A Maltese cybersecurity firm earned over €1.8 million in 2022 on a single bug report, for a flaw that would have led to the loss of billions of dollars in cryptocurrency.

Its co-founder Neville Grech’s journey to becoming an internationally recognised cybersecurity expert did not happen overnight.

At the beginning of 2021, Grech’s colleague Yannis Smaragdakis landed upon a bug within a financial service found on the blockchain, a digital system where the pair normally make their living testing digital contracts for vulnerabilities under the name Dedaub, a company they co-founded.

Once Smaragdakis found the bug, he notified Grech and the pair began creating a proof of concept – a document that explains the location of the bug and how it can be repeated and abused.


In this case, the bug allowed any user of the financial service to steal from any other user, which meant that over €18 million in cryptocurrencies were at stake. 

This was a first for them as neither had reported a security vulnerability before.

“We asked ourselves, should we test it by actually stealing from other users and giving their money back to them,” Grech explained. And they informed the agency that that was what they had to do.

Recording everything as they went along, they created their proof of concept and sent it to the affected organisation. The company returned all the funds using safer and more secure methods.

“The only solution for the company was to steal the money from its users before anyone else did,” the 38-year-old said. 

For their efforts, Grech and Smaragdakis were awarded some €27,000.


“It’s exciting. It feels like all the studying and effort you did to become better are working. There is a sense of achievement... You get a little bit more courage to do the responsible thing again.”

In 2022, the company they co-founded, Dedaub, was awarded a whopping €1.8 million after it discovered two vulnerabilities in a blockchain company that would have led to an instant, irrevocable loss of over a billion dollars.

“Had the exploit been executed, it would have been the largest in history by monetary loss,” Grech said.

The European Union Agency for Cybersecurity describes the blockchain as a public data structure made up of blocks, each one pointing back to the previous block creating a link, or chain, of chronological transactions.

Grech emphasised that most ethical hackers do not report security issues to make money but rather to create a safer environment for the digital community.

Bug bounties

Focusing on the potential financial rewards of these types of reports can be a problem for those without any other source of income, as the rewards tend not to be reliable.

The prize money for the reports – also known as bug bounties – is not always as lucrative as last year’s €1.8 million haul and, even when it is, companies are not always willing to pay the full amount.

“It depends on what you find,” he said. When an ethical hacker sends in such reports, the company deems the value of the reported bug based on its potential danger and damages.

For example, Dedaub recently found a bug within Uniswap, a cryptocurrency exchange that was offering over €2.7 million as part of a bug bounty.

Bug bounties are rewards offered by organisations to incentivise security researchers and hackers to identify and report vulnerabilities within their software, Grech explained.

When Dedaub sent in their bug report to Uniswap, the crypto exchange argued that the bug was not as damaging as it potentially could have been, and awarded Grech and Smaragdakis €36,000.

Despite the relatively low reward, Grech explained that bug bounties are the perfect opportunity to put your name out there in the cybersecurity world.

“We got a lot of publicity from it, certainly more than €40,000 would buy you.”

By finding the bug, Dedaub was put on the radar not only of Uniswap, the fourth-largest crypto exchange by daily trading volume, but of others within the industry.

Bug bounty programmes can be offered directly by the organisation or, in most cases, websites such as Immunefi collect these programmes and list them like an online bounty board.

However, Grech explained that just like the four students who were arrested in November after reporting a security vulnerability to a local mobile app, Dedaub usually sends out bug reports to companies who have not asked for them.

“Even if it is not listed, we sometimes ask companies if they have bug bounty programmes and they usually say they do.”

Earlier this month, Times of Malta revealed that four computer science students were being investigated by the authorities after sending a bug report to local app, FreeHour.

In their response to the story, FreeHour said they were not sure if they were being threatened by the students who mentioned in their e-mail that they were eligible for a bug bounty. 

The students also gave the app three months to fix the vulnerability before they disclosed the breach to the public, a common timeframe to give for such reports, Grech said.

The four students are being investigated for computer misuse and unauthorised access despite their claims that, at every step of the way, they identified themselves to the app’s servers, which subsequently gave them the access they were requesting.

Dedaub is currently paying for all four’s legal fees and has employed two students from the group: Giorgio Grigolo and Michael Debono.
