The vulnerability was reported via the bug bounty platform Immunefi, and was fixed before any money was stolen or lost.
According to Immunefi, this was a serious inflation bug on Aurora, an Ethereum Virtual Machine (EVM) environment built on the NEAR protocol, where users can deposit ETH and ERC-20 tokens from the Ethereum mainnet to NEAR.
That bug in the Aurora engine could have enabled a malicious entity to mint new ETH and drain more than 70,000 ETH, worth around $122 million today and $210 million when the bug was first discovered.
“Our bug bounty program with Immunefi proved very valuable in incentivizing white hats to look at our code base and disclose bugs in a responsible manner,” said Frank Braun, head of security at Aurora Labs. “Such a vulnerability should have been discovered at an earlier stage of the defence pipeline and we have already started improving our methods to achieve that in the future. However, this event ultimately proves that our security mechanisms work,” Braun added.
Aurora’s bug bounty programme, along with many other programmes, is still live on Immunefi. Immunefi claims to have assisted ethical hackers and security researchers in earning $40 million in rewards. Immunefi revealed in May that Wormhole paid out $10 million to a white hat hacker via its platform.