How to change your Black Hats into White Hats
In the cryptocurrency space it is not uncommon to see massive thefts of as much as 9 figure sums. Often people wonder “why aren’t white hats finding these vulnerabilities through audits or bug bounties” and the reason is usually quite simple: Money.
These bugs are hard enough to find, and rare enough, that a bounty hunter offered a 5 figure bounty is unlikely to spend the time searching through hundreds or thousands of contracts for one that pays out a 5 figure sum. It simply isn't a good use of their time when they could do other work and make more money.
Auditors, on the other hand, often do find this class of bug, but it is difficult to tell which auditors are good enough to find this sort of thing and which are budget auditors who won't. Also, if your platform undergoes regular changes you likely need a full audit for each change, and this quickly becomes very expensive, especially if you don't yet have a revenue stream for a platform that is securing 9 figures of money.
Meanwhile, if you are a black hat you can spend multiple years reading contracts looking for bugs and reviewing every change made to contracts holding a lot of money and find a single opportunity that pays enough to completely cover the opportunity cost of doing no other productive work for that time.
While being a black hat is incredibly lucrative, it is not without its problems. Having 9 figures of dirty money that only lets you buy weapons of mass destruction, drugs, and cam girls isn’t particularly useful. There is only so much sex, drugs, and WMDs that the average black hat has a use for and 9 figures is well beyond that. This means the black hat now needs to launder their 9 figure payday so they can do things like pay rent, buy groceries, etc.
For the day-to-day purchases like groceries, there are generally a number of simple methods that allow you to spend small amounts with very few questions asked. However, that will let you spend maybe 0.1% of your take easily and you won’t be able to buy any yachts, planes, or islands which is what we all know the average black hat actually wants.
So after you have spent a year or so searching for an opportunity and found it, you now need to spend the next 5–10 years devising an incredibly complicated laundering scheme so that you can actually go buy that mega yacht. One year of work just turned into ten, but it is still a good payday and worth it compared to white hat work or auditing.
In light of this black hat laundering problem, a lot of development teams/operators of these systems will reach out to the hacker and make them an offer like, "if you return 90% of the funds we will not pursue any legal action against you". This is a reasonable idea at first glance, but unfortunately it likely won't actually hold up in court. For starters, most courts are unlikely to treat this agreement as binding, as it would be seen as extortion. The court will treat the black hat as extorting the victim, just like they do in ransomware cases. Beyond that, in many cases it will be the tax man or some government financial crimes division pursuing the black hat rather than the developer suing for damages in civil court. This means that any agreement you come to with the victim after the crime has occurred will almost certainly be irrelevant in the case.
Because of this, the black hat doesn’t have anything they can put down for “source of funds” that would allow them to actually use an exchange, make a large purchase, or pay taxes. So even if they agree to the “return 90%”, they still can only buy WMDs, drugs, and porn but now they can buy 10% as much of those things and they still have to spend their life looking over their shoulder.
As a developer who is building something that holds user funds, you need to have a very clear policy about any bounty program in advance, and it needs to be clear to the users of your product that their funds will be used as part of the bounty program in some cases. An example may look something like:
If someone is able to acquire assets from the protocol that go against its intended design, and they send 90% of the acquired assets to address X within Y time afterward, then the remaining 10% of the acquired assets shall be considered a bug bounty and all parties agree that this is fair game, an intrinsic part of the protocol, and “working as intended”.
This makes it so the would-be black hat (now white hat) who finds a bug that lets them steal 9 figures can return 90% of it to the protocol in a well defined way and they can then report the remaining 8 figure payout as “bug bounty reward” on their taxes/to their bank. If the bank/government asks for proof, the white hat can show the publicly available bounty program and the transactions that included the return of 90% of the funds.
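As an added illustration that is not part of the original post, the script below evaluates a claim against a policy of this shape using a constructed set of transfers. The return address, token amounts and timestamps are made up; the policy parameters (return 90% to address X within Y time) follow the clause above. It makes explicit two things the prose glosses over that a bank, tax authority or protocol team checking the claim would need settled: the required return is rounded up in integer token units so the kept bounty can never exceed the policy's share, and transfers to the wrong address or after the window do not count toward the return.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Transfer:
    timestamp: int   # unix seconds of the on-chain transfer
    to: str          # recipient address
    asset: str       # token identifier
    amount: int      # integer base units (token decimals already applied)


@dataclass(frozen=True)
class Policy:
    return_address: str        # "address X" in the bounty clause
    return_fraction: Fraction  # Fraction(9, 10) for "return 90%"
    window_seconds: int        # "within Y time": how long returns count


def required_return(amount: int, fraction: Fraction) -> int:
    """Smallest integer amount that is at least `fraction` of `amount`.

    Rounded up so the retained bounty can never exceed the policy's share;
    90% of an odd number of base units is not representable exactly.
    """
    num = amount * fraction.numerator
    den = fraction.denominator
    return -(-num // den)  # ceiling division for non-negative integers


def evaluate_claim(policy: Policy, acquired: dict, acquired_at: int,
                   transfers: list) -> tuple:
    """Check a set of on-chain transfers against the bounty policy.

    Returns (compliant, per_asset, ignored): per_asset holds required,
    returned, shortfall and retained bounty for every acquired asset;
    ignored lists transfers that did not count toward the return.
    """
    deadline = acquired_at + policy.window_seconds
    returned = {asset: 0 for asset in acquired}
    ignored = []
    for t in transfers:
        # Only transfers of an acquired asset, to the designated address,
        # inside the window after the acquisition count.
        if (t.to != policy.return_address or t.asset not in acquired
                or not acquired_at <= t.timestamp <= deadline):
            ignored.append(t)
            continue
        returned[t.asset] += t.amount

    per_asset = {}
    for asset, taken in acquired.items():
        need = required_return(taken, policy.return_fraction)
        got = returned[asset]
        per_asset[asset] = {
            "required": need,
            "returned": got,
            "shortfall": max(0, need - got),
            # Whatever was not returned is the bounty, but only if the
            # return condition was actually met; otherwise it is just theft.
            "bounty": taken - got if got >= need else 0,
        }
    compliant = all(v["shortfall"] == 0 for v in per_asset.values())
    return compliant, per_asset, ignored


# Constructed sample data: hypothetical addresses, amounts and times.
POLICY = Policy(return_address="0xPROTOCOL_RETURN_ADDRESS",
                return_fraction=Fraction(9, 10),
                window_seconds=72 * 3600)
ACQUIRED_AT = 1_700_000_000
ACQUIRED = {"USDC": 100_000_001}  # odd amount to exercise the rounding


def sample_claim():
    """A claim that returns 90% (rounded up) in two transfers inside the window."""
    transfers = [
        Transfer(ACQUIRED_AT + 10, "0xSOMEWHERE_ELSE", "USDC", 1),  # wrong address
        Transfer(ACQUIRED_AT + 3600, POLICY.return_address, "USDC", 50_000_000),
        Transfer(ACQUIRED_AT + 7200, POLICY.return_address, "USDC", 40_000_001),
        Transfer(ACQUIRED_AT + POLICY.window_seconds + 1,
                 POLICY.return_address, "USDC", 5),  # one second too late
    ]
    return evaluate_claim(POLICY, ACQUIRED, ACQUIRED_AT, transfers)


def sample_late_claim():
    """The same claim, but the second return lands one second after the window."""
    transfers = [
        Transfer(ACQUIRED_AT + 3600, POLICY.return_address, "USDC", 50_000_000),
        Transfer(ACQUIRED_AT + POLICY.window_seconds + 1,
                 POLICY.return_address, "USDC", 40_000_001),
    ]
    return evaluate_claim(POLICY, ACQUIRED, ACQUIRED_AT, transfers)


if __name__ == "__main__":
    for name, fn in (("on time", sample_claim), ("late", sample_late_claim)):
        ok, detail, ignored = fn()
        print(name, "compliant:", ok, detail["USDC"], "ignored:", len(ignored))
```

The on-time claim is compliant and leaves a bounty of exactly 10,000,000 base units, because the 90% requirement on an odd amount rounds up and the two ignored transfers (wrong address, past the deadline) are simply not counted. The late claim fails: the return that missed the window does not count, so the shortfall stays and the retained amount is not a bounty under the policy. In a real program, address X and the window Y should be fixed in the published policy before any incident, since a claimant needs to point at terms that predate the transaction.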
It is critical that your users agree to these terms, not just the developers and the attacker. Since the funds are actually user funds, users need to fully understand the risks, or else you (dear developer) may be found guilty of misusing user funds. To do this, you need to make sure that users are reasonably aware that this is a valid and acceptable use of their funds.
While our white hat won’t be buying a mega yacht and a private island with an 8 figure payout, they can still buy a regular yacht and retire in a beach resort without having to spend decades laundering the funds or dodging government agencies.
While there are certainly *some* black hats who will still choose 9 figures of dirty money over 8 figures of clean money, I believe that most black hats would turn white for a 10% clean payout, just because life is so much easier when you aren't on the lam.