Theoretical Bugs With No Impact Don’t Get Paid — Here’s Why

As a whitehat, it’s easy to want to submit as many bugs as possible to a project — especially projects on Immunefi, because the bounties are so large. The largest in the world, in fact.

But at the same time, it’s important to have correct expectations about which submissions will be paid and which won’t be. Before submitting a bug, always carefully read the project’s bug bounty page on Immunefi to confirm which assets and impacts are in scope. Each project is unique in its requirements and expectations. Following those requirements and expectations is how you win.

Aside from checking whether the bug you’re submitting is in scope, there’s one other thing you need to do: make sure the bug is not a purely theoretical one.

Whitehats sometimes submit theoretical bugs and become disappointed when projects don’t pay out, so in this article, we’re going to focus on the category of theoretical bugs and why they are out of scope by default, so you can spend your time hunting more effectively.

Theoretical bugs, defined as attacks that are either impossible or non-profitable to execute, are out of scope by default and there is no expectation for a project to reward them.

In other words, in a theoretical attack, all planets would have to align for it to be successful. And as we know, planets only align in the movies.

Sometimes, a project may decide to reward theoretical bugs, but it is not at all obligated to do so. So, it’s important to manage your own expectations. If you decide to submit a theoretical bug, your default expectation should be that the project is not going to pay.

What’s an example of a theoretical submission?

Here are some cases of bugs that count as theoretical submissions and are therefore not in scope:

  • A bug that requires $1 trillion USDC to exist, in order for an attack to be successful. This amount of USDC does not exist and is not likely to exist for a very, very long time, if ever. This is a theoretical submission because it is not possible as an attack at present.
  • A bug where $1,000 could be stolen, but $100,000 has to be paid in fees first. This is a theoretical submission, as defined above, because it is not profitable. No attacker would execute this attack in the wild, and it is therefore out of scope.
  • A bug that requires a 51% attack.
  • Any bug that may be exploitable in the future under various conditions, but isn’t exploitable now.

We’re writing this article because your time is valuable, and we want you to spend it effectively and efficiently in hunting for bug bounties. If you follow this advice, you’ll be one step closer to claiming a big bug bounty on Immunefi and letting the world know just how skilled you are.

🔒 For more guides on how to secure smart contracts, analysis of past hacks, and information on the latest bounties, make sure you follow us on Twitter and join our whitehat Discord community.

P.S. Hackers subscribed to our newsletter are 35.8% more likely to earn a bug bounty. Click here to sign up.



