User funds amounting to $200 million would have been at risk had the ethical hacker pwning.eth chosen not to report the vulnerability
Aurora, the bridging and scaling solution for Ethereum (ETH), announced on Tuesday that it had given a $6 million bug bounty to an ethical security hacker by the name of pwning.eth for discovering a critical vulnerability in the Aurora Engine.
The bounty was paid by Aurora in collaboration with Immunefi, a well-known platform for Web3 bug bounties. The platform has over $145 million in bug bounties available and has paid $45 million worth of bounties. The vulnerability had put user funds worth $200 million at risk.
The flaw, reported by pwning.eth to Immunefi on April 26, could have been critical to the safety of the scaling solution if exploited. The flaw in the Aurora Engine would have allowed the infinite minting of ETH in the Aurora EVM (Ethereum Virtual Machine), which could then be used to drain the corresponding nested ETH (nETH) pool on the Near protocol. The pool contained 70,000 ETH, worth $200 million at the time of discovery.
“Such a vulnerability should have been discovered at an earlier stage of the [defence] pipeline, and we have already started improving our methods to achieve that in the future,” said Frank Braun, Aurora’s head of security. “However this event ultimately proves that our security mechanisms work.”