Blockchain security firm Chainlight said it received a $10,000 bounty for uncovering a potential vulnerability that could have jeopardized $32 million in customer funds on Optimism-based decentralized exchange (DEX
) Perpetual Protocol.
In a Nov. 9 post on social media platform X (formerly Twitter), Chainlight detailed how it reported a critical bug in Perpetual Protocol’s “AccountBalance” contract last year. According to the firm, the contract is a pivotal component that “serves as the protocol’s brain for calculating position values.”
The vulnerability posed a severe threat to the DEX, placing the entire $32 million USDC held by the protocol at risk of being misappropriated.
This flaw had the potential to allow bad actors to swiftly move the entire $32 million within a five-minute timeframe, leaving the protocol with insufficient time to deploy effective security measures.
The white-hat hacker detailed that an attacker could manipulate asset prices through a pump-and-dump strategy, exploiting volatile price actions to place position orders outside the permissible range and immediately profit, resulting in the protocol’s bad debt.
In acknowledgment of its efforts, Chainlight said it got $10,000 worth of Perpetual Protocol’s native PERP tokens.
Perpetual Protocol’s low bounty draws critics
The $10,000 bounty has generated several reactions from the crypto community, who argue it was insufficient considering the protected amount.
Trust, the head of security at blockchain auditing firm TrustSec, labeled the reward as another instance of a bounty scam, asserting that it did not adequately reflect the gravity of the situation.
Protocol Specialist at Coinbase, Viktor Bunin, also questioned why the bounty was so low.
Juancito, a blockchain security researcher, criticized the meager bounty offer, suggesting that white-hat hackers’ contributions to the ecosystem are not appropriately valued.
Similarly, Blurpoint noted that white-hat efforts often go unappreciated, emphasizing the importance of acknowledging and adequately compensating these contributions.
Web3 security expert CryptoBandit shared a comparable experience, recounting how he shared a critical vulnerability that could have led to $40 million in losses with the DEX but only got $30,000 as bounty rewards.
This situation underscores the challenges white-hat hackers face within the industry, as they are not properly incentivized to help crypto platforms expose vulnerabilities within their codes.