To be sure, this sword cuts both ways. On the one hand, it presents unprecedented opportunities to innovate financially and provide equitable access. On the other hand, it’s an absolute training ground for hackers. By September 2022, DeFi platforms had already lost an estimated US$2.32 billion to these exploits. In this high-stakes environment, the issue of whether and how to engage with hackers presents a central ethical challenge. Another new and popular method is bounty contracts. In these agreements, hackers either give back the money they’ve stolen or leak information about the weakness they’ve discovered in return for payment. Earlier this month, one Loopscale hacker agreed to return $5.8M in exchange for a 10% bounty. But is this truly a win-win situation?

The Allure of Bounty Agreements

Offering bounties to hackers can seem counterintuitive. After all, they are the ones making it more dangerous in the first place. But there are at least six pretty darn good reasons to do so.

Encouraging Responsible Disclosure

  • A Safer Digital Environment: Bounties can incentivize hackers to act as "white hats," responsibly disclosing vulnerabilities instead of exploiting them for personal gain. This helps to create a safer environment for everyone.
  • Faster Remediation: When a hacker reports a vulnerability, the DeFi platform can quickly patch the issue, preventing further damage and potential losses.
  • Reduced Reputational Damage: By working with hackers, platforms can avoid the negative publicity associated with a major security breach.

The Hacker's Perspective

For bounty hackers, bounty contracts are a legal means to profit from their efforts. They can prevent those localities from running afoul of the law and the likelihood of being caught out. Rather, they are rewarded for deciding to take the ethically correct course of action. Ethically inspired hackers are usually drawn to this sort of work. They want to take an active role in the security of the DeFi ecosystem.

Ethical Gray Areas and Potential Pitfalls

Though bounty agreements offer important advantages, they simultaneously present a host of ethical dilemmas. It’s important to recognize these upsides and downsides and think about what they would or wouldn’t mean.

Legitimizing Hacking Activities

Some may think that paying bounties to hackers is just rewarding criminal behavior and enticing more hackers to cause future havoc. Without careful regulation, this promise can easily turn into a troubling risk. We can’t allow our goal to change from stopping attacks to just paying hackers to go away.

Extortion Risk

  • Creating Vulnerabilities: Hackers may intentionally create vulnerabilities or steal funds to receive bounty payments, effectively engaging in extortion.
  • Demanding Higher Bounties: If a hacker finds a critical vulnerability, they may threaten to exploit it unless they receive a higher bounty.

Blurring Ethical Lines

An exorbitant bounty would simply incentivize white-hat hackers to make away with the bounty funds. They could come back and ask for more, looking for a bigger bounty, and this is where white-hat and black-hat hacking gets muddy.

Encouraging Exploitation

  • Financial Gain: Incentivizing hackers with bounties may lead some to exploit vulnerabilities in systems for financial gain, rather than reporting them responsibly.
  • Turning to Crypto Crime: If bounties are not sufficient or if hackers are not rewarded fairly, they may turn to crypto crime to profit from their skills, increasing the risk of crypto crime.
  • Breaking Rules: If hackers are not careful, they may accidentally break rules set out for bounty programs, potentially leading to consequences such as being banned from the program or even facing legal repercussions.

Strengthening Defenses: Alternative Security Measures

Bounty agreements alone are not a sustainable security strategy. DeFi platforms must proactively implement robust security measures to prevent exploits in the first place.

Proactive Strategies for Preventing Exploits

  1. Conducting comprehensive security audits and code reviews: Regular security audits and code reviews can help identify and address potential vulnerabilities within DeFi platforms and protocols.
  2. Implementing robust security protocols: DeFi platforms must prioritize user fund security to instill trust and confidence among users and investors.
  3. Using multi-signature wallets: Multi-signature wallets offer an additional layer of security and protection for DeFi assets, enabling users to secure their digital assets through a collaborative authentication process.
  4. Adhering to legal frameworks: Adhering to legal frameworks is critical for DeFi platforms to maintain the integrity, legality, and credibility of their operations within the DeFi landscape.
  5. Ensuring secure practices: Teams must use secure practices like two-factor authentication to prevent phishing attacks.
  6. Implementing robust security measures: Using modifiers like nonReentrant to prevent re-entrancy attacks, and incorporating redundancy and fail-safe mechanisms to ensure that even if one layer is compromised, other layers continue to protect the protocol.

Learning from External Audits and Security Protocols

Many DeFi applications hire independent external auditors to find and fix security vulnerabilities. These audits are important supplementary measures that can keep DeFi platforms from getting hacked. Certainly, it’s important to distance ourselves from the mentality that security is reactive in nature, responding only after an attack occurs. Using modifiers such as nonReentrant can be very effective in preventing re-entrancy attacks. When you add in redundancy and fail-safe layers, you make sure that if one layer is breached, the others still serve to safeguard the protocol.

Addressing the Insider Threat

Second, and equally important, it’s time to recognize that not all threats are foreign. North Korean IT workers have been drawing closer to shady crypto and Web3 companies, undermining their networks, operations, and integrity. This points to a need for more rigorous vetting procedures and post-hire surveillance mechanisms to identify and mitigate insider threats.

Bounty agreements greatest potential lies as a collective resource rather than as singular contracts. Few would claim that bounties are a cure-all solution to DeFi security challenges. By complementing bounty programs with proactive security measures like audits, DeFi platforms can build a more resilient and trustworthy ecosystem. To avoid unnecessary restrictions and regulations, it’s important to strike the proper balance between rewarding ethical conduct and preventing bad actors. While the Loopscale case is certainly alarming, it serves to illustrate the larger fight for DeFi security. It’s a manifestation of the idea that we need to beware and continually adjust.