Web3 researcher awarded $150k for finding critical bug in Evmos blockchain
A Web3 security researcher received $150,000 from the Cosmos Network for identifying a critical bug that could halt the Evmos blockchain and all its decentralized applications.
On Oct. 29, a Web3 security researcher from Spearbit with the username jayjonah.eth made an X post containing a blog post he wrote about finding a bug in the Evmos (EVMOS) blockchain that could have proved catastrophic to its operations.
His efforts were rewarded by the Cosmos Network with a $150,000 payout for identifying the vulnerability. He discovered the bug while participating in the Evmos Bug Bounty Program on the bug bounty platform Immunefi, which has been active since November 2022.
A crypto bug bounty offers incentives to developers and researchers to help identify bugs and vulnerabilities within a system.
In his blog post, the researcher explained that he came across the concept of “module accounts” while reviewing the Cosmos documentation, describing this review as “the first step” in identifying potential problems, as the documentation provides “the foundation” for understanding a blockchain.
He found a section within the document which read as follows:
“Typically, these addresses are module accounts. If these addresses receive funds outside the expected rules of the state machine, invariants are likely to be broken and could result in a halted network,” wrote Evmos.
According to jayjonah.eth, this clause indicated that if users sent funds to module accounts, it could cause the blockchain to break. He then tested this by sending funds to the module accounts.
“At this point, no more blocks are being produced and the chain has completely halted. This breaks the Evmos blockchain and all the DApps built on it,” he wrote.
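As an added illustration that is not taken from the researcher's post or from the Evmos or Cosmos SDK code, the Go model below shows the mitigation the quoted documentation implies: a bank keeper that rejects user-initiated sends to module accounts, beside the per-block invariant that breaks when such a send slips through. The account names `modacc_escrow` and `user1` and the seed balance are constructed for the scenario.

```go
package main

import "errors"

// Bank is a toy model of a bank keeper (constructed for this example, not Evmos or Cosmos SDK
// code); blocked plays the role of the Cosmos SDK blocked-address set of module accounts.
type Bank struct {
	balances map[string]int64
	blocked  map[string]bool
	enforce  bool             // false models a chain that forgot to block module accounts
	books    map[string]int64 // what each module's own state machine says it holds
}

var ErrBlockedRecipient = errors.New("recipient is a module account: not allowed to receive funds")
var ErrInsufficientFunds = errors.New("insufficient funds")

// NewBank registers the module accounts that user-initiated sends must reject.
func NewBank(moduleAccounts []string, enforce bool) *Bank {
	b := &Bank{balances: map[string]int64{}, blocked: map[string]bool{}, enforce: enforce, books: map[string]int64{}}
	for _, m := range moduleAccounts {
		b.blocked[m] = true
	}
	return b
}

// SendCoins is the user-facing transfer path; the blocked check is the mitigation.
func (b *Bank) SendCoins(from, to string, amt int64) error {
	if b.enforce && b.blocked[to] {
		return ErrBlockedRecipient
	}
	if b.balances[from] < amt {
		return ErrInsufficientFunds
	}
	b.balances[from] -= amt
	b.balances[to] += amt
	return nil
}

// ModuleInvariant: a module's bank balance must match its own books, or the chain halts.
func (b *Bank) ModuleInvariant(module string) bool {
	return b.balances[module] == b.books[module]
}

// Scenario sends 10 tokens to a module account; returns (send rejected?, invariant still ok?).
func Scenario(enforce bool) (rejected, invariantOK bool) {
	b := NewBank([]string{"modacc_escrow"}, enforce) // constructed module account name
	b.balances["user1"] = 100                        // constructed seed balance
	err := b.SendCoins("user1", "modacc_escrow", 10)
	return errors.Is(err, ErrBlockedRecipient), b.ModuleInvariant("modacc_escrow")
}
```

Running `Scenario(false)` reproduces the failure mode the documentation warns about (send accepted, invariant broken), while `Scenario(true)` shows the send rejected and the invariant intact.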
He reported his findings to the Evmos team, receiving $150,000, the highest prize awarded for a “critical” level bug. The researcher emphasized that the bug was a “low-hanging fruit” — simple yet easy to overlook.
“This bug taught me a few important things as a security researcher. The first, and most obvious, is to always thoroughly read the documentation of the project you’re investigating,” wrote jayjonah.eth.
Other projects have also been known to launch bug bounties to help detect hidden threats in their systems. Last August, Layer3, a decentralized attention layer project, launched a bug bounty program in partnership with HackenProof. The bug bounty offers a reward of up to $500,000.
In July, Immunefi collaborated with the Ethereum Foundation to launch “Attackathon,” an audit contest designed to challenge and enhance the Ethereum network’s security.