Aurora, an Ethereum (ETH) bridge and scaling solution, revealed that ethical hacker pwning.eth identified a significant vulnerability in the Aurora Engine and received a $6 million bug bounty for the report.
Over $200 million in capital is said to have been put at risk by the vulnerability. The payment was awarded in partnership with Immunefi, a major platform for Web 3.0 bug bounties, which has over $145 million in available bounties and has paid out over $45 million in bounties.
On April 26, Immunefi received a report from pwning.eth concerning a significant weakness in the Aurora Engine that would have allowed the matching nested ETH (nETH) pool on NEAR to be drained through the Aurora Ethereum Virtual Machine, allowing for unlimited ETH minting. The pool held more than 70,000 ETH, worth at least $200 million, when the flaw was discovered.
“Hats off to Aurora and pwning.eth for the perfect overall processing of the report,” said Mitchell Amador, founder and CEO of Immunefi. “The problem was swiftly fixed, and no user payments were lost as a result.”
Aurora had just begun a bug bounty program with Immunefi a week before the security flaw was discovered. Meanwhile, Frank Braun, Aurora Labs’ head of security, said, “We regard the bug bounty program as the final step of a layered defense approach, and we will use this defect as a learning opportunity to enhance earlier phases, such as internal reviews and external audits.”
Cross-chain communication protocols, while certainly creative, have recently become a prime target for hackers. In February, one of the largest decentralized finance attacks occurred when hackers exploited an infinite minting flaw in the Wormhole token bridge involving its wrapped ETH and ETH pool, draining the bridge of almost $321 million in digital assets.