Aurora, an Ethereum Virtual Machine (EVM) compatible scaling and bridge solution built on top of the NEAR Protocol blockchain network, has completed the payment of a $2 million bug bounty to a pair of whitehat hackers that reported vulnerabilities on the platform back in June.
According to a blog post written by ImmuneFi, a leading web 3 bug bounty platform that facilitated the transaction, the whitehat hackers will each receive $1 million worth of the platform’s eponymously named native token streamed linearly over one year.
The vulnerabilities the hackers discovered related to Aurora’s permissionless bridging functionality between NEAR Protocol and Ethereum. The first vulnerability was that the platform had a different ERC-20 (fungible token standard) called NEP-141. This would potentially allow an attacker to create worthless NEAR tokens, bridge them to Aurora, and then use them to withdraw ETH from the addresses of Aurora users.
The second bug had to do with the burn function of the bridge. It would have allowed an attacker to create a “fake burn event” on Aurora which could then be used to withdraw ETH from the protocol’s reserve.
Both vulnerabilities have been fixed without any loss of funds to users, the blog post noted. The first report on the vulnerabilities was written by DeFi security firm Halborn.
“We would like to thank the anonymous whitehat for doing an amazing job and responsibly disclosing such an important bug. Big props also to the Aurora team who responded quickly to the report and patched it,” ImmuneFi said in the post.
Hacks still a major problem among blockchain platforms
Not all cross-bridge blockchain platforms have been as lucky as Aurora in handling major vulnerabilities without loss of funds. According to a CNBC report in August, bridge protocols have lost over $1.4 billion to hackers so far in 2022.
The report notes that the endemic attacks on bridges can be traced in part to sloppy engineering. This was the case in the hacks of Axie Infinity’s Ronin Network, and also Harmony Horizon, Wormhole, and Nomad.
Meanwhile, they are not the only sector of the crypto market under attack by cybercriminals. The New York Times estimates that over $2 billion in total have been stolen from the crypto industry this year by hackers. The trend points to the need for greater scrutiny and regulation of the space the report noted.