White-hat hackers compensated for protecting over $25 billion in crypto assets
Since its creation in 2020, Immunefi, the top bug bounty program for the cryptocurrency sector, has paid out a total of $65 million to white hat hackers.
These hackers are compensated for finding vulnerabilities in smart contracts and blockchain applications and reporting them to Immunefi. This aids in protecting the assets of users and deters thieves from taking money.
According to Immunefi, smart contract vulnerabilities accounted for 728 submissions, or 58.3% of the paid reports. There were 488 entries in the Websites and Applications category, representing 39.1% of the total, and 32 submissions in the Distributed Ledger Technology/Blockchain category, representing 2.6% of the total.
Although Websites and Applications had the second-most submissions, they accounted for only 2.9% of the awards, while smart contract flaws accounted for 89.6% of the payouts.
Some ventures have yielded greater rewards than others. In 2021, Aurora, Wormhole, Optimism, Polygon, and an unknown firm provided a total of $30,280,000 in bounties, with an average payout of $52,800 and a median reward of $2,000.
Immunefi provided over $52 million in payouts to white hat hackers in 2022 as a consequence of an increase in crypto attacks that led to the loss of over $3 billion in assets.
The largest bounty of the year was a $10 million payout for a vulnerability uncovered in the Wormhole decentralized communications system, while another $6 million was awarded for a flaw detected in the Ethereum-compatible Aurora layer-two scaling solution.
Because of the enormous sums held in smart contracts, Web3 bug bounties tend to be bigger than those for Web2.
According to Immunefi, a $5,000 reward for a serious vulnerability may work in the Web2 world, but not in the Web3 one. If a Web3 vulnerability may result in a direct loss of up to $50 million, it seems sensible to pay a considerably greater prize to encourage good behaviour.
Intriguingly, the Wormhole payout exceeds the $8.7 million given out by Google’s Vulnerability Reward Programs over the last year.