$1.5B crypto hack losses expose bug bounty flaws

As cryptocurrency losses from security breaches surge past $1.5 billion, cybersecurity experts are urging exchanges to improve bug bounty programs to attract top ethical hackers and strengthen platform security.

On March 3, blockchain security firm CertiK said that crypto lost from hacks in February had reached $1.53 billion, with the Bybit hack accounting for the majority of losses at more than $1.4 billion. Excluding the incident, CertiK reported that other exploits had resulted in $126 million in losses, including a $49 million Infini hack.

Ethical hacker Marwan Hachem told Cointelegraph that the surge in crypto hack losses highlighted a growing need for better bug bounty programs.

Hachem said that to prevent such exploits, exchanges must offer higher and more appealing bug bounty rewards to white hat hackers.

An “out of scope” bug led to a $1.4 billion hack

Hachem, chief operating officer at cybersecurity firm FearsOff, said crypto exchanges must offer higher rewards to ethical hackers to prevent similar exploits.

According to the security professional, the bug bounty program of Safe, Bybit’s multisignature wallet provider, considered bugs related to the front and back-end out of scope, meaning those who identified these security issues were not eligible for rewards.

The security professional said the Bybit hack happened because of a bug that was not in the scope rewarded by the bounty program. “What they considered out of scope led to the biggest crypto hack in history,” Hachem told Cointelegraph. He added:

“We often breach platforms through bugs found in out-of-scope assets. Ethical hackers wouldn’t get rewarded for such findings, but criminals exploited them and stole $1.5 billion from Bybit.”

Bybit’s official bug bounty offers a maximum of $4,000 on its website and up to $10,000 on HackerOne — amounts that pale in comparison to the potential rewards for malicious hackers.

Hachem said it’s better to pre-emptively give white hat hackers bigger rewards instead of waiting for a major hack to happen and offer 10% of the stolen funds as a white hat reward. The executive said this only “emboldens bad actors.”

“Motivating top ethical hackers to dedicate their time and attention to testing an exchange by offering higher rewards will greatly improve its security, will be a lot cheaper, and will safeguard its reputation,” Hachem told Cointelegraph.

Related: Bybit hackers resume laundering activities, moving another 62,200 ETH

Adopting stricter security measures

Alongside better bug bounty programs, a CertiK spokesperson told Cointelegraph that preventing future exploits like the Bybit hack requires adopting stricter security measures.

A CertiK spokesperson told Cointelegraph that air-gapped signing devices, non-persistent OS environments for transaction approvals and enhanced authentication layers for high-value transactions should become industry standards.

“Regular red-team exercises and phishing simulations can also help mitigate social engineering risks,” the spokesperson said.

CertiK’s report revealed that Bybit’s exploit resulted from a phishing attack that tricked multisignature signers into approving a malicious contract upgrade. Meanwhile, the Infini hack stemmed from an admin private key leak, allowing unauthorized withdrawals.

CertiK said both incidents underscored the risks of blind signing and inadequate transaction verification. “These cases emphasize the need for stronger authentication, real-time transaction monitoring, and more resilient UI security to prevent manipulation,” CertiK added.