Jack Kubinec

Jeff Albus

Today, enjoy the Lightspeed newsletter on Blockworks.co. Tomorrow, get the news delivered directly to your inbox. <a href="https://blockworks.co/newsletter/lightspeed">Subscribe to the Lightspeed newsletter</a>.



<hr class="wp-block-separator has-alpha-channel-opacity"/>



Howdy!



The Solana ETF bandwagon moved a bit further down the road yesterday, as Cboe filed 19b-4s to list and trade VanEck and 21Shares’ proposed ETFs. Prolific ETF poster Nate Geraci <a href="https://x.com/NateGeraci/status/1810410517522944415">said</a> the “decision clock starts ticking” once the SEC acknowledges the filings.&nbsp;



But we’re all about the tech over at Lightspeed, so let’s pop the hood open for a minute:



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<h2 class="wp-block-heading">Firedancer looks to put out fires</h2>



For the first time in some time, we got news about Firedancer this week. The Jump Crypto-created Solana validator client — boasted of as lightning-fast — is running a $1 million bug bounty <a href="https://immunefi.com/boost/firedancer-boost/?utm_source=thesleuth.co&amp;utm_medium=newsletter&amp;utm_campaign=paypal-s-strategic-solana-incentives-solana-infrastructure-updates-more">program</a> through Immunefi from tomorrow until late August.



That’s notable because debugging only seems useful for far-along code, and Firedancer comes up repeatedly whenever I ask someone on the technical side of Solana why they’re bullish on the network.&nbsp;



The bug bounty — which offers money to anyone who finds flaws in Firedancer v0.1 — will ask participants to trawl over roughly 200,000 lines of new code, Immunefi CEO Mitchell Amador told me. Amador said since the codebase is “memory-unsafe,” he expects bug bounty searchers to find some “denial of service conditions.” He added that participants should test the durability of Firedancer’s security.



Solana’s blockchain is created and secured by validators, and these validators run software clients, which are versions of the Solana program. Currently, Solana’s two clients are the original Solana Labs-created client, named Agave, as well as Jito-Solana, which is a <a href="https://github.com/jito-foundation/jito-solana">fork</a> of the Labs code with some MEV modifications created by Jito.



Ideally, you’d have even more clients: <a href="https://blockworks.co/news/lightspeed-newsletter-solana-core-governance">As I’ve written before</a>, clients being forced to compete for validators could incentivize client upgrades to stay faithful to validators’ wishes — and give validators who don’t like choices made by their client’s developers alternative options. 



Firedancer is written from <a href="https://github.com/firedancer-io/firedancer">scratch</a> in a different programming language from Agave and Jito-Solana, which could also make Solana harder to attack, Jump claims.



Eschewing the Bisquick method of client-building has created quite the workload for Jump though: The codebase has seen nearly-constant updates since July of 2022, according to the client’s GitHub. Today, only a pared-down version of Firedancer, named Frankendancer, is available on testnet — and that’s the subject of the Immunefi bug bounty. Frankendancer <a href="https://github.com/firedancer-io/firedancer">uses</a> some Firedancer components alongside Agave’s code for execution and consensus.



Agave uses the Rust programming language, while Firedancer is being written in C, which is tougher to use but offers more fine-grained control over the code. Interestingly, Solana co-founder Anatoly Yakovenko has <a href="https://x.com/jump_firedancer/status/1605605538447990785">said</a> he started building Solana in C but switched to Rust because he didn’t have the resources to build the blockchain from scratch at the time.&nbsp;



Some of the apparent difficulties with creating the client from scratch are implementing the QUIC network protocol — which is <a href="https://www.helius.dev/blog/all-you-need-to-know-about-solana-and-quic#whats-a-network-protocol">essentially</a> a set of rules for how data gets passed around on Solana — and matching the Solana runtime, which is Solana’s concurrent transaction processor.&nbsp;



Solana boosters will hope the bug bounty is a harbinger of more concrete news to come. For some time, Firedancer has been held up as the coming Death Star that could do things like push Solana to one <a href="https://x.com/jump_firedancer/status/1654124415087521810">million</a> TPS. With the bug bounty — and apparent external <a href="https://discord.com/channels/787092485969150012/1258108082571972739/1258783930971062414">audits</a> — these claims are getting closer to the real world.&nbsp;



And for bug searchers, those 200,000 lines of code await.



“Goodbye grass,” one Immunefi Discord member <a href="https://discord.com/channels/787092485969150012/1258108082571972739/1258110115253326015">wrote</a> of the contest.



— Jack Kubinec



<h2 class="wp-block-heading">Zero In&nbsp;</h2>



Rebuilding a blockchain client from scratch takes a lot of work, it turns out.



<figure class="wp-block-image"><img decoding="async" src="https://lh7-us.googleusercontent.com/docsz/AD_4nXdBywM94B9Ebs1Fx3KtTQ-TxOeUbIOGCvyW4Zs1gOqvH3oLkMihBNtVjHMRgXaxrR9M1Z3rncbvdU4BJt1tYkQWrk_yi6bBTOFLPS7IoR9fGb1AgHuEK_PsOccI0LRk2N9g6-CIBjsgiVSn-FxamH_bXr4?key=XEHNdst_YchuvbyYc-v6OQ" alt=""/></figure>



This chart from Firedancer’s <a href="https://github.com/firedancer-io/firedancer/pulse">GitHub</a> tells a pretty notable story: There have been thousands of weekly additions and deletions from the client’s code almost constantly since mid-2022. Two years in, the number of contributions to Firedancer’s code is near an all-time <a href="https://x.com/whosknave/status/1810432199528689736">high</a>.



For anyone keeping nerd score at home, the leading contributor to Firedancer is Richard Patel, who has made 892 code commits and over 200,000 additions. I’m hoping he’s developed a good wrist-stretching regimen, at least.



— Jack Kubinec



<h2 class="wp-block-heading">The Pulse</h2>



Last week, Multicoin Capital <a href="https://x.com/KyleSamani/status/1809238856010514472">announced</a> it would match up to $1 million in SOL donations to the Sentinel Action Fund over ten days (with a little under a week remaining). The Sentinel Action Fund <a href="https://x.com/KyleSamani/status/1809238857323360439">backs</a> conservative candidates who claim to support crypto innovation.&nbsp;



By matching donations, Multicoin aims to double the impact of contributions, <a href="https://x.com/KyleSamani/status/1809238864701128985">mobilizing</a> significant financial support for pro-crypto campaigns.



Many in the crypto community, including figures like Dan Spuller of the Blockchain Association, <a href="https://x.com/DanSpuller/status/1809242696491360640">praised</a> Multicoin&#8217;s leadership for “stepping up for this fall&#8217;s elections&#8217;.&#8217; Other positive reactions include @DremeaKal, who <a href="https://x.com/DremeaKal/status/1809344447211086019">tweeted</a>, &#8220;Fighting the good fight cheers.&#8221; @MH3NFT <a href="https://x.com/MH3NFT/status/1809257298922975455">shared</a>, &#8220;Excited for this,&#8221; and @TopoGigio_sol <a href="https://x.com/TopoGigio_sol/status/1809240465558184378">commented</a>, &#8220;That’s an incredible initiative.&#8221; @kanth <a href="https://x.com/kanth/status/1809248046019985728">added</a>, &#8220;Thank you for doing this. You are helping the entire community. We are grateful.&#8221;



Detractors made their positions strongly known as well. @SilvermanJacob <a href="https://x.com/SilvermanJacob/status/1809360233212580005">criticized</a> the initiative and those <a href="https://x.com/SilvermanJacob/status/1809360699782754811">choosing</a> to be single-issue voters, &#8220;because some billionaire tech execs got Trump to say &#8216;crypto good.'&#8221; He also pointed out that Multicoin is supporting candidates who some voters believe are of questionable character, <a href="https://x.com/SilvermanJacob/status/1809361065895161972">adding</a> &#8220;Look who they&#8217;re supporting: Insane Bernie Moreno and the former SEAL who keeps lying about shooting himself.&#8221; Indeed, Bernie Moreno faced accusations of shredding evidence in a wage theft lawsuit, which court records <a href="https://www.nbc4i.com/news/your-local-election-hq/fact-check-did-senate-candidate-bernie-moreno-shred-documents-accusing-him-of-wage-theft/">confirmed</a>. The former Navy SEAL mentioned by Silverman is Tim Sheehy, a Republican candidate for the US Senate in Montana who <a href="https://www.mtpr.org/montana-news/2024-04-10/sheehy-says-he-lied-about-the-origin-of-a-bullet-wound-in-his-arm">admitted</a> that a gunshot wound he said came from military service was actually the result of an accidental discharge.



The Sentinel Action Fund&#8217;s connection to Senator Cynthia Lummis, a vocal crypto advocate, has also raised eyebrows in the past. Lummis has faced <a href="https://x.com/Protos/status/1748036641183109183">criticism</a> for her ties to venture capitalists and wealthy crypto investors, leading some to question her motivations and the ethics of her support.



For crypto&#8217;s single-issue voters, the challenge now lies in balancing the industry&#8217;s needs with the controversies surrounding some of its political advocates. Whichever way the die is cast, the decisions made in these Congressional races will have lasting implications for the US crypto industry.



— Jeffrey Albus



<h2 class="wp-block-heading">One Good DM</h2>



A message from @metaproph3t, founder of MetaDAO:


<div class="wp-block-image">
<figure class="aligncenter"><img decoding="async" src="https://lh7-us.googleusercontent.com/docsz/AD_4nXd0rhAHukbqC5eBwu0B5wxfIg4S0PW_y71hq9wXBWSj3QdgpW_gv7vgyd0kfMmAI3Qx45GPMA31Q0t210Y97lsCS2lVqJyPDo3a_pUeMXKLvQ1MUrI2LAY2o3yeKWb1MqvgPt6jaGwve4Ivhj9CvNzzzwQI?key=XEHNdst_YchuvbyYc-v6OQ" alt=""/></figure></div>


<hr class="wp-block-separator has-alpha-channel-opacity"/>



Get the news in your inbox. Explore Blockworks newsletters:



<ul class="wp-block-list">
<li><a href="https://blockworks.co/newsletter/the-breakdown">The Breakdown</a>: Decoding crypto and the markets. Daily.</li>



<li><a href="https://blockworks.co/newsletter/0xresearch">0xResearch</a>: Alpha in your inbox. Think like an analyst. </li>
</ul>

bug bounty

Lightspeed Newsletter: Solana’s new client is opening up a bug bounty

Katherine Ross

The back and forth between CertiK and Kraken this week left more questions than answers.&nbsp;



So to get some potential answers — and to pick his brain — Blockworks chatted with Ledger Chief Technology Officer Charles Guillemet.



Outside of the use of Tornado Cash by the US-based CertiK, he also highlighted the withdrawal of XMR — a privacy coin on Monero, in case you’ve skipped some of Empire’s <a href="https://blockworks.co/news/privacy-coins-sacrificed-so-crypto-could-run">previous segments</a> — as suspicious because, well, it’s a privacy coin.



Add ChangeNow, a self-styled non-custodial exchange, into the mix. In Guillemet’s experience, ChangeNow is generally one of the top picks for attackers who are trying to hide crypto. It’s often used by bad actors because it doesn’t require proper KYC checks before facilitating swaps from one token to another.



It was also weird that there were video calls between CertiK and Kraken. And don’t even get him started on the millions withdrawn (he maintains you can exploit as little as $5 to prove the bug and then report it for a bounty).&nbsp;



Read more: <a href="https://blockworks.co/news/empire-newsletter-trump-kraken-drama">Empire Newsletter: DJT and Kraken bring the drama</a>



However, the five-day time period in which the researchers were testing the exploit isn’t that strange.&nbsp;



“So the five day period is not suspicious, per se. But what is suspicious is what they did during the meantime,” he told Blockworks.



The silver lining in this is the speed in which Kraken assessed the issue (47 minutes, according to Kraken’s Chief Security Officer Nick Percoco) and investigated the issue.



“<a href="https://blockworks.co/tag/kraken">Kraken</a> had everything in place in order to verify what happened on their platform and to find out that the vulnerability was actually exploited several times, by three accounts and not only by one,” he added.&nbsp;



Guillemet was in the security world before swapping over to crypto in 2017.&nbsp;



With that experience, he said that the “behavior that we see in blockchain and crypto when it comes to white hat [hacking] is really weird from my standpoint.”



Read more from our opinion section: <a href="https://blockworks.co/news/dangers-of-custody-on-exchanges">We need to talk about the dangers of custody on exchanges</a>



“Sometimes you have a white hat, supposedly, who finds a vulnerability on some smart contract. It completely drains the smart contract and then gives back like 90%, choosing its reward [of] 10%. This kind of behavior, for me, is extortion. It seems to be okay. It seems to be white hat behavior,” Guillemet continued.“But I completely disagree with this. When you do security research, you don&#8217;t choose your reward.”



“In crypto, it&#8217;s not always the case, and it&#8217;s a bit disturbing for me, and it&#8217;s also disturbing for other security guys in the field.”



CertiK said it wasn’t trying to exploit or “extort” funds from the exchange, unlike claims made by Percoco. On Thursday, Kraken confirmed it received the funds back sans a bit lost to fees.



The simplest way to improve the space is obviously investing in security, but the more difficult path forward is for security teams to stay humble, Guillemet said.&nbsp;



“Attackers will get better and better and we as an ecosystem must be humble and always raise the bar for security because this is a cat-and-mouse game and the stakes are getting higher.”



A shorter version of this article appeared in Friday’s Empire Newsletter. Sign up <a href="https://blockworks.co/newsletter/empire">here</a> to never miss an issue.



<hr class="wp-block-separator has-alpha-channel-opacity"/>



Get the news in your inbox. Explore Blockworks newsletters:



<ul class="wp-block-list">
<li><a href="https://blockworks.co/newsletter/the-breakdown">The Breakdown</a>: Decoding crypto and the markets. Daily.</li>



<li><a href="https://blockworks.co/newsletter/0xresearch">0xResearch</a>: Alpha in your inbox. Think like an analyst. </li>
</ul>

Some white hat hacker behavior is ‘weird,’ Ledger CTO says

Kraken and CertiK fought it out on the battleground of Crypto Twitter earlier this week.&nbsp;



On Wednesday, Kraken said it had received a bug bounty alert from a security researcher to address a bug allowing users to fake their account balance on Kraken. The security team, according to Chief Security Officer Nick Percoco, quickly addressed the issue — quickly, meaning that the team apparently solved it in 47 minutes.



The researcher who flagged the issue shared the bug with two colleagues, and they withdrew roughly $3 million from the Kraken accounts after the first researcher proved the bug by crediting their account with $4.



“After patching the risk, we thoroughly investigated the situation and quickly discovered that 3 accounts had leveraged this flaw within a few days of each other. As we dug deeper, we noticed that one account was KYC’d to an individual who claimed to be a security researcher,” Percoco said.



<figure class="wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter"><div class="wp-block-embed__wrapper">
<blockquote class="twitter-tweet" data-width="550" data-dnt="true">In turn, we requested a full account of their activities, a proof of concept used to create the on-chain activity, and to arrange the return of the funds that they had withdrawn. This is common practice for any Bug Bounty program. These security researchers refused.&mdash; Nick Percoco (@c7five) <a href="https://twitter.com/c7five/status/1803403612892107159?ref_src=twsrc%5Etfw">June 19, 2024</a></blockquote><script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</div></figure>



Percoco’s thread also alleged that CertiK insisted on a meeting between the business development team and Kraken.&nbsp;



A <a href="https://blockworks.co/tag/kraken">Kraken</a> spokesperson told Blockworks that they’re “disappointed by this experience and are now working with law enforcement agencies to retrieve the assets from these security researchers.&#8221;



(Earlier Thursday, Percoco confirmed the funds were returned, though a “small amount” was lost due to fees.)



CertiK then <a href="https://x.com/CertiK/status/1803450205389402215">came out</a> as the security researchers, and now there are a lot of questions. For example, the two can’t seem to agree on the amount. CertiK maintains it never refused to return the funds (Percoco claimed they did, calling it “extortion”) but that the total amount “differs from what Kraken commanded.”



“After initial successful conversions on identifying and fixing the vulnerability, Kraken’s security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses,” CertiK wrote in a post on X.



<figure class="wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter"><div class="wp-block-embed__wrapper">
<blockquote class="twitter-tweet" data-width="550" data-dnt="true">CertiK recently identified a series of critical vulnerabilities in <a href="https://twitter.com/krakenfx?ref_src=twsrc%5Etfw">@krakenfx</a> exchange which could potentially lead to hundreds of millions of dollars in losses. Starting from a finding in <a href="https://twitter.com/krakenfx?ref_src=twsrc%5Etfw">@krakenfx</a>&#39;s deposit system where it may fail to differentiate between different internal… <a href="https://t.co/JZkMXj2ZCD">pic.twitter.com/JZkMXj2ZCD</a>&mdash; CertiK (@CertiK) <a href="https://twitter.com/CertiK/status/1803450205389402215?ref_src=twsrc%5Etfw">June 19, 2024</a></blockquote><script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</div></figure>



The differing narratives caused a stir on X, with various folks weighing in on the series of events. Overwhelmingly, the X crowd seemed to be skeptical of what CertiK was saying, though they did provide a timeline and alleged receipts of the transactions.



<figure class="wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter"><div class="wp-block-embed__wrapper">
<blockquote class="twitter-tweet" data-width="550" data-dnt="true">Too bad there isnt a way to short <a href="https://twitter.com/CertiK?ref_src=twsrc%5Etfw">@CertiK</a> Step 1: Steal <a href="https://twitter.com/krakenfx?ref_src=twsrc%5Etfw">@krakenfx</a> funds Step 2: Fail to report security flaw for 3 days Step 3: Brag about exploit to other researchers Step 4: Researchers repeat exploit &amp; tornado cash funds Step 5: Go on CT and pretend to be white hats + martyrs… <a href="https://t.co/2daA0Q2u9Z">https://t.co/2daA0Q2u9Z</a>&mdash; CryptoCondom (@crypto_condom) <a href="https://twitter.com/crypto_condom/status/1803482784557850803?ref_src=twsrc%5Etfw">June 19, 2024</a></blockquote><script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</div></figure>



Coinbase director Conor Grogan also <a href="https://x.com/jconorgrogan/status/1803486112608034854">pointed</a> out that the US-based firm used Tornado Cash for some of the transactions. CertiK didn’t return my request for comment on this.



<hr class="wp-block-separator has-alpha-channel-opacity"/>



Get the news in your inbox. Explore Blockworks newsletters:



<ul class="wp-block-list">
<li><a href="https://blockworks.co/newsletter/the-breakdown">The Breakdown</a>: Decoding crypto and the markets. Daily.</li>



<li><a href="https://blockworks.co/newsletter/0xresearch">0xResearch</a>: Alpha in your inbox. Think like an analyst. </li>
</ul>

Kraken’s CSO confirms CertiK returned funds with a ‘small amount’ lost to fees

Ben Strack

Crypto media company Blockworks has launched a platform to track crypto bounties, grants and requests for proposal (RFPs) as a means to connect grantees to grantors and their funding opportunities.



Blockworks <a href="https://blockworks.co/grants">Grantfarm</a> organizes and tracks a list of programs and available RFPs. Individual and team users can filter results based on grant type, ecosystem and reward size.



The platform is free, and additional features are planned in the coming months.&nbsp;



&#8220;It&#8217;s our goal to provide a comprehensive public good that proactively tracks all grants programs,&#8221; Blockworks co-founder Jason Yanowitz said. &#8220;We believe this is an enormous value-add to our space, and we look forward to working with programs directly to keep their entries current over time.&#8221;



Blockworks’ director of grants and governance, who goes by the name Sov, joined the company in January to lead the effort.&nbsp;



Though sites such as <a href="https://sovs.notion.site/The-Common-Good-5f456493a9c44474a054d3d82c19ab56" target="_blank" rel="noreferrer noopener">The Common Good</a> and <a href="https://wiki.defillama.com/wiki/LlamaoGrants" target="_blank" rel="noreferrer noopener">LlamaoGrants</a> were well received by the community, Sov said, Grantfarm seeks to differentiate itself by including grant programs, as well as individual RFPs and bounties — and by allowing “dynamic search.”



One can narrow a search by selecting from five grant types: analytics, community, content, development or other. Project category buckets on the site include artificial intelligence, DeFi, centralized exchanges, NFTs, oracles, stablecoins and more than a dozen others.&nbsp;&nbsp;&nbsp;&nbsp;



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1600" height="900" src="https://blockworks-co.imgix.net/wp-content/uploads/2023/03/grantfarm_programs-1.jpg?w=1024&amp;h=1024" alt="" class="wp-image-49682" srcset="https://blockworks-co.imgix.net/wp-content/uploads/2023/03/grantfarm_programs-1.jpg?w=1600 1600w, https://blockworks-co.imgix.net/wp-content/uploads/2023/03/grantfarm_programs-1.jpg?w=300 300w, https://blockworks-co.imgix.net/wp-content/uploads/2023/03/grantfarm_programs-1.jpg?w=1024 1024w, https://blockworks-co.imgix.net/wp-content/uploads/2023/03/grantfarm_programs-1.jpg?w=768 768w, https://blockworks-co.imgix.net/wp-content/uploads/2023/03/grantfarm_programs-1.jpg?w=1536 1536w, https://blockworks-co.imgix.net/wp-content/uploads/2023/03/grantfarm_programs-1.jpg?w=428 428w, https://blockworks-co.imgix.net/wp-content/uploads/2023/03/grantfarm_programs-1.jpg?w=464 464w, https://blockworks-co.imgix.net/wp-content/uploads/2023/03/grantfarm_programs-1.jpg?w=389 389w, https://blockworks-co.imgix.net/wp-content/uploads/2023/03/grantfarm_programs-1.jpg?w=80 80w" sizes="auto, (max-width: 1600px) 100vw, 1600px" /><figcaption class="wp-element-caption">Screenshot of the Grantfarm database</figcaption></figure>



In addition to providing a place for these listings, Blockworks intends to feature content for grant programs on its website, including research, reports, and announcements from active programs in the sector.



“By providing a comprehensive, evolving list of grants, we can help give clarity to applicants and greater visibility and awareness to grant programs,” Sov said.&nbsp;



The launch comes 10 months after Blockworks <a href="https://blockworks.co/news/blockworks-unveils-new-research-offering">unveiled a new research offering</a> during its inaugural Permissionless event in Palm Beach, Florida.



<hr class="wp-block-separator has-alpha-channel-opacity"/>



Get the news in your inbox. Explore Blockworks newsletters:



<ul class="wp-block-list">
<li><a href="https://blockworks.co/newsletter/the-breakdown">The Breakdown</a>: Decoding crypto and the markets. Daily.</li>



<li><a href="https://blockworks.co/newsletter/0xresearch">0xResearch</a>: Alpha in your inbox. Think like an analyst. </li>
</ul>

New ‘Grantfarm’ Platform to Track Crypto Grants

Bessie Liu

<div id="highlights-block_632c547e14184" class="highlights">
 <ul>
 <li>Most recently Immunefi facilitated a 400 ETH transaction from Arbitrum to a white hacker</li>
 <li>Investors that participated in the round include Electric Capital, Polygon Ventures and Samsung Next</li>
 </ul>
 
</div>



Immunefi, a Web3 bug bounty platform adopted by prominent projects including MakerDAO, Compound and Chainlink, has secured a $24 million Series A led by Framework Ventures.



Framework Ventures previously led Immunefi’s seed round in May last year, but the latest round will be the largest check the prominent venture capital firm has ever publicly written, Roy Learner, principal at Framework Ventures said in a statement.



“As it stands, Immunefi is by far and away the most widely adopted solution in the crypto security and bug bounties space,” Learner said. “We’re excited to see the company scale and amass talent as more and more key projects onboard into their ecosystem.”



Other investors that participated in the round include Electric Capital, Polygon Ventures and Samsung Next.



Mitchell Amador, co-founder of Immunefi came up with the idea for the company after losing a significant amount of money to smart contract hacks.



“There is a whole world that is enabled by [blockchain] technology and it can not exist without security…we mapped the whole stack and concluded that the most critical piece, which the space will not solve on its own, is the disclosure layer — the 911,” Amador said.



The security company rewards white hat hackers for reviewing blockchain projects and disclosing vulnerabilities — creating monetary incentives for experts to make dapps safer. It currently boasts a community of over 11,000 developers, auditors, CTOs and hackers.



According to Amador, rewards can range from a few thousand dollars to upwards of millions of dollars for a single bug report.



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">“If you do good for the community, not only will you become rich, but you will also become a hero,” Amador said.</blockquote>



Immunefi has previously facilitated a $10 million bug bounty payment for a vulnerability discovered in the cross-chain messaging solution Wormhole, and a $6 million exposure discovered on a bridge and scaling solution Aurora.&nbsp;



Most recently, Arbitrum, a layer-2 Ethereum scaling solution, <a href="https://cms.blockworks.co/arbitrum-saved-from-major-eth-loss-by-white-hat-hacker/" target="_blank" rel="noreferrer noopener">paid 400 ETH</a> (almost $550k USD) to a white hat hacker through Immunefi as a reward for uncovering a vulnerability.



The latest fundraise will be going toward growing the Immunefi team, Amador said.&nbsp;



“We need better technical expertise — we cannot keep up with the level of activity,” Amador said. “We just need more people.”



<hr class="wp-block-separator has-alpha-channel-opacity"/>



Get the news in your inbox. Explore Blockworks newsletters:



<ul class="wp-block-list">
<li><a href="https://blockworks.co/newsletter/the-breakdown">The Breakdown</a>: Decoding crypto and the markets. Daily.</li>



<li><a href="https://blockworks.co/newsletter/0xresearch">0xResearch</a>: Alpha in your inbox. Think like an analyst. </li>
</ul>

Framework Makes its Largest Single Bet Yet on Immunefi

Macauley Peterson

<div id="highlights-block_6308bd1b44346" class="highlights">
 <ul>
 <li>All testnets have been successfully merged</li>
 <li>Proof-of-work mining on Ethereum will soon be no more</li>
 </ul>
 
</div>



Ethereum’s Merge — years in the making as one of cryptocurrency’s most complicated endeavors yet — is moving ahead apace.



Like NASA’s Artemis 1 rocket <a href="https://www.kennedyspacecenter.com/launches-and-events/events-calendar/2022/august/rocket-launch-nasa-sls-artemis-i" target="_blank" rel="noreferrer noopener">on the launch pad</a> at Cape Canaveral, Florida ahead of a launch to orbit the moon, preparations for the Merge — slated for Thursday, Sept. 15 — are also in the final stages. 



The long-awaited transition from the blockchain’s founding proof-of-work transaction validating mechanism to proof-of-stake is now slated for Sept. 15. In the weeks leading up to the Merge, there’s been <a href="https://cms.blockworks.co/what-could-happen-to-the-ether-price-following-the-merge/">a notable uptick</a> in both ether spot trading volumes and derivatives bets, wagers hinging on its outcome, as big-money traders put substantial capital behind their predictions.&nbsp;&nbsp;



Ethereum has successfully Merged the <a href="https://cms.blockworks.co/ethereum-ropsten-testnet-successfully-merged-to-proof-of-stake/" target="_blank" rel="noreferrer noopener">Ropston</a> and <a href="https://cms.blockworks.co/ethereum-steps-closer-to-pos-as-goerli-testnet-merge-goes-live/" target="_blank" rel="noreferrer noopener">Goerli</a> testnets, as well as 11 “<a href="https://cms.blockworks.co/shadow-forks-and-testnets-the-ethereum-merge-approaches/" target="_blank" rel="noreferrer noopener">shadow forks</a>” — the latest of which occurred last week ahead of a meeting of the protocol’s core developers.



The final Merge-ready clients were <a href="https://blog.ethereum.org/2022/08/24/mainnet-merge-announcement" target="_blank" rel="noreferrer noopener">unveiled</a> Tuesday by the Ethereum Foundation’s <a href="https://blog.ethereum.org/2022/08/24/mainnet-merge-announcement/" target="_blank" rel="noreferrer noopener">mainnet Merge announcement</a>.



<figure class="wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter"><div class="wp-block-embed__wrapper">
<blockquote class="twitter-tweet" data-width="550" data-dnt="true">.<a href="https://twitter.com/ethereum?ref_src=twsrc%5Etfw">@Ethereum</a>’s transition to proof-of-stake is happening 🎉 Client releases are out &#8211; update your node! First part of The Merge, Bellatrix, happens on Sept 6. Full transition ETA: Sept 15. Mark your calendar 📆! <a href="https://t.co/X0DKUmcZHJ">https://t.co/X0DKUmcZHJ</a>&mdash; Tim Beiko | timbeiko.eth 🐼 (@TimBeiko) <a href="https://twitter.com/TimBeiko/status/1562418377582419968?ref_src=twsrc%5Etfw">August 24, 2022</a></blockquote><script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</div></figure>



An Ethereum client “verifies data against the protocol rules and keeps the network secure,” the Foundation <a href="https://ethereum.org/en/developers/docs/nodes-and-clients" target="_blank" rel="noreferrer noopener">said</a>.



The Merge requires updates to clients both on the Beacon Chain — the new proof-of-stake (PoS) consensus layer — and the execution layer, clients that currently run decentralized applications (dapps) on the blockchain’s existing proof-of-work (PoW) mainnet.



<h3 class="wp-block-heading">A snag in Geth</h3>



Unlike many blockchains, the Ethereum Community deliberately encouraged multiple independent developer teams to write client software.



Even so, on the execution layer, Geth — short for <a href="https://twitter.com/peter_szilagyi/status/1562372292612587520" target="_blank" rel="noreferrer noopener">Go Ethereum</a> — currently accounts for an overwhelming majority, <a href="https://ethernodes.org/" target="_blank" rel="noreferrer noopener">75%</a>, of all Ethereum nodes. The rationale behind promoting client diversity was on display as the Geth team uncovered <a href="https://twitter.com/peter_szilagyi/status/1561947614471507968" target="_blank" rel="noreferrer noopener">a critical bug</a> in what was supposed to be a Merge-ready release.



Ether declined nearly 3% in short order after news of the large security vulnerability spread Tuesday.



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="698" src="https://blockworks-co.imgix.net/wp-content/uploads/2022/08/Screenshot-2022-08-25-at-18.46.20-1024x698.png" alt="Ether 10-minute chart from Aug. 23" class="wp-image-29402" srcset="https://blockworks-co.imgix.net/wp-content/uploads/2022/08/Screenshot-2022-08-25-at-18.46.20-1024x698.png?w=1024 1024w, https://blockworks-co.imgix.net/wp-content/uploads/2022/08/Screenshot-2022-08-25-at-18.46.20-1024x698.png?w=300 300w, https://blockworks-co.imgix.net/wp-content/uploads/2022/08/Screenshot-2022-08-25-at-18.46.20-1024x698.png?w=768 768w, https://blockworks-co.imgix.net/wp-content/uploads/2022/08/Screenshot-2022-08-25-at-18.46.20-1024x698.png?w=377 377w, https://blockworks-co.imgix.net/wp-content/uploads/2022/08/Screenshot-2022-08-25-at-18.46.20-1024x698.png?w=383 383w, https://blockworks-co.imgix.net/wp-content/uploads/2022/08/Screenshot-2022-08-25-at-18.46.20-1024x698.png?w=321 321w, https://blockworks-co.imgix.net/wp-content/uploads/2022/08/Screenshot-2022-08-25-at-18.46.20-1024x698.png?w=80 80w, https://blockworks-co.imgix.net/wp-content/uploads/2022/08/Screenshot-2022-08-25-at-18.46.20-1024x698.png?w=50 50w, https://blockworks-co.imgix.net/wp-content/uploads/2022/08/Screenshot-2022-08-25-at-18.46.20-1024x698.png?w=1232 1232w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption>Ether 10-minute chart from 5:10 to 6:10 UTC; Source: TradingView</figcaption></figure>



The software <a href="https://twitter.com/peter_szilagyi/status/1562369620740276224" target="_blank" rel="noreferrer noopener">was quickly patched</a> and should have no adverse effect on the Merge. The Ethereum Foundation has turbo-charged <a href="https://ethereum.org/en/bug-bounty/" target="_blank" rel="noreferrer noopener">a bug bounty program</a> through Sept. 8, earmarking up to $1 million for developers who uncover critical Merge-related bugs.



<h3 class="wp-block-heading">What happens next?</h3>



The Beacon Chain is <a href="https://twitter.com/JBSchweitzer/status/1562416320611852290" target="_blank" rel="noreferrer noopener">scheduled to undergo</a> an upgrade called Bellatrix on Sept. 6. That will activate the Merge transition on the PoS chain.



The PoW mainnet doesn’t have a fixed time to execute the Merge, but instead uses a scary sounding technical term — Terminal Total Difficulty — to determine when exactly the magic happens. That figure is now set, and it puts <a href="https://bordel.wtf/" target="_blank" rel="noreferrer noopener">the best estimate</a> for the consummation of these parallel chains — known as the Paris upgrade — at shortly after 1:00 am ET on Sept. 15.



The precise time will fluctuate based on the mining hashrate between now and then. But, so far, the impending end of PoW mining on Ethereum hasn’t <a href="https://ycharts.com/indicators/ethereum_network_hash_rate">put much of a dent</a> on its hashrate, which has remained stable between 900 and 950 terahashes per second (Th/s).



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="270" src="https://blockworks-co.imgix.net/wp-content/uploads/2022/08/Screenshot-2022-08-25-at-19.09.57-1024x270.png" alt="Ethereum mining hashrate" class="wp-image-29403" srcset="https://blockworks-co.imgix.net/wp-content/uploads/2022/08/Screenshot-2022-08-25-at-19.09.57-1024x270.png?w=1024 1024w, https://blockworks-co.imgix.net/wp-content/uploads/2022/08/Screenshot-2022-08-25-at-19.09.57-1024x270.png?w=300 300w, https://blockworks-co.imgix.net/wp-content/uploads/2022/08/Screenshot-2022-08-25-at-19.09.57-1024x270.png?w=768 768w, https://blockworks-co.imgix.net/wp-content/uploads/2022/08/Screenshot-2022-08-25-at-19.09.57-1024x270.png?w=1536 1536w, https://blockworks-co.imgix.net/wp-content/uploads/2022/08/Screenshot-2022-08-25-at-19.09.57-1024x270.png?w=428 428w, https://blockworks-co.imgix.net/wp-content/uploads/2022/08/Screenshot-2022-08-25-at-19.09.57-1024x270.png?w=470 470w, https://blockworks-co.imgix.net/wp-content/uploads/2022/08/Screenshot-2022-08-25-at-19.09.57-1024x270.png?w=389 389w, https://blockworks-co.imgix.net/wp-content/uploads/2022/08/Screenshot-2022-08-25-at-19.09.57-1024x270.png?w=80 80w, https://blockworks-co.imgix.net/wp-content/uploads/2022/08/Screenshot-2022-08-25-at-19.09.57-1024x270.png?w=50 50w, https://blockworks-co.imgix.net/wp-content/uploads/2022/08/Screenshot-2022-08-25-at-19.09.57-1024x270.png?w=1848 1848w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /><figcaption>Ethereum mining hashrate, past 30 days in terahashes per second (Th/s); Source: <a href="https://ycharts.com/indicators/ethereum_network_hash_rate">ycharts</a></figcaption></figure>



Miners have a financial incentive to continue processing Ethereum transactions until the very last second before the Merge — so, while some winding down of mining is expected, it’s unlikely to significantly delay things.



If Artemis 1 encounters snags, it will have <a href="https://www.space.com/nasa-artemis-1-sls-moon-rocket-launch-webcasts">two further chances</a>, on Sept. 2 and Sept. 5, to pull it all off. Since this maiden voyage is uncrewed, if it also goes wrong, the only casualty is money.



Ethereum’s design gives developers more leeway to delay the Merge, if needed. A market cap of $200 billion is riding on a smooth launch.



If recent history is any guide, though, the clock will inexorably tick down toward Ethereum’s <a href="https://cms.blockworks.co/seven-crypto-miners-show-disturbing-energy-use-lawmakers-say/" target="_blank" rel="noreferrer noopener">politically palatable</a> energy-efficient future. A crypto moon mission for which <a href="https://cms.blockworks.co/crypto-markets-bet-big-on-whats-next-for-ethereum-miners/" target="_blank" rel="noreferrer noopener">everyone but PoW miners</a> are on board.



Update: Aug. 29 at 8:45 am ET: The Artemis I rocket launch <a href="https://twitter.com/CNET/status/1564232050684608512" target="_blank" rel="noreferrer noopener">has been scrubbed</a> for today due to a technical glitch. NASA may be able to reschedule for Sept. 2, pending evaluation of current data and the severity of the problem.



<hr class="wp-block-separator has-alpha-channel-opacity"/>



Get the news in your inbox. Explore Blockworks newsletters:



<ul class="wp-block-list">
<li><a href="https://blockworks.co/newsletter/the-breakdown">The Breakdown</a>: Decoding crypto and the markets. Daily.</li>



<li><a href="https://blockworks.co/newsletter/0xresearch">0xResearch</a>: Alpha in your inbox. Think like an analyst. </li>
</ul>

Ethereum Merge Countdown at T-20 Days

Sam Martin

<div id="highlights-block_616f463ba7861" class="highlights">
 <ul>
 <li>Hidenburg announces a $1,000,000 bounty program for any individuals with knowledge of the reserves backing the world’s largest stablecoin</li>
 <li>Despite numerous probes, fines, and questionable activities surrounding Tether Limited, they have yet to be proven guilty of any major wrongdoing</li>
 </ul>
 
</div>



Forensic financial research and famous short selling firm, Hindenburg Research, announced a <a href="https://hindenburgresearch.com/tether-tos/" target="_blank" rel="noreferrer noopener">Tether Bounty Program</a> with a reward of up to $1 million for anyone who can provide deeper insight into the backing of the largest stablecoin in the digital asset space.



<figure class="wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter"><div class="wp-block-embed__wrapper">
<blockquote class="twitter-tweet" data-width="550" data-dnt="true">We have doubts about the legitimacy of Tether, so today we announce the Hindenburg Tether Bounty Program, a reward of up to $1,000,000 for details on Tether’s backing. (1/x)<a href="https://t.co/DP5dWDcYmJ">https://t.co/DP5dWDcYmJ</a>&mdash; Hindenburg Research (@HindenburgRes) <a href="https://twitter.com/HindenburgRes/status/1450562260993298433?ref_src=twsrc%5Etfw">October 19, 2021</a></blockquote><script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</div></figure>



The stablecoin issuer had long claimed to be backed one-to-one by traditional currency reserves. However, the company has since revealed that it is only backed by a small percentage of what many people consider to be traditional currencies.&nbsp;



<div class="wp-block-image"><figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="512" height="383" src="https://blockworks-co.imgix.net/wp-content/uploads/2021/10/Tether.jpg" alt="" class="wp-image-9611" srcset="https://blockworks-co.imgix.net/wp-content/uploads/2021/10/Tether.jpg?w=512 512w, https://blockworks-co.imgix.net/wp-content/uploads/2021/10/Tether.jpg?w=300 300w, https://blockworks-co.imgix.net/wp-content/uploads/2021/10/Tether.jpg?w=344 344w, https://blockworks-co.imgix.net/wp-content/uploads/2021/10/Tether.jpg?w=349 349w, https://blockworks-co.imgix.net/wp-content/uploads/2021/10/Tether.jpg?w=293 293w, https://blockworks-co.imgix.net/wp-content/uploads/2021/10/Tether.jpg?w=80 80w" sizes="auto, (max-width: 512px) 100vw, 512px" /></figure></div>



Tether has been under scrutiny for quite some time, with the tempo increasing this year as regulators have directed a regulatory hammer towards the company. They have <a href="https://cms.blockworks.co/tether-settles-with-cftc-for-42-5m/" target="_blank" rel="noreferrer noopener">paid out</a> numerous fines, <a href="https://cms.blockworks.co/tether-remains-stable-amid-reports-of-doj-probe/" target="_blank" rel="noreferrer noopener">been probed</a> by the DOJ, and reportedly <a href="https://cms.blockworks.co/celsius-reportedly-borrowed-1b-from-tether-with-bitcoin-as-collateral/" target="_blank" rel="noreferrer noopener">lent out USDT</a> in exchange for cryptocurrencies used as collateral.



On October 18, the New York Attorney General <a href="https://cms.blockworks.co/new-york-attorney-general-orders-crypto-lending-platforms-to-halt-operations-in-state/" target="_blank" rel="noreferrer noopener">took aim</a> at the crypto lending industry, announcing investigations into Nexo and Celsius, and probing ties to Tether Limited.



Upon Tether’s release of information regarding its reserves, there have been <a href="https://www.ft.com/content/342966af-98dc-4b48-b997-38c00804270a" target="_blank" rel="noreferrer noopener">reports</a> of Tether being among the largest holders of commercial paper in the world.&nbsp;



<h3 class="wp-block-heading">Regulatory attention</h3>



Lately, Tether has garnered the attention of <a href="https://cms.blockworks.co/secs-gensler-stablecoins-are-poker-chips/" target="_blank" rel="noreferrer noopener">regulators</a> who worry that the stablecoin could present systemic issues in debt markets if there were ever to be a bank-run situation where Tether was forced to liquidate their reserves to pay out redemptions.&nbsp;



According to Hindenburg&#8217;s <a href="https://hindenburgresearch.com/tether/" target="_blank" rel="noreferrer noopener">press release</a>, the bounty program incentivizes users to submit any relevant information on Tether’s backing for a chance to earn up to $1 million if the information is deemed useful.&nbsp;



“We feel strongly that Tether should fully and thoroughly disclose its holdings to the public. In the absence of that disclosure, we are offering a $1,000,000 bounty to anyone who can provide us exclusive detail on Tether’s supposed reserves,” said Hindenburg Research founder, Nathan Anderson.&nbsp;



Hindenburg claims they are seeking to advance the public knowledge of a growing threat to crypto markets. The firm also <a href="https://twitter.com/HindenburgRes/status/1450562266919841798?s=20" target="_blank" rel="noreferrer noopener">disclosed</a> that they do not hold positions, either long or short, in Tether, bitcoin or any cryptocurrency.



As of press time, <a href="https://coinmarketcap.com" target="_blank" rel="noreferrer noopener">Tether</a> has a market capitalization of $69,050,000,000, making it the fifth-largest cryptocurrency in the entire digital asset market.



<hr class="wp-block-separator"/>



Are you a UK or EU reader that can’t get enough investor-focused content on digital assets?&nbsp;<a target="_blank" href="https://cms.blockworks.co/events/das-london/" rel="noreferrer noopener">Join us</a>&nbsp;in London on November 15th and 16th for the Digital Asset Summit (DAS) London. Use code ARTICLE for £75 off your ticket.&nbsp;<a target="_blank" href="https://cms.blockworks.co/events/das-london/" rel="noreferrer noopener">Buy it now</a>.



<hr class="wp-block-separator"/>

bug bounty

Newsletter

Blockworks Research