Is CertiK running a BS bug bounty program?

The post Is CertiK running a BS bug bounty program? appeared on BitcoinEthereumNews.com.

CertiK, a cryptocurrency security auditing firm that was recently embroiled in a dispute with Kraken after it hacked the exchange, has now been accused of running a ‘bug bounty’ program that was collecting vulnerabilities for various platforms rather than having security researchers submit those vulnerabilities directly to businesses.  Today I was contacted by OpenBounty (@ShentuChain) to add their platform to Web3 Bug Bounty alerts. Never heard about them before so I decided to investigate as it seemed a bit sus 1/6 — h0wl (@h0wlu) June 25, 2024 The accusations center around ‘OpenBounty,’ operated by Shentu Chain. Shentu Chain used to be known as ‘CertiK Chain,’ which was operated by the CertiK Foundation. Archived versions of the CertiK Foundation website make it clear that it was founded by Fonghui Gu and Zhong Shao, both of whom are still listed as co-founders of CertiK. Besides these obvious connections between the entities, others have highlighted that submitting bug bounties sends requests to URLs with CertiK in the name. Read more: CertiK returns funds on its own terms after hacking Kraken for $3M In many cases, OpenBounty seems to be effectively re-posting bug bounties from other platforms like ImmuneFi, with the page for Arbitrum’s bug bounty explicitly stating that you should refer to ImmuneFi’s website for more information. An ImmuneFi executive took to X (formerly Twitter) to emphasize that ImmuneFi “does not have a partnership nor affiliation with Open Bounty/Shentu, and we would always, always, always suggest submitting via the ImmuneFi programs.” CertiK’s recent disputes with Kraken have further heightened fears around submitting crucial vulnerabilities to CertiK, especially if the projects themselves are unaware that these vulnerabilities are being solicited via OpenBounty. CertiK now blackmailing projects to buy their audit services by listing the project without permission under “Skynet” where you can only get…

Leave a Reply

Your email address will not be published. Required fields are marked *

Filed under: News - @ June 26, 2024 4:10 pm