\n
![](\"https:\/\/images.cointelegraph.com\/images\/840_aHR0cHM6Ly9zMy5jb2ludGVsZWdyYXBoLmNvbS91cGxvYWRzLzIwMjItMTEvYWMwNTIxYjQtMTAyZi00OTlkLWIwN2ItNWE3MDBiNTIwOWYxLmpwZw==.jpg\")
<\/p>\n
\n<\/p>\n
Even as the ongoing Binance-FTX saga<\/a> continues to dominate the crypto airwaves, there has been a growing trend \u2014 an uneasy one at that \u2014 that has been garnering the attention of many digital currency enthusiasts in recent months, i.e., hackers returning partial funds for discovering exploits within a protocol.\u00a0<\/p>\n In this regard, just recently, the bad actors behind the $14.5 million<\/a> Team Finance attack revealed that they would be allowed to stay in possession of 10% of the stolen funds as a bounty. Similarly, Mango Markets, a Solana-based decentralized finance (DeFi)<\/a> network that was recently exploited to the tune of over $110 million<\/a>, revealed that its community of backers was working toward reaching a consensus, one that would allow the hacker to be awarded $47 million as a reward for exposing the exploit.<\/p>\n As this trend continues to garner more and more traction, Cointelegraph reached out to several industry observers to examine whether such a practice is healthy for the continued growth of the digital asset market, especially in the long run.<\/p>\n Rachel Lin, co-founder and CEO of SynFutures \u2014 a decentralized crypto derivatives exchange \u2014 told Cointelegraph that on one hand, the habit of encouraging \u201cblack hatters\u201d to turn \u201cwhite hat\u201d encourages the industry to raise its standards of best practices, but it\u2019s still not uncommon for popular protocols to be forked or simply copied and pasted, leaving them replete with hidden bugs. She added:<\/p>\n \u201cWe\u2019d be remiss to say that this is healthy where in an ideal world, there\u2019d be only white hat hackers. But the transition we\u2019re seeing in which hackers are returning some of the funds, which wasn\u2019t previously the case, is a strong step forward, particularly in sensitive times like these where it\u2019s becoming clearer that many projects and exchanges are connected and could impact the ecosystem as a whole.\u201d<\/p><\/blockquote>\n On a somewhat similar note, Brian Pasfield, chief technical officer for decentralized money market Fringe Finance, told Cointelegraph that while the idea of giving hackers a fraction of the money they cart away for discovering loopholes can be seen as unhealthy and almost unsustainable, the fact of the matter remains that ultimately the hacked projects have no choice but to utilize this approach. \u201cThis is a better alternative than resorting to law enforcement\u2019s approach to nab the perpetrators and recover the funds, which takes a very long time, if successful at all,\u201d he added.<\/p>\n Recent:\u00a0What can blockchain do for increasing human longevity?<\/a><\/em><\/strong><\/p>\n Speaking more technically, Slava Demchuk, co-founder of crypto compliance firm AMLBot, told Cointelegraph that since everything is on-chain, all of a hacker\u2019s actions are traceable, so much so that the hacker has almost a 0% chance of using the illegally obtained digital assets. He added:<\/p>\n \u201cWhen the hackers agree to return some of these stolen funds, not only does the project usually not prosecute the hacker, it even allows them to be able to use the remaining funds legally.\u201d\u00a0<\/p><\/blockquote>\n Lastly, Jasper Lee, audit tech lead at SOOHO.IO, a crypto auditing firm for several Fortune 500 companies, said that this kind of white hat behavior could be healthy for the blockchain industry in the long run since it provides the opportunity to identify vulnerabilities within DeFi protocols before they become too large.\u00a0<\/p>\n He further told Cointelegraph that out in non-blockchain industries, even if a hacker finds a vulnerability in a given code, it is difficult for them to go public with that information because it could cause severe legal issues. \u201cIn traditional hacking, it is very rare that a hacker returns the funds they have taken, as doing so would likely reveal their identity,\u201d Lee said.<\/p>\n David Carvalho, CEO at Naoris Protocol, a distributed cybersecurity ecosystem, stated in unequivocal terms that allowing hackers to keep funds in such a way not only undermines the entire ethos of a decentralized financial system but it promotes behavior that fosters distrust.<\/p>\n \u201cIt cannot continue to be seen as something to be tolerated on any level. The fundamentals of a safe and equitable financial system don’t change,\u201d he told Cointelegraph, adding, \u201cThe premise that the only way to solve the hacking issue is to make the problem part of the solution is fatally flawed. It may fix a small crack for a short period of time, but the crack will continue to grow under the weight of the flimsy fixes and result in a destabilized market.\u201d <\/p>\n A similar sentiment is echoed by Tim Bos, co-founder and chairman of ShareRing \u2014 a blockchain-based ecosystem providing digital identity solutions \u2014 who believes that this is a terrible practice. \u201cIt\u2019s akin to paying criminals who hold people hostage. All this does is makes the hackers realize that they can commit a huge crime, be rewarded for it, and then there are no repercussions,\u201d he told Cointelegraph.<\/p>\n Carvalho noted that just because a hacker is nice enough to return part of the funds doesn\u2019t make it a good practice since these episodes still result in people and DeFi platforms losing a lot of money. <\/p>\n \u201cWe can\u2019t afford to associate decentralized finance with nefarious security fixes. For mass adoption by both enterprises and individuals, we need the security systems across the Web2 and Web3 ecosystems to be trusted and hackproof. Having a cohort of hackers ostensibly calling the shots in the cybersecurity space is crazy, to say the least, and does nothing to promote the industry,\u201d he said. <\/p>\n Lin noted that even among traditional Web2 companies \u2014 like the FAANGs of this world \u2014 hackers are incentivized to discover bugs and zero-day exploits in exchange for certain incentives. However, this often comes with strict requirements and having white hat hackers discover these loopholes is viewed as being healthy for the ecosystem. She noted:<\/p>\n \u201cMajor exploits or discoveries typically put the industry as a whole and in-house security teams on alert. But it\u2019s a slippery slope. I\u2019d argue we\u2019d need to define what a \u2018white hat\u2019 hacker is. For example, could you consider a hacker who\u2019s cornered and reluctantly returns only 10% of the funds a white hat hacker?\u201d<\/p><\/blockquote>\n Lee believes that these fat paychecks can serve as a significant impetus for white hats to carry out more such ploys. However, he pointed out that instead of seeing 100% of a protocol\u2019s funds being hacked or disappearing for good, it\u2019s always better for the protocol\u2019s users that a portion of the appropriated funds are recovered.<\/p>\n On a more optimistic note, Demchuk noted that the DeFi market is community-driven and, therefore, such actions could be viewed positively, as hackers themselves are often asked to work for the projects they exploited, making their activities real-life penetration tests. <\/p>\n It is no secret that a large portion of the Web3 ecosystem (and its associated cybersecurity solutions) still runs on yesterday\u2019s Web2 architecture, making them highly centralized. This, in Carvalho\u2019s opinion, is the elephant in the room that most Web3 platforms don\u2019t want to talk about. He believes that if these pressing issues are not solved using decentralized solutions, the standards for smart contract execution and publishing will not be not fundamentally changed or improved, adding:<\/p>\n \u201cThese types of breaches will continue to happen because there is no accountability or criminalization of hacking activity. I believe a \u2018just pay the hacker\u2019 approach is going to increase the risk for DeFi and other centralized\/decentralized platforms because the fundamental weaknesses are not resolved.\u201d<\/p><\/blockquote>\n Bos noted that the core problem here isn\u2019t the hacking or the fake bounties that are rewarding the hackers but an apparent lack of audits, quality security processes and risk reviews, especially from those projects that have in their coffers millions of dollars worth of crypto assets.\u00a0<\/p>\nA good practice, for now<\/h2>\n
Not everyone agrees<\/h2>\n
Setting a bad precedent for the industry?<\/h2>\n
What\u2019s the solution?<\/h2>\n