Zengo wallet's developers are adopting an innovative strategy to identify vulnerabilities by offering a unique bug bounty. Instead of the traditional method of paying hackers to find flaws, they have placed 10 Bitcoins, valued at over $430,000, in a developer-controlled account. Announced on January 7, any hacker who successfully drains this Bitcoin will be allowed to keep it.
This bounty challenge will be open for 15 days, starting from January 9 and ending on the morning of January 24. The account's address, containing 1 BTC (around $43,000), will be disclosed on January 9. On January 14, an additional 4 BTC ($172,000) will be added, along with disclosure of one of the account’s security factors. On January 21, 5 more BTC ($215,000) will be added, making the total 10 BTC ($430,000), and a second security factor will be revealed. The wallet is secured using three security factors in total.
Once the second factor is revealed, hackers will have until 4 pm UTC on January 24 to attempt a breach. Successful hackers can keep the 10 BTC. Zengo boasts a wallet free from mnemonic vulnerabilities, eliminating the need for seed word copying or keystore file storage.
Zengo's wallet operates on a multi-party computation (MPC) network for transaction signing, creating two separate "secret shares" instead of a traditional private key. One share is kept on the user's mobile device, and the other on the MPC network. These shares are backed up using a three-factor authentication method, involving an encrypted backup file on Google or Apple accounts, the user's email address, and facial scans on mobile devices.
In case of MPC Network server issues, a backup method is in place. A "master decryption key" is held by a third-party law firm, ready to be published on GitHub for recovery mode activation in the app, allowing users to recreate their MPC network share and recover accounts using traditional private keys in other wallet apps. Zengo's CMO Elad Bleistein hopes this on-chain bounty will foster discussions about MPC technology in the crypto community, making complex concepts like MPC and TSS more tangible and demonstrating MPC wallets' security benefits over traditional hardware wallets.
Amid growing concerns about wallet security in the crypto community, highlighted by breaches like the Atomic Wallet incident that resulted in losses over $100 million, and $900,000 losses in Libbitcoin Explorer wallet library hacks in 2023, Zengo's challenge is a novel approach to ensuring and discussing wallet security.
