In the early morning of March 9, LP, who was still sleeping, received a call on Telegram. In her opinion, this was not a good sign. She picked up her laptop from under the blanket and put on her contact lenses. It was time to save other people’s cryptocurrency by hacking it first.
LP is an engineer with a Ph.D. who worked for a Silicon Valley law firm and is also the founder of cybersecurity firms RugDoc and Paladin Blockchain Security.
According to LP, the caller was a colleague, who told her that someone was hacking investors in a cryptocurrency protocol called Fantasm, which had millions of dollars in liquidity locked up by investors at the time.
Once she was awake enough to open her laptop, she said, she started working with two colleagues to save as much cryptocurrency as possible, trying to beat the hackers and cut losses. In the world of cryptocurrencies, where stolen funds are often gone forever due to the irreversible nature of the blockchain, saving funds like this means hacking them before the thief does.
“An exploiter figured out there was a very, very easy way to take advantage of this thing,” LP said. “Suddenly, millions of dollars were being siphoned off.”
The race against the hackers had begun. With the help of a colleague who discovered the vulnerability the hackers were exploiting, LP said she wrote a series of smart contracts designed to exploit the vulnerability faster than the hackers could.
Because actions on the blockchain are public, hacking incidents can quickly spiral out of control. LP and her colleagues did some trial and error with the vulnerability, which was recorded on the blockchain, so the hackers were able to notice their activity. At this point, even other opportunistic hackers saw what was going on and began to siphon funds. But LP and two of her colleagues were able to save tens of thousands of dollars and help the project fix bugs and thwart the hackers. However, the hackers still netted around 800 ETH, worth around $1.5 million, according to LP.
“A lot of people lost money and it wasn’t the happiest ending,” LP said. “But it wasn’t as bad as it was imagined.”
According to LP, the entire operation took about half an hour.
The term “white hat” is as old as the Internet, and it originally came from Western movies, where the good guys wear white hats and the bad guys wear black hats. In the field of cybersecurity, “white hats” are generally understood to be well-meaning hackers like LP.
In the world of cryptocurrencies, however, the colors often bleed together.
Some hackers take advantage of loopholes to steal money and then publicly announce that they will return the money as long as they are rewarded. This happened in the bizarre incident of Poly Network being hacked. The hackers returned some $600 million in stolen cryptocurrency after Poly Network publicly pleaded with them several times, calling them “Mr. White Hat.” There is also the recent hack of Multichain. In these cases, it’s not clear if the hackers were genuine white hats all along, or if they stole the money, felt the pressure of keeping it in their cryptocurrency wallets with the world watching, and so changed their minds.
There are also “white hat hackers” like LP who raid and save funds, often in competition with malicious hackers, sometimes without even the consent of the user whose wallet was hacked or of the hacked cryptocurrency protocol. These hackers always maintain the intention of returning the funds to the rightful owners.
Perhaps the first time the term caught on in this context was in 2016, when volunteer programmers calling themselves the Robin Hood Group competed against hackers who stole millions of dollars in ETH from decentralized autonomous organizations (DAOs). In this incident, the group fought back against the hackers and saved around $15 million in ETH. The following year, the same group, calling itself the White Hat Group, rescued $200 million in cryptocurrency after the Ethereum client Parity was hacked.
This practice has recently become more frequent, alongside hacking attacks against cryptocurrency protocols and users. Hackers and crooks stole around $1.23 billion in cryptocurrency in the first three months of this year alone, according to a report by blockchain cybersecurity firm Immunefi.
Motherboard interviewed five people, including LP, who said they had direct experience with such white hat activities.
“In Web3, white hats are really seen as heroes. It’s definitely a win-win situation,” Stephen Tong, co-founder of blockchain security firm Zellic, told Motherboard in an online chat. “It’s acceptable, because if I don’t do it, who else will? I’m always better than a black hat.”
It is unclear whether it is legal to carry out a white hat hack on someone else’s wallet or protocol without their consent.
“White hat hacking, while noble, is fraught with risk in the cryptocurrency space without the explicit consent of the target,” Preston Byrne, a lawyer specializing in cryptocurrency-related issues, told Motherboard in an email. “Disclosing a vulnerability is one thing; assuming the owner’s rights to third-party funds, for whatever reason, is another, and if the target is unhappy with the hack, for whatever reason, this could expose the hacker to civil and criminal responsibility.”
“The problem with white hat/gray hat hackers is that when one target is (fairly rightly) grateful for notification of the vulnerability, another target may blow their stack and turn to the police,” Preston said. “When you find a bug in a smart contract system, the best way is to notify the developer privately and let it go. You’re not Superman, it’s not your problem to save the world.”
When it comes to taking cryptocurrency from user wallets or even hacker wallets, the practice of white hat hacking can be compared to the controversial concept of hacking back. In the world of cybersecurity, hacking back is when victims of data breaches try to recover stolen files on their own and gather information about the hackers’ whereabouts and identities. Despite the controversy, hacking back does happen, albeit in secrecy, given the legal risks.
Some of those involved in “white hat activity” in the cryptocurrency world are trying to avoid the risk of being sued.
Emiliano Bonassi is a blockchain cybersecurity researcher who has also been involved in several white hat operations. In one case last year, the wallets of users of crypto investment platform Primitive Finance were exposed to anyone who knew how to exploit a vulnerability.
Bonassi told Motherboard on the phone: “The only way we can save users of the protocol is to withdraw funds from their wallets and then notify them. So that’s the worst you can possibly have, because you basically have to take the user’s funds.”
In this case, Bonassi collaborated with Immunefi founder Mitchell Amador and researchers at cryptocurrency cybersecurity firm Dedaub. According to the post-mortem analysis of the white hat hack, it was crucial that Primitive Finance personnel were involved in the rescue from the start.
Unlike LP, Bonassi did not use his own wallet to save funds, but instead showed the protocol’s developers how to carry out the white hat hack themselves.
“We showed them how to execute, scripted the execution, ran simulations, and said to them: ‘We’re here to support you, you execute orders, and if something goes wrong, we’ll take action,’” Bonassi said.
Some blockchain cybersecurity researchers are well aware of the risks of using their own wallets and hacking without the consent of users using vulnerable wallets or developers building vulnerable protocols.
One cybersecurity researcher, who asked to remain anonymous precisely because of the risks of using a personal wallet to save other people’s cryptocurrency, told Motherboard that he has done so in some cases in the past.
Others simply don’t use their wallets.
“As a personal policy, I never send transactions myself. I certainly don’t put the funds in my own custody,” Samczsun, an anonymous security researcher at cryptocurrency investment firm Paradigm, told Motherboard by phone. “My policy is: ‘I’ll tell you everything you need to know and keep you up to date. Then I’ll let you decide. I don’t think I’m the type of person who’s going to step in and take control of the situation,’” he said. “If you want my help, I’ll help. If you want to handle this yourself, I’d be happy to stand aside and let you handle it.”
Samczsun, who has rescued millions of dollars in cryptocurrencies in some white hat hacks, said: “Personally, I don’t want to know what the impact of temporarily acquiring nine-figure assets and then disposing of them will be. So if possible, I would avoid doing that entirely. I’m not sure if Courage will extend to blockchain.”
According to Preston, the Computer Fraud and Abuse Act (CFAA) can be used to punish those who cause losses by, for example, taking cryptocurrency from someone’s wallet, so Samczsun is right.
“To avoid suspicion, you should never decide to do it yourself, you’re playing with fire,” Preston said. “Remember, you risk attracting the attention of prosecutors.”
At a conference organized by Chainalysis last month, Elizabeth Roper, director of the New York County District Attorney’s Office’s Cybercrime and Identity Theft Bureau, said “white hats” are “a real gray area” of the law and that it could be something to study.
“If it ended up saving everyone, every user and a lot of money on the platform, and the person who did it seemed to disclose it immediately, maybe we wouldn’t use our resources to sue that person,” Roper said. “But it also depends on the specific case.”
When asked if she was worried about unwanted consequences, LP appeared calm. She explained that, for her, the risk-benefit calculation is based on the fact that the cryptocurrency projects involved are usually relatively small and may not even be in the U.S., and that if she helps them, the other side may not bring charges.
“The odds of me being sued are slim, but I can save some of those funds and make sure someone doesn’t go completely bankrupt and have a very bad week, month, year,” LP said.
A more likely outcome for white hats is that they will be rewarded for their trouble. The Fantasm case isn’t the only time LP and her RugDoc team have rescued money. In that case, they did not claim a reward. At other times, they have asked for one.
LP said: “If it was a notorious mega project and there was money left over, we would say: ‘Okay guys, we just saved you guys and you should give us something.’”
Without an official bug bounty, the standard bounty is usually 10% of the amount that could be stolen, Bonassi said. But he has also carried out white hat hacks and reported vulnerabilities in the past without any compensation. This is not only out of a desire to help related cryptocurrency projects, but also out of a desire to help the entire ecosystem. In addition to deterring potential hackers, Bonassi likes to see white hat hacking as a learning opportunity for everyone involved.
The larger the reward, the more likely it is that researchers will be motivated to find bugs and report them.
“We started out with 10,000 bug bounties, then 100,000. Now it’s 1 million to 10 million. Maybe in the next year, we’ll see hundreds of millions of dollars,” Bonassi said. “Because Web3 is different from other industries. The thing is, you can get unlimited money within seconds of a hack. So we need to push the incentives hard to keep it safe.”
Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/the-dilemma-facing-white-hat-hackers-of-web3/