Cryptocurrency security audit company CertiK has recently been embroiled in a dispute with Kraken after infiltrating the exchange. It is now accused of running a “bug bounty” program that collects vulnerability reports for various platforms instead of letting security researchers submit those vulnerabilities directly to the affected companies.
The accusations are centered around the “OpenBounty” operated by the ShenTu chain. ShenTu chain was previously known as “CertiK chain” and was operated by the CertiK Foundation. Archived versions of the CertiK Foundation website clearly indicate that it was founded by Ronghui Gu and Shao Zhong, who are still listed as co-founders of CertiK.
Beyond the apparent connections between these entities, others point out that bug bounty submissions are directed to URLs with CertiK in the name.
In many cases, OpenBounty appears to simply repost bug bounties from other platforms such as ImmuneFi. The bug bounty page for Arbitrum explicitly states that you should refer to the ImmuneFi website for more information.
An executive from ImmuneFi emphasized on X (formerly Twitter) that ImmuneFi “has no collaboration with OpenBounty/ShenTu, and we always recommend submitting through the ImmuneFi program.”
The recent dispute between CertiK and Kraken has further heightened concerns about submitting critical vulnerabilities to CertiK, especially if the projects themselves are unaware that these vulnerabilities were solicited through OpenBounty.
Other projects have expressed disappointment in CertiK’s “Skynet” program, alleging that projects that do not undergo CertiK audits receive poor ratings.
Protos reached out to CertiK and ShenTu chain to clarify the relationship between the two and why these bug bounty posts are appearing on the platforms. As of the time of publication, neither party had responded.