In Praise of White-Hat Hackers, But Overreliance Is Foolish

In August, Nomad, a platform that allows users to transfer tokens between different blockchains, fell victim to a hack that drained its users of nearly $200 million.

Instructions on how to execute the attack spread like wildfire across Twitter, turning a one-off heist into a free-for-all open to anyone who could copy and paste a transaction on the Ethereum blockchain.

As black-hat hackers ran away with millions, so-called “white hats” – good Samaritans – looted the funds so that they could return them to Nomad. Altogether, the grassroots rescue effort kept more than $38.5 million out of the hands of attackers.

White-hat hackers play a critical role in securing the Web3 ecosystem, and yet, according to DarkFi.eth – one of the hackers who exploited Nomad in order to rescue its funds from attackers – altruistic hackers aren’t paid enough and operate in an unclear legal landscape.

Nomad x DarkFi case study

DarkFi.eth (not related to DarkFi, the layer 1 blockchain with the Lunarpunk philosophy) was one of the white hats who stole and subsequently returned roughly $2 million from the Nomad bridge.

When DarkFi saw suspicious transactions flowing into and out of the Nomad bridge smart contract, the hacker copied and pasted the format of those similar-looking transactions into his own, new transactions. Suddenly, some of Nomad’s funds – funds that technically belonged to Nomad’s users – appeared in DarkFi’s crypto wallet.

The pseudonymous hacker quickly snapped into action, recalling in an interview with CoinDesk that he noticed the “potential to get some more of this money out [of Nomad] before it’s taken by other malicious actors.”

DarkFi repeated the buggy transaction five times.

Intent aside, DarkFi and other white hats performed exactly the same steps as the Nomad exploiters: withdrawing funds without the owners’ permission.

DarkFi wanted to rescue more money, but he said he “basically held off on taking more,” because he was “worried about the repercussions of doing it.”

“Even though I fully intended to return the money, it was still kind of unclear,” DarkFi said.

White hats and black hats

Hackers who scan software code to identify potential vulnerabilities are distinguished by their metaphorical white and black hats.

Black hats deliberately exploit the vulnerabilities that they find – looting crypto, blackmailing businesses or selling their discoveries to an underground criminal marketplace. Stephen Tong, co-founder of security audit firm Zellic.io, calls these hackers “mercenaries.”

“Black hats are simply looking out for themselves most of the time, whether that’s for profit or entertainment,” Tong told CoinDesk in an interview.

“White hats, on the other hand, are strictly trying to do the right thing. They’re trying to act in good faith,” he said.

In the context of Web3, white hats typically alert protocol developers once they discover a bug that needs patching. In exchange for responsibly disclosing bugs, protocols generally reward white hats with some kind of a bounty.

Sometimes, as in the case of Nomad, white hats will discover a bug so severe that they decide to exploit it themselves – securing at-risk funds and returning the funds to the protocol before they can be stolen by someone with ill intent.

In these cases, when a hacker’s original intent is difficult to suss out (perhaps they returned the funds only out of fear of law enforcement), how – and whether – they should be compensated can become difficult for a protocol to decide.

Vulnerability disclosure issue

DarkFi highlighted a common issue for white hats: vulnerability disclosure.

When a hacker knows a protocol is vulnerable, with funds at risk of being withdrawn without the owners’ permission, the hacker has two options:

  1. Exploit the vulnerability to secure the funds himself, with the intention of giving them back.
  2. Alert the project without exploiting the vulnerability.

If a white hat took the first option and exploited the vulnerability, “the legal status of what you’re doing is very up in the air. Technically, you can still get sued by a project if you do white-hat work and steal some money to save it from a black-hat hacker,” said DarkFi.

The problem with the second option is that the project isn’t incentivized to pay you the full amount once you have already told it about the bug. Tong indicated that with funds already returned or vulnerabilities already patched, the project loses its incentive to pay the maximum amount it can, and the white hat has less leverage.

In both scenarios, white-hat hackers typically want a reward because they saved a protocol from a greater loss. But at the same time, white hats don’t want to come off as extortionists – holding funds or information hostage unless they are “fairly” compensated.

The issue of vulnerability disclosure is “an optimization problem,” Tong said. “Because you want to minimize the pain” for developers, users and hackers.

If the goal is to minimize the pain for developers and users, a project would just patch the vulnerability and give the hacker nothing. And if the goal is to minimize the hacker’s pain, a project would pay the hacker, which is a pain point for those in charge.

Is it possible to have a fair outcome that makes everyone happy?

Tong says, “No … In most white-hat scenarios, there’s absolutely no win-win scenario.”

Money left on the table

DarkFi returned funds to Nomad in three transactions before Stani Kulechov, the founder of DeFi lending platform Aave, offered party tickets to white hats and before Nomad announced “an up to 10% bounty to Nomad Bridge hackers where Nomad will consider any party who returns at least 90% of the total funds they hacked to be a white hat.”

If a hacker looted $1 million, returned $900,000 and pocketed $100,000, Nomad would consider the hacker a white hat and not pursue legal action.

DarkFi hasn’t received a rAAVE ticket from Kulechov or a reward from Nomad yet.

Additionally, citing Arbitrum’s 400 ETH reward to 0xriptide after that hacker found a critical $400 million vulnerability, DarkFi noted that bounties aren’t high enough initially, saying projects tend to be stingy.

“It should be a very well-paying job to be a white hat,” he said.

“Making it more clear how we appreciate white hats in the space is very important so that in the future money doesn’t get left on the table for black hats,” DarkFi said.

Nomad didn’t return a request for comment by press time.

Sam Bankman-Fried’s 5-5 standard

Last month, Sam Bankman-Fried, CEO of crypto exchange FTX, put forth a new community standard for hackers involved in a security breach.

The 5-5 standard, which values customer and user protection “above all,” prioritizes making customers whole again before rewarding an ethical hacker.

According to Bankman-Fried, the standard works only when the hacker is acting in good faith from the beginning. To be treated by the community as a “good actor” or a white hat, the hacker must return at least 95% of the stolen funds.

“If the 5-5 standard had been followed, historically, it would have reduced the impact of hacks by more than 98%,” Bankman-Fried said.

An ounce of prevention is worth a pound of cure

The number of times white-hat hackers have prevented a protocol from being exploited highlights concerns that the Web3 ecosystem relies too much on them to catch critical vulnerabilities.

While white hats hold a significant duty in the security of the crypto ecosystem, “it’s absolutely not okay to rely on the white hats to keep you safe because that’s kind of the last line of defense,” Tong said. “That’s like the last saving grace that stops you from getting hacked because if you are getting ‘whitehatted,’ that already is not a great situation to be in.”

According to Tong, more thorough and stringent development practices need to be established in the long run because “an ounce of prevention is worth a pound of cure.”

A white-hat bug disclosure is “an emergency with a silver lining. Your money was returned even though someone was hacking,” Tong said. “The takeaway is [that] the vulnerability should have been caught during development. It should have been caught during the audit. It shouldn’t be caught in the bug bounty.”