The Web3 Security Revolution

Immunefi
Published in Immunefi
9 min read · Nov 7, 2021

In decades past, whether it’s Hollywood or Netflix, stories of heists continue to capture the imaginations of millions around the world: Now You See Me, Baby Driver, Inception, and Ocean’s Eleven, just to name a few.

These plots involve beautiful backdrops, subversive agents, betrayal, and life-changing amounts of money. Not only does it make for great film, but it also paints a gilded picture of grand larceny as a profession. The daring raids, the complicated planning, and the desperate characters whom everyone can relate to are what make a heist movie exciting.

But what of modern heists? Modern heists have moved into the networked world in the form of ransomware, phishing, and botnets. Most big heists these days involve spreading malware across networks and stealing information from private databases.

It’s not as dramatic as it used to be…or is it?

It is. It exists in web3, and it’s happening right now. As we write this article, some of the most valuable, easily stolen objects to ever exist (smart contracts holding billions in user funds) are being fought over by whitehats trying to protect the space and blackhats trying to pull off some of the biggest heists ever seen in history — to the tune of hundreds of millions.

This new paradigm shift in information security is so significant that it deserves a new name.

We call it the Web3 Security Revolution.

Join us as we venture to the lesser-known world of web3 security, where the dangerous game of whitehats and blackhats continues in a battle of wits that decides the fate of billions of dollars beneath the surface of web3.

The Digital Diamonds of Web3.

You’ve probably heard the term ‘mark’ used to describe the person or company targeted by a group of burglars. A mark is a target overflowing with cash and ripe for the taking. The mark could be a painting, a diamond, a precious collection of jewels, or a sensitive document — each worth the wages of many lifetimes.

And there’s no mark bigger than the digital diamond of decentralized finance, which as of today is valued at a total of $48 billion.

There’s no physical vault, train, or cargo truck involved. All of these assets are in smart contracts on blockchains, and can be stolen with just a computer and the right combination of code. The physical/virtual distinction is well-known and separates the physical world from web2. In the analog world, if you wanted to steal sensitive documents, you’d actually need to physically break into a facility. In web2, you can be thousands of miles away, anonymous, and cart away entire archives of information in seconds.

But what about the differences between web2 and web3?

The key difference is this: in web2, you essentially never come across an opportunity to steal $850 million with knowledge of an exploit and the click of a button. But that’s what is at stake every single day in decentralized finance, and much more, because in a genuinely permissionless environment, if there’s a bug in the code, whatever user funds are in the smart contract can be stolen immediately. DeFi has none of the checks that large transactions, such as wire transfers, require in traditional finance.

If the difference between the analog world and web2 is stark, ask yourself this question: what singular object, capable of being picked up and stolen by a single person, is worth $850 million?

The closest comparisons are Leonardo da Vinci’s Salvator Mundi, valued at $450 million, and the Cullinan diamond, discovered in South Africa in 1905 and valued at $400 million. It’s now incorporated into the Crown Jewels in the United Kingdom.

The Polygon vulnerability, patched after being reported through Polygon’s bug bounty program on Immunefi, put $850 million at risk. In other words, it was worth two Cullinan diamonds with $50 million left over. And in the Polygon case, nobody would have had to break into the Tower of London to steal the Crown Jewels.

There’s just no comparison to the physical world or web2. Web2 is old. Web3 is where the new security battles are being fought, and where new heroes and villains are emerging and making names for themselves.

The Blackhats

To date, billions in web3 funds have been stolen. Although this represents less than 1% of the total value locked in DeFi, it’s still a staggering amount.

These funds are stolen by hackers known as blackhats. They’re brazen, unpredictable, and always on the run from the law. Despite having a tendency to act alone, they often end up having to work with shady characters to launder their funds, or even to pull off the exploit in the first place.

Some of these hackers may simply return the funds rather than go through the trouble of laundering them, making some sort of statement to boost their ego, as in the case of the lone hacker who ‘liberated’ $600M in funds and later returned it to the project it was stolen from, while leaving a whole trail of messages addressed to the community at large.

Many are choosing to become whitehats, but others have elected to remain blackhats and are constantly on the prowl trying to steal hundreds of millions in user funds for selfish gain.

The Whitehats

In the real world, valuables are protected by walls, fences, alarms, and security guards. In web3, this duty falls to auditors, whitehats, and other security professionals.

Some projects hire their own security — knowledgeable devs or CTOs who know the code backwards and forwards, and can pinpoint any issues during the development process. They also hire auditors to check the pre-deployment code for any potential flaws. But good auditing firms are in high demand, leading to expensive audits and long queues.

As a result, some projects even opt to skip the audit entirely. But once your code is live, there’s nothing to stop anyone from exploiting any mistakes that made it through.

Nothing except whitehats and smart contract bug bounties.

The simple beauty of the blockchain is in its transparency, allowing anyone with a computer and internet access to join the effort. This often means that any irregular activity, including large capital transfers, is quickly spotted.

But it also means that your security mechanisms can be freely studied by the wrong people. It’s a weird situation — as a protocol, both you and your attacker have access to the same information. It’s very much like being locked in a steel cage, in plain sight of the sharks that swim by.

Smart contracts are only as good as you build them, and any gap in the code means that you could lose a large chunk of funds, or worse — you could lose it all.

This is where you need the help of the whitehats to step in and hunt down those bugs before they can do significant harm.

Whitehats: DeFi’s Elite Protectors

Whitehats are hackers working for the good guys. They go the extra mile, combing through code looking for vulnerabilities and keeping a close eye on transactions on the blockchain. Their aim is to find the bug and disclose it responsibly via a bug bounty program before the blackhats exploit it. Being even one second too late could mean the difference between saving $100 million and losing it to the dark side.

Whitehats exist in web2 as well. But while a typical bug bounty payout in web2 can range from $100 to $200,000 in very rare cases, in web3, extremely high bounties of up to $10 million now exist — and have been paid out. The largest bug bounty payouts on record have been paid out via Immunefi, including a $10 million bounty paid by Wormhole, and a $6 million bounty paid out by Aurora.

Why are the payouts so high? Because of scale. When the stakes are this high, you can’t go cheap on security. Another reason is that the complexity of these hacks means that only very specialized people with knowledge of web3, DeFi, and blockchain can participate in these bug bounty programs.

In web3, whitehats are legendary individuals with a moral compass that guides them to work for the good of web3 and its inhabitants every day. They might be students, academics, CTOs, developers, or others who took up an interest in smart contracts and self-studied their way to becoming experts.

It takes incredible work to become as good as some of the best whitehat hackers like pwning.eth, satya0x, bobface, Lonely Sloth, and thec00n, to give just a few examples from the Immunefi Leaderboard. You need to have the keen intuition and interest to study the work of a blackhat and still be one step ahead of them at all times.

Given the amount of skill required and the amount of funds at risk, whitehats who are part of the Web3 Security Revolution will go on to become legends known for their incredible feats, just like the early hackers of web2.

Just read these excerpts of a web3 whitehack, where the project owners were in a war room with Immunefi, scrambling to protect exposed funds without tipping their hand to an unknown attacker who might be watching:

“The Dedaub team, now realizing the implications of the exploit, pinged Mitchell and his co-founder, Duncan Townsend on Saturday to facilitate the disclosure process. Within about 15 minutes, Duncan had confirmed that the vulnerability was, in fact, serious business.

That’s when Alex received the call, and that’s when the clock started ticking.”

“What made this war room more challenging than the usual fare is that Primitive Finance is a truly decentralized protocol. There are no admin keys, no multisig wallet. The contracts can’t be paused. Once they’re live, they can’t be changed. So, what to do? For a few moments, things felt hopeless.”

“So, what was Plan B?

Plan B was a whitehack. If you can’t get approvals reset to 0, and you can’t pause contracts, your only option left is to hack the funds yourself, so that you can personally return them to users.

In the war room, this idea understandably turned up the temperature. By a lot. A whitehack isn’t a trivial operation. It can’t be executed haphazardly, it has to be mistake-free, it needs to be itself well-protected from attacks, and it has to be total, capturing all user funds — or at least close to total. All the addresses have to be found and the exploit carefully handcrafted to do the job. There’s zero room for error.”

You’ll want to read on to finish the story. It wasn’t easy finding a solution, and the first one didn’t make it through. It was a ticking time bomb because anyone else who found the bug first could have launched a devastating attack against the protocol.

And yet, finding flaws in a smart contract is not as easy as reading code. Whitehats need to have a sense of every possible interaction between a single contract and the hundreds of other contracts that exist in the ecosystem of projects and tokens, forming a kaleidoscope of potential vulnerabilities.

That is why their skills are demigod-like and extremely in demand. Their work protects billions of dollars from being stolen. One whitehat hacker, Alexander Schlindwein, has single-handedly protected hundreds of millions of dollars worth of funds from being stolen, and has in turn received millions in bounties for his time and effort.

Legendary Web3 whitehat Alexander Schlindwein in Lisbon @ Immunefi’s VIP party.

We’re still in the early days of the Web3 Security Revolution, but there’s never been a better time to skill up and join the fight. There is no exception, no mercy, and no do-overs in Web3 security: you really have to be the best, brightest, and fastest to survive. After all, if you don’t start now, blackhats and other criminals will dominate the future of computing, snuffing out blockchain’s ability to scale and gain mass adoption.

When it comes to DeFi and its billion-dollar diamonds, there is no second place: only the relief of being first, or the humility of being totally Rekt.

Whitehats working with Immunefi have saved billions of dollars and made millions from grateful projects for their efforts. One or two large bounties could set you up for life. What are you waiting for?

Join us in securing the future of money at Immunefi.

Review code. Prevent hacks. Build rep. Get paid.

🔒 For more guides on how to secure smart contracts, analysis of past hacks, and information on the latest bounties, make sure you follow us on Twitter or join our whitehat Discord community.

P.S. Hackers subscribed to our newsletter are 35.8% more likely to earn a bug bounty. Click here to sign up.

Immunefi

Immunefi is the premier bug bounty platform for smart contracts, where hackers review code, disclose vulnerabilities, get paid, and make crypto safer.