In an unprecedented move in the world of cybersecurity, Zengo Wallet, a cryptocurrency wallet provider, has announced a unique bug bounty program that offers hackers the chance to win a substantial reward of 10 Bitcoin (BTC), currently valued at over $430,000. 

This unconventional approach aims to put the security of the Zengo Wallet to the ultimate test, providing a hefty incentive for potential vulnerabilities to be identified and exploited. The program is set to run for 15 days, starting on January 9th and concluding on January 24th, 2024.

Unlike traditional bug bounty programs that reward white hat hackers for discovering and responsibly disclosing vulnerabilities, Zengo Wallet takes a different path. Instead of paying hackers to identify and report bugs, the company is placing 10 Bitcoin into a developer-controlled account. 

The twist is that if a hacker successfully drains the Bitcoin from the account, they will be allowed to keep the entire sum.

The timeline of the bounty program

The Zengo Wallet bug bounty program is divided into several phases over 15 days, starting on January 9th. Here’s a breakdown of the program timeline:

January 9th: The account’s address will be revealed, and it will initially contain 1 BTC, approximately $43,000.

January 14th: Zengo Wallet will add an additional 4 BTC, worth $172,000, to the account and provide one of the “security factors” used to secure the account.

January 21st: The team will add another 5 BTC, amounting to $215,000, to the wallet, and reveal a second security factor. The wallet relies on a total of three security factors.

Hackers who wish to participate will have until 4 pm UTC on January 24th to attempt to crack the wallet. If anyone succeeds in doing so during this time frame, they will be entitled to keep the entire 10 BTC reward.

Zengo Wallet’s unique security features

Zengo Wallet boasts a distinctive approach to security. It claims to be a wallet with “no seed phrase vulnerability,” a notable departure from conventional cryptocurrency wallets. Users are not required to copy down seed words during account creation, and the wallet stores no key vault file.

The core of Zengo Wallet’s security is its use of a multi-party computation (MPC) network for transaction signing. Rather than generating a private key, the wallet creates two separate “secret shares.” The first share is stored on the user’s mobile device, while the second resides on the MPC network.

The user’s share is further secured through a three-factor authentication (3FA) method, which requires access to an encrypted backup file on their Google or Apple account, the email address linked to the wallet account, and a face scan on their mobile device. These three factors are crucial for reconstructing the user’s share.

Additionally, a backup method exists for the MPC network’s share. Zengo Wallet has entrusted a third-party law firm with a “master decryption key.” If the MPC network’s servers become inaccessible, this law firm can publish the decryption key on a GitHub repository. 

In such an event, the wallet app will automatically enter “recovery mode,” enabling users to reconstruct the MPC network’s share corresponding to their account. Once both shares are obtained, users can generate a traditional private key and import it into another wallet app, facilitating account restoration.

Zengo Wallet’s decision to opt for an unconventional bug bounty program has drawn significant interest from the cryptocurrency and cybersecurity communities. The unique approach challenges hackers to find and exploit vulnerabilities in a wallet that claims to offer higher security, particularly by eliminating the need for seed phrases and traditional private keys.

The cryptocurrency world will closely watch for any developments as the bug bounty program unfolds over the coming weeks. This innovative initiative tests the wallet’s security and pushes the boundaries of traditional bug bounty practices.