In general, the financial risk to the attacker is only a valid reason to downgrade a bug report payment if the risk massively outweighs the reward.
Blackhats are willing to risk their money when they believe there is a chance of profit, and they take such risks in an intelligent and patient manner just as often as in a foolish one. For example, in the very notable Nomad Bridge hack from August 2022, the hacker was willing to spend $350,000 in gas on a failed attack before continuing to attack Nomad Bridge until they were able to successfully siphon out $190m in funds. Blackhat tolerance for risk is extremely high.
So, the low return on investment (ROI) of an attack is not a valid reason on its own to downgrade a bug report, unless there is also a significant financial risk to the attacker.
Neither is the high financial risk involved in an attack a valid reason to downgrade a bug report if the attack also has a high ROI.
In most cases, risk is at least partially subjective and must be evaluated on a case-by-case basis. That said, Immunefi bases its evaluations on objective data as far as possible. These are common questions Immunefi will investigate when evaluating risk:
- What would cause the attack to fail?
- What percentage of the attacker’s investment capital would they lose if the attack failed?
- What conditions would cause the attacker to lose money from a failed attack?
Immunefi evaluates a bug report’s ROI and financial risk to the attacker only from an external user’s point of view, not based on information only the project would know or have access to.
The reason for this is that an attacker’s decision on whether to exploit an impactful bug is based on the information available to them as an external, outside user. So, even if the project could prove, using information available only to insiders, that the risk far outweighs the reward, that proof has no bearing on whether an attacker would try to exploit the impactful bug.