User funds amounting to $200 million would have been at risk had the ethical hacker pwning.eth chosen not to report the vulnerability
By Shashank Bhardwaj
Aurora, the bridging and scaling solution for Ethereum (ETH), announced on Tuesday that it had given a $6 million bug bounty to an ethical security hacker by the name of pwning.eth for discovering a critical vulnerability in the Aurora Engine.
The bounty was paid by Aurora in collaboration with Immunefi, a well-known platform for Web3 bug bounties. The platform has over $145 million in bug bounties available and has paid out $45 million in bounties. The vulnerability had put user funds worth $200 million at risk.
The flaw, which pwning.eth reported to Immunefi on April 26, could have been critical to the safety of the scaling solution if exploited. The flaw in the Aurora Engine would have allowed the infinite minting of ETH in the Aurora EVM (Ethereum Virtual Machine), which could then be used to drain the corresponding nested ETH (nETH) pool on the Near protocol. The pool contained 70,000 ETH, worth $200 million at the time of discovery.
“Such a vulnerability should have been discovered at an earlier stage of the [defence] pipeline, and we have already started improving our methods to achieve that in the future,” said Frank Braun, Aurora’s head of security. “However this event ultimately proves that our security mechanisms work.”
He added, “We look at the bug bounty program as the last step in a layered defence approach and will use this bug as a learning opportunity to improve earlier steps, like internal reviews and external audits.”
Mitchell Amador, Immunefi’s founder and CEO, praised Aurora, saying, “Hats off to Aurora and pwning.eth for the flawless overall processing of the report. The bug was quickly patched, with no user funds lost.”
The payout is one of the largest bug bounties in DeFi history to date. Another prominent payout was the $10 million bounty paid to an ethical security hacker who discovered a bug in the crypto bridge Wormhole. That bounty was also paid through the Immunefi platform.
Aurora's bounty program was launched in collaboration with Immunefi in April 2022 and offered rewards ranging from $1,000 to $6 million, depending on the severity of the flaw discovered. Jonah Michels of Immunefi said, “at a time of distrust in the markets, it’s important more than ever for Web3 projects to show that they take security seriously.”
The writer is the founder at yMedia. He ventured into crypto in 2013 and is an ETH maximalist. Twitter: @bhardwajshash