Zengo Wallet Offers Unique Bug Bounty Challenge: Crack the Code, Keep the Bitcoin
Summary:
Zengo Wallet is offering a unique bug bounty, placing 10 Bitcoin (BTC) in a developer-controlled account, rather than the standard method of financial rewards. The firm announced that any hacker successful in extracting the Bitcoin can keep it. The 15-day bounty begins on January 9 and concludes on January 24. The wallet uses a multi-party computation (MPC) network to validate transactions and a three-factor authentication method for further security. The bounty underscores the security advantages of MPC wallets over traditional alternatives and aims to stimulate discussions about MPC technology in the cryptocurrency community.
The creators of Zengo Wallet are offering a unique bug bounty. Instead of traditional monetary rewards for white hat hackers who locate security flaws, the firm has transferred 10 Bitcoin (BTC) (currently worth more than $430,000) into a developer-managed account. The company declared on January 7 that any infiltrator successful in withdrawing the Bitcoin can retain it.
The bounty challenge will run for 15 days, commencing on January 9 and concluding on the morning of January 24. On the first day, the fund's Bitcoin address will be exposed with 1 BTC (around $43,000) in it. Later, on January 14, Zengo will deposit an extra 4 BTC ($172,000) and share one of the “security factors” used to protect the account. On January 21, Zengo will top up another 5 BTC ($215,000), making the total balance 10 BTC ($430,000). A second security factor will also be disclosed at this juncture; the wallet has three security factors in total.
Hackers then have until 4 pm UTC, on January 24 to decode the wallet. Whoever succeeds within this period is entitled to the 10 BTC balance.
Zengo, the architect of a wallet that claims to have “no seed phrase vulnerability,” does not require users to write down seed words when creating an account, nor does the wallet keep a key vault file.
As detailed on its formal website, the wallet utilizes a multi-party computation (MPC) infrastructure to validate transactions. Instead of generating a private key, the wallet creates two discrete “secret shares.” One share is kept on the user's mobile device, the other on the MPC network.
User's share is additionally fortified through three-factor (3FA) verification. To retrieve their share, users must access an encrypted back-up file from their Google or Apple account, along with the email used to set up the wallet. Additionally, they must complete a facial scan on their mobile device, which serves as a third cryptographic factor required to reconstruct their share.
Zengo also has a backup plan for the MPC network’s share. The company alleges that a “master decryption key” was given to an independent law firm. If the MPC network’s servers go down, the law firm will publish the decryption key on a GitHub repo. This action will prompt the app to enter “recovery mode,” allowing users to rebuild the MPC network’s share related to their account. After obtaining both shares, users can generate a conventional private key and import it into another wallet app, enabling them to regain access to their account.
Zengo’s chief marketing officer Elad Bleistein told Cointelegraph that the company hoped the on-chain bounty would stimulate debates about MPC technology among cryptocurrency enthusiasts. He added that the Zengo Wallet Challenge aimed to underline the security advantages of MPC wallets over traditional hardware alternatives, and eagerly awaited engaging discussions with participants.
The crypto fraternity has grown increasingly concerned about wallet security following a recent Atomic Wallet breach which led to over $100 million losses by crypto users. To improve future security, the company subsequently initiated a bug bounty program. Additionally, users of the Libbitcoin Explorer wallet library reported losses amounting to $900,000 due to hacks in 2023.
Published At
1/7/2024 5:00:00 PM
Disclaimer: Algoine does not endorse any content or product on this page. Readers should conduct their own research before taking any actions related to the asset, company, or any information in this article and assume full responsibility for their decisions. This article should not be considered as investment advice. Our news is prepared with AI support.
Do you suspect this content may be misleading, incomplete, or inappropriate in any way, requiring modification or removal?
We appreciate your report.