A Web3 security researcher received $150,000 from Cosmos Network for identifying a critical bug that could halt the Evmos blockchain and all its decentralized applications.
On October 29, a Web3 security researcher from Spearbit with the username jayjonah.eth published an
His efforts were rewarded with a $150,000 payout from Cosmos Network for detecting the vulnerability. He discovered the bug while participating in the Evmos Bug Bounty Program on Immunefi, a bug bounty platform that has been operating since November 2022.
The crypto bug bounty offers incentives to developers and researchers to help identify bugs and vulnerabilities in the system.
In his blog post, the researcher explained that he came across the concept of “module accounts” while reviewing the Cosmos documentation, and described this review as a “first step” in identifying potential problems, because documentation provides the “foundation” for understanding a blockchain.
He found a section in the document that read:
“Usually these addresses are module accounts. If these addresses receive funds outside the expected rules of the state machine, the invariants are likely to become corrupted and could cause the network to stall,” Evmos wrote.
According to jayjonah.eth, this clause states that if users send money to module accounts, it could cause the blockchain to break. He then tested this by sending money to the module accounts.
“At this point, blocks are no longer being produced and the chain has completely stopped. This breaks the Evmos blockchain and all DApps built on top of it,” he wrote.
He reported his findings to the Evmos team and received $150,000, the highest reward for a “critical” bug. The researcher emphasized that the bug is “low-hanging fruit”: simple but easy to overlook.
“This mistake taught me a few important things as a security researcher. The first and most obvious is to always thoroughly read the documentation of the project you are researching.”
-jayjonah.eth.
Other projects have also been known to launch bug bounties to help detect hidden threats in their systems. Last August, Layer3, a decentralized attention layer project, launched a bug bounty program in partnership with HackenProof. The bug bounty offers rewards of up to $500,000.
In July, Immunefi collaborated with the Ethereum Foundation to launch “Attackathon,” an audit competition designed to challenge and improve the security of the Ethereum network.