$32M vulnerability in Perpetual Protocol uncovered by Chainlight nets $10k in white hat rewards $32M vulnerability in Perpetual Protocol uncovered by Chainlight nets $10k in white hat rewards
Crypto security researchers have criticized the bounty rewards for being too low relative to the potential losses averted.
2 min read
Updated: Nov. 10, 2023 at 3:23 pm UTC
Cover art/illustration via CryptoSlate. Image includes combined content which may include AI-generated content.
Blockchain security firm Chainlight said it received a $10,000 bounty for uncovering a potential vulnerability that could have jeopardized $32 million in customer funds on Optimism-based decentralized exchange (DEX) Perpetual Protocol.
In a Nov. 9 post on social media platform X (formerly Twitter), Chainlight detailed how it reported a critical bug in Perpetual Protocol’s “AccountBalance” contract last year. According to the firm, the contract is a pivotal component that “serves as the protocol’s brain for calculating position values.”
The vulnerability posed a severe threat to the DEX, placing the entire $32 million USDC held by the protocol at risk of being misappropriated.
This flaw had the potential to allow bad actors to swiftly move the entire $32 million within a five-minute timeframe, leaving the protocol with insufficient time to deploy effective security measures.
The white-hat hacker detailed that an attacker could manipulate asset prices through a pump-and-dump strategy, exploiting volatile price actions to place position orders outside the permissible range and immediately profit, resulting in the protocol’s bad debt.
In acknowledgment of its efforts, Chainlight said it got $10,000 worth of Perpetual Protocol’s native PERP tokens.
Perpetual Protocol’s low bounty draws critics
The $10,000 bounty has generated several reactions from the crypto community, who argue it was insufficient considering the protected amount.
Trust, the head of security at blockchain auditing firm TrustSec, labeled the reward as another instance of a bounty scam, asserting that it did not adequately reflect the gravity of the situation.
Protocol Specialist at Coinbase,ย Viktor Bunin, also questioned why the bounty was so low.
Juancito, a blockchain security researcher, criticized the meager bounty offer, suggesting that white-hat hackers’ contributions to the ecosystem are not appropriately valued.
Similarly, Blurpoint noted that white-hat efforts often go unappreciated, emphasizing the importance of acknowledging and adequately compensating these contributions.
Web3 security expert CryptoBandit shared a comparable experience, recounting how he shared a critical vulnerability that could have led to $40 million in losses with the DEX but only got $30,000 as bounty rewards.
This situation underscores the challenges white-hat hackers face within the industry, as they are not properly incentivized to help crypto platforms expose vulnerabilities within their codes.
Mentioned in this article
Posted In: Crypto
Author 
Oluwapelumi Adejumo
Oluwapelumi values Bitcoin's potential. He imparts insights on a range of topics like DeFi, hacks, mining and culture, underlining transformative power.
Editor Editor 
Jacob Oliver
Jacob Oliver is a recovering academic and English teacher turned crypto journalist and web3 writer. He holds a Ph.D. from the University of Washington.
In this article
USD Coin (USDC) is a stablecoin fully backed by the US dollar and developed by the CENTRE consortium.
Perpetual Protocol
$1.06435
PERP is Perpetual’s native protocol token and is issued by Perpetual DAO.
