Why Crypto-Economic Systems will be more secure

By jer979!! | www.publish0x.com/jer979 | 24 Jul 2020


tl;dr: Follow the money. The devs and hackers going after bug bounties certainly will.

One of my favorite authors in the crypto space is Trent McConaghy, CTO of Ocean Protocol (disclosure: I own a tiny amount of it).

I recently read one of his latest posts, On Verifying Token-Based Systems, which really helped me think about the design of crypto-economic systems (‘token-based’) from an engineering perspective.

Trent carefully lays out the process for designing, building, verifying, and validating these networks, where the consequences of skipping those steps can be dramatic, the infamous DAO hack being the best-known example.

In the article, Trent distinguishes two terms that I typically use interchangeably: verify and validate.

He writes:

Validation asks “am I building the right product” and verification asks “am I building the product right?” [Ref].

(source: https://blog.oceanprotocol.com/on-verifying-token-based-systems-c33eca757ecf)

It’s a subtle but critical difference, and one I hadn’t thought about particularly deeply before, but it sure was helpful.

It was in the discussion of verification that I had a mini-epiphany about the security of crypto-economic/token-based systems. (For the record, I also use those two terms interchangeably, and I may be mistaken in that regard.)

Bug Bounties

A “bug bounty” program pays developers and researchers to find and report security holes in software. These programs have been around for a while.

What makes crypto bug bounties so interesting is that gratification is instant.

In traditional software, a developer/engineer/researcher/hacker finds a bug in, say, Google’s or Microsoft’s software and submits a claim. Eventually it is paid or it is not, but there’s friction. This is an “explicit bug bounty.”

In a crypto system, if you find an exploitable bug (aka “security hole”) in a contract that holds funds, you get the money immediately.

This system isn’t perfect, of course, and there’s plenty of risk on the other side of that trade, as those who had deposited funds in the bZx smart contracts discovered not long ago: the “bounty” is paid out of users’ money, not the project’s.

Still, the fact that the money is sitting there, available for the immediate taking, is a competitive differentiator for decentralized token-based networks. No forms to fill out, no claims to make. If you gain control of the smart contract’s funds by finding a bug, the money is yours.

Crypto Bug Bounties

Trent offers some examples of the different types of bounties currently in play in crypto-land:

  • Built-in bug bounties.
    When Bitcoin launched, it had security flaws that allowed double-spends and more. BTC had negligible value. But as more people discovered Bitcoin, BTC gained in value, and more energy was spent to fix Bitcoin’s security vulnerabilities. To this day, if anyone finds the right flaw, they could make millions. Bitcoin has built-in bug bounties. From a verification standpoint: Bitcoin ratcheted up value-at-risk over time. We can also call this “security bootstrapping” or “grow security” culture.
  • Explicit bug bounties.
    Gnosis DutchX started with a testnet, giving a bounty of $150K for finding major security flaws. A flaw was found. Gnosis fixed it, then launched a second testnet. No flaws were found this time, then the mainnet was launched.
  • Emergency fixes.
    Shortly after deployment, Spankchain was hacked; however the team quickly did an emergency fix and the project was saved. Some people gamed Balancer’s liquidity mining program in its early days, so a quick fix was introduced. When MakerDAO lost its peg to the USD, people proposed emergency fixes.
  • Canary Networks.
    Web3 Foundation launched the Kusama “canary” network, with 1% of the value of the eventual Polkadot mainnet. Cosmos’ Game of Zones and Game of Stakes series each had skin-in-the-game testing out incentives.

    (source: https://blog.oceanprotocol.com/on-verifying-token-based-systems-c33eca757ecf)

What’s powerful here is the combination of existing bug bounty structures (explicit bounties and emergency fixes) with new, crypto-native ones (canary networks and built-in bounties).

If You Build It, They Will Try to Hack It

My hypothesis is that these new types of challenges will be attractive to hackers (they are essentially financial honeypots, with the funds as the lure), gaining their attention and interest.

Most will fail to claim the bounties, but the bounties still serve as a “lead generation” program that introduces developers and security engineers to the networks and on-boards them.

As the value of a network grows (Bitcoin being the prime example), the number of attempts to break its smart contracts or protocol will only increase. Some networks will perish because of this, and that’s ultimately a good thing: they weren’t secure enough for the next level anyway. Those that survive are the battle-hardened ones.

When all is said and done (and that could be a while), the security incentives that “come standard” with crypto-economic networks will lead to some losers, for sure, but to much, much stronger winners.

In an era where a Twitter hack could have horrific consequences (imagine someone using Trump’s account to say “we launched nukes at North Korea”), the importance of security is becoming (again) more and more obvious.

Fortunately, Adam Smith’s capitalist instinct helps us here. Help yourself, help others.

In this case, put a pile of money out there for developers to take, if they can break the code.

If they break it, we all win (well, most of us), because we learn that the network wasn’t secure enough.

If they don’t, we all win (well, except the devs who fruitlessly tried to crack it), because we gain confidence that the network is secure.

I just think the numbers are in favor of crypto-economic networks.

More to come on Trent’s article. It’s an absolute gem and recommended reading.
