Sei pays out $2M bug bounty

Scope and Visibility of the $2M Bounty

  • Bounty was advertised in advance via the project’s bug-bounty page and Immunefi.
  • Commenters list common discovery channels: a security.txt file (RFC 9116), Immunefi (crypto), Bugcrowd, HackerOne.
  • Some note the main risk isn’t finding the bug but whether the project actually pays; one cites a past case of being heavily underpaid.

Payout Details and “Magic-Bean” Concerns

  • Initial skepticism that payouts might be in illiquid project tokens.
  • In this case, the reporter states they were paid 2,000,000 USDC (dollar-pegged stablecoin).
  • Immunefi listing later changed: max bounty reduced to $1M and payout currency to the project token, showing terms can be updated post hoc.

Why Crypto Bounties Are So Large

  • Crypto teams can quantify risk clearly: paying a few million to avoid potential billions in losses is seen as rational.
  • Several note many DeFi/crypto bounties at or above $1M, with some programs up to $10–15M.
  • Contrast with big tech (Apple, Microsoft, Google’s Chrome and Apple’s iOS programs), where official bounties are far below what exploit brokers pay for the same bugs.

Technical Nature of the Bug

  • Simplified description: a transfer path accepted a negative amount; since debiting a negative value credits the sender and crediting it debits the recipient, an attacker could "send" a negative amount to a victim and siphon the victim’s entire balance to themselves.
  • Compared to old game bugs that allowed “negative debt” to become profit.
  • Highlighted as an example of unsafe error handling and misuse of panics in Go.
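
The bug class above, as an added example in Go (not Sei’s code, which this thread does not reproduce): a transfer whose only guard is an insufficient-funds comparison, which a negative amount passes trivially, beside a hardened version that validates the sign before touching state and reports failure as an error value. A third function shows the panic-handling misuse the thread alludes to: a blanket recover() that discards a validation panic and returns nil, so the caller believes a failed transfer succeeded. The Ledger type, account names and balances are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// Ledger is a constructed in-memory balance table for this example; it is not
// Sei's code or data.
type Ledger map[string]*big.Int

var (
	ErrInvalidAmount = errors.New("amount must be a positive integer")
	ErrInsufficient  = errors.New("insufficient balance")
)

// NewLedger seeds a victim with funds and an attacker with nothing (constructed values).
func NewLedger() Ledger {
	return Ledger{
		"victim":   big.NewInt(1_000_000),
		"attacker": big.NewInt(0),
	}
}

// Balance returns a copy so callers cannot mutate ledger state through the pointer.
func (l Ledger) Balance(acct string) *big.Int {
	if b, ok := l[acct]; ok {
		return new(big.Int).Set(b)
	}
	return new(big.Int)
}

// TransferUnchecked reproduces the bug class the thread describes. Its only guard
// is an insufficient-funds comparison, which every negative amount passes (a
// balance of 0 is still >= -1,000,000). Subtracting a negative amount credits
// `from` and adding it debits `to`, so the sender drains the recipient.
func TransferUnchecked(l Ledger, from, to string, amount *big.Int) error {
	if l.Balance(from).Cmp(amount) < 0 {
		return ErrInsufficient
	}
	l[from] = new(big.Int).Sub(l.Balance(from), amount)
	l[to] = new(big.Int).Add(l.Balance(to), amount)
	return nil
}

// TransferChecked rejects nil, zero and negative amounts before touching state
// and reports the rejection as an error value rather than a panic.
func TransferChecked(l Ledger, from, to string, amount *big.Int) error {
	if amount == nil || amount.Sign() <= 0 {
		return ErrInvalidAmount
	}
	if l.Balance(from).Cmp(amount) < 0 {
		return ErrInsufficient
	}
	l[from] = new(big.Int).Sub(l.Balance(from), amount)
	l[to] = new(big.Int).Add(l.Balance(to), amount)
	return nil
}

// mustPositive is the panic-on-bad-input style: the check exists, but it signals
// failure by unwinding the stack instead of returning an error.
func mustPositive(amount *big.Int) {
	if amount == nil || amount.Sign() <= 0 {
		panic("mustPositive: non-positive amount")
	}
}

// TransferSwallowingPanic is a hypothetical caller that pairs that style with a
// blanket recover() and drops the panic. The transfer never runs, yet the caller
// gets a nil error and believes it succeeded; any counterpart system that credits
// on "success" is now out of sync. The fix is to turn the recovered value into an
// error (err = fmt.Errorf("transfer aborted: %v", r)) or, better, not to panic at all.
func TransferSwallowingPanic(l Ledger, from, to string, amount *big.Int) (err error) {
	defer func() {
		if r := recover(); r != nil {
			_ = r // hypothetical mistake: panic discarded, err stays nil
		}
	}()
	mustPositive(amount)
	return TransferUnchecked(l, from, to, amount)
}

func main() {
	neg := big.NewInt(-1_000_000)

	l := NewLedger()
	err := TransferUnchecked(l, "attacker", "victim", neg)
	fmt.Printf("unchecked: err=%v victim=%v attacker=%v\n", err, l.Balance("victim"), l.Balance("attacker"))

	l = NewLedger()
	err = TransferChecked(l, "attacker", "victim", neg)
	fmt.Printf("checked:   err=%v victim=%v attacker=%v\n", err, l.Balance("victim"), l.Balance("attacker"))

	l = NewLedger()
	err = TransferSwallowingPanic(l, "attacker", "victim", neg)
	fmt.Printf("swallowed: err=%v victim=%v attacker=%v\n", err, l.Balance("victim"), l.Balance("attacker"))
}
```

The attacker is the `from` account in every call: the one address they control is enough, because the sign of the amount, not the direction of the call, decides who is debited. Note that the hardened check must run before any arithmetic and must cover nil and zero as well as negative values.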

Crime vs. Bounty Tradeoffs

  • Exploiting such a bug could plausibly net tens to hundreds of millions but carries serious legal risk (wire fraud, theft).
  • Commenters emphasize that “code is law” is not accepted in courts; similar exploits have led to convictions.
  • Discussion frames the choice as: guaranteed legal $2M vs. risky, hard-to-launder illicit gains and lifelong paranoia.

Careers, Incentives, and Ecosystem

  • Crypto security seen as extremely lucrative but niche; some argue traditional zero-days are better for long-term career reputation.
  • Path described: competitive security platforms → reputation → private audits/consulting.
  • Concerns raised about whether very large bounties might incentivize planting bugs, countered by detection risk and high engineer salaries.