Security Firm Offered $500 Bounty for Averting a Possible $5 Million Hack

A security outfit led by ethical hackers who specialize in security audits claimed to be offered a $500 bounty by DxSale Network, a decentralized token launchpad, after informing the platform of a breach that could cost it over $5 million.

The reward is one of the lowest ever offered to a white hat hacker.

$500 Reward for Saving $5 million

Decurity, in a recent blog post, revealed that one of its researchers on June 28, 2023, discovered a bug in an unverified smart contract on the Binance smart chain (BSC) belonging to DxSale and was offered a reward of $500 for their efforts.

According to the firm, investigations exposed a contract logic that was not secure enough to prevent hackers from draining funds locked in the contract during an initial decentralized offering (IDO).

Based on calculations, a total of 21,600 WBNB (wrapped BNB) tokens in the pools worth around $5.2 million at the time of the report could have been stolen if hackers noticed the vulnerability. Meanwhile, the security firm stated:

“Note that this figure reflects the losses that could be inflicted by an exploit that targets a single instance of the locking contract. However, Dx has more locking contracts on BSC and other chains.”

Alleged Poor Response From DxSale

Decurity claimed to contact DxSale after confirming the bug but said they first encountered friction from the project’s team, which was initially unresponsive, and later claimed to be aware of the problem. According to the blog post, the team stated that the contract in question was inactive, which meant that it was not a threat.

Despite the initial response from DxSale, Decurity stated that it was able to get in contact with DxSale’s founders and developers to discuss the situation.

As a way to fix the bug, the project’s developers decided to set high locking fees on June 29 as a solution to the issue to discourage attackers from carrying out an action. According to Decurity, the solution could deter hackers, but DxSale owners could drain the funds in the event of a potential rug pull.

Although the Dx team tried to debunk claims about hackers being able to drain funds, citing protection from several auditing partners, including CertiK Skynet, the project reportedly moved to set high fees across other chains.

Decurity, meanwhile, expressed some concerns about DxSale’s response to potential security threats, advising users to be careful when interacting with projects on the protocol.

While DxSale has not responded to Decurity’s claims, the decentralized launchpad announced a partnership with security outfit Vital Block Security on July 18.