Sky Mavis – the company behind Axie Infinity – is offering up to $1 million to anyone who can identify major security vulnerabilities in its platform. This follows the massive DeFi breach that cost Sky Mavis over $600M through the Ronin bridge.
Whitehats: A Call
According to the company’s website, the Sky Mavis Bounty Program will take reference from the Bugcrowd Vulnerability Rating Taxonomy. The system will help Sky Mavis prioritize and rate its community’s findings around security issues. The greater the risk posed by a discovered vulnerability, the higher the reward.
Potential vulnerabilities are broken down into two categories: “Smart Contracts and Blockchain” and “Web and Apps”. The program page includes a list of the eligible smart contracts and web applications that may be examined.
Web and app security vulnerabilities generally offer smaller rewards, with a maximum of $15,000 offered for “critical” findings. By contrast, blockchain weaknesses promise rewards across five severity tiers, ranging from $1,000 for “low” risk findings to $1,000,000 for “fatal” ones. These rewards will be paid in Axie Infinity Shards (AXS).
However, the program has very specific rules. To be considered a vulnerability, a working proof of concept must be provided, not just a theoretical description. Findings must not depend on a rooted or jailbroken device and must have a tangible security impact. Reports generated by automated tools and scans are also not accepted.
The program prioritises issues such as reentrancy and logic mistakes, including user authentication errors. Other eligible problems include block timestamp manipulation, congestion/scalability issues and consensus failures.
“Calling all whitehats in the blockchain space,” tweeted Aleksander Larsen, Sky Mavis COO, on Monday. “The Sky Mavis Bug Bounty program is here. Help us keep Ronin Network secure while earning a bounty”.
“Whitehat hackers” are people who use hacking skills for a good cause, informing companies of security flaws so they can strengthen their networks. One whitehat hacker retrieved $813,000 worth of ETH from the Multichain protocol on January 1, after it was hit by a $2 million hack.
Recap: Ronin Bridge Hack
Late last month, Ronin – the Ethereum sidechain upon which Axie Infinity operates – saw over $600M in ETH and USDC drained from its blockchain bridge. The hacker managed this by compromising a majority of Ronin’s validator nodes.
The hack was only discovered six days after it took place. Sky Mavis, which was tasked with recovering the stolen funds and promised reimbursement to the Axie gamers who were impacted, has been hard at work since. The hacker appears to have already begun laundering the funds through a mixing tool.