Thanks for finding a critical bug. Have a $1.5 million bounty, and our CTO will get a tattoo of anything you like

Graham Cluley

Congratulations to Alexander Schlindwein.

He’s the chap who discovered what has been described as a “critical bug” that reportedly could have “drained the entirety of underwriting funds” for ArmorFi, a “smart insurance aggregator for decentralized finance (DeFi)”.

(I just write these words, don’t expect me to understand what ArmorFi actually does.)

Schlindwein – who aside from being a vulnerability researcher is also the CTO of Ideal Markets – found a serious bug in ArmorFi’s smart contract code, as bug bounty platform Immunefi explained:

Had the bug been left unchecked, a malicious actor, with just a single dollar of coverage, could have drained all funds from ArmorFi’s underwriting contract. With Immunefi’s bounty system, that bug was eliminated.

More specifically, in the event where a party needed to draw on its insurance policy after suffering some negative event covered by that policy, this exploit would have let the party withdraw 10^18 times the amount of coverage that they purchased.

Ouch!

What does Schlindwein win for his discovery and responsible disclosure of the bug?

Armor cryptocurrency. Specifically, a stash currently worth an alleged US$1.5 million.

Oh, and ArmorFi’s CTO has offered to get a tattoo chosen by the bug hunter as well.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
