The average bug bounty payout over 1,248 confirmed reports was $52,800.
According to a new report released on Dec. 21, blockchain security firm Immunefi has processed more than $65.9 million in crypto bounties paid to ethical hackers over 1,248 reports since its inception on Dec. 9, 2020. Web3 projects list bounty programs on Immunefi to encourage white hat hackers to report vulnerabilities and claim monetary rewards, and the company facilitates the payouts.
The payouts appear to be concentrated in nature, with bounty programs operated by Wormhole, Aurora, Polygon, Optimism and an undisclosed firm accounting for $30.2 million worth of rewards in the past year. The median payout was $2,000, and the average payout was $52,800. A small number of critical vulnerability bug reports received the highest rewards.
“A $5,000 bounty payout for a critical vulnerability may work in the web2 world, for example, but it does not work in the web3 world. If the direct loss of funds for a web3 vulnerability could be up to $50 million dollars, then it makes sense to offer a much larger bounty size to incentivize good behavior.”
In terms of vulnerability notifications, “smart contract” issues took the lead, with a total of 728 submissions, accounting for 58.3% of paid reports. Meanwhile, the “websites and applications” and “blockchain/distributed ledger technology” categories totaled 488 submissions (39.1%) and 32 submissions (2.6%), respectively. Interestingly, despite having a high number of submissions, website and application reports only represented 2.9% of total white hat payouts, whereas smart contract bugs accounted for 89.6% of payments.
The bounty programs surfaced high-severity vulnerability reports, such as one for Pods Finance concerning a logic error that allowed theft of yield or abuse of the protocol's rewards system. Another was a Mushrooms Finance vulnerability that could potentially have been exploited via a miner-extractable value attack using Flashbots.
The report also dedicated a portion to ransom analysis, revealing that malicious hackers have returned $32.7 million in funds illicitly gained from decentralized finance protocols across five specific situations in 2022. Hackers have kept $6.44 million in total ransom payments. Some experts say that paying ransom to hackers amounts to giving in to extortion, but nearly all agree that it is much better to institute a bug bounty program ex ante. Immunefi currently offers $144 million in bounty rewards through Web3 projects listed on the platform.