On December 19, 2022, kklas, a Twitter user and web3 developer, announced that he had found a bug in a Solana smart contract that could put user funds at risk, and that the affected projects had ignored his report.
Recently I discovered a critical loss of funds vulnerability on a Solana SC that would have affected multiple apps with ~$30M being at risk. If it was exploited it would have been the third largest SC exploit on Solana.
Yet none of the affected apps want to give me a bounty…
— kklas (@kklas_) December 19, 2022
Alongside the failures of corrupt centralized institutions, hacks and exploits remain a persistent problem in the crypto space, which underlines the importance of finding bugs in smart contract code before attackers do, both to prevent losses and to avoid FUD. Yet after all his work, kklas was not rewarded.
In his tweet, he said that he had found a vulnerability in a Solana smart contract that affected several projects and put roughly $30 million of user funds at risk. According to the developer, he reported the bug and helped get it resolved, but when he asked for a bounty, the projects simply ignored him.
This sends the wrong message: that projects would rather get hacked than have critical bugs reported to them. It brings the Mango Markets exploit to mind.
In that case, the hacker informed the project about a vulnerability and, when they did not handle it to his satisfaction, exploited it himself, then submitted a governance proposal asking Mango Markets to pay him a $70 million bounty.
The proposal also had him return about $50 million, on the condition that Mango Markets use the $70 million USDC in its treasury to clear the bad debt and make all of its users whole.
He further ensured that his holdings would not be frozen, so that he could use the stolen MNGO tokens to vote yes on his own proposal.
He was supported by another member of the community, ReddSpark, who had this to say:
Yep, the incentives to hack it yourself are way higher than the incentive to report. Also, perhaps these devs secretly wanted to exploit it themselves. Don't rule that out. I'm sure the people that are most likely to spot exploits are the code writers.
— ReddSpark (@Redd_Spark) December 20, 2022
In his view there are two readings. Either the developers intended to exploit the bug themselves, since the people who write the code are best placed to spot its flaws, which would explain their negative reaction to kklas's discovery; or the incentives are simply such that a researcher is better off hacking the project himself and then negotiating from a position of leverage.
Either way, that would be more profitable than being ignored after reporting responsibly.
This points to a potential new trend. Some users predict that the next cycle in the crypto space will be what they call a "break-and-fix cycle": traders pay black hat hackers to exploit critical vulnerabilities in projects while shorting those projects' tokens, profiting from the price drop and gaining leverage over the projects in the process.