>>It would be bad form of me to not explain the incredible flexibility shown by Solana in terms of how they handled my payout. I intended to donate the funds to the Texas A&M Cybersecurity Club, at which I gained a lot of the skills necessary to perform this research and these exploits, and Solana was very willing to sidestep their listed policy and donate the funds directly in USD rather than making me handle the tokens on my own, which would have dramatically affected how much I could have donated due to tax. So, despite my concerns regarding their policy, I was very pleased with their willingness to accommodate my wishes with the bounty payout.
I am not sure how old the author is but I find these donations incredibly generous and sometimes fail to comrehend such generosity. Sure you got an education at this place but was it worth 200K ? I am not trying to look at the action of the author in any disdain but am genuinely amazed at how such a young person will have such tremendous generosity.
It looks like this donation went directly to a student organization. In my experience student organizations receive a nominal (~1k) amount of funding from the University per year, which could then be supplemented by company sponsorships, fundraising, etc.
So while the University at large has an endowment, the specific Cybersecurity Club does not.
As an executive member of a nonprofit, this was exactly the kind of headache I hoped for. You can do as lot of good with $100K. Definitely worth the trouble.
> DoS Attacks: $100,000 USD in locked SOL tokens (locked for 12 months)
Apparently they made an exception in this case by donating in USD, but I certainly wouldn't trust an altcoin to be worth anywhere near the original $100k in 12 months.
A big absurdity I sense here. I'm talking about Solana here, btw.
* Considering the money flying around Solana and its heavy dependency on BPF, $100k payout per vuln is reasonable.
* Considering the money flying around Solana and its heavy dependency on BPF, 2 major vulns with a fuzzer over a weekend is 100% unacceptable. If it was a usual startup, I would not be concerning, but, this is a blockchain that handles tons of money. It's such a complete failure of technical leadership.
* Note that bounty will not always solve the problem. If the vuln could be exploited for profit, Solana would've been already doomed.
Well, the question you might ask is "Why didn't someone at Solana spend a weekend writing a fuzzer for this extremely important component that deals with billions of dollars"?
OP is obviously incredibly talented, fine, but maybe someone at Solana could have spent a month working on it full time?
> OP is obviously incredibly talented, fine, but maybe someone at Solana could have spent a month working on it full time?
Exactly. OP certainly is talented and did a great job up there. However, Solana is simply too important to fail like this. Literally billions of dollars are on stake, and running a fuzzer for 2 days should NOT be this much impactful. It would not be this absurd if OP had to spend much more time and effort than this.
In other words, Solana should have adopted advanced security measures far before this happened. Using BPF requires a compiler toolchain and VM, which are sophisticated by nature. There's no security-by-correctness here, so one should fallback to the next line of defense - practical correctness by stress test - where fuzzer becomes a necessity. There have to be various fuzzers running regularly somewhere in Solana.
Also, one should note that how Solana uses BPF is well outside the original intention of BPF, which is mainly used deep inside system. BPF in system has much smaller attack surface, much easier recovery scenario, and relatively smaller impact upon failure. When it comes to Solana, BPF is wide open to the wild, a faulty BPF program can cause a lot of damage, which are often (or mostly) irreversible. That mean Solana has to be the one who perform extensive researches on BPF. No one else needs to harden BPF to the level that Solana needs it to be.
Honestly, I have mixed feelings about cryptocurrencies, but I love the way it's pumping money into parts of the tech ecosystem by tying things directly to money. IMO it's done more than anything else to popularize FPGAs, GPGPU, and custom ASICs, and a lot to drive functional programming, nix, and fuzzing.
Personally im glad how much attention its drawn to zero knowledge proofs. its a fascinating area, and before bitcoin it was a somewhat obscure corner of cryptography.
Oh, and reproducible builds and supply chain security. Same thing, really; once money directly rides on the security of a system, and privacy issues manifest directly from code, people start paying very close attention:)
I'm not trolling, and I can't tell why you would think I was. If Rolls Royce made a car that was popular that they ended up buying out some part that they used, I'd say that they popularized use of that part. (Your comparison doesn't work because RR constrains supply rather than enlarging demand.) While GPGPU existed before cryptocurrencies started using it, it was a niche thing of minor interest to scientific computing and a little bit of general "that looks kind of neat if we could get it to work for anything useful" from the rest of the field. Then someone said, "hey, you could offload crypto mining to a GPU and use GPGPU to actually directly make money", and overnight it exploded. One might even say that GPGPU became, say, popular.
At this point, the only explanation I can think of is that we're using different definitions of "popularize" (I'm using "To make popular; to make suitable or acceptable to the common people; to make generally known."), or you don't know what GPGPU is (I'm using "General-purpose computing on graphics processing units").
EDIT: Added that RR limits supply rather than raising demand, so not the same thing.
I understand why most people wouldn't want to be earlier adopters of smart contracts. A lot of people are going to lose a lot of money to a lot of contract bugs for a lot of years.
But eventually that will stop, and the contracts will be stable, and the lessons will be learned.
At some point along the bounty x time curve, there's a threshold where you'll have a greater confidence trusting contracts than centrally managed institutions.
There was a time when banking over the internet was laughably insecure, but it saved so much time that people did it anyway. It took about 15 years before 2FA became standard practice and we're still weening people off of SMS.
Securing contracts may take 10 years to happen, but posts like this show me that it's going to happen.
Can someone explain the CVS 2021 46102 bug? Various sources tell me it was an integer overflow in some Rust. The faulty line was:
let addr = (sym.st_value + refd_pa) as u64;
I guess, the + is evaluated using 32-bit arithmetic and then it is cast to a u64, and thus overflow is possible? And in release mode, Rust doesn't trap integer overflow.
Shouldn't something as critical as the EBF compiler be trapping integer overflow?
This is interesting -- I generally think of memory bugs being harder to exploit because of memory protections (stack canaries, ASLR, etc) and code execution being the goal. A quick read of this article it seems from the nature of crypto it was enough for reward to just crash the network (denial of service).
Don't confuse the act of earning money for spending a certain time acquiring a proportionally certain quantity of money. Money is not time and time is not money. Money, in this case, represents coercive power held by the security researcher and bug bounties are a means of buying that coercive power from those researchers who would otherwise find another mechanism of extracting value from that knowledge.
It's an absurd take. Plenty of folks who work in tech can make money doing hackery dark magic, but guess what? It's not their day job that keeps them from doing so.
I am not sure how old the author is but I find these donations incredibly generous and sometimes fail to comrehend such generosity. Sure you got an education at this place but was it worth 200K ? I am not trying to look at the action of the author in any disdain but am genuinely amazed at how such a young person will have such tremendous generosity.