Balancer Labs Offers $2M Bug Bounty to Spot Vulnerabilities

Non-custodial portfolio manager Balancer Labs is launching a bug bounty with a 1,000 ETH or $2 million top prize.

In a statement shared with CoinDesk, Balancer Labs claimed the $2 million bounty is the largest single bug bounty in history, and that the prize will hopefully incentivize ethical hackers to discover and report vulnerabilities in the Balancer V2 Vault architecture, which will be available to developers starting Tuesday.

The V2 vault, which isn’t live yet, is a single vault that holds and manages all the assets entrusted to the platform, designed to dramatically reduce gas fees by making transactions simpler.

“What would have been multiple transactions before, each resulting in gas fees, will now be a single transaction,” Balancer Labs CEO Fernando Martinelli told CoinDesk via a written statement.

The bug bounty for the newly released V2 single-vault comes after Balancer Labs fell victim to a cyberattack that tricked its protocol into releasing $500,000 worth of tokens in June 2020. Balancer Labs is looking to reward discoveries like the draining of significant funds from the Vault, permanent locking of significant funds in the Vault or for discovering severe rounding errors where an attacker can steal funds in excess of any gas costs or swap fees, according to the firm’s announcement.

Bug bounties are increasingly becoming an attractive revenue stream for security researchers, and an efficient way for tech firms to identify weaknesses in their products. In 2020, Google announced it had paid over $21 million in bug bounties under its vulnerability reward program since 2010, spending $6.5 million in 2019 alone. In 2020, hackers from dozens of countries earned up to $40 million just by identifying system vulnerabilities for various organizations.

Decentralized finance (DeFi) platforms like Balancer Labs are increasingly vulnerable to hacks and theft. According to a report by crypto sleuth CipherTrace, in the second half of 2020 half of all targeted entities for crypto-related hacks were DeFi platforms, making up 14% of total hacked volume (amounting to $47.7 million).

In March this year, DeFi platform DODO DEX was drained of $3.8 million in a cyber attack. Last year, $25 million worth of assets were taken from DeFi platform dForce, although most of the stolen funds were returned to the platform a couple of days following the incident.

The Balancer Labs vulnerability tests are scheduled for late April, while further instructions are available on its website.

“Apart from being the largest on record, our bug bounty is innovative in that it scales as ETH goes up, in correlation with the broad crypto market and likely with the total value locked in Balancer protocol. The more there is at stake, the higher we believe our bug bounty rewards should be,” Martinelli said in the announcement.