Aurora Pays Out $6M Bug Bounty to White Hat Hacker
- Aurora has paid out a $6 million bug bounty to a white hat hacker who warned it of a possible $330 million exploit.
- Immunefi, which coordinated the bounty and payout, says that the amount is the second largest reward in crypto history.
- The Aurora payout is surpassed only by a $10 million bug bounty from Wormhole, which was paid out in May.
Aurora, a blockchain bridge project, has paid out the second-largest reward in crypto history after being informed of a vulnerability.
$330 Million In Losses Averted
A white hat hacker by the name of Pwning.eth discovered and notified Aurora of an exploit in the project’s Aurora Engine.
The Aurora Engine is an Ethereum Virtual Machine (EVM) built on the NEAR Protocol. It allows developers to develop and deliver apps for both platforms—NEAR and Ethereum—at once.
Immunefi said in an announcement that the bug concerned an infinite spending vulnerability that “could have been exploited to mint arbitrary ETH in the Aurora EVM at an exponential speed.”
Immunefi estimates that Aurora could have lost up to 70,000 ETH ($130 million) plus $200 million in other assets through the exploit. No funds were lost, though, as the project quickly patched the bug.
Frank Braun, Head of Security at Aurora Labs, stated that “such a vulnerability should have been discovered at an earlier stage of [our] defense pipeline.” However, he added that Immunefi’s bug bounty program has been “valuable in incentivizing white hats to look at our code base and disclose bugs in a responsible manner.”
Pwning.eth was awarded a $6 million bug bounty after alerting the project to the issue via Immunefi on April 26.
Bug Bounty Breaks Records
According to Immunefi, the $6 million reward paid by Aurora is the second-largest bounty ever delivered in crypto history.
Only one other bounty had a higher reward: a $10 million reward for the Solana bridge Wormhole that was paid out in May.
Immunefi is also offering a $10 million reward for the stablecoin project MakerDAO that has not yet been paid out; if paid, it could overtake today’s payout and make Aurora’s reward the third-largest in history.
To date, Immunefi has paid out more than $40 million in bounties and averted north of $20 billion in hack damage.
DeFi and blockchain exploits can be catastrophic for protocols. Last week, digital synthetic assets creator Mirror Protocol suffered a $2 million hack that almost destroyed the project altogether. It previously lost $90 million to a different vulnerability.
Disclosure: At the time of writing, the author of this piece owned ETH and several other cryptocurrencies.