Cryptocurrency security audit company CertiK has recently been embroiled in a dispute with Kraken after infiltrating the exchange, and is now accused of running a “bug bounty” program to collect vulnerabilities for various platforms instead of allowing security researchers to submit these vulnerabilities directly to the companies.
The allegations center around “OpenBounty,” operated by the ShenTu chain of businesses. ShenTu chain was previously known as “CertiK chain” and was operated by the CertiK Foundation. Archived versions of the CertiK Foundation website clearly indicate that it was founded by Ronghui Gu and Shao Zhong, both of whom are still listed as co-founders of CertiK.
In addition to the apparent connections between these entities, others have emphasized that bug bounty submissions are being directed to URLs containing CertiK in the name.
In many cases, OpenBounty appears to have effectively re-posted bug bounties from other platforms such as ImmuneFi. The bug bounty page for Arbitrum explicitly states that you should refer to the ImmuneFi website for more information.
An executive at ImmuneFi emphasized on X (formerly known as Twitter) that ImmuneFi “has no relationship with Open Bounty/ShenTu, and we always recommend submitting through the ImmuneFi program.”
The recent dispute between CertiK and Kraken has further heightened concerns about submitting critical vulnerabilities to CertiK, especially if the project itself is unaware that these vulnerabilities were solicited through OpenBounty.
Other projects have expressed disappointment with CertiK’s “Skynet” project, accusing the company of giving poor ratings to projects that have not undergone a CertiK audit.
Protos reached out to CertiK and ShenTu Chain to clarify the relationship between the two and why these bug bounty posts are appearing on the platforms. At the time of publication, neither party had responded.