Ethical crypto hackers win $52 million in bug bounties via Immunefi in 2022

Quick Take

  • Immunefi rewarded ethical hackers with $52 million for finding bugs in crypto projects in 2022.
  • The largest bounty paid via Immunefi was worth $10 million for a vulnerability discovered in Wormhole.

Immunefi, a crypto-focused bug bounty platform, paid over $52 million to ethical hackers for finding bugs in blockchain and cryptocurrency apps in 2022, a year in which the value of crypto hacks topped $3 billion.

In 2022, malicious actors increasingly used advanced tactics to exploit weaknesses in decentralized apps, opening the opportunity for crypto bug bounty players like Immunefi. Such platforms reward so-called white hat hackers for discovering and reporting security vulnerabilities. 

Immunefi currently dominates the web3 bug bounty space. While it has awarded $52 million to hackers this year, the second-most popular platform, HackenProof, has paid out less than $850,000 since its launch in 2017, according to its website.

According to Immunefi, the dollar value of web3 bug bounties easily surpasses that of bounties paid by the large tech giants active in the web2 space. The web3 space is unique because vulnerabilities in code can result in a direct loss of funds. As such, the incentives to exploit projects in web3 are significantly larger, primarily due to the amount of capital held in smart contracts, the Immunefi team explained.

Wormhole bounty


The highest bounty Immunefi paid in 2022 was the $10 million award for a vulnerability discovered in Wormhole, a generic cross-chain messaging protocol. This reward alone was larger than the total of $8.7 million paid out by Google's Vulnerability Reward Programs in 2021. Immunefi also awarded a $6 million bounty for a vulnerability discovered in Aurora, a bridge and a scaling solution for Ethereum.

“A $5,000 bounty payout for a critical vulnerability may work in the web2 world, for example, but it does not work in the web3 world. If the direct loss of funds for a web3 vulnerability could be up to $50 million, then it makes sense to offer a much larger bounty size to incentivize good behavior,” Immunefi noted.

Since it was founded in 2020, Immunefi has paid more than $65 million in rewards for securing $25 billion in total value, the firm claimed. During this period, it has worked with notable players in the space, including Chainlink, Wormhole, MakerDAO, Compound, Synthetix, Polygon and ApeCoin DAO. In September, Immunefi raised $24 million in a Series A round led by Framework Ventures.

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Vishal Chawla is The Block’s crypto ecosystems editor and has spent over six years covering tech protocols, cybersecurity, artificial intelligence and cloud computing. Vishal likes to delve deep into blockchain intricacies to ensure readers are well-informed about the continuously evolving crypto landscape. He is also a staunch advocate for rigorous security practices in the space. Before joining The Block, Vishal held positions at IDG ComputerWorld, CIO, and Crypto Briefing. He can be reached on Twitter at @vishal4c and via email at [email protected]


To contact the editor of this story:
Andrew Rummer at
[email protected]