$1.5 billion crypto hack exposes bug bounty flaws
The recent $1.4 billion hack of cryptocurrency exchange Bybit has highlighted significant shortcomings in bug bounty programs, which exchanges rely on to attract ethical hackers and strengthen platform security.
Ethical hacker Marwan Hachem emphasised that the Bybit hack was facilitated by an "out of scope" bug, which was not covered by the exchange's bug bounty program.
Hachem noted that Bybit's bug bounty offers a maximum reward of $4,000 on its website and up to $10,000 on HackerOne, amounts that are dwarfed by the potential gains for malicious hackers.
He suggested that offering higher rewards to white hat hackers could prevent similar exploits by motivating them to identify vulnerabilities before they are exploited by criminals.
The Bybit hack, attributed to North Korea's Lazarus Group, involved sophisticated phishing techniques and manipulation of the exchange's multi-signature approval process.
Blockchain analytics firm CertiK reported that crypto losses from hacks in February reached $1.53 billion, with Bybit's incident accounting for the majority of these losses.
CertiK also emphasised the need for stricter security measures, including air-gapped signing devices and enhanced authentication layers for high-value transactions.
Regular red-team exercises and phishing simulations can help mitigate social engineering risks, which were central to the Bybit exploit.
"What they considered out of scope led to the biggest crypto hack in history," Hachem pointed out.
This incident underscores the importance of comprehensive bug bounty programs and robust security protocols to safeguard against increasingly sophisticated cyber threats in the cryptocurrency sector.