CertiK Accused Of Front-Running Bug Bounties Through Subsidiary

Security researchers have flagged OpenBounty, a platform affiliated with CertiK, for allegedly front-running bug bounty reports.

CertiK, the smart contract auditor, is at the center of renewed controversy for allegedly seeking to front-run bug bounty reports.

On June 25, Pop Punk, the co-founder of Gaslite, a gas efficiency auditor, accused OpenBounty, a bug bounty platform incubated by Shentu — the rebranded CertiK Chain — of front-running bug bounty reports and violating the terms of service surrounding bug bounty reports.

OpenBounty ostensibly provides a platform for aggregating bug bounties and facilitating reporting web3 code vulnerabilities. However, critics believe the platform principally serves as a vehicle for front-running bounty reports to claim any rewards on offer.

“OpenBounty… appears to front-run bug bounty reports,” Pop Punk said. “This is a direct violation of many large protocol’s bug bounty terms… The more suspicious thing is that their website makes requests to a domain with CertiK in the name when you report a bounty.”

Suspicions regarding OpenBounty were first raised by h0wlu, a security researcher.

“I created a test account on their platform to check it out, thinking maybe it’s just an aggregator, but no,” h0wlu said. “They have submission forms for all these programs and the findings are sent to their API servers.”

Howlu found that OpenBounty’s APIs are hosted by the “bounty-prod.noopsbycertik.com” subdomain, further suggesting CertiK is associated with the platform. They also noted that Uniswap’s bug bounty policy states that reports must be madedirectly,and not via a third party.

“If you find a bug, report it to the protocol directly. Not some shady website associated with CertiK,” added Pop Punk. “Who [knows] if they’re going to.”

All eyes on CertiK

The OpenBounty allegations are swirling after CertiK came under fire for exploiting a vulnerability it identified on the Kraken centralized exchange to siphon $3 million from the platform last week.

Kraken accused CertiK’s researchers of holding the funds “hostage” in a bid to negotiate a bug bounty. “This is not whitehat hacking,” said Nick Percoco, chief security officer at Kraken. “This is extortion.”

Security researchers have also spoken out against CertiK in response to the controversy, accusing the firm of carrying out lazy security audits.

CertiK claimed it was merely carrying out “research” into the extent of the exploit before reporting it, and returned the funds after facing backlash.