Crypto Bug Bounty Hunting: An Overview Since 2020
This is article 2 of 4 for the BanklessDAO Writer’s Cohort.
Crypto used to be all about trading and hodling alt and shitcoins in the hopes of mooning. However, a growing number of people are making money off crypto — not in the usual way of HODLing or day trading — but through “bounties” hosted by crypto platforms. One such bounty is bug hunting, which has become quite popular recently with the rise of DeFi and the DeFi hacks ensued.
According to Cointelegraph, “the hacks have skyrocketed demand for blockchain security experts, with some auditors making upwards of $430,000 annually.” Fortunately for auditors and security experts in developing countries, crypto bounty hunting is becoming a highway out of poverty and mediocrity.
But then, how did it all start? How did the industry make this transition in just two years? The story can be traced back to 2017/2018, when Bounty0x, Gitcoin, and other bounty hosting platforms allowed bounty hosts to post bounties paid out in any cryptocurrency, such as Ethereum, stablecoins, or other tokens.
These bounties ranged from spotting vulnerabilities in general code to marketing services such as writing content and tweets. However, the focus started shifting with the emerging popularity of the Ethereum blockchain and its smart contracts. Soon projects started building on Ethereum, and there was an influx of dapps into the market.
This breakneck development soon led to complications — developers built the dapps with Ethereum code, which could be hacked or exploited. So began an infamous chain of dapp and smart contract attacks, all in a bid to drain their funds. We all are familiar with the DeFi summer of 2020. That year, nearly $100 million was lost due to bugs, exploits, and hacks. The protocols recovered some losses, but the hacks affected the industry’s outlook.
Projects like YAM, Soft yearn, bZx, Harvest, and Akropolis suffered losses in hundreds of thousands and millions. Some of these hacks were orchestrated by hackers who wanted to prove a point — that the protocols’ code base or security was insecure and they could get away with the hacks.
Enter Immunefi in December 2020.
The idea was to incentivize white hackers to safeguard protocols by finding and reporting exploitable bugs in the ecosystem. The idea quickly caught fire; Immunefi secured partnerships with scores of protocols, gained the DeFi community’s trust and onboarded many white hackers.
By the fall of 2021, Immunefi was reportedly responsible for protecting more than $50 billion in protocol assets from projects such as Synthetix, Chainlink, SushiSwap, and PancakeSwap. In addition, the OG bug bounty platform had paid more than $7.5m in bug bounties.
One of the most popular bugs found was on the Polygon network and was reported to have been at risk of $850 million being exploited. The bug was found by an Immunefi hacker, Gerhard Wagner, who promptly reported it and received a $2 million payout.
According to research undertaken by Immunefi, DeFi-related hacks and exploits have cost the sector over $10.2 billion. 2022 has had its fair share of hacks, from the Axis Ronin Bridge hack of about $600m to the Solana hack to the recent $160m Wintermute exploit.
These hacks all mean that the DeFi, crypto space still needs to be safeguarded. Immunefi has acted promptly by raising $24,000,000 to boost its security capabilities, a giant leap from its $5m 2021 raise. Immunefi claims to have paid over $60 million in total bounties since its December 2020 debut.
The platform also supports over 300 DeFi and crypto projects, including Big Names, Chain link, MakerDAO, and Compound while protecting $100 billion in assets. Note that there are other bug bounty platforms like Hackenproof and bugbounter, but Immunefi stands above them.
The crypto bug bounty space has improved greatly in two years, with white hat hackers receiving adequate payouts for securing protocols. There’s still a lot of work to be done, but with Immunefi, other bug bounty platforms, and the hackers, I daresay we are in safe hands.
New to trading? Try crypto trading bots or copy trading
