Cryptocurrency wallet provider Zengo is trying an unconventional tactic to test the security of its platform – placing 10 Bitcoins (worth over $430,000 at the time of writing) in a developer-controlled account and allowing any hacker who can drain the funds to keep them.
This unorthodox “bug bounty” program will run for 15 days, from January 9 to January 24, 2022. The bounty wallet’s address will be revealed on January 9 with 1 BTC deposited initially. On January 14, Zengo will add 4 more BTC and provide one of three “security factors” used to control the account.
Five additional BTC will be deposited on January 21, bringing the total to 10 BTC under bounty. On this date, Zengo will reveal a second security factor for the wallet. After this point, hackers have until January 24 at 4 pm UTC to attempt to crack the wallet and, if successful, withdraw the 10 BTC bounty.
Zengo utilizes multi-party computation (MPC) technology to secure its wallets instead of seed phrases or key files. User wallet keys are split into two “secret shares” – one stored on the user’s device, the other within Zengo’s MPC network. The user’s share has a 3-factor authentication backup method, while Zengo’s MPC network share has a “master decryption key” held by a third-party law firm.
With both shares, wallet owners can generate their private key to restore funds in other wallets if needed. According to Zengo co-founder Elad Bleistein, this on-chain bug bounty program aims to spur discussion around the security benefits MPC wallets provide over hardware wallets.
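The two-share split and the recovery step described above can be sketched as follows. This is an added example, not Zengo's code: the article does not say which sharing scheme Zengo uses, so additive sharing modulo the secp256k1 group order is an assumption, and all function names are hypothetical.

```python
import secrets

# Order of the secp256k1 group used for Bitcoin keys (public constant).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def split_key(private_key: int) -> tuple[int, int]:
    """Split a private scalar into a device share and a server share.

    Assumption: additive 2-of-2 sharing, chosen for illustration only.
    """
    if not 0 < private_key < N:
        raise ValueError("private key out of range")
    device_share = secrets.randbelow(N)              # uniformly random
    server_share = (private_key - device_share) % N  # completes the sum
    return device_share, server_share

def recover_key(device_share: int, server_share: int) -> int:
    """Recombine both shares (the restore path the article mentions)."""
    return (device_share + server_share) % N

def matching_share(known_share: int, candidate_key: int) -> int:
    """The missing share that would make candidate_key fit known_share."""
    return (candidate_key - known_share) % N

def single_share_is_uninformative(known_share: int, candidates: list[int]) -> bool:
    """True if every candidate key is consistent with one leaked share.

    Because a valid counterpart share exists for any key, a party holding
    only one share cannot rule out a single candidate.
    """
    return all(
        recover_key(known_share, matching_share(known_share, k)) == k
        for k in candidates
    )

if __name__ == "__main__":
    key = secrets.randbelow(N - 1) + 1               # constructed sample key
    dev, srv = split_key(key)
    print("recovered with both shares:", recover_key(dev, srv) == key)
    guesses = [secrets.randbelow(N - 1) + 1 for _ in range(5)]
    print("one share rules out no key:", single_share_is_uninformative(dev, guesses))
```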
Wallet security has become a major concern after breaches of Atomic Wallet, Phantom, and others led to major crypto asset losses for users in 2022. MPC technology is claimed to offer superior protection against remote hacking by eliminating single points of failure.
Zengo’s bounty will put its “no seed phrase vulnerability” claim to the test in live conditions. Although risky, the move provides transparency into Zengo’s security model and gives hackers an incentive to fully probe the system. As MPC adoption increases, more attention to attack surface analysis and bug disclosure is necessary.
If Zengo’s bounty wallet remains unhacked through January 24th, it will provide strong proof that MPC systems can deliver robust security for crypto asset protection. However, if the bounty is successfully claimed, it will highlight areas requiring improvement. Either outcome stands to benefit the maturation of MPC and crypto custody security overall.