Ethereum Smart Contracts have been touted as one of the most interesting blockchain developments in the past few years. The Ethereum protocol allows developers to code smart contracts which run on the blockchain.
However, no matter how many smart and ethical developers there are in the community, there are an equal number of smart, unethical hackers who are motivated merely by greed. But what if these black-hat hackers could be turned into a force for good and become white-hat hackers?
The idea of paying hackers to find vulnerabilities is not a new concept. Bounties have been around on enterprise systems and application development companies for a number of years. However, when a hacker discovers a bug or vulnerability, they have to weigh up the benefits of exploiting it vs. the benefits of reporting it.
That is where a new effort called “Hydra” comes in. Hydra, which is an initiative that is funded by the National Science Foundation Graduate Research Fellowship, tries to create incentives that encourage blockchain bug reporting.
Incentivising Black Hats
The Hydra project was announced at the Ethereum developer conference (Devcon3) today. It is being developed by a team including Lorenz Breidenbach, Ari Juels and Phil Daian from Cornell.
The Hydra project is trying to develop contracts that will programmatically offer people who report bugs a higher reward than they would get from actually exploiting the bug. Hence, when a hacker finds a bug, he would know that reporting it is more in his favour, in monetary terms, than the loot from hacking it.
Although smart contract start-ups may already be offering bounties, these are not designed programmatically. They are merely arbitrary amounts that are not usually able to adjust to the severity of the exploit. Moreover, if a hacker finds an exploit and the bounty is not promising enough, he is unlikely to try and negotiate for fear of releasing details of the bug.
Hydra tries to use the concept of cryptoeconomics to address the inherent mismatch in incentives of current offerings. At the developer conference, Daian set out the benefit of the idea. Relying on honest actions cannot be the solution. He sees a combination of pragmatism and smart programming as one of the only solutions. He said:
Let’s see this as a game. What would a rational attacker do with these systems? Say an attacker finds a bug: would they attack or would they claim the bounty?
Although there may be many Ethereum smart contract developers who would be anxious to implement a Hydra solution, Daian made it clear that the project was only in Alpha stage and should not be used to store funds.
Yet we are sure that as more money becomes involved and more high-profile hacks are perpetrated, the demand for a solution such as Hydra's is bound to skyrocket.