One of its co-founders is a Yale professor
https://www.linkedin.com/in/zhong-shao-545b754/
One is at Columbia University
https://www.linkedin.com/in/guronghui/
Interesting!
Anybody familiar with that name is probably chuckling right now.
Quite a few of their clients have gone on to do that with relatively simple vulnerabilities. To the point where “certik audit” is a meme about not providing any actual assurances (and thus implying they are incompetent).
There also was the story a month or two ago where they actually took funds from a bug bounty target and eventually did give it back: https://blockworks.co/news/krakens-cso-confirms-certik-retur...
There's just absolutely no point to crypto if you end up having to trust institutions that are fundamentally less trustworthy than mainstream financial institutions and regulators, even if they have plenty of issues too.
In general, it turns out that it's very hard to build a crypto wallet that both is easy to use for regular people and doesn't take the control of your keys away from you.
Also let's not ignore that the crypto system itself is not magical and can have plenty of security issues too. At this point we can be fairly confident that BTC and ETH are safe, they have been battle-tested, but this is still about trust. When you get into smart contracts and other complex usages of blockchains, who knows what bugs they might have, there is zero enforced oversight. Crypto only ensures that it will work how it is programmed to work, but the programming could be wrong.
I actually have the skills to evaluate such a device if I had a few weeks of spare time. Expecting the average joe to have that ability is folly.
We have a system of laws and contracts and enforcement that allows someone to trust their bank account without a great deal of sophistication.
It's slower than the growth of storage/$$$
They were pointing out that crypto users rely on these worse-than-worthless audits and, as an example, how it wasn't until they were threatened with traditional law enforcement that CertiK gave the tokens back.
> What's holding the safety level back ironically is the overbearing regulations making individual financial sovereignty a pain.
There is absolutely no evidence of this.
The reality is that because of KYC/AML laws it's difficult for ordinary people to replace cash with crypto, which, if it were easy, would be a superior form of money and transacting, as any amount from tenths of a cent to billions moves frictionlessly.
We already know crypto is being used for real, actual terrorist funding[1]. How do you propose to balance access to crypto against that real harm? KYC rules seem a reasonable compromise here.
[1] https://home.treasury.gov/news/press-releases/jy1925 (note funding of ISIS amongst others)
But still, would you bet a billion dollars that whatever crypto system you are using has no bugs, vulnerabilities or backdoors? Are you going to audit the whole codebase yourself and trust your technical assessment? Do you even have access to the code that is deployed?
In terms of the blockchains themselves, they all have a kind of built-in bounty, in that if on-chain funds have inherent risk of being lost or taken due to faults in the system, this will have happened - as the biggest / most popular systems are valued in the multi-billions. Ie, a huge bounty if an exploit exists.
To my knowledge, this has not occurred to date with any of the major systems themselves.
It's important not to mistake the above with a different issue of trusting applications development built on blockchain projects.
Almost all blockchains have kind of two layers of functionality.
The base layer allows self-custody and transfer.
Above that, people can build other things using smart contract languages, or hardware solutions, or software that interacts with the chain. Those can have huge bugs or be outright scams.
It's a bit like HTTPS could be provably secure, but that doesn't mean if you visit https://dodgy-website.com-dodgy.tk you're protected against it doing something dodgy.
The difference is that while HTTPS is limited in its user-facing application, the base layer of, say, Bitcoin or Ethereum isn't so much.
People can securely store and transact any amount with anyone worldwide, sometimes in seconds, with complete finality and determinism, without needing to trust anyone in between.
In almost all cases, you also have access to the code, and can build it yourself. But as mentioned, the built-in bounty acts as your best security.
Eg, if there was a hole in the base layer of Bitcoin right now, there's hundreds of billions up for grabs.
We already have that in many countries. Yes, it's subject to AML/KYC regulations, and? Why is that a problem? It's only a problem if you want to remain anonymous (which you don't, really, with crypto), which is a very niche use of money. A lot of it related to crime too, which makes it hard to justify.
If governments are acting fairly, some of crypto's use-cases will simply not be adopted en masse. If they're not acting fairly, it will all have huge take up. In that sense it's like a check and balance on democratic values.
This has demonstrably been the case in many countries.
Governments that come down extremely heavy-handed against it are almost certainly themselves either corrupt in the worst case, or against common democratic principles of freedom and personal sovereignty in the best case.
The common BS trotted out is that crypto is used for financing terrorism. The reality is, cash is used for financing terrorism, banks are used for financing terrorism, and governments are used for financing terrorism.
Why target only crypto for this? Because it's a ruse. It's being targeted for other reasons.
A government truly "for the people, and by the people", would welcome the people being more easily able to transfer value between each other and hold it closer to them without a middle-man they need to trust.
What are those reasons? I'm not doubting you, I actually don't understand.
A government structure concerned more with self-preservation, will - accurately - perceive crypto as a threat to its antithetic hegemony, through a diminished ability to, for example:
- conduct itself without transparency. In a functionally-crypto world, government transactions would be immediately and openly public and auditable by anyone, and likely so automated. Currently, months long latency and bureaucratic obfuscation work against accountability.
- unfairly freeze assets for the purposes of self-preservation or power. In many cases there could well be no ability to freeze assets at all. (Private keys can be stored in minds, and this can be plausibly denied.)
- control the economy, and so ultimately, manipulate every aspect of a population's direction. A sufficiently smart-contract operated world could decentralise and democratise economic "policy" so much it may no longer fit inside that definition, as it may potentially become less of an affectation and more of an effect.
A proposed downside of all this is it simply may not work. I don't buy that. I think the main problems we have as a species are in how we allow ourselves to be exploitable. Building in greater sovereignty is the solution, not a problem.
> Why target only crypto for this?
But this just isn't true. All financial institutions are subject to KYC and AML laws, and large penalties have been applied, eg https://www.austrac.gov.au/news-and-media/media-release/aust...
It's not the crypto exchanges pushing for that - they actively work against it as it's a major expense as well as costing them customers.
Aside from exchanges, consider: cash itself is not targeted by these laws, which is crypto's closest existing analog. Do you need to submit KYC and AML documents to pull cash from your physical wallet and pay someone? Yet the push is for that level of involvement in your crypto wallets.
Finally, the SEC's actions for example are very clear: an obvious scammer like FTX gets a tick of approval and ends up reaming customers for billions. Whereas long-stable contributors such as LBRY or Ripple, get bogged down with heavy-handed enforcement. There are more examples.
HSBC was legally found to be actively engaged in facilitating criminal gangs, money-laundering etc. They paid a fine. You think a crypto exchange found to be doing those things would pay a fine? No, the executives would be jailed.
There's a big difference in application, across the board.
I notice substantially lower documentation requirements for a crypto exchange vs a bank. For example for both Binance and Gate (and I think Coinbase - not entirely sure there) I only had to supply a single identification document. For my bank accounts I've never been able to open one with less than 3 documents.
Not sure what your point about HSBC is. If you think SBF or CZ shouldn't be in jail then I don't know what to say. In the case of HSBC I'm not aware of individual witness accounts of deliberate criminal behaviour of individuals like both CZ and SBF did. But I absolutely agree people should have gone to jail.
In general crypto people seem to disagree with the idea of laws - specifically ones that apply to them. When challenged they resort to whataboutism or conspiracy theories. It's a set of weak arguments and really lays bare the weak intellectual foundation the whole crypto industry is based on.
I notice the reverse though it does vary by jurisdiction.
I described FTX as an "obvious scam", citing it as an example of the SEC greenlighting a bad actor - so your speechlessness is the result of comprehension issues on your part.
It's not a "conspiracy theory" to hold a different opinion to you regarding financial policy direction.
What I regard as "weak" is the use of such derogatory labels, rather than proper discussion.
Good day!
They are two completely different things, once you dig a bit deeper. One is going to improve the world immeasurably - in fact one of mankind's most important (maybe greatest) inventions, and the other is a snake pit.
If what I say sounds crazy, it won't after you've studied the topic for 5000 hours.
There are zero trust protocols within some crypto ecosystems and some of the world's top crypto PhDs work on these projects. There are just a lot of amateur devs and uneducated users trying to make a buck, who get exploited by a much more sophisticated party who also wants to make a buck; sounds like pretty much any other capital market, just much more blatant.
Or, I can buy USDT and move it to my cold wallet and call it a day.
Yeah, but if you get wronged on normal capital markets you can complain to the authorities and get your money back. Your bank goes bust? FDIC covers up to 250k per account. Your credit card company doesn't side with you in a dispute or your bank's customer "service" department acts up? Call the CFPB, and you'll get a call from somewhere very high up the bank's chain who actually has the power to make things happen to make sure you withdraw your complaint. A publicly traded company does bullshit to mislead investors? The SEC will tear them a new hole. And so on.
In the crypto world, you're left to deal with all of that on your own. Maybe the police will file a fraud complaint that won't lead anywhere.
To be fair, it's a little hard not to when crypto is so bad.
A) the smart contract audit is a choice, CertiK is one player providing them, there are many players, and it's a choice that consumers and investors misuse the point of those audits to even make the make. CertiK provides disclosure of vulnerabilities; consumers choose to see that as a greenlight instead of an objective decision to participate or not.
B) your ensuing conversation about exchanges has nothing to do with what CertiK does or has made a meme for. So that's the conversation you actually wanted to have the whole time, a copy-pasted “look! Crypto mentioned, my time to generically complain about it” discussion, but not one really relevant here.
CertiK and others are just providing cybersecurity; it's a sector that needs it, there is demand for it and that's as deep as it goes. If your crusade is to reduce demand for it, it's an ineffective and redundant use of energy at this point.
Any "service" that goes against this is basically normal money except way worse. That doesn't mean crypto is broken or useless. It just means scammers gonna scam.
Nice example: Bitcoin ETFs completely miss this point. Is a Bitcoin ETF actually backed by real Bitcoin? Nobody really knows, but judging by Wall Street's track record and who's behind it (Blackrock and Coinbase) the answer is almost certainly: no, your ETF order is not hitting a lit exchange and no it's not backed by anything and no, the SEC doesn't care.
Literally every US financial crisis can be summarized as "it turned out not to be backed by anything". More info: https://www.amazon.com/Decade-Armageddon-New-Geography-Essay...
VW squeeze: short positions that cannot be closed, because more stocks were sold than were supposed to exist. Same thing for Gamestop (except worse, 220% shorted at some point).
2008 crash: packages of high quality mortgages / credit that turned out to be backed by 0 high quality mortgages.
FTX scandal: sold tons of "Bitcoin" that turned out to never have existed + traded "tokenized stocks, backed 1-by-1 with real stock by some shady broker in Germany" that turned out to be a complete lie.
At least for BITW ETF addresses are disclosed and you can verify it yourself.
For others there is actually on-chain intelligence that lets you approximate how they are moving BTC itself. I mean there is always a lag between fund adjustments, but you can pretty much verify that BlackRock actually holds a lot of BTC.
https://platform.arkhamintelligence.com/explorer/entity/blac...
In the real world trust is something that's tied to people, then to organizations, etc. Online, trust is more than just security.
Without a real-world identity and a reasonable guarantee of enforcement, it's a lot harder to establish any kind of serious trust, possibly fundamentally impossible.
...and all the miners, the backing infrastructure, internet and so on.
There's also a non-zero sum of crypto proponents that think a large swathe of things that are illegal "IRL" should be non-criminal because ... "online".
Sure, but there is a reason that real banks have tons of laws and regulations. It's more or less not a crime to steal crypto because it's not a thing that's protected by law. And crypto bros are doing everything they can to keep it from being protected by law while whining that the law isn't able to help them.
Unequivocally false in the United States. Despite what computer professionals may sometimes think, judicial opinions and most of our legal system are based on what a "reasonable person" would believe. Judges don't agree with the "Neener neener neener! The terms are exactly X!" methodology, typically.
A reasonable, everyday person (and therefore a judge) would consider a party being deprived their valuable assets as theft, absent some form of agreement. Invariably, the reply incoming is "codeislaw," but that's absolutely not the case in every circumstance.
In this meme, why isn’t the permissionless aspect seen as not gatekeeping who is involved?
The running joke is that protocols with no security audits are safer than protocols with security audits done by CertiK.
They're ostensibly an audit/security firm, but miss many vulns
Most egregiously recently they tried to blackmail Kraken, a big exchange, for $2m
Probably mainly my misunderstanding, but H1 did not help in any way.
I opened an account, filed a report - I can easily crash Amazon Redshift as an unprivileged user. Provided the DDL/SQL to do so - dead simple, two statements, issue them and boom.
I received a reply, something like, "we have closed the report, if you can demonstrate a working issue we'll investigate further".
I was confused, replied and asked for explanation. No reply.
I tried going to their Support, 403 - doesn't work via Tor browser - no use for an anonymous report.
And that seems to be it - end of road.
I don't understand, no replies, no support, and I've disclosed valuable information and I have no idea what H1 have done or are doing with it (if it's been made public, for example).
(I asked on HN for advice. One line of reply was that this is not an exploit, but a bug, which I can see. OTOH, when I filled in the severity rating form, there was nothing in that where I was evidently going against the grain of what was expected, so I'm not wholly sure. Any further advice in replies now gratefully received.)
That's kinda a "you had one job" situation. Yes, it's hard to review security reports, and separate legit ones from bogus ones. But that's what these platforms advertise they do. They regularly do a very bad job.
> Unfortunately it is hard for the reporter to tell the two apart
that's the reviewer of the report, it's actually:
> Unfortunately it is hard for the reviewer to tell the two apart
Security engineers aren't telepaths.
Yes, sometimes reviewers don't do a good job, but I think you are severely underestimating how incomprehensible incoming reports can be sometimes. It is not always worth it to spend 6 hours trying to figure out what someone is talking about.
Yes, and this also goes for bugs filed by the public, sometimes comments/requests in public Open Source projects. There are lots of examples of incomprehensible communication and then there's also argumentative communication (that usually gets increasingly argumentative and ad hominem as the reply chain continues). Based on viewing a sampling of public bug reports my company gets (including security incident reports), I would not want to be the agent who acts as liaison by replying and clarifying with the bug reporter. Most public reports are polite and constructive but it's shocking how high a percentage are not, and become increasingly unprofessional as the discussion continues.
DoS stuff typically wouldn't qualify for most bug bounties. Thats probably why you got ignored.
Most services aren't awfully interested in fixing this sort of thing - they'll just wait for someone to try and DoS at scale, then have the oncall team put in some extra regex on the input which blocks that specific expensive/crashing query.
Denial of service is absolutely a security problem, so I don't think whoever gave this advice is correct. Sounds like a frustrating experience.
Any user could likely cause issues for Redshift by running completely nuts queries that exhaust all the server's resources. Is “shit SQL” a bounty-worthy issue?
Yes, having the power to crash your own instance might not be a security issue per se.
The problem I know of is a bit different, in that it is a direct and immediate server crash. It's not a denial of service by making the cluster slow. It's run-query, crash-server.
You are right of course that any normal user can issue crazy queries which hog resources, and hammer performance.
They have a direct email and are responsive. If the issue meets their criteria then you get a payout.
I found nothing.
Do you have a URL of any kind, for more information about this, including contacts?
I wouldn’t expect a bounty for something like this, but I believe the above is the correct avenue for reporting it.
- You have raw access to the DB
- You don't have enough privileges to get something more valuable than crashing the DB
- You don't care to get noticed/caught
Does sound pretty unlikely
I've not actually checked, so I don't know, but knowing how logging works on RS, I think the cluster crashing will mean your killer query is not logged.
Your session will have been logged by the time the cluster crashes. OTOH, maybe you were logged in for some time first, or there's connection pooling, or you slipped the query into an existing connection's query stream, and so on.
Actually, thinking about it, I think you could reduce the problem to a single query, rather than two, which would help cover tracks.
First yes for this.
> If it's the latter, it should obviously be rewarded with big $.
Second yes for this.
:-)
"Security problem" isn't a binary. DoS can be an issue, but often it is acceptable risk. Especially if your DoS is minor. E.g. i can crash the server by sending 50 Gbps of data to it, is not usually a security issue in context.
In the parent post they implied they needed privileged access to exploit. That probably makes it not a security issue as it can only be triggered by a trusted user.
Additionally most bug bounty programs disallow DoS, due to some combination of reports being low value, and testers being idiots, so it might be out of scope right from the bat.
These people don't even know about CIA triad and are gatekeeping four-figure bounty payouts while earning five figures or more every month. I'm extremely salty about this.
I’m convinced it’s largely designed to keep people from going full disclosure rather than actually getting bugs fixed.
H1 exists because once you start offering money the crazies start to show up, and it's a lot of work to keep up with it.
(That's not to say that you are entirely wrong either. I am sure some less scrupulous companies do have that goal. However, a lot of the time it's simply that the vuln has low impact so it's low priority. Depending on how the company is managed, often there is dysfunction where the security team lacks the ability to get things prioritized.)
But you’re also paying them to make sure the serious bugs absolutely do get to you, and if researchers give up, you’re not getting the value you need.
I suspect the problem is that the type of folks who are prepared to do front-line triage which is most commonly large volumes of nonsense and a few mediocre bugs, are early career security folks who can’t easily spot a really serious P0 and a researcher who clearly knows what they’re talking about.
Meanwhile megacorp tech employees with Wikipedia articles spend time to explain how "their platform" is not affected by an issue, even though you show them a POC. Of course, things like DOS are not in scope. It's worse than arguing with lawyers about a contract, because there is so much face-saving and CYA going on.
I feel like I have a better understanding now of the situation and what happened with H1, and I feel better about it.
I will now see if I can figure out how to wipe everyone's RS clusters instantly with a single command, so I can report something on H1 after all :-)
If you give an attacker access to run arbitrary queries in your database, it's already pretty bad news, even without a crash.
I don't know if I should feel happy or concerned about the security policies of a company that has already given 2 million USD in bug bounties :).
Poverty is just a basic gateway. I imagine hackers have to do some calculus on bigger vs little, since usually larger targets are more valuable, but smaller are likely less secure.
https://hackerone.com/hacktivity/overview?queryString=disclo...
The next highest bounty is $200k from Shopify and then again Coinbase with $115k
https://forum.grin.mw/t/ann-bug-bounty-awarded-to-david-burk...
You can't know that, not all bounty amounts are disclosed, and there's also private/confidential programs.
So, no, this is a good bounty but still on the small side for a huge crypto project / company.
So, no.
Crypto organizations float closer to the same market value of exploits that you see blackhat organizations like NSOGroup pay. It's just FAANGs that refuse to value them correctly and put up barriers of entry for pennies.
For crypto skeptics and those who REALLY hate crypto, this is a great opportunity to turn your passion of hating all over it into a lucrative hunt for bugs like this one and to make a massive killing from the payouts.
Just think about it.
source: I started from 0 and the very first bounty I submitted (related to CEX) was valued to $100k+
Immunefi has a similar payouts table to h1's at https://immunefi.com/bug-bounty/ implying people are getting paid, but it could boost credibility by linking to write-ups and findings from researchers if any exist.
> This project utilizes a decentralized vault for their bounty rewards to ensure trust by showing that they have the collateral to cover their bounties. Payments are processed directly on-chain inside the Immunefi webapp.
https://immunefi.com/bug-bounty/beanstalk/
An interesting side-effect is that you can view payments from the public vault for each project, for example:
https://etherscan.io/address/0x66Efac6e6d58D4058CF017E66a003...
Top payment so far is 3 payments of about 8,500 USD to the same recipient. The maximum claimed achievable payment is 1.1m USD.
It does at least imply that they've set aside magic beans to pay researchers, and that someone is being paid from the bean fund, for whatever that's worth.
The Hacker News post a few months ago had someone earn $2,000,000 which was paid instantly in USDC. This is freely redeemable for USD on Circle and Coinbase.
Some other firms pay out in a vesting schedule of their own tokens, so you rely on the exchange rate and liquidity just as with RSUs.
I bet you this was lots of persuasion for them to pay out this bounty. You wouldn't have gotten this bounty if you had this bug.
Crypto at least is easy to ignore as a user. Every other company out there that wants me to handover my personal data and “engage” is less so.
do you have, you know, like some data on those massive payouts? other than one data point?
https://github.com/sayan011/Immunefi-bug-bounty-writeups-lis...
One month ago this same company found a bug with a 2 million dollar bug bounty.
The bug would let them drain funds from a crypto exchange by sending funds to the exchange on the blockchain, but then after sending, reverting the part of the transaction that sent the funds, while keeping the overall transaction alive. The software at the exchange was fooled into counting the reverted transfer as actually happening. [0]
So what do you do when you find an incredibly critical bug with 2 million dollar bug bounty?
CertiK researchers choose to steal 3 million.
Then when they stole it, they exchanged the bulk of the coins for other coins, and sent some of the funds to an OFAC sanctioned entity. CertiK did not report the massive bug that they were exploiting live, in the wild, in public view, for ten days. When they finally did report it for the 2 million dollar bug bounty, CertiK did not mention the 3 million dollars that they stole. When confronted about it, they referred all questions to the sales team, who made demands and refused to return the money. Two weeks of refusing to return the money pass by before the head of security at the exchange posts the story on Twitter [1], without naming the company.
So what do you do now that there's a story out there that some researchers stole 3 million and won't return it?
CertiK chose to confirm everything on their official Twitter, loudly proclaim that the team that stole the money was them, and claim that the exchange was persecuting them by threatening legal action for the return of the stolen funds. CertiK founders also retweeted these tweets.
After a firestorm of twitter drama, by the end of the day, CertiK promised to return the stolen funds.
So CertiK is just some random team of anonymous people, right? Nope.
CertiK is a 2 billion market cap company, headquartered in the US, that just did 230 million dollars' worth of fundraising.
(CertiK does have a long reputation for working in ways that no one could conclusively prove if their actions were from evil or from incompetence.)
[0] https://x.com/danielvf/status/1803780167027871878
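The accounting mistake described in the comment above, as an added illustration that is not the exchange's code nor CertiK's: a deposit indexer that credits every transfer found in a transaction's internal-call trace, beside one that discards transfers made inside a reverted sub-call. The `Frame`/`Tx` structures, the deposit address and the sample traces are constructed simplifications of an EVM call trace, not data from the page.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Frame:
    """One internal call in a transaction trace (constructed simplification)."""
    to: str
    value: int                          # native value carried by this call, in wei
    reverted: bool = False              # this frame reverted; so did everything beneath it
    children: List["Frame"] = field(default_factory=list)


@dataclass
class Tx:
    tx_hash: str
    status_ok: bool                     # outer transaction status from the receipt
    root: Frame


# Hypothetical deposit address for the exchange's hot wallet.
DEPOSIT_ADDR = "0xDEPOSIT"


def naive_credits(tx: Tx, deposit_addr: str) -> int:
    """Credit every transfer to deposit_addr seen anywhere in the trace,
    ignoring whether the frame that made it was reverted. This is the
    class of mistake the comment describes."""
    total = 0
    stack = [tx.root]
    while stack:
        frame = stack.pop()
        if frame.to == deposit_addr:
            total += frame.value
        stack.extend(frame.children)
    return total


def settled_credits(tx: Tx, deposit_addr: str) -> int:
    """Credit only transfers whose whole ancestor chain succeeded: a reverted
    frame rolls back its own state changes and those of every call beneath it,
    even when the enclosing transaction as a whole succeeds."""
    if not tx.status_ok:
        return 0                        # the entire transaction was rolled back
    total = 0

    def walk(frame: Frame, ancestor_reverted: bool) -> None:
        nonlocal total
        reverted = ancestor_reverted or frame.reverted
        if not reverted and frame.to == deposit_addr:
            total += frame.value
        for child in frame.children:
            walk(child, reverted)

    walk(tx.root, False)
    return total


def phantom_deposit(tx: Tx, deposit_addr: str) -> int:
    """Detection check: value a trace-walking indexer would credit that never
    settled. Anything non-zero deserves an alert, not a balance update."""
    return naive_credits(tx, deposit_addr) - settled_credits(tx, deposit_addr)


ETH = 10 ** 18

# Constructed honest deposit: a plain transfer straight to the deposit address.
HONEST_TX = Tx("0xhonest", True, Frame(to=DEPOSIT_ADDR, value=1 * ETH))

# Constructed trace of the pattern the comment describes: the outer call
# succeeds, the sub-call that carried the funds reverted after the transfer,
# and a sibling sub-call keeps the transaction alive.
REVERTED_DEPOSIT_TX = Tx(
    "0xreverted",
    True,
    Frame(to="0xCONTRACT", value=0, children=[
        Frame(to=DEPOSIT_ADDR, value=3 * ETH, reverted=True),
        Frame(to="0xCONTRACT", value=0),
    ]),
)

if __name__ == "__main__":
    for tx in (HONEST_TX, REVERTED_DEPOSIT_TX):
        print(tx.tx_hash, "naive:", naive_credits(tx, DEPOSIT_ADDR),
              "settled:", settled_credits(tx, DEPOSIT_ADDR),
              "phantom:", phantom_deposit(tx, DEPOSIT_ADDR))
```

Reconciling settled credits against the receipt's own success status and event logs, rather than against raw call traces, is the same idea applied to a real node's data.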
Crypto is like monopoly money, there is no value outside of what people assign to it, is unusable outside of that specific context, and the "value" can disappear in seconds. If you steal someone's monopoly money, are you liable for theft of the equivalent of that monopoly money's exchange rate on the market (say, it's a rare edition you can sell on Ebay)?
Or like virtual currency in an online game. If someone steals your Robux, can you complain to the FBI?
In my mind, the people that loudly proclaim to want nothing to do with the rules beyond what's in the code get to have their cake.
in this case who knows what kind of tokens they stole, but if it was Ethereum or Bitcoin, those markets are liquid enough that you don't even have this problem.
Source? If that were true wouldn't it have to be regulated the same way as other securities?