Security researchers have flagged OpenBounty, a platform affiliated with CertiK, for allegedly front-running bug bounty reports.
CertiK, the smart contract auditor, is at the heart of renewed controversy for allegedly seeking to front-run bug bounty reports.
On June 25, Pop Punk, the co-founder of Gaslite, a gas efficiency auditor, accused OpenBounty, a bug bounty platform incubated by Shentu (the rebranded CertiK Chain), of front-running bug bounty reports and violating the terms of service surrounding bug bounty reports.
OpenBounty ostensibly provides a platform for aggregating bug bounties and facilitating the reporting of web3 code vulnerabilities. However, critics believe the platform primarily serves as a vehicle for front-running bounty reports in order to claim any rewards on offer.
“OpenBounty… appears to front-run bug bounty reports,” Pop Punk said. “This is a direct violation of many large protocols’ bug bounty terms… The more suspicious thing is that their website makes requests to a domain with CertiK in the name when you report a bounty.”
Suspicions concerning OpenBounty were first raised by h0wlu, a security researcher.
“I created a test account on their platform to check it out, thinking maybe it’s just an aggregator, but no,” h0wlu said. “They have submission forms for all these programs and the findings are sent to their API servers.”
h0wlu found that OpenBounty’s APIs are hosted on the “bounty-prod.noopsbycertik.com” subdomain, further suggesting CertiK is connected to the platform. They also noted that Uniswap’s bug bounty policy states that reports must be made directly, and not through a third party.
“If you find a bug, report it to the protocol directly. Not some shady website associated with CertiK,” added Pop Punk. “Who [knows] if they’re going to.”
All eyes on CertiK
The OpenBounty allegations are swirling after CertiK came under fire last week for exploiting a vulnerability it identified on the Kraken centralized exchange to siphon $3 million from the platform.
Kraken accused CertiK’s researchers of holding the funds “hostage” in a bid to negotiate a bug bounty. “This is not whitehat hacking,” said Nick Percoco, chief security officer at Kraken. “This is extortion.”
Security researchers have also spoken out against CertiK in response to the controversy, accusing the firm of carrying out lazy security audits.
CertiK claimed it was merely carrying out “research” into the extent of the exploit before reporting it, and returned the funds after facing backlash.