The developer of Zengo Wallet is taking an unusual approach to offering a bug bounty. Instead of offering to pay white hat hackers to discover vulnerabilities, the company is placing 10 Bitcoin (BTC), worth over $430,000 at current prices, into a developer-controlled account. According to a Jan. 7 announcement, any hacker who manages to drain the Bitcoin will be allowed to keep it.
The bounty will be offered over a period of 15 days, beginning on Jan. 9 and continuing until the morning of Jan. 24. On Jan. 9, the account’s address will be revealed, and it will contain 1 BTC (approximately $43,000). On Jan. 14, Zengo will add an additional 4 BTC ($172,000) to the account and provide one of the “security factors” used to secure the account. On Jan. 21, the team will add another 5 BTC ($215,000), bringing the total amount held in the wallet to 10 BTC ($430,000). They will also reveal a second security factor at this time. The wallet uses three security factors in total.
After the second factor is revealed, hackers will have until 4 pm UTC on Jan. 24 to crack the wallet. Anyone who manages to crack the wallet during this time will be allowed to keep the 10 BTC.
Zengo claims to be a wallet with “no seed phrase vulnerability.” Users are not asked to copy down seed words when they first create an account, and no key vault file is stored by the wallet.
According to its official website, the wallet relies on a multi-party computation (MPC) network to sign transactions. Instead of generating a private key, the wallet creates two separate “secret shares.” The first share is stored on the user’s mobile device and the second on the MPC network.
The user’s share is further backed up through a three-factor (3FA) authentication method. To recover their share, they must have access to an encrypted backup file on their Google or Apple account and the email address they used to create the wallet account. In addition, they must undergo a face scan on their mobile device, which constitutes a third cryptographic factor to reconstruct their share.
A backup method for the MPC network’s share also exists, according to Zengo. The team claims it has provided a “master decryption key” to a third-party law firm. If the MPC network’s servers go offline, this law firm has been instructed to publish the decryption key to a GitHub repo. The app will automatically enter “recovery mode” if the key is published, allowing the user to reconstruct the MPC network’s share that corresponds to their account. Once a user has both shares, they can generate a traditional private key and import it into a competitor wallet app, allowing them to restore their account.
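The two-share design and the escrowed recovery path described above, as an added illustration that is not Zengo's code and is not the protocol the article describes beyond its outline: it assumes a simple 2-of-2 additive sharing of a secp256k1 private-key scalar, a toy SHA-256 keystream standing in for whatever cipher protects the server's share, and hypothetical function names (`make_shares`, `recovery_mode`, `escrow_encrypt`). Real MPC/TSS wallets produce signatures without ever combining the shares, which this toy does not show; what it does show is why one share alone says nothing about the key, and how publishing a master decryption key lets the app rebuild a conventional private key from the user's share plus the escrowed server share.

```python
import hashlib
import secrets

# Order of the secp256k1 group (the curve Bitcoin uses); private keys are scalars in [1, N).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def make_shares():
    """Produce a 2-of-2 additive sharing (toy stand-in for MPC key generation).

    The full private key k = (s_user + s_server) mod N is never computed here;
    each party only ever holds its own share.
    """
    s_user = secrets.randbelow(N - 1) + 1
    s_server = secrets.randbelow(N - 1) + 1
    return s_user, s_server


def reconstruct_key(s_user, s_server):
    """Combine both shares into a conventional private key (the 'import into a
    competitor wallet' step the article describes)."""
    return (s_user + s_server) % N


def share_consistent_with(candidate_key, s_user):
    """For ANY candidate key there is a server share that makes it valid, so a
    single share (say, one read out of a phone backup) reveals nothing about k."""
    return (candidate_key - s_user) % N


def _keystream(master_key, nonce):
    # TOY keystream: one SHA-256 block, enough to mask a 32-byte share.
    # Illustration only (assumption); a real product would use an authenticated cipher.
    return hashlib.sha256(b"share-escrow" + master_key + nonce).digest()


def escrow_encrypt(master_key, nonce, share):
    """Encrypt the server's share under the escrowed 'master decryption key'."""
    pt = share.to_bytes(32, "big")
    return bytes(a ^ b for a, b in zip(pt, _keystream(master_key, nonce)))


def escrow_decrypt(master_key, nonce, blob):
    """Inverse of escrow_encrypt; a wrong master key yields an unrelated scalar."""
    pt = bytes(a ^ b for a, b in zip(blob, _keystream(master_key, nonce)))
    return int.from_bytes(pt, "big")


def recovery_mode(master_key, nonce, escrow_blob, s_user):
    """What the app does once the master key is published: recover the server
    share from the escrow blob and rebuild a standard private key locally."""
    s_server = escrow_decrypt(master_key, nonce, escrow_blob)
    return reconstruct_key(s_user, s_server)


if __name__ == "__main__":
    s_user, s_server = make_shares()
    master_key = secrets.token_bytes(32)   # the key the article says is held by a law firm
    nonce = secrets.token_bytes(16)
    blob = escrow_encrypt(master_key, nonce, s_server)
    # Before publication: the blob alone, or s_user alone, does not determine k.
    # After publication: recovery_mode rebuilds exactly the key both shares define.
    assert recovery_mode(master_key, nonce, blob, s_user) == reconstruct_key(s_user, s_server)
    print("recovered key matches:", hex(reconstruct_key(s_user, s_server)))
```

The point of `share_consistent_with` is the defender's argument for the split: a leaked user share is information-theoretically useless on its own, so the security of the design rests on keeping the two shares, and the escrow key, in separately controlled places.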
In a statement to Cointelegraph, Zengo chief marketing officer Elad Bleistein expressed hope that the on-chain bounty will help to foster discussions around MPC technology in the crypto community. "Complicated terms like MPC or TSS can be overly abstracted," Bleistein stated. "The Zengo Wallet Challenge will highlight the security benefits of MPC wallets over traditional hardware alternatives, and we look forward to a lively discussion with those who get involved."
Wallet security has become a growing concern in the crypto community over the past year, as a breach of Atomic Wallet caused over $100 million in losses for crypto users. The developer later instituted a bug bounty program to help ensure the app’s security in the future. Users of the Libbitcoin Explorer wallet library also reported $900,000 in losses from hacks in 2023.