Port Finance, a Solana-based lending protocol, has paid out a $630,000 bounty to a white hat hacker who helped prevent a potential $25 million vulnerability from the platform, cybersecurity firm Halborn revealed Wednesday.
The hacker received $450,000 in PORT, the utility token powering the lending protocol, and $180,000 in fiat, marking the end of the project’s bounty program.
A white-hat hacker is a computer hacker who uses their technical knowledge and experience to improve security by uncovering bugs and loopholes.
How it Happened
Halborn explained on Twitter that the white hat named nojob discovered a loophole in Port Finance that could have led to a $25 million loss if exploited by bad actors. If that had happened, Port would have been just another victim of the unending DeFi hacks in the crypto industry.
The white-hat hacker discovered the bug in March while surfing the internet and immediately reported it to the Solana-based platform through ImmuneFi, a web3 bug bounty platform.
Halborn noted that an attack on Port would have been possible because the design of the protocol allows “pools to set a bonus rate for liquidating assets and a threshold that makes loans vulnerable to liquidation.” In addition, the protocol allows a liquidator to withdraw up to “50% of the borrowed value of an obligation and the indicated bonus.”
Most cryptocurrency DeFi lenders offer loans where the loan-to-value (LTV) ratio is less than one, meaning the collateral is more valuable than the loan itself. The loan becomes liquidatable if its collateral value drops too low due to high LTV, Halborn explained.
For instance, an attacker would have been able to use this method to exploit the Port Finance by going to reserves with high bonus rates R1 and low LTV, where the values are summed more than 100%. Then deposit some funds to R1 and several larger amounts to R2.
The exploiter would then take a loan from R2, the same amount of funds locked in R1, and then go further to clear the R2 collateral, making the obligation liquidatable.
The cybersecurity firm noted that Port Finance has fixed the bug by “changing the calculation of the maximum withdrawal value from 50% to be based on the relationship between the maximum allowed borrow value for an obligation, the actual borrowed value, and the reserve’s L2V.”
Meanwhile, this is not the first time a white hat hacker has been rewarded for identifying a bug. Earlier this year, leading cryptocurrency trading platform Coinbase paid a $250,000 bounty to a white hat for helping to avert a “market-nuking” bug on the exchange.