Evmos pays $150K bounty for critical bug found in Cosmos documentation

A Web3 researcher earned $150,000 for finding a bug in Evmos that could halt the blockchain and all DApps.
A Web3 researcher earned $150,000 for finding a bug in Evmos that could halt the blockchain and all DApps.

A Web3 security researcher earned a bounty reward of $150,000 by reading the Cosmos Network documentation and finding a critical bug that could halt the Evmos blockchain and all decentralized applications (DApps) built on it.

Pseudonymous Spearbit security researcher “jayjonah.eth” received $150,000 for identifying a vulnerability in the Evmos blockchain as part of the Evmos Bug Bounty Program, which has been active since November 2022.

In a blog post published on Oct. 28, he explained coming across the concept of “module accounts” in the Cosmos documentation, which read:

“If these addresses (module accounts) receive funds outside the expected rules of the state machine, invariants are likely to be broken and could result in a halted network.”

Crash-testing Evmos blockchain based on Cosmos documentation

The security researcher tried sending funds to the module account in a test environment to test the theory and reported:

“At this point, no more blocks are being produced and the chain has completely halted. This breaks the Evmos blockchain and all the DApps built on it.”

He revealed that the Evmos team fixed the bug before the information was made public.

Security, Cosmos, Web3

Evmos bug bounty payout system. Source: Evmos

The researcher was awarded the highest tier payout for identifying a critical bug. On an end note, jayjonah.eth urged security researchers to read through project documents while adding that “sometimes the most critical bugs can be extremely simple.”

Security, Cosmos, Web3

Source: jayjonah_eth

Related: Tapioca offers $1M to ‘social engineering’ attacker who stole $4.7M

In addition to helping projects alleviate the risk of cyberattacks, bug bounty programs are also used as a tool to minimize the losses in the event of a hack.

Hacker negotiates bug bounty with Shezmu protocol

In September, leveraging yield protocol, Shezmu recovered nearly $5 million in stolen crypto through negotiations with a hacker after agreeing to a higher bounty demand.

Shezmu had initially offered the hacker a 10% bounty reward via an onchain message and requested the return of 90% of the stolen funds within 24 hours.

Security, Cosmos, Web3

Source: Shezmu

However, the hacker demanded 20% of the stolen funds as a bounty reward, which the protocol agreed to and received the remaining stolen funds.

Magazine: Most DePIN projects barely even use blockchain: True or false?