Web3 bug bounty platform Immunefi surpasses $100 million in ethical hacker payouts

Quick Take

  • Blockchain security platform Immunefi has surpassed $100 million in ethical hacker payouts.
  • The payouts span three years and result from over 3,000 bug bounty reports.

Web3 bug bounty and security services platform Immunefi has surpassed $100 million in ethical hacker and researcher payouts, according to data the firm shared with The Block.

The milestone was reached around three years after Immunefi launched in December 2020, resulting from over 3,000 paid bug bounty reports, the team said.

Bug bounty programs invite developers and security researchers to examine a project's code, identify vulnerabilities and receive payment for their discoveries.

Smart contract bugs represent the highest proportion of Immunefi’s total $100.21 million in payouts, accounting for $77.97 million (77.5%) of the bounties. Vulnerabilities related to blockchain and distributed ledger technology protocols accounted for $18.76 million (18.6%), followed by website and application bug reports worth $3.85 million (3.8%). Some $19,550 worth of payouts were marked as “undefined.”

Of the total bug bounties, 641, worth $88.34 million, were marked as “critical” in severity, accounting for 87.8% of all bounties paid out. 559 ($7.45 million) were classified as “high” severity, 723 ($3.34 million) as “medium” severity, 656 ($1 million) as “low” severity and 458 ($566,000) as “informational.”

Bug bounty report payouts by severity. Image: Immunefi.

The highest overall payout relating to the same bug was $14.82 million connected to a critical vulnerability in January 2021, according to the data. The lowest was just $25.

“We work tirelessly to safeguard the onchain ecosystem, and this achievement is a testament to the effectiveness of our bug bounty programs and the dedication of our community of researchers,” Immunefi founder and CEO Mitchell Amador told The Block. “Their work is essential in preventing substantial financial losses in web3, and we will continue to innovate and support them in safeguarding the next generation of projects and users.”

Immunefi claims to operate the largest blockchain security community with over 45,000 researchers, saving more than $25 billion in user funds across protocols like Polygon, Optimism, Chainlink, The Graph, Synthetix and MakerDAO from being stolen. The highest white hat hacker bounty facilitated by Immunefi was a $10 million award for a vulnerability discovered in Wormhole’s cross-chain protocol. 


However, despite the crypto industry’s ethical hacking efforts, more than $3.4 billion in funds have been stolen by DeFi attackers over the past four years, according to The Block’s data dashboard.

In March, Immunefi reported that crypto losses due to hacks and scams hit $336 million in Q1 this year alone.

White hat hacking in the spotlight

On Wednesday, the white hat crypto scene erupted with allegations from Kraken that researchers at a blockchain security firm had withdrawn nearly $3 million from its wallets related to a bug disclosure, refusing to return the funds.

CertiK later came forward as that firm, alleging Kraken’s security team had “threatened” individual employees to repay a “mismatched” amount of crypto in an “unreasonable” time frame of six hours without providing a repayment address.

CertiK said it was transferring the funds to an account that Kraken could access based on its records. Meanwhile, the crypto community alleged that CertiK’s timeline of events did not match up with onchain activity and that addresses connected to the withdrawals had also interacted with the U.S.-sanctioned mixer Tornado Cash and swapped assets using ChangeNOW — a pattern of activity not typical of white hat hackers.

CertiK did not respond to a request for comment from The Block regarding the allegations.



© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

James Hunt is a reporter at The Block, based in the UK. As the writer behind The Daily newsletter, James also keeps you up to speed on the latest crypto news every weekday. Prior to joining The Block in 2022, James spent four years as a freelance writer in the industry, contributing to both publications and crypto project content. James’ coverage spans everything from Bitcoin and Ethereum to Layer 2 scaling solutions, avant-garde DeFi protocols, evolving DAO governance structures, trending NFTs and memecoins, regulatory landscapes, crypto company deals and the latest market updates. You can get in touch with James on Telegram or 𝕏 via @humanjets or email him at [email protected].
