CertiK is accused of running bug bounty programs through a subsidiary
Security researchers have raised warnings about OpenBounty, a platform connected to CertiK, for allegedly front-running bug reports.
CertiK, the smart contract auditor, is again the subject of controversy, this time over allegations that it is front-running bug bounty reports.
On June 25, Pop Punk, co-founder of the efficiency auditing tool Gaslite, accused OpenBounty, a bug bounty aggregation platform managed by Shentu (the renamed CertiK Chain), of breaking the terms of service of bug bounty programs and front-running reports.
OpenBounty purports to offer a platform that aggregates bug bounty programs and facilitates the reporting of web3 code vulnerabilities. Critics contend, however, that the platform is primarily used to submit bounty reports ahead of the original researcher in order to claim any available rewards.
Pop Punk asserted: “OpenBounty… appears to preempt bug bounty reports. This is a blatant violation of the bug bounty provisions of numerous large protocols…” He added that, more concerning still, the site sends requests to a domain containing “CertiK” when a bounty report is submitted.
Suspicions about OpenBounty were first raised by security researcher h0wlu. “I established a test account on their platform to investigate it, assuming that it was merely an aggregator. However, I was mistaken,” h0wlu stated. “They have submission forms for all of these programs, and the results are transmitted to their API servers.”
h0wlu found that OpenBounty’s APIs are hosted on the “bounty-prod.noopsbycertik.com” subdomain, further underlining the platform’s association with CertiK. They also observed that Uniswap’s bug bounty policy requires reports to be submitted directly rather than through a third party.
The allegations against OpenBounty follow recent criticism of CertiK for exploiting a vulnerability on the Kraken centralized exchange to withdraw $3 million from the platform.
Kraken accused CertiK’s researchers of “holding the funds captive” in an attempt to negotiate a bug bounty. Nick Percoco, Kraken’s chief security officer, declared: “This is not whitehat hacking. This is an act of extortion.”
Amid the controversy, security researchers have also voiced dissatisfaction with CertiK, criticizing the company for conducting inadequate security audits.