Avraham Eisenberg, the crypto trader responsible for the $110 million Mango Markets exploit, was arrested in Puerto Rico on Monday, December 26. The arrest came after the US Department of Justice accused Eisenberg of commodities fraud and manipulation. If convicted, he could be slapped with heavy fines, possibly even jail time.
The arrest has sparked an interesting debate regarding the role of white hat hackers and bug bounty programs in the security of the DeFi ecosystem. This is because Eisenberg eventually returned most of the loot and his exploit also shed light on vulnerabilities within the Mango Markets protocol. These are all the markings of a white hat hacker.
What is a white hat hacker?
White hat hackers, also known as ethical hackers, are computer security experts who use their skills to identify and fix vulnerabilities in computer systems and networks. In the context of cryptocurrency, white hat hackers may be hired by cryptocurrency exchanges, wallet providers, and other companies in the industry to test the security of their systems and help prevent cyber-attacks.
They may also be independent security researchers who discover and report vulnerabilities in cryptocurrency-related systems to improve security in the industry. White hat hackers are distinguished from “black hat” hackers, who use their skills for malicious purposes such as stealing sensitive data or spreading malware.
In many instances, white hat hackers carry out an exploit and then return most of the funds, only holding onto a small chunk of the loot as a fee for uncovering a vulnerability. This is far better than losing all the funds to bad actors or hacking outfits like North Korea’s Lazarus Group, which uses ill-gotten funds to fuel its weapons program.
Also, sometimes it is necessary to carry out the exploit to verify the legitimacy of a vulnerability. This is why white hat hackers are often forced to go through with a hack and then return the funds. However, in doing so, they could be breaking the law and opening themselves up to criminal charges, like Avraham Eisenberg.
Why do blockchain and DeFi protocols need white-hat hackers?
Crypto code is very different from traditional software. To begin with, most things on the blockchain are done through smart contracts. These are coded agreements that execute themselves once their pre-determined terms are met.
Smart contracts can be compared to vending machines. You put in money and choose the snack you want in return. The vending machine checks whether your entered amount corresponds to your desired product and if so, it delivers the product to you. This ensures that no human intervention is required throughout the entire process.
The entire DeFi ecosystem is built to function without human intervention. It depends solely on smart contracts that are coded and designed to run without any further inputs.
Another complication is that blockchains are meant to be permanent stores of data. Once something is written to the blockchain, it cannot easily be deleted or altered. This goes for smart contracts as well. Moreover, DeFi code is usually open-source, which means that anyone, including black hat hackers, has access to it. They can study the code and look for vulnerabilities to exploit.
When you put all this together, you’ll see that any vulnerabilities in a smart contract are a massive problem. They cannot be easily altered and black hat hackers have all the time in the world to look for back doors and bugs to exploit.
This is why DeFi needs white-hat hackers. They invest time and energy into finding loopholes and then return most of the funds after receiving a payout for their services. On the other hand, black hat hackers can take off with the ill-gotten crypto and use it to fund illicit activities, such as terrorism, drug trafficking, etc.
The Eisenberg case and what it will mean for white hat hackers in the future
When the Mango Markets case does reach a judge and jury, Eisenberg will most likely be found guilty. After all, he has admitted to carrying out the exploit on Twitter. “I was involved with a team that operated a highly profitable trading strategy last week,” he said in an Oct 15 tweet. “Unfortunately, the exchange this took place on, Mango Markets, became insolvent as a result, with the insurance fund being insufficient to cover all liquidations. This led to other users being unable to access their funds,” Eisenberg added.
However, Eisenberg is not the first white hat hacker to carry out such an exploit. Several other white hat hackers have orchestrated similar exploits before him, eventually pocketing some of the loot and returning the rest.
For instance, in Aug 2022, a white hat hacker stole a whopping $610 million from the Poly Network. However, in a strange turn of events, the hacker returned every single token, stating he had carried out the exploit ‘for fun’ and to ‘expose the vulnerability’ of the platform. In exchange for highlighting the vulnerabilities and returning the funds, the Poly Network offered the hacker a $500,000 reward and a job as the protocol’s chief security officer.
There are plenty more such examples, but with Eisenberg currently facing criminal charges for similar actions, white hat hackers may be reluctant to carry out such exploits in the future.
The need for better frameworks
The Eisenberg case highlights the need for better security frameworks. Of course, prevention is better than cure, and screening smart contracts for vulnerabilities before they are implemented on the blockchain is the way to go. This is where smart contract audits come into the picture.
CertiK is one of the leading blockchain security firms; it is responsible for more than 70 percent of all smart contract audits ever carried out. However, vulnerabilities can come to the fore even after smart contract audits have been carried out. This is where bug bounties come into the picture.
A platform known as ImmuneFi has been hosting bug bounty programs on behalf of popular crypto platforms since 2020. ImmuneFi rewards white hat hackers for all the vulnerabilities they uncover. In the process, the platform has handed out over $65 million in bug bounty rewards since its inception. What’s worrying is that, out of all the rewards handed out since 2020, nearly $52 million was paid out to white hat hackers in 2022 alone.
Nevertheless, platforms like ImmuneFi offer a safer alternative to open market exploits. They allow white hat hackers to uncover vulnerabilities without worrying about legal consequences. However, the payout is usually much less than orchestrating a hack and then negotiating terms with the affected platform. Regardless, such platforms could see a rise in popularity after the Eisenberg case, especially if he is found guilty.
Until a better model is found to pressure-test decentralized protocols, Eisenberg and other white hat hackers will continue to be an important, yet painful, part of the blockchain industry. However, with the possibility of criminal charges hanging over their heads, these blockchain sleuths may be dissuaded from carrying out hacks and exposing vulnerabilities. This could lead to smart contract vulnerabilities being left unchecked, creating additional opportunities for malicious entities to syphon funds from DeFi protocols.