Immunefi, a leading bug bounty platform for the cryptocurrency industry, has paid out a total of $65 million to white hat hackers since its founding in 2020.
These ethical hackers search for vulnerabilities in smart contracts and blockchain projects and are rewarded for reporting them through Immunefi's platform to the affected projects rather than exploiting them. This helps to secure users' assets and prevent bad actors from stealing funds.
Smart Contract Bugs Account for Majority of Paid Reports
According to Immunefi, 58.3% of the paid reports were for smart contract vulnerabilities, with 728 submissions. There were 488 submissions for cases in the Websites and Applications category, making up 39.1% of the total, and 32, or 2.6%, for Distributed Ledger Technology/Blockchain cases.
However, while Websites and Applications had the second highest number of submissions, that category accounted for only 2.9% of the money paid out, whereas smart contract bugs represented 89.6% of the payments.
Some projects have paid out far more in bounties than others. Aurora, Wormhole, Optimism, Polygon, and an unnamed company paid a combined $30.2 million through their bounty programs in 2021, with an average payout of $52,800 and a median payout of $2,000, a gap that reflects a small number of very large rewards for critical bugs alongside many small ones.
Over $52M Paid This Year
In 2022, a year in which crypto hacks caused losses of over $3 billion in assets, Immunefi facilitated over $52 million in payments to white hat hackers.
The highest paid bounty of the year was a $10 million reward for a vulnerability discovered in Wormhole, a cross-chain messaging protocol, and another $6 million was paid for a bug found in Aurora, an Ethereum-compatible layer-two scaling solution.
Web3 Bug Bounties Higher Than Those for Web2
Web3 bug bounties tend to be larger than those for Web2 because of the large amounts of capital held in smart contracts: a critical bug in a contract can often be turned directly into a loss of funds, so the bounty is sized against that potential loss.
As Immunefi explains, “A $5,000 bounty payout for a critical vulnerability may work in the web2 world, but it does not work in the web3 world. If the direct loss of funds for a web3 vulnerability could be up to $50 million, then it makes sense to offer a much larger bounty size to incentivize good behavior.”
Interestingly, the Wormhole bounty alone is larger than the $8.7 million paid out by Google’s Vulnerability Reward Programs in the past year.