Circle and Tether bug bounties aren’t enough says LlamaRisk

Multi-billion dollar stablecoin issuers Circle and Tether are being criticized by a DeFi risk management firm over bug bounty programs it calls “inadequate,” with maximum payouts that do not exceed $10,000.

LlamaRisk published the report on September 1, which assessed the bug bounty programs for crypto assets listed on Aave’s V3 Protocol. 

It found that 33 assets, making up $19.7 billion of Aave’s supply, have “adequate” bug bounty programs. Ten assets representing $19.2 billion of Aave’s supply, however, either have no program or are “vastly insufficient.”

LlamaRisk says Circle, despite managing $70 billion in assets, has a “vastly insufficient” maximum bug bounty of $5,000. Tether, which manages $160 billion, offers a maximum bounty of only $10,000.

Other assets with low bug bounties include BitGo’s wrapped bitcoin, Gnosis, and Ripple, while Etherfi, Monerium, PayPal, and Agora are flagged as having no active bug bounty program at all.


LlamaRisk does note, however, that Circle, Tether, and PayPal all operate as “centralized, full-reserve issuers” with “robust” legal operations, which partly offset the security risks that bug bounties are meant to address.

In order for a bug bounty to attract skilled security researchers, LlamaRisk considers a minimum maximum payout of $50,000 necessary, scaling upward with the total value locked (TVL) at stake.

“For protocols with TVL above $250 million, a maximum payout exceeding $1 million represents a sufficiently capitalized program,” LlamaRisk claims. 

Bug bounties are becoming “de facto industry standards”

Bug bounties are rewards offered to “white-hat hackers,” ethical security researchers, as an incentive to find and report software vulnerabilities rather than exploit them. For instance, Coinbase launched a bug bounty program this year to secure its smart contracts, with rewards ranging from $5,000 for low-risk findings to $5 million for critical ones.

White-hat hackers are asked to submit a report on the vulnerability, not disclose it to any third party, and not exploit it maliciously.

In some cases, however, a bounty is instead offered to a “bad actor” who steals funds from a company.

Indeed, last July, the crypto exchange GMX was hacked for $42 million. The exchange offered the hacker a 10% bounty, and the hacker eventually began returning the funds in exchange for keeping $5 million.


LlamaRisk, which is partly funded by the Aave DAO, says Aave should engage with assets listed on its protocol and encourage them to implement an industry-standard bug bounty program.

It notes that while legal frameworks in the US and EU require robust security standards, bug bounty programs aren’t a requirement. 

However, looking to the future, LlamaRisk claims bug bounties “are rapidly becoming de facto industry standards that will likely receive regulatory scrutiny during licensing reviews or post-incident investigations.”


Source: https://protos.com/circle-and-tether-bug-bounties-arent-enough-says-llamarisk/