Mentors and Mavens All Stories
To The Point Daily Tech Brief Tech Conversations Money Talks Startup Fridays From the Bookshelves All Podcasts
Leadership Mantras Pathbreakers Lets Talk About One Thing Today in Tech Momentum Nuts and Bolts In Conversation With From the Field Beyond the Boardroom All Videos
30 Indian Minds Leading the AI Revolution
  1. Home
  2. UpFront
  3. Crypto Made Easy
  4. Aurora pays $6 mn bug bounty to ethical hacker

Aurora pays $6 mn bug bounty to ethical hacker

User funds amounting to $200 million would have been at risk if the ethical hacker pwning.eth had chosen to act otherwise instead of reporting the vulnerability

Shashank Bhardwaj
By Shashank Bhardwaj
Published: Jun 8, 2022 05:37:16 PM IST
Full Bio

Image: Shutterstock

Aurora, the bridging and scaling solution for Ethereum (ETH), announced on Tuesday that it had given a $6 million bug bounty to an ethical security hacker by the name of pwning.eth for discovering a critical vulnerability in the Aurora Engine.


The bounty was paid by Aurora in collaboration with Immunefi, which is a well-known platform for Web3 bug bounties. The platform has over $145 million in bug bounties available and has paid $45 million worth of bounties. The exploit had brought under risk user funds worth $200 million.

The flaw reported by pwning.eth to Immunefi on April 26, if exploited, could have been critical to the safety of the scaling solution. The flaw in the Aurora Engine would have allowed for the infinite minting of ETH in the Aurora EVM (Ethereum Virtual Machine) to drain and draw off the corresponding nested ETH (nETH) pool on the Near protocol. The pool contained 70,000 ETH with $200 million at the time of discovery.

“Such a vulnerability should have been discovered at an earlier stage of the [defence] pipeline, and we have already started improving our methods to achieve that in the future,” said Frank Braun, Aurora’s head of security. “However this event ultimately proves that our security mechanisms work.”

Read More

He added, “We look at the bug bounty program as the last step in a layered defence approach and will use this bug as a learning opportunity to improve earlier steps, like internal reviews and external audits.”

Mitchell Amador, Immunefi’s founder and CEO, praised Aurora, saying, “Hats off to Aurora and pwning.eth for the flawless overall processing of the report. The bug was quickly patched, with no user funds lost."

The bounty payout is one of the largest bounty payouts in DeFi history to date. Another prominent payout was the $10 million bounty paid to an ethical security hacker that discovered a bug in the crypto bridge Wormhole. This bounty was also paid through the Immunefi platform.

Aurora bounty program was launched in collaboration with Immunefi in April 2022 and had rewards ranging between $1,000 to $6 million depending on the severity of the flaw discovered. Jonah Michels of Immunefi said, “at a time of distrust in the markets, it’s important more than ever for Web3 projects to show that they take security seriously.”

The writer is the founder at yMedia. He ventured into crypto in 2013 and is an ETH maximalist. Twitter: @bhardwajshash

Turkey's black rose producers chase the sweet smell of success
RBI turns hawkish to sail ahead of the 'storm'
X