Wallet Developer Offers ‘On-Chain Bounty’ To Brave Hackers For Taking $430K in BTC
The developer of Zengo Wallet is taking an unusual approach to its bug bounty. Instead of paying white hat hackers to report vulnerabilities, the company is placing 10 Bitcoin (BTC), worth more than $430,000 at current prices, into an account it controls. According to an announcement on January 7, any hacker who manages to drain the bitcoin from that account will be allowed to keep it.
The prize will be built up over a period of 15 days, from January 9 to the morning of January 24. On January 9, the account address will be revealed and will contain 1 BTC (approximately $43,000). On January 14, Zengo will add another 4 BTC ($172,000) to the account and disclose one of the “security factors” used to protect it. On January 21, the team will add a further 5 BTC ($215,000), bringing the total held in the wallet to 10 BTC ($430,000), and will reveal the second security factor at the same time. The wallet uses three security factors in total.
Once the second factor is revealed, hackers will have until 4pm UTC on January 24 to crack the wallet. If anyone manages to do so within that window, they will be allowed to keep the 10 BTC.
Zengo claims to be a wallet that does not have “penetrative vulnerabilities”. Users are not asked to write down seed words when they first create an account, and no key file is stored in the wallet.
According to the official website, the wallet relies on a Multi-Party Computation (MPC) network to sign transactions. Instead of generating a single private key, the wallet creates two separate “secret shares”. The first share is stored on the user's mobile device and the second on the MPC network.
The user's share is further protected by three-factor authentication (3FA). To recover it, the user needs the encrypted backup file stored in their Google or Apple account and access to the email address they used to create the wallet. In addition, they must pass a facial scan on their mobile device, which serves as the third factor for rebuilding their share.
There is also a backup mechanism for the MPC network share, according to Zengo. The company said it has given a “master decryption key” to a third-party law firm. If the MPC network's servers go offline, the law firm is instructed to publish the decryption key to a GitHub repository. Once the key is published, the app automatically enters “recovery mode”, allowing the user to rebuild the MPC network share associated with their account. Once a user holds both shares, they can derive a traditional private key and import it into a competing wallet app, restoring access to their funds.
In a statement to Cointelegraph, Zengo's Chief Marketing Officer Elad Bleistein expressed the hope that the on-chain bounty will encourage discussion in the crypto community around MPC technology. “Complex terms like MPC or TSS can be overly abstract,” Bleistein said. “The Zengo Wallet test highlights the security benefits of MPC wallets over traditional hardware options, and we look forward to an interesting discussion with those who participate.”
Wallet security has become a growing concern in the crypto community over the past year, after the Atomic Wallet breach cost crypto users more than $100 million. That wallet's developer has since established a bug bounty program to help secure the app going forward. Users of the Libbitcoin Explorer wallet library also say they lost $900,000 in a 2023 hack.