
Cos(余弦)😶🌫️|Jul 11, 2025 08:58
This is not only a classic security value calculation problem in the cryptocurrency industry, but other industries also face the same dilemma. Don't worry about other industries for now, as many have mature laws to regulate and control them. The cryptocurrency industry, such as DeFi scenarios, promotes the so-called Code is Law spirit. As far as I know, there is no existing law that can be directly applied to profiting from smart contract vulnerabilities.
Many cases are interpreted based on relevant legal provisions from the past, and potential enforcement actions are taken.
Many people who play security do not trust the project team to generously offer rewards, so they adopt a direct hacking approach, taking away the funds first and then choosing whether to negotiate and receive the full reward. If this kind of behavior, intrusion or embezzlement of funds, occurred in other industries, it would immediately be a criminal case. After negotiation, forgiveness is an exaggeration. But in the DeFi scenario, without direct legal provisions to explain, there may be a lot of room for operation. It's not that this is completely outside the law; it depends on whether stakeholders are serious or not. The operable space is created through realistic operations.
Very subtle. How to solve hackers' trust problem with project parties and vulnerability bounty platforms through the design of the vulnerability bounty mechanism, whether the bounty meets their expectations, and whether they can truly be exempted from liability: this challenge is quite big, and the process may not be so easy. So some hackers directly adopt the shortest path guided by the spirit of Code is Law: preparing independent environments, hanging agents, Tornado Cash withdrawal gas, sending and utilizing tx on the chain, and transferring profits. They then choose whether to negotiate or not, and if so, receive a refund of 10% or even more of the bounty. You see, the GMX vulnerability bounty is actually set at a high enough limit of $5 million. However, in the end, the hacker chose the shortest and roughest path, which is to hack first and then proceed ... and chose to turn white hat, also taking away a bounty of 5 million US dollars.
SlowMist and I won't take this route. It's just a personal choice; there's no right or wrong. But as long as we switch to the white hat, I personally will give it a thumbs up.