
ImmuneFi

Immunefi launches on-chain bug bounties through ‘Vaults’ system

The Web3 security platform now allows projects to deposit bounty funds to a Safe smart contract, proving the funds are available.

Blockchain security platform Immunefi has launched an on-chain system for bug bounties, according to a Sept. 26 announcement. The new system, called “Vaults,” allows Web3 developers to escrow funds in an on-chain address and use them to pay out bug bounties to white hat hackers.

Immunefi believes the new system will help projects “demonstrate to whitehats [...] that they have allocated sufficient funds to pay bounties,” which it hopes will result in “more top-tier bug reports” being submitted.

List of Immunefi bug bounties. Source: Immunefi

Software developers often offer rewards, called “bug bounties,” to hackers who discover exploits or other bugs in their software. This sometimes allows vulnerabilities to be found before bad actors can exploit them. Hackers who submit bug reports for rewards instead of taking advantage of an exploit are called “white hat” hackers, while “black hat” hackers use their knowledge for malicious purposes.

Related: Projects would rather get hacked than pay bounties, Web3 developer claims

According to the announcement, the new Immunefi system allows projects to deposit their bug bounty funds to a Safe multisig smart contract (formerly called a “Gnosis Safe”). This provides white hats with on-chain proof that the funds are available. Once a bug is submitted and a project has confirmed it’s genuine, the project can release the funds to the bug reporter’s wallet.
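To make the escrow flow concrete, here is an added illustration (not Immunefi's Vaults code and not the Safe contract itself, which is a far more complete production multisig): a minimal, hypothetical vault in which a project's signers must reach an approval threshold before escrowed ETH is released to a researcher. The contract's balance is what a white hat can read on-chain as proof that the bounty funds exist. All names (`BountyVault`, `proposePayout`, `approvePayout`) are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical bounty escrow (example only, not Immunefi's or Safe's code).
/// A fixed set of project signers approves each payout; once `threshold`
/// approvals are collected, the escrowed ETH is sent to the researcher.
contract BountyVault {
    address[] public signers;
    uint256 public immutable threshold;
    mapping(address => bool) public isSigner;

    struct Payout {
        address payable researcher;
        uint256 amount;
        uint256 approvals;
        bool executed;
        mapping(address => bool) approvedBy; // prevents double-counting one signer
    }
    uint256 public payoutCount;
    mapping(uint256 => Payout) private payouts;

    event Deposited(address indexed from, uint256 amount);
    event PayoutProposed(uint256 indexed id, address researcher, uint256 amount);
    event PayoutApproved(uint256 indexed id, address signer);
    event PayoutExecuted(uint256 indexed id, address researcher, uint256 amount);

    modifier onlySigner() {
        require(isSigner[msg.sender], "not a signer");
        _;
    }

    constructor(address[] memory _signers, uint256 _threshold) {
        require(_signers.length > 0 && _threshold > 0 && _threshold <= _signers.length, "bad config");
        for (uint256 i = 0; i < _signers.length; i++) {
            require(_signers[i] != address(0) && !isSigner[_signers[i]], "bad signer");
            isSigner[_signers[i]] = true;
        }
        signers = _signers;
        threshold = _threshold;
    }

    /// Anyone may fund the vault. The resulting contract balance is the
    /// on-chain evidence a researcher checks before spending time on a report.
    receive() external payable {
        emit Deposited(msg.sender, msg.value);
    }

    /// A signer proposes paying `amount` wei to `researcher` for a confirmed bug.
    function proposePayout(address payable researcher, uint256 amount)
        external
        onlySigner
        returns (uint256 id)
    {
        require(researcher != address(0) && amount > 0, "bad payout");
        id = payoutCount++;
        Payout storage p = payouts[id];
        p.researcher = researcher;
        p.amount = amount;
        emit PayoutProposed(id, researcher, amount);
    }

    /// Each signer approves at most once; the final approval releases funds.
    function approvePayout(uint256 id) external onlySigner {
        Payout storage p = payouts[id];
        require(p.researcher != address(0), "unknown payout");
        require(!p.executed, "already executed");
        require(!p.approvedBy[msg.sender], "already approved");
        p.approvedBy[msg.sender] = true;
        p.approvals += 1;
        emit PayoutApproved(id, msg.sender);
        if (p.approvals >= threshold) {
            _execute(id, p);
        }
    }

    function _execute(uint256 id, Payout storage p) internal {
        require(address(this).balance >= p.amount, "insufficient escrow");
        p.executed = true; // checks-effects-interactions: mark before the external call
        (bool ok, ) = p.researcher.call{value: p.amount}("");
        require(ok, "transfer failed");
        emit PayoutExecuted(id, p.researcher, p.amount);
    }
}
```

The two properties the announcement leans on are visible here: the escrow balance is public state, so "funds are available" is a claim anyone can verify rather than take on trust, and release requires a quorum of the project's own signers, so no single key (and no third party) can drain the bounty pool.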

During the Vaults launch, Ethereum infrastructure provider SSV posted a $1 million deposit to help pay bug bounties for its software. Decentralized exchange Ref Finance, which is on the NEAR network, also uses the new system. SSV DAO contributor Eridian claimed that on-chain bug bounties will help provide better security for the DAO’s validator services, stating:

“The Vaults System will help us provide added reassurance for any researcher engaging with our bounty program, and in turn help secure the protocol even further. A good win-win. Building further trust with the community by showcasing dedicated funding, and streamlining the payment process, will ultimately strengthen our security efforts.”

In December 2022, Immunefi reported that it had facilitated $66 million in bug bounty payouts since the platform’s inception. LayerZero released a $15 million bug bounty through Immunefi on May 17.



More Than $23,000,000 Worth of Crypto Lost to Hacks and Frauds in August: Bug Bounty Platform Immunefi

A new report from a bug bounty platform shows that the amount of crypto assets lost to hacks and frauds took a dive in August. According to Immunefi, $23,366,220 worth of digital assets were lost in August, marking a sharp decline from the $320,498,660 worth of losses recorded in July. Crypto losses from hacks and […]

The post More Than $23,000,000 Worth of Crypto Lost to Hacks and Frauds in August: Bug Bounty Platform Immunefi appeared first on The Daily Hodl.


$16M in crypto lost to hacks in August — Report

Four security incidents took place on Coinbase's layer-2 solution Base shortly after its launch.

A total of $15.8 million in cryptocurrencies were lost to hacks or exploits in the month of August.

According to an Aug. 31 report by blockchain security firm Immunefi, a combined $23.4 million in crypto was lost to a combination of hacks and fraud, a significant decrease compared to the $320.5 million lost in July. All exploits consisted of attacks against decentralized finance (DeFi) protocols, and not a single incident affected centralized finance entities.

Of the 21 security incidents reported, five took place on the Ethereum blockchain, while four occurred on BNB Chain. Coinbase's highly anticipated layer-2 solution, Base, witnessed four security exploits shortly after its launch on Aug. 9.

Top losses include the Exactly Protocol hack on Aug. 18, where 4,323.6 Ether (ETH) ($7.2 million) in users' deposits were stolen via a malicious deposit contract. 

Meanwhile, on Aug. 25, Magnate Finance, a borrowing and lending protocol deployed on Base, orchestrated an alleged $6.5 million exit scam after prominent DeFi sleuth zachXBT claimed the Magnate Finance deployer address was linked to the exit scam. All assets have since been removed from the protocol's smart contract, with its website and socials also offline. 

Year-to-date, users have lost $1.25 billion in crypto due to hacks and fraudulent activities, according to Immunefi data. In March, DeFi protocol Euler Finance lost $195 million in a malicious flash loan attack. Less than one month later, the Euler hacker returned over 90% of users' assets after developers threatened them with legal action. 

DeFi August 2023 security incident report | Source: Immunefi

Magazine: Should we ban ransomware payments? It’s an attractive but dangerous idea


Immunefi says it has facilitated $66M in bug bounty payouts to whitehats since inception

The average bug bounty payout over 1,248 confirmed reports was $52,800.

According to a new report released on Dec. 21, blockchain security firm Immunefi said that it has processed more than $65,918,994 in crypto bounties paid to ethical hackers over 1,248 reports since its inception on Dec. 9, 2020. Web 3.0 projects list bounty programs on Immunefi to encourage whitehat hackers to report vulnerabilities and claim monetary rewards, which the company then facilitates.

The payouts appear to be concentrated in nature, with bounty programs operated by Wormhole, Aurora, Polygon, Optimism, and an undisclosed firm accounting for $30.2 million worth of rewards in the past year. The median payout was $2,000, and the average payout was $52,800. A small number of critical vulnerability bug reports received the highest rewards. 

"A $5,000 bounty payout for a critical vulnerability may work in the web2 world, for example, but it does not work in the web3 world. If the direct loss of funds for a web3 vulnerability could be up to $50 million dollars, then it makes sense to offer a much larger bounty size to incentivize good behavior."

In terms of vulnerability notifications, Smart Contracts issues took the lead, with a total of 728 submissions, accounting for 58.3% of paid reports. Meanwhile, the Websites and Applications and Blockchain/Distributed Ledger Technology (DLT) categories totaled 488 submissions (39.1%) and 32 submissions (2.6%), respectively. Interestingly, despite having a high number of submissions, Websites and Applications reports only represented 2.9% of total whitehat payouts, whereas Smart Contract bugs accounted for 89.6% of payments.

The Wormhole vulnerability discovery resulted in a $10 million bug bounty payout | Source: Immunefi

The bounty programs also surfaced high-severity vulnerability reports, such as the case in Pods Finance, for a logic error that allowed for theft of yield or abuse of the rewards system on the protocol. Another was Mushrooms Finance's vulnerability, which could potentially have been exploited via a miner-extractable value attack using Flashbots.

The report also dedicated a portion to ransom analysis, revealing that malicious hackers have returned $32.7 million in funds illicitly gained from decentralized finance (DeFi) protocols across five specific situations in 2022. Hackers have kept $6.44 million in total ransom payments. Some experts say that the payment of ransom to hackers amounts to giving in to extortion, but nearly all agree that it's much better to institute a bug bounty program ex ante. Immunefi currently offers $144 million in bounty rewards through Web 3.0 projects listed on the platform.


Aurora pays $6M bug bounty to ethical security hacker through Immunefi

Over $200 million worth of users' funds could have been at risk if the whitehat chose to exploit the vulnerability for personal gain instead of reporting it to developers.

On Tuesday, Ethereum (ETH) bridging and scaling solution Aurora announced it had paid out a $6 million bounty to ethical security hacker pwning.eth, who discovered a critical vulnerability in the Aurora Engine. The exploit allegedly placed over $200 million worth of capital at risk. The sum was paid in collaboration with Immunefi, a leading platform for Web 3.0 bug bounties, with $145+ million in bounties available and $45+ million in bounties paid out.

On April 26, Immunefi received a report from pwning.eth about a critical flaw in the Aurora Engine that would have enabled the infinite minting of ETH in the Aurora Ethereum Virtual Machine and thereby drained the corresponding nested ETH (nETH) pool on NEAR. At the time of discovery, the pool contained more than 70,000 ETH worth at least $200 million.

Mitchell Amador, founder and CEO at Immunefi, said: "Hats off to Aurora and pwning.eth for the flawless overall processing of the report. The bug was quickly patched, with no user funds lost." Aurora had launched a bug bounty program with Immunefi just one week before discovering the security vulnerability. Meanwhile, Frank Braun, head of security at Aurora Labs, commented: "We look at the bug bounty program as the last step in a layered defense approach and will use this bug as a learning opportunity to improve earlier steps, like internal reviews and external audits."

Though arguably innovative, cross-chain communication protocols have been a prime target of hackers as of late. In February, one of the largest decentralized finance hacks occurred when the Wormhole token bridge was drained of over $321 million in digital assets after hackers exploited an infinite minting glitch between its wrapped ETH and ETH pool. 


MakerDAO launches biggest ever bug bounty with $10M reward

Immunefi’s largest bug bounty to date aims to help MakerDAO pinpoint potential vulnerabilities in its smart contracts and apps to prevent monetary losses.

MakerDAO has announced that it will begin offering a maximum of $10 million bounty to white hat hackers and cybersecurity specialists who point out legitimate security threats in its smart contracts.

Maker’s (MKR) plan to front-run attacks on its smart contracts is the largest ever on the bug bounty platform Immunefi. In fact, if someone claimed the lot, it would equal the total amount of $10 million that Immunefi has paid out to date from active and inactive events. Its website claims the bugs found have averted up to $20 billion in damages from hacks.

Whitehat hackers stand to gain payouts ranging from $1,000 for low-level vulnerabilities through to a maximum of $10 million for critical issues found in Maker’s smart contracts and apps. The payouts will be made in DAI stablecoins. The next largest bug bounty on Immunefi is a $3.3 million bounty from Olympus DAO.

MakerDAO is the community that governs how DAI is collateralized and spent from Maker’s treasury. DAI is currently the fifth largest stablecoin with a $9.7 billion market cap according to CoinGecko.

The Maker Foundation had previously controlled aspects of governance on Maker before its CEO and founder Rune Christensen announced the dissolution of the foundation in July 2021, making the DAO “fully self-sufficient”.

Immunefi co-founder Travin Keith said in a Feb. 11 statement,

“We’re glad to announce one of the key pillars of our mandate, which is to launch and maintain a bug bounty program that will help MakerDAO ensure its safety.”

This new bug bounty comes at a time when smart contract exploits appear to be on the increase with hundreds of millions of dollars in losses over the past two weeks alone. Yesterday, hackers withdrew over $10 million from Dego Finance through a smart contract exploit.

Related: ImmuneFi report $10B in DeFi hacks and losses across 2021

On Feb. 7, token bridge Meter.io’s smart contracts were hacked, causing $4.4 million in losses. On Feb. 2, the Wormhole token bridge’s smart contracts on Solana (SOL) were exploited to the tune of $321 million, which is the largest single loss in a hack so far this year.


ImmuneFi report $10B in DeFi hacks and losses across 2021

The research reveals that crypto losses from exploits and rug-pulls rose 137% in comparison to the figure calculated for 2020.

Decentralized finance, or DeFi, security platform and bug bounty service ImmuneFi published an official report on Thursday, which calculated the total volume of losses in the cryptocurrency markets in 2021. According to its report, the company found that losses resulting from hacks, scams and other malicious activities exceeded $10.2 billion over the past year.

Responsible for protecting over $100 billion worth of assets for a number of well-established DeFi protocols, including Synthetix, Chainlink, SushiSwap and PancakeSwap, among others, ImmuneFi has regularly facilitated seven-figure pay-outs to whitehat hackers and other good-willed entities for preventing protocol compromises.

According to the report, across 2021, there were 120 instances of crypto exploits or fraudulent rug-pulls, the highest-valued hack being Poly Network at $613 million, followed by Venus and BitMart with $200 million and $150 million, respectively.

Other notable entries on the list were Alpha Finance and Cream Finance, which were both hacked for $37.5 million, Yearn.finance’s $11 million, Furucombo’s $14 million evil contract exploit, as well as the infamous Alchemix reverse rug, in which the platform’s users claimed a welcome windfall of $6.5 million after a withdrawal issue arose with one of the platform’s smart contracts’ synthetic assets, alETH.

The year 2021 saw a stark rise in both the frequency and volume of security breaches in comparison to the previous year, which recorded 123 incidents totaling $4.38 billion, a 137% increase.

In conversation with Cointelegraph, CEO and founder of Immunefi, Mitchell Amador, spoke of his optimism for the future of on-chain security, despite what he described as a “year of dramatic losses” for the industry.

“Despite the appearance of entirely new vulnerabilities in the onchain economy, the community is adapting rapidly. At Immunefi alone, we saved double the amount lost to exploitation this year, and security best practices are circulating throughout the community.”

Amador cited ImmuneFi’s role in facilitating Polygon’s (MATIC) recent $3.47 million pay-out to two whitehat hackers for their instrumental role in averting what was described as a “critical” vulnerability in the network’s proof-of-stake Genesis contract, placing almost all of the MATIC token supply of $10 billion at risk.

Related: Recounting 2021’s biggest DeFi hacking incidents

In September last year, ImmuneFi organized what was reported at the time as being the largest bounty in the history of DeFi to renowned white hat programmer Alexander Schlindwein for averting a potential $10-million bug crisis in automated market maker, or AMM, protocol Belt Finance.

Schlindwein received a compensation of $1.05 million in total, $1 million of which was granted by Belt Finance with ImmuneFi acting as the middleman, and the remaining $50,000 offered by Binance Smart Chain’s Priority One program.

In October, ImmuneFi announced a $5.5 million capital raise from a number of institutional investors, including Blueprint Forest and Electric Capital, with the intention of expanding its security services across the DeFi industry in a concerted effort to lower the prevalence and financial impact of security exploits in the space.


Immunefi to bolster DeFi security service with new funds

The platform has paid out more than $7.5 million in bug bounties since inception in December 2020.

DeFi security platform Immunefi has announced $5.5 million in funding from a panoply of eleven institutional investors, including Blueprint Forest, Electric Capital, Framework Ventures and Bitscale Capital, in addition to a series of private individuals.

Immunefi will utilize the funds to advance its services in DeFi security, providing asset protection to smart contract protocols, as well as offering financial incentives to benevolent hackers.

The service is reportedly responsible for protecting more than $50 billion in protocol assets from projects such as Synthetix, Chainlink, SushiSwap and PancakeSwap. It has paid out $7.5 million in bug bounties throughout its history.

According to analytical data from REKT Database, the DeFi space has experienced malicious hacks totaling more than $1.74 billion in its entire lifespan, a vast proportion of which has been witnessed in the months since July 2021.

The $609 million hack of cross-chain protocol Poly Network in early August this year bears the undesirable crown for the industry's largest-ever hack. However, in welcome but unusual circumstances, Mr. White Hat — as they came to be known — returned all of the available funds, the remaining balance being the $33 million in USDT tokens that had initially been frozen.

Over the past year, the prevalence and severity of financial breaches within the DeFi space have established a surging demand for security services such as Immunefi.

Related: White hat hacker paid DeFi’s largest reported bounty fee

Founder and CEO of Immunefi, Mitchell Amador, spoke of the importance of offering DeFi protective measures:

“DeFi is unique because vulnerabilities in code represent a possibility of a direct loss of users’ money. Bug bounty programs are open invitations to security researchers to find those vulnerabilities in exchange for a reward, and have proved one of the most effective ways to deal with critical security holes.”

In late September, a $1.05 million bug bounty fee was paid to renowned white hat programmer Alexander Schlindwein in the aftermath of the Belt Finance saga, for his instrumental role in preventing a potential $10 million downfall for the protocol. The claim was facilitated through Immunefi’s specialist bounty program.

More recently, white-hat hacker Gerhard Wagner pocketed a cool $2 million for diligently advising a solution to a “double-spend” flaw on the Polygon network, preventing a potentially catastrophic $850 million loss; the bounty now stands as an industry record.

Immunefi’s Amador also commented on the potential impact a service such as Immunefi could have on the wider technology landscape:

"We believe that by helping launch such programs on Immunefi, we contribute not only to protecting DeFi projects for today, but also to shaping the tech industry for the future.”
