Thanks for finding a critical bug. Have a $1.5 million bounty, and our CTO will get a tattoo of anything you like

Graham Cluley
@gcluley

Thanks for finding a critical bug. Have a $1.5 million bounty, and our CTO will get a tattoo of anything you like

Congratulations to Alexander Schlindwein.

He’s the chap who discovered what has been described as a “critical bug” that reportedly could have “drained the entirety of underwriting funds” for ArmorFi, a “smart insurance aggregator for decentralized finance (DeFi)”.

(I just write these words, don’t expect me to understand what ArmorFi actually does.)

Schlindwein – who aside from being a vulnerability researcher is also the CTO of Ideal Markets – found a serious bug in AmorFi’s smart contract code, as bug bounty platform ImmuneFi explained:

Had the bug been left unchecked, a malicious actor, with just a single dollar of coverage, could have drained all funds from ArmorFi’s underwriting contract. With Immunefi’s bounty system, that bug was eliminated.

More specifically, in the event where a party needed to draw on its insurance policy after suffering some negative event covered by that policy, this exploit would have let the party withdraw 10^18 times the amount of coverage that they purchased.

Ouch!

What does Schlindwein win for his discovery and responsible disclosure of the bug?

Armor cryptocurrency. Specifically a stash currently worth an alleged $1.5 million US dollars.

Sign up to our newsletter
Security news, advice, and tips.

Oh, and AmorFi’s CTO has offered to get a tattoo chosen by the bug hunter as well.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.