Bugs

The average bug bounty payout over 1,248 confirmed reports was $52,800.

According to a new report released on Dec. 21, blockchain security firm Immunefi said that it has processed more than $65,918,994 crypto bounties paid to ethical hackers over 1,248 reports since its inception on Dec. 9, 2020. Web 3.0 projects list bounty programs on ImmuneFi to encourage whitehat hackers to report vulnerabilities and claim monetary rewards, which the company then facilitates.

The payouts appear to be concentrated in nature, with bounty programs operated by Wormhole, Aurora, Polygon, Optimism, and an undisclosed firm accounting for $30.2 million worth of rewards in the past year. The median payout was $2,000, and the average payout was $52,800. A small number of critical vulnerability bug reports received the highest rewards. 

"A $5,000 bounty payout for a critical vulnerability may work in the web2 world, for example, but it does not work in the web3 world. If the direct loss of funds for a web3 vulnerability could be up to $50 million dollars, then it makes sense to offer a much larger bounty size to incentivize good behavior."

In terms of vulnerability notifications, Smart Contracts issues took the lead, with a total of 728 submissions, accounting for 58.3% of paid reports. Meanwhile, the Websites and Applications and Blockchain/Distributed Ledger Technology (DLT) categories totaled 488 submissions (39.1) and 32 submissions (2.6%), respectively. Interestingly, despite having a high number of submissions, Website and Applications reports only represented 2.9% of total whitehat payouts, whereas Smart Contract bugs accounted for 89.6% of payments.

The bounty programs detected high vulnerability reports, such as the case in Pods Finance, for a logic error that allowed for theft of yield or abuse of the rewards system on the protocol. Another includes Mushrooms Finance's vulnerability which could be potentially exploited via a miner-extractable value attack with flash bots.

The report also dedicated a portion of ransom analysis, revealing that malicious hackers have returned $32.7 million in funds illicitly gained from decentralized finance (DeFi) protocols across five specific situations in 2022. Hackers have kept $6,44 million in total ransom payments. Some experts say that the payment of ransom to hackers amounts to giving into extortion, but nearly all agree that it's much better to instate a bug bounty program ex ante facto. Immunefi currently offers $144 million in bounty rewards through Web 3.0 projects listed on the platform.