does at least imply that they've set aside magic beans to pay researchers, and that someone is being paid from the bean fund, for whatever that's worth.
The real sketch ones is when the payout is in their custom altcoin since if you find a truly show stopper bug, their altcoin might end up going to 0 once you report it.
The Hacker News post a few months ago had someone earn $2,000,000 which was paid instantly in USDC. This is freely redeemable for USD on Circle and Coinbase.
Some other firms pay out on a vesting schedule of their own tokens, so you rely on the exchange rate and liquidity just as with RSUs.
I’m not a fan of crypto, but it’s not like non-crypto tech (which is mostly about collecting people’s personal data and wasting their time with ads) is any more useful.
Crypto at least is easy to ignore as a user. Every other company out there that wants me to handover my personal data and “engage” is less so.
One month ago this same company found a bug with a 2 million dollar bug bounty.
The bug would let them drain funds from a crypto exchange by sending funds to the exchange on the blockchain, but then after sending, reverting the part of the transaction that sent the funds, while keeping the overall transaction alive. The software at the exchange was fooled into counting the reverted transfer as actually happening. [0]
So what do you do when you find an incredibly critical bug with 2 million dollar bug bounty?
CertiK researchers choose to steal 3 million.
Then when they stole it, they exchanged the bulk of the coins for other coins, and sent some of the funds to an OFAC-sanctioned entity. CertiK did not report the massive bug that they were exploiting live, in the wild, in public view, for ten days. When they finally did report it for the 2 million dollar bug bounty, CertiK did not mention the 3 million dollars that they stole. When confronted about it, they referred all questions to the sales team, who made demands and refused to return the money. Two weeks of refusing to return the money pass by before the head of security at the exchange posts the story on Twitter [1], without naming the company.
So what do you do now that there's a story out there that some researchers stole 3 million and won't return it?
CertiK chose to confirm everything on their official Twitter, loudly proclaim that the team that stole the money was them, and claim that the exchange was persecuting them by threatening legal action for the return of the stolen funds. CertiK founders also retweeted these tweets.
After a firestorm of twitter drama, by the end of the day, CertiK promised to return the stolen funds.
So CertiK is just some random team of anonymous people, right? Nope.
CertiK is a 2 billion market cap company, headquartered in the US, that just did 230 million dollars worth of fundraising.
(CertiK does have a long reputation for working in ways that no one could conclusively prove whether their actions were from evil or from incompetence.)
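As an added illustration of the bug class this comment describes (example code written for this page, not CertiK's, the exchange's, or the original poster's code; the `Frame` trace model, addresses and amounts are all assumptions): an EVM-style transaction is a tree of call frames, and a child frame can revert while the parent catches the failure and the transaction as a whole still succeeds. A deposit indexer that walks the trace and credits every value transfer it sees, without checking that the frame and all of its ancestors committed, will credit a deposit that never settled on-chain.

```python
# Added example, not code from CertiK, the exchange, or the original post.
# Toy model of a deposit indexer reading an execution trace: a transfer
# only settles if its own frame and every ancestor frame committed.
# Addresses, amounts and the trace shapes below are constructed.
from dataclasses import dataclass, field
from typing import List

EXCHANGE_DEPOSIT_ADDR = "0xEXCHANGE"  # hypothetical deposit address


@dataclass
class Frame:
    """One call frame in an execution trace (assumed model, not a real RPC type)."""
    sender: str
    to: str
    value: int            # native-asset amount this frame moves to `to`
    success: bool         # False if this frame reverted
    children: List["Frame"] = field(default_factory=list)


def naive_deposits(frame: Frame, addr: str) -> int:
    """Buggy indexer: credits every frame that targets `addr`, ignoring reverts."""
    total = frame.value if frame.to == addr else 0
    for child in frame.children:
        total += naive_deposits(child, addr)
    return total


def settled_deposits(frame: Frame, addr: str, ancestors_ok: bool = True) -> int:
    """Correct indexer: a transfer settles only if its frame and every
    ancestor committed (a reverted frame discards its whole subtree's state)."""
    committed = ancestors_ok and frame.success
    total = frame.value if (committed and frame.to == addr) else 0
    for child in frame.children:
        total += settled_deposits(child, addr, committed)
    return total


def crafted_trace(amount: int) -> Frame:
    """Constructed attack trace: the outer tx succeeds, but the inner call
    that sends `amount` to the exchange reverts and the caller swallows it."""
    inner = Frame("0xATTACKER_CONTRACT", EXCHANGE_DEPOSIT_ADDR, amount, success=False)
    return Frame("0xATTACKER_EOA", "0xATTACKER_CONTRACT", 0, success=True, children=[inner])


def honest_trace(amount: int) -> Frame:
    """Constructed benign trace: a contract forwards `amount` and everything commits."""
    inner = Frame("0xUSER_CONTRACT", EXCHANGE_DEPOSIT_ADDR, amount, success=True)
    return Frame("0xUSER_EOA", "0xUSER_CONTRACT", 0, success=True, children=[inner])


def parent_reverted_trace(amount: int) -> Frame:
    """Constructed trace where the inner transfer succeeded locally but the
    parent frame (and so the whole tx) reverted afterwards."""
    inner = Frame("0xUSER_CONTRACT", EXCHANGE_DEPOSIT_ADDR, amount, success=True)
    return Frame("0xUSER_EOA", "0xUSER_CONTRACT", 0, success=False, children=[inner])


if __name__ == "__main__":
    cases = [("crafted", crafted_trace(3_000_000)),
             ("honest", honest_trace(1_000)),
             ("parent reverted", parent_reverted_trace(1_000))]
    for name, trace in cases:
        print(f"{name}: naive={naive_deposits(trace, EXCHANGE_DEPOSIT_ADDR)} "
              f"settled={settled_deposits(trace, EXCHANGE_DEPOSIT_ADDR)}")
```

The practical check is the one `settled_deposits` makes: credit nothing from a trace unless the receipt status is success and the specific frame, plus every frame above it, committed. Better still, credit from the post-state balance delta of the deposit address (or from receipt logs, which only exist for committed frames) rather than from parsed internal calls at all.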
Crypto is like monopoly money, there is no value outside of what people assign to it, is unusable outside of that specific context, and the "value" can disappear in seconds. If you steal someone's monopoly money, are you liable for theft of the equivalent of that monopoly money's exchange rate on the market (say, it's a rare edition you can sell on Ebay)?
Or like virtual currency in an online game. If someone steals your Robux, can you complain to the FBI?
generally yes to both. it's imperfect but the legal system already has longstanding ways of valuing illiquid assets that don't have straightforward market prices (art, houses, used cars, etc.).
in this case who knows what kind of tokens they stole, but if it was Ethereum or Bitcoin, those markets are liquid enough that you don't even have this problem.
https://www.certik.com
One of its co-founders is a Yale professor
https://www.linkedin.com/in/zhong-shao-545b754/
One is at Columbia University
https://www.linkedin.com/in/guronghui/
Interesting!