Sky Mavis – the company behind Axie Infinity – is offering up to $1 million to anyone who can identify major security vulnerabilities in its platform. This comes after the company was struck by the largest DeFi hack in history, with over $600M drained from the Ronin bridge.
A Call to Whitehats
According to the company’s website, the Sky Mavis Bounty Program uses the Bugcrowd Vulnerability Rating Taxonomy as its reference. That taxonomy helps Sky Mavis rate and prioritize the security findings its community submits: the more severe and disruptive to the business a given vulnerability is, the greater the reward for its discovery.
Potential vulnerabilities are broken down into two categories: “Smart Contracts and Blockchain” and “Web and Apps”. A list of smart contracts and web apps eligible for scrutiny is provided.
Web and app security vulnerabilities generally offer smaller rewards, with a maximum of $15,000 for “critical” findings. By contrast, blockchain weaknesses are rewarded across five severity tiers, ranging from $1,000 for “low” risk findings to $1,000,000 for “fatal” ones. These rewards will be paid in Axie Infinity Shards (AXS).
The program comes with strict and specific rules, however. For example, submissions must include a proof of concept rather than remaining purely theoretical. They must not require a rooted or jailbroken device to carry out, and they must have a tangible security impact. Reports from automated tools and scans are also ineligible.
Instead, the program prioritizes issues such as re-entrancy and logic errors, including user authentication errors. Problems with congestion/scalability, consensus failures, and block timestamp manipulation are also eligible.
“Calling all whitehats in the blockchain space,” tweeted Sky Mavis COO Alexsander Larsen on Monday. “The Sky Mavis Bug Bounty program is here. Help us keep Ronin Network secure while earning a bounty”.
“Whitehat hackers” are people who use hacking skills for a good cause, informing companies of security flaws so they can strengthen their networks. In January, one whitehat hacker returned about $813,000 worth of ETH to the Multichain protocol, which had been hit by a $2 million hack the day before.
Recap: The Ronin Bridge Hack
Late last month, Ronin – the Ethereum sidechain on which Axie Infinity operates – saw over $600M in ETH and USDC drained from its blockchain bridge. The attacker managed this by compromising a majority of Ronin’s validator nodes.
The hack was only noticed 6 days after it took place. Since then, Sky Mavis has been working to recover the stolen funds and has promised reimbursement for affected Axie players. However, the attacker already appears to be obfuscating the funds in small batches through a mixing service.