According to Cointelegraph, a Web3 security researcher has been awarded a $150,000 bounty for discovering a critical vulnerability in the Evmos blockchain. The researcher, known by the pseudonym “jayjonah.eth,” identified the bug by meticulously studying the Cosmos Network documentation. This vulnerability had the potential to halt the Evmos blockchain and all decentralized applications (DApps) built on it.
The discovery was part of the Evmos Bug Bounty Program, which has been active since November 2022. In a blog post dated October 28, the researcher detailed his findings, explaining that he encountered the concept of “module accounts” in the Cosmos documentation. The documentation noted that if these module accounts received funds outside the expected rules of the state machine, it could break invariants and potentially halt the network.
To test this theory, the researcher conducted a crash test by sending funds to the module account in a controlled environment. The result was a complete halt of the Evmos blockchain, stopping the production of new blocks and affecting all DApps built on the network. The Evmos team promptly addressed and fixed the bug before the information was disclosed publicly.
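The failure mode described above, as an added example that is not code from the article, Evmos, or the Cosmos SDK: a toy ledger in which a module account's balance must match what its module tracks, shown with and without a recipient blocklist as the guard. The `Ledger` type, the account names, and the balances are hypothetical and constructed for illustration, and the blocklist is an assumed mitigation, not a statement of how Evmos fixed the bug.

```go
package main

import (
	"errors"
	"fmt"
)

type Ledger struct {
	Balances map[string]int64
	Expected map[string]int64 // module account -> amount its module tracks
	Blocked  map[string]bool  // recipients that user sends may not target
}
var ErrBlocked = errors.New("recipient is a blocked module account")

// Send rejects transfers to blocked recipients before changing any state.
func (l *Ledger) Send(from, to string, amt int64) error {
	if l.Blocked[to] {
		return ErrBlocked
	}
	if amt <= 0 || l.Balances[from] < amt {
		return errors.New("invalid amount or insufficient funds")
	}
	l.Balances[from] -= amt
	l.Balances[to] += amt
	return nil
}

// CheckInvariant fails when a module account's balance differs from Expected.
func (l *Ledger) CheckInvariant() error {
	for acct, want := range l.Expected {
		if got := l.Balances[acct]; got != want {
			return fmt.Errorf("invariant broken: %s holds %d, expected %d", acct, got, want)
		}
	}
	return nil
}

// NewLedger builds constructed, hypothetical sample state; guard enables the blocklist.
func NewLedger(guard bool) *Ledger {
	return &Ledger{
		Balances: map[string]int64{"alice": 100, "module_x": 50},
		Expected: map[string]int64{"module_x": 50},
		Blocked:  map[string]bool{"module_x": guard},
	}
}

func main() {
	l := NewLedger(true)
	fmt.Println(l.Send("alice", "module_x", 1), l.CheckInvariant())
}
```

With the guard off, the same one-unit transfer succeeds and `CheckInvariant` returns an error, which is the condition a chain enforcing the invariant would stop on.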
The researcher received the highest tier payout for identifying this critical bug. In his concluding remarks, jayjonah.eth encouraged other security researchers to thoroughly read project documents, emphasizing that sometimes the most critical bugs can be surprisingly simple to find.
Bug bounty programs play a crucial role in helping projects mitigate the risk of cyberattacks and minimize potential losses in the event of a hack. For instance, in September, the Shezmu protocol managed to recover nearly $5 million in stolen cryptocurrency through negotiations with a hacker. Initially, Shezmu offered a 10% bounty reward and requested the return of 90% of the stolen funds within 24 hours. However, the hacker demanded a 20% bounty, which the protocol agreed to, resulting in the return of the remaining stolen funds.