Safety researchers have flagged OpenBounty, a platform affiliated with CertiK, for allegedly front-running bug bounty experiences.
CertiK, the sensible contract auditor, is on the middle of renewed controversy for allegedly looking for to front-run bug bounty experiences.
On June 25, Pop Punk, the co-founder of Gaslite, a fuel effectivity auditor, accused OpenBounty, a bug bounty platform incubated by Shentu — the rebranded CertiK Chain — of front-running bug bounty experiences and violating the phrases of service surrounding bug bounty experiences.
OpenBounty ostensibly supplies a platform for aggregating bug bounties and facilitating reporting web3 code vulnerabilities. Nonetheless, critics imagine the platform principally serves as a car for front-running bounty experiences to assert any rewards on provide.
“OpenBounty… seems to front-run bug bounty experiences,” Pop Punk mentioned. “This can be a direct violation of many massive protocol’s bug bounty phrases… The extra suspicious factor is that their web site makes requests to a site with CertiK within the identify while you report a bounty.”
Suspicions relating to OpenBounty had been first raised by h0wlu, a safety researcher.
“I created a take a look at account on their platform to test it out, considering perhaps it’s simply an aggregator, however no,” h0wlu mentioned. “They’ve submission types for all these applications and the findings are despatched to their API servers.”
Howlu discovered that OpenBounty’s APIs are hosted by the “bounty-prod.noopsbycertik.com” subdomain, additional suggesting CertiK is related to the platform. Additionally they famous that Uniswap’s bug bounty coverage states that experiences have to be madedirectly,and never through a 3rd get together.
“In case you discover a bug, report it to the protocol instantly. Not some shady web site related to CertiK,” added Pop Punk. “Who [knows] if they will.”
All eyes on CertiK
The OpenBounty allegations are swirling after CertiK got here underneath fireplace for exploiting a vulnerability it recognized on the Kraken centralized alternate to siphon $3 million from the platform final week.
Kraken accused CertiK’s researchers of holding the funds “hostage” in a bid to barter a bug bounty. “This isn’t whitehat hacking,” mentioned Nick Percoco, chief safety officer at Kraken. “That is extortion.”
Safety researchers have additionally spoken out towards CertiK in response to the controversy, accusing the agency of finishing up lazy safety audits.
CertiK claimed it was merely finishing up “analysis” into the extent of the exploit earlier than reporting it, and returned the funds after dealing with backlash.
Associated: Former Certik Purchasers Query Safety Agency’s Stronghold On Protocol Audits
