Ethical crypto hackers win $52 million in bug bounties via Immunefi in 2022

Quick Take

  • Immunefi rewarded ethical hackers with $52 million for finding bugs in crypto projects in 2022.
  • The largest bounty paid via Immunefi was worth $10 million for a vulnerability discovered in Wormhole.

Immunefi, a crypto-focused bug bounty platform, paid over $52 million to ethical hackers for finding bugs in blockchain and cryptocurrency apps in 2022, a year that has seen the value of crypto hacks top more than $3 billion.

In 2022, malicious actors increasingly used advanced tactics to exploit weaknesses in decentralized apps, creating an opening for crypto bug bounty platforms like Immunefi. Such platforms reward so-called white hat hackers for discovering and reporting security vulnerabilities.

Immunefi currently dominates the web3 bug bounty space. While it has awarded $52 million to hackers this year, the second-most popular platform, HackenProof, has paid out less than $850,000 since its launch in 2017, according to its website.

According to Immunefi, the dollar value of web3 bug bounties easily surpasses that of bounties paid by the large tech giants active in the web2 space. The web3 space is unique because vulnerabilities in code can result in a direct loss of funds. As such, the incentives to exploit projects in web3 are significantly larger, primarily due to the amount of capital held in smart contracts, the Immunefi team explained.

Wormhole bounty

The highest bounty Immunefi paid in 2022 was the $10 million award for a vulnerability discovered in Wormhole, a generic cross-chain messaging protocol. This reward alone was larger than the total of $8.7 million paid out by Google's Vulnerability Reward Programs in 2021. Immunefi also awarded a $6 million bounty for a vulnerability discovered in Aurora, a bridge and a scaling solution for Ethereum.

“A $5,000 bounty payout for a critical vulnerability may work in the web2 world, for example, but it does not work in the web3 world. If the direct loss of funds for a web3 vulnerability could be up to $50 million, then it makes sense to offer a much larger bounty size to incentivize good behavior,” Immunefi noted.

Since it was founded in 2020, Immunefi has paid more than $65 million in rewards for securing $25 billion in total value, the firm claimed. During this period, it has worked with notable players in the space, including Chainlink, Wormhole, MakerDAO, Compound, Synthetix, Polygon and ApeCoin DAO. In September, Immunefi