Breaking into Cloud Wallets: Findings from 3 years spent Hacking Crypto Web Apps

Presented at Kernelcon 2022, April 1, 2022, 10:15 a.m. (60 minutes)

In 2018, after being invited to an HackerOne program, a friend and I realized that there was nearly 1 billion dollars sitting behind an Apache web server. This led us down a rabbit hole exploring the security of cryptocurrency exchanges, KYC platforms, monetary providers, brokerages, NFT platforms, smart contracts, and the hundred other services all built to support the nearly 2 trillion dollars tied up in cryptocurrency. We began hacking on the bug bounty programs for these services and, after working with a large number of entities, discovered that there were traditional vulnerabilities, novel techniques, and lots of room for interesting research against this newer environment. This talk explores the nearly 3 years of stories hacking cryptocurrency websites and our outlook for the future of cryptocurrency security from the perspective of traditional security consultants and bug bounty hunters.

Presenters:

• Sam Curry
  Sam Curry is the founder of Palisade, LLC, a security consultancy specialized in securing blockchain based web applications. Prior to Palisade, he worked as a full time bug bounty hunter for 4 years, a security analyst at HackerOne, and a security consultant at TrustFoundry. Sam runs a blog at samcurry.net discussing web security research and bug bounty findings.

Similar Presentations:

• Black Hat USA 2022 / Bug Bounty Evolution: Not Your Grandson's Bug Bounty
• CarolinaCon 11 (2015) / Cryptocurrency Laundering Theory for Fun and Retirement
• DerbyCon 3.0 All in the Family (2013) / Decoding Bug Bounty Programs