A Web3 security researcher received $150,000 from Cosmos Network for identifying a critical bug that could have brought down the Evmos blockchain and all decentralized applications built on it.
On October 29th, Spearbit Web3 security researcher jayjonah.eth published a blog post describing a bug in the Evmos (EVMOS) blockchain that could have had devastating effects on its operations.
His efforts were rewarded with a $150,000 payment from Cosmos Network for identifying the vulnerability. He discovered the bug while participating in bug bounty platform Immunefi’s Evmos bug bounty program, which has been active since November 2022.
Crypto bug bounties provide incentives to developers and researchers who help identify bugs and vulnerabilities in systems.
In the blog post, the researcher explains that he came across the concept of “module accounts” while reviewing the Cosmos documentation, and that this documentation provides a “foundation” for understanding the problem; he described reading it as a “first step” to identifying potential problems in a blockchain.
He found a section in the documentation that read:
“Typically, these addresses are module accounts. If these addresses receive funds beyond the state machine’s expected rules, the invariants are likely to be violated and the network could be brought to an outage.” writes Evmos.
According to jayjonah.eth, this clause states that if a user transfers funds to a module account, the blockchain may be destroyed. Module accounts are addresses controlled by a Cosmos SDK module rather than by a user, and funds arriving there outside the module’s own accounting can break the invariants the chain depends on. He then tested this by transferring funds to a module account.
“At this time, no more blocks are being generated and the chain is completely stopped. This will destroy the Evmos blockchain and all DApps built on top of it,” he wrote.
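To make the mechanism concrete, the following toy model (an added example, not Evmos or Cosmos SDK code) reproduces the pattern the documentation warns about: a bank keeper with module accounts, a blocked-address list that rejects user transfers to those accounts, and an invariant check that fails when a module account's real balance no longer matches what the module expects. In a real Cosmos SDK chain a broken invariant makes the node panic and the chain stops producing blocks, which is the outage the article describes. All type and function names (`ToyBank`, `Send`, `CheckInvariants`, `Simulate`) and the sample balances are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Added example, not Evmos or Cosmos SDK code. Cosmos SDK chains have
// "module accounts" (addresses owned by a module rather than a user) and
// register invariants that the crisis module checks; a broken invariant
// makes the node panic and halts the chain. The SDK's bank module keeps a
// blocked-address list so user transfers to module accounts are rejected
// before they can break an invariant. Names and balances below are assumed.

var ErrBlockedAddr = errors.New("send to a blocked module account is not allowed")
var ErrInsufficient = errors.New("insufficient funds")

// ToyBank models a single-denomination bank keeper.
type ToyBank struct {
	balances map[string]int64 // on-chain balance per address
	blocked  map[string]bool  // module accounts that must not receive user sends
	// expected is what each module's own bookkeeping says it holds; the
	// invariant compares it with the real balance.
	expected map[string]int64
}

// NewToyBank creates a bank with one user and one module account
// (constructed sample data). blockModuleAccounts toggles the protective check.
func NewToyBank(blockModuleAccounts bool) *ToyBank {
	b := &ToyBank{
		balances: map[string]int64{"alice": 1000, "mod/distribution": 500},
		blocked:  map[string]bool{},
		expected: map[string]int64{"mod/distribution": 500},
	}
	if blockModuleAccounts {
		for name := range b.expected {
			b.blocked[name] = true
		}
	}
	return b
}

// Send is the user-facing transfer path (the equivalent of MsgSend). With the
// blocked list in place, a transfer to a module account fails here, before
// any state changes.
func (b *ToyBank) Send(from, to string, amt int64) error {
	if b.blocked[to] {
		return ErrBlockedAddr
	}
	if b.balances[from] < amt {
		return ErrInsufficient
	}
	b.balances[from] -= amt
	b.balances[to] += amt
	return nil
}

// CheckInvariants mirrors an invariant check: every registered module's
// expected holdings must match its real on-chain balance.
func (b *ToyBank) CheckInvariants() error {
	for mod, want := range b.expected {
		if got := b.balances[mod]; got != want {
			return fmt.Errorf("invariant broken for %s: balance %d, expected %d", mod, got, want)
		}
	}
	return nil
}

// Simulate runs the transfer the article describes (a user sends funds to a
// module account) against a bank with or without the blocked-address check,
// and returns the send result and the invariant result.
func Simulate(blockModuleAccounts bool) (sendErr, invErr error) {
	b := NewToyBank(blockModuleAccounts)
	sendErr = b.Send("alice", "mod/distribution", 1)
	invErr = b.CheckInvariants()
	return sendErr, invErr
}

func main() {
	for _, blocked := range []bool{true, false} {
		sendErr, invErr := Simulate(blocked)
		fmt.Printf("blocked list enabled=%v: send error=%v, invariant error=%v\n", blocked, sendErr, invErr)
		if invErr != nil {
			fmt.Println("a real chain would panic here and stop producing blocks")
		}
	}
}
```

With the blocked list enabled, the send is rejected and the invariant still holds; with it disabled, a one-unit transfer goes through and the invariant fails. The practical check for any Cosmos SDK chain is therefore twofold: confirm that every module account address is on the bank module's blocked list, and treat any path that credits a module account outside the module's own logic as a chain-halting bug.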
He reported his findings to the Evmos team and received $150,000, the highest award given for a “severe” level bug. The researcher emphasized that the bug is “low-hanging fruit”: simple, but easily overlooked.
“This bug taught me a few important things as a security researcher. First and most obvious: always read thoroughly the documentation of the project you’re investigating.”
- jayjonah.eth
Other projects also run bug bounties to help detect hidden threats in their systems. Last August, distributed attention layer project Layer3 partnered with HackenProof to launch a bug bounty program that offers up to $500,000 in rewards.
In July, Immunefi, in collaboration with the Ethereum Foundation, launched Attackathon, an auditing competition aimed at challenging and strengthening the security of the Ethereum network.