ImmuneFi, one of the most notable Web3 bug bounty platforms, has announced the launch of a new Leaderboard feature for ethical hackers in Web3.
As announced by the outfit, the Leaderboard will pull the 20 most accomplished whitehat hackers in the Web3 ecosystem and rank them by the critical bugs they have reported through the ImmuneFi platform.
“We’re proud to release the Immunefi Whitehat Leaderboard showing the top 20 whitehats in web3!” ImmuneFi shared the announcement via its Twitter page.
Bug bounties have become standard practice in the web3 ecosystem, with protocols paying experienced hackers to scour their code for vulnerabilities. As the industry matured, ImmuneFi emerged to organize whitehat programs in a way that was easy for both the protocols and the participants.
Whitehats are typically rewarded for their participation, and with this new feature, ImmuneFi said it will be giving the top hackers additional benefits.
“Whitehats who earn their spot through genius and hard work are eligible for further rewards, exclusive merch, paid trips, speaking opportunities, and more,” ImmuneFi affirmed.
ImmuneFi said the ranking of whitehats who submit bug reports through its platform will be based on three factors: the number of paid reports, the severity of paid reports, and total earnings.
Whether or not the leaderboard motivates whitehats to intensify their activity in the space, it certainly gives public recognition to the most effective security researchers in the industry.
The value of whitehats was recently underscored by the ApeCoin DAO, which passed a vote setting aside 1 million APE tokens as a bug bounty on ImmuneFi to incentivize whitehats to pore over its forthcoming staking protocol and look for any weak link that could lead to a drain of funds.
ApeCoin DAO, the Decentralized Autonomous Organization that is in charge of overseeing the development of APE, the native token of the Bored Ape Yacht Club (BAYC) ecosystem, has approved the allocation of $4.4 million to conduct a bug bounty program on ImmuneFi.
According to the snapshot of the votes cast which ended today, as many as 3.9 million APE tokens were cast in favor of the proposal, dubbed AIP-134.
The vote closed at 57.92% in favor versus 42.08% against, with 2.9 million APE committed against the proposal.
The purpose of the bug bounty is to add an extra security layer for the much anticipated ApeCoin staking service, which is slated to go live in December. The ApeCoin DAO wants experienced hackers to search out flaws in the staking smart contract that could cause headaches later on.
Now that it has been approved, the bounty can be launched on ImmuneFi, with the 1 million APE tokens earmarked for it drawn from the DAO’s treasury.
“As we near the launch of the ApeCoin staking system outlined in AIP-21 and AIP-22, we propose taking additional measures to ensure the DAO is following smart contract security best practices. This proposal uses treasury assets to fund a 1 million $APE bug bounty program with Immunefi, and partners with Llama to help design, implement, and run operations of these initiatives,” a snapshot from the proposal reads.
The DeFi ecosystem has not been spared by hackers this year. That most emerging smart contracts ship with security flaws is not up for debate; whether founding teams have the right model to prevent their exploitation remains a major bone of contention.
As one of the most prestigious NFT collections, Bored Ape users have been a major target of cybercriminals, and the hope is that the bug bounty will close any gaps ahead of the launch of the staking product.
Wormhole, a Decentralized Finance (DeFi) bridge protocol, has paid out a $10 million whitehat bounty.
As announced by ImmuneFi, the platform that organized the bounty program, the reward was paid to a programmer known as satya0x for identifying a bug that could have led to the exploitation of the Wormhole bridge.
“A whitehat who goes by the pseudonym satya0x responsibly disclosed a critical bug in the Wormhole core bridge contract on Ethereum. This bug was an upgradeable proxy implementation self-destruct bug that helped prevent a potential lockup of user funds,” ImmuneFi said in its update about the entire event.
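The quote names the bug class but not the mechanics. The following is an added illustration of that class (an upgradeable-proxy implementation that can be self-destructed), not Wormhole’s contract or Immunefi’s code; every contract and function name here is an assumption for the example. In the UUPS pattern the proxy delegatecalls into the implementation, so the proxy’s storage is what `initialize` is meant to set up. The mistake is leaving the implementation contract’s own storage uninitialized: anyone can call `initialize` directly on it, take the privileged role there, and run the upgrade path in the implementation’s own context, where a delegatecall to a self-destructing contract deletes the code every proxy points at and locks the funds behind it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Illustration of the bug class, not Wormhole's code (all names assumed).
// UUPS-style implementation: the proxy delegatecalls into it, so the proxy's
// storage is what `initialize` is meant to configure.
contract VulnerableBridgeImpl {
    address public guardian;
    bool private initialized;

    // BUG: nothing stops this being called directly on the implementation
    // contract (not through the proxy). The proxy's initialization never
    // touched the implementation's own storage, so `initialized` is false
    // there and anyone can become guardian of the bare implementation.
    function initialize(address _guardian) external {
        require(!initialized, "already initialized");
        initialized = true;
        guardian = _guardian;
    }

    // Upgrade path: delegatecall into the new logic so it can run a migration
    // (storing the new implementation address is elided for brevity).
    // Called directly on the implementation by the rogue guardian with
    // `data = abi.encodeWithSignature("kill()")` and `newImpl = new Destructor()`,
    // the delegatecall executes `selfdestruct` in the implementation's own
    // context and deletes the code every proxy points at. From then on the
    // proxy's fallback delegates to an empty account and every call,
    // withdrawals included, fails: user funds are locked, not stolen.
    function upgradeToAndCall(address newImpl, bytes calldata data) external {
        require(msg.sender == guardian, "not guardian");
        (bool ok, ) = newImpl.delegatecall(data);
        require(ok, "migration failed");
    }
}

contract Destructor {
    function kill() external {
        selfdestruct(payable(msg.sender));
    }
}

contract HardenedBridgeImpl {
    address public guardian;
    bool private initialized;

    // Fix 1: the constructor runs in the implementation's own context (never
    // through a proxy), so marking it initialized here means `initialize` can
    // never be called on the bare implementation. OpenZeppelin's
    // _disableInitializers() does the same thing.
    constructor() {
        initialized = true;
    }

    function initialize(address _guardian) external {
        require(!initialized, "already initialized");
        initialized = true;
        guardian = _guardian;
    }

    // Fix 2 (defence in depth): refuse to run upgrade logic unless executing
    // through a proxy, i.e. unless address(this) differs from the address the
    // implementation was deployed at (immutables are baked into code, so this
    // check survives delegatecall).
    address private immutable self = address(this);

    function upgradeToAndCall(address newImpl, bytes calldata data) external {
        require(address(this) != self, "must be called through proxy");
        require(msg.sender == guardian, "not guardian");
        (bool ok, ) = newImpl.delegatecall(data);
        require(ok, "migration failed");
    }
}
```

A practitioner’s check for this class is simple: deploy the implementation on its own and try to call `initialize` on it; the hardened version reverts. One caveat: on chains that have adopted EIP-6780 (Cancun), `selfdestruct` no longer deletes code unless the contract is destroyed in the same transaction that created it, so this exact lockup primitive is weaker there, but an uninitialized implementation still hands an attacker the upgrade path, which is the real defect to fix.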
DeFi protocols have been at the mercy of hackers recently, and Wormhole as a bridge has suffered a massive exploit that led to the loss of over $320 million.
Besides Wormhole, the Ronin Bridge, used solely by the Axie Infinity protocol, has also been exploited by what is suspected to be the North Korea-backed Lazarus Group. The Ronin hack drained $625 million from the protocol, a sum that has notably impacted the bridge’s operations.
The first line of defense against such attacks is to eliminate bugs before they become a gateway for cybercriminals. While bugs are ubiquitous and difficult to detect, the bug bounty organized by ImmuneFi on behalf of Wormhole has notably achieved its goal.
Immunefi said no funds were lost before the bug was flagged, verified, and fixed. The stakeholders involved believe related bug bounties of this nature with the whitehat community could help prevent many more attacks on DeFi protocols across the board.
“Wormhole paid satya0x a record bug bounty of $10 million for the find. It’s one thing to create a program with a really high top payout, but Wormhole has proven that they are very serious about paying top-dollar to help mitigate security issues in partnership with the whitehat community,” the ImmuneFi statement reads.
MakerDAO has announced that it will begin offering a maximum of $10 million bounty to white hat hackers and cybersecurity specialists who point out legitimate security threats in its smart contracts.
Maker’s (MKR) plan to pre-empt attacks on its smart contracts is the largest ever on the bug bounty platform Immunefi. In fact, if someone claimed the lot, it would equal the total of $10 million that Immunefi has paid out to date across active and inactive programs. Its website claims the bugs found have averted up to $20 billion in damages from hacks.
Whitehat hackers stand to gain payouts ranging from $1,000 for low-severity vulnerabilities through to a maximum of $10 million for critical issues found in Maker’s smart contracts and apps. The payouts will be made in DAI stablecoins. The next largest bug bounty on Immunefi is a $3.3 million bounty from Olympus DAO.
MakerDAO is the community that governs how DAI is collateralized and spent from Maker’s treasury. DAI is currently the fifth largest stablecoin with a $9.7 billion market cap according to CoinGecko.
The Maker Foundation had previously controlled aspects of governance on Maker before its CEO and founder Rune Christensen announced the dissolution of the foundation in July 2021, making the DAO “fully self-sufficient”.
Immunefi co-founder Travin Keith said in a Feb. 11 statement,
“We’re glad to announce one of the key pillars of our mandate, which is to launch and maintain a bug bounty program that will help MakerDAO ensure its safety.”
This new bug bounty comes at a time when smart contract exploits appear to be on the increase with hundreds of millions of dollars in losses over the past two weeks alone. Yesterday, hackers withdrew over $10 million from Dego Finance through a smart contract exploit.
Related: ImmuneFi reports $10B in DeFi hacks and losses across 2021
On Feb. 7, token bridge Meter.io’s smart contracts were hacked, causing $4.4 million in losses. On Feb. 2, the Wormhole token bridge’s smart contracts on Solana (SOL) were exploited to the tune of $321 million, which is the largest single loss in a hack so far this year.
Decentralized finance, or DeFi, security platform and bug bounty service ImmuneFi published an official report on Thursday which calculated the total volume of losses in the cryptocurrency markets in 2021. According to the report, losses resulting from hacks, scams and other malicious activities exceeded $10.2 billion over the past year.
Responsible for protecting over $100 billion worth of assets for a number of well-established DeFi protocols, including Synthetix, Chainlink, SushiSwap and PancakeSwap, among others, ImmuneFi has regularly facilitated seven-figure payouts to whitehat hackers and other good-willed entities for preventing protocol compromises.
According to the report, across 2021 there were 120 instances of crypto exploits or fraudulent rug-pulls, the highest valued hack being Poly Network at $613 million, followed by Venus and BitMart with $200 million and $150 million, respectively.
Other notable entries on the list were Alpha Finance and Cream Finance, which were both hacked for $37.5 million, yearn.finance’s $11 million, Furucombo’s $14 million evil-contract exploit, as well as the infamous Alchemix reverse rug, in which the platform’s users claimed a welcome $6.5 million windfall after a withdrawal issue arose with one of the platform’s synthetic assets, alETH.
The year 2021 saw a stark rise in both the frequency and volume of security breaches in comparison to the previous year, which recorded 123 incidents totaling $4.38 billion, a 137% increase in value lost.
We’ve just released our report for 2021 on crypto losses stemming from hacks and scams.
In total, the DeFi ecosystem saw a loss of $10,210,188,549
Read more facts and figures here:https://t.co/gCWiOqjhhZ pic.twitter.com/zEX28yg0vD
— Immunefi (@immunefi) January 7, 2022
In conversation with Cointelegraph, CEO and Founder of Immunefi, Mitchell Amador, spoke of his optimism for the future of onchain security, despite what he described as a “year of dramatic losses” for the industry.
“Despite the appearance of entirely new vulnerabilities in the onchain economy, the community is adapting rapidly. At Immunefi alone, we saved double the amount lost to exploitation this year, and security best practices are circulating throughout the community.”
Amador cited ImmuneFi’s role in facilitating Polygon’s recent $3.47 million payout to two whitehat hackers for their instrumental role in averting what was described as a “critical” vulnerability in the network’s proof-of-stake Genesis contract, which placed almost all of the MATIC token supply, worth around $10 billion, at risk.
In September last year, ImmuneFi organized what was reported at the time as the largest bounty in the history of DeFi, paid to renowned white hat programmer Alexander Schlindwein for averting a potential $10-million bug crisis in automated market maker, or AMM, protocol Belt Finance.
Schlindwein received a compensation of $1.05 million in total, $1 million of which was granted by Belt Finance with ImmuneFi acting as the middleman, and the remaining $50,000 offered by Binance Smart Chain’s Priority One program.
In October, ImmuneFi announced a $5.5 million capital raise from a number of institutional investors, including Blueprint Forest and Electric Capital, with the intention of expanding its security services across the DeFi industry in a concerted effort to lower the prevalence and financial impact of malicious exploits in the space.
Decentralized finance (DeFi) security platform Immunefi has announced a $5.5 million fundraise from a group of 11 institutional investors, including Blueprint Forest, Electric Capital, Framework Ventures and Bitscale Capital, in addition to a series of private individuals.
Immunefi will utilize the funds to advance its services in DeFi security, providing asset protection to smart contract protocols, as well as implementing financial incentives to benevolent hackers.
The service is reportedly responsible for protecting more than $50 billion in protocol assets from projects such as Synthetix, Chainlink, SushiSwap and PancakeSwap. It has paid out $7.5 million in bug bounties throughout its history.
According to analytical data from DeFiYield’s “REKT Database,” the DeFi space has experienced malicious hacks totaling more than $1.74 billion throughout its lifespan, a vast proportion of which has been witnessed in the months since July 2021.
The $609-million hack of cross-chain protocol Poly Network in early August 2021 bears the undesirable crown for the industry’s largest-ever hack. However, in unusually welcome circumstances, Mr. White Hat, as they came to be known, returned all of the available funds, the only exception being the $33 million in Tether (USDT) that had been frozen.
Over the past year, the prevalence and severity of financial breaches within the DeFi space have established a surging demand for security services such as Immunefi.
Related: White hat hacker paid DeFi’s largest reported bounty fee
Mitchell Amador, founder and CEO of Immunefi, spoke on the importance of offering DeFi protective measures:
“DeFi is unique because vulnerabilities in code represent a possibility of a direct loss of users’ money. Bug bounty programs are open invitations to security researchers to find those vulnerabilities in exchange for a reward, and have proved one of the most effective ways to deal with critical security holes.”
In late September, a $1.05 million bug bounty fee was paid to renowned white hat programmer Alexander Schlindwein in the aftermath of the Belt Finance saga for his instrumental role in preventing a potential $10 million downfall for the protocol. The claim was facilitated through Immunefi’s specialist bounty program.
More recently, white hat hacker Gerhard Wagner pocketed a cool $2 million for reporting a “double-spend” flaw on the Polygon network, preventing a potentially catastrophic $850 million exploit, with the bounty now standing as an industry record.
Immunefi’s Amador also commented on the potential impact a service such as Immunefi could have on the wider technology landscape:
“We believe that by helping launch such programs on Immunefi, we contribute not only to protecting DeFi projects for today, but also to shaping the tech industry for the future.”
A Whitehat hacker, Gerhard Wagner, has received the largest bug bounty in history after he discovered a vulnerability in Polygon’s plasma bridge.
According to Immunefi, a bug bounty platform for smart contracts and DeFi projects, the identified bug could have cost the protocol as much as $850 million if a malicious actor had found it first.
Immunefi said the Plasma Bridge bug was first reported on October 5, and its triage team verified the claim. The vulnerability allowed an attacker to exit the same burn transaction from the bridge multiple times, up to 223 times. Around $850 million was at risk: an attacker starting with just $100,000 could have extracted $22.3 million, and with enough capital could have drained the Plasma Bridge’s DepositManager entirely.
The report was then escalated to Polygon, which also confirmed it and promptly fixed the vulnerability. In line with its bug bounty policy, Polygon paid its highest listed reward for such reports, and Wagner was notably paid a $2 million sum.
The security of decentralized finance (DeFi) protocols became a subject of debate amongst experts following a series of hacks reported in the past months. Back in August, Blockchain.news reported the Poly Network hack, credited as the largest blockchain exploit to date with over $610 million stolen. While that event ended in the interoperability protocol’s favor, as the hacker returned all stolen funds, other projects have not been as lucky.
Despite the surge in hacks of blockchain-related protocols in the past months, mainstream tech firms are also experiencing their share of exploitation. Tech giant T-Mobile also suffered a large data breach back in August, with the attacker reportedly offering the stolen data for sale for 6 BTC, lending weight to the view that more whitehat hackers are needed across every corner of the tech ecosystem.
Polygon has patched a critical bug on its Plasma Bridge.
The vulnerability put $850 million at risk, though the issue was resolved before any funds were lost.
Polygon has paid a record $2 million bounty to the hacker who spotted the issue.
Polygon has patched a critical vulnerability that affected its Plasma Bridge.
Polygon Pays $2 Million Bounty
Ethereum sidechain Polygon has patched a critical bug on its Plasma Bridge contract.
A postmortem report from the bug bounty platform Immunefi revealed that the issue had been discovered by a whitehat and patched before any hack occurred or funds were lost.
Polygon is the largest sidechain network on Ethereum. It operates the Plasma Bridge, a two-way token gateway that lets users transfer assets from Ethereum mainnet to Polygon and withdraw them back on Ethereum.
Polygon’s Plasma Bridge has a security exit mechanism that involves burning tokens that have been requested to be withdrawn to mainnet. On Oct. 5, the whitehat hacker Gerhard Wagner found a security vulnerability that could let malicious hackers bypass the bridge’s exit mechanism.
The main vulnerability affected WithdrawManager, the bridge contract that verifies burn transactions from earlier child-chain blocks before releasing assets back on Ethereum.
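The earlier article gives the symptom (one burn exited up to 223 times) and this one names the contract that checks burns, but neither shows how a replay gets past a uniqueness check. The following is an added illustration of that class, not Polygon’s WithdrawManager or Immunefi’s code; the contract and function names, and the specific encoding malleability it models (a proof decoder that ignores a leading zero byte of the path), are assumptions for the example, and the real encoding detail is in Immunefi’s postmortem rather than on this page. The property being demonstrated is general: if the exit identifier is derived from caller-supplied bytes while the proof verifier accepts several byte encodings of the same leaf, every accepted encoding is a fresh exit of the same burn.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Illustration of the exit-replay class, not Polygon's code (names assumed).
// Model: a burn on the child chain is identified on the root chain by the
// block it was mined in plus the path ("branch mask") of its receipt in that
// block's receipt trie. Each burn must be exited exactly once.

library Path {
    // Stand-in for the proof verifier's path decoding (assumed for the example):
    // like a hex-prefix decoder that skips flag bytes, it treats leading 0x00
    // bytes as non-semantic, so 0x008001 and 0x8001 name the same leaf.
    function canonical(bytes memory branchMask) internal pure returns (bytes memory) {
        uint256 start = 0;
        while (start < branchMask.length && branchMask[start] == bytes1(0)) {
            start++;
        }
        bytes memory out = new bytes(branchMask.length - start);
        for (uint256 i = 0; i < out.length; i++) {
            out[i] = branchMask[start + i];
        }
        return out;
    }
}

contract ReplayableExitManager {
    mapping(uint256 => bool) public exited;
    mapping(address => uint256) public credited;

    // BUG: the exit id is hashed from the raw caller-supplied encoding. Every
    // encoding the verifier accepts for the same leaf yields a new id, so one
    // burn receipt can be exited once per accepted encoding.
    function exitId(uint256 blockNumber, bytes calldata branchMask) public pure returns (uint256) {
        return uint256(keccak256(abi.encode(blockNumber, branchMask)));
    }

    function startExit(uint256 blockNumber, bytes calldata branchMask, uint256 amount) external {
        // Inclusion proof of the burn receipt elided; assume it verifies
        // against Path.canonical(branchMask) and that `amount` is read from
        // the verified receipt rather than trusted from the caller.
        uint256 id = exitId(blockNumber, branchMask);
        require(!exited[id], "already exited");
        exited[id] = true;
        credited[msg.sender] += amount;
    }
}

contract HardenedExitManager {
    mapping(uint256 => bool) public exited;
    mapping(address => uint256) public credited;

    // Fix: derive the replay key from exactly what the verifier checks (the
    // canonical path) and, as defence in depth, reject non-canonical
    // encodings outright so no two byte strings are ever accepted for one leaf.
    function exitId(uint256 blockNumber, bytes calldata branchMask) public pure returns (uint256) {
        bytes memory canon = Path.canonical(branchMask);
        require(keccak256(canon) == keccak256(branchMask), "non-canonical path");
        return uint256(keccak256(abi.encode(blockNumber, canon)));
    }

    function startExit(uint256 blockNumber, bytes calldata branchMask, uint256 amount) external {
        uint256 id = exitId(blockNumber, branchMask);
        require(!exited[id], "already exited");
        exited[id] = true;
        credited[msg.sender] += amount;
    }
}
```

To see the difference, call `startExit(1, hex"8001", 100)` and then `startExit(1, hex"008001", 100)` on each contract: the replayable manager credits the caller twice for one burn, the hardened one reverts on the second call. The audit question this leaves a reviewer with is the one that matters for any bridge: is the nullifier keyed on the canonical identity of the event, or on bytes the prover chose?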
No user funds were lost
Thank you @g3rh4rdw4gn3r for responsibly disclosing the bug, and @immunefi for facilitating the bug bounty of $2,000,000
👷♀️Let’s build and make web 3.0 more resilient from such future attacks.
You can read the detailed postmortem of the exploit here 👇 https://t.co/svhfo2cewS
— Polygon | $MATIC (@0xPolygon) October 21, 2021
Wagner reported the vulnerability to Immunefi, which then notified Polygon. Per the Immunefi postmortem, the Polygon team “immediately began fixing the underlying issue” and it was safely patched soon after. The bug was reportedly severe enough that it could have allowed hackers to drain the entire value locked on Plasma Bridge, which was around $850 million at the time.
The Polygon team has rewarded Wagner with $2 million, the highest bounty paid in the crypto space to date.
In a statement shared with Crypto Briefing, Polygon co-founder Jaynti Kanani said that security should not be an afterthought when building the Web 3. Commenting on the issue, Kanani added that Immunefi had helped the Polygon team “connect with security researchers to make the Polygon Proof-of-Stake network more resilient.”
The incident serves as a reminder of the security issues with interoperability bridges. As a variety of Layer 1 blockchains have seen explosive growth, bridges have soared in popularity. However, many bridges have serious security weaknesses, which has led to several attacks. In one notable incident, $611 million was stolen from the cross-chain bridge service Poly Network. pNetwork and Thorchain have also suffered multi-million-dollar losses from bridge exploits in recent months.
Disclosure: At the time of writing, the author of this feature owned ETH.
Welcome to the latest edition of Cointelegraph’s decentralized finance (DeFi) newsletter.
DYdX surpassed Coinbase in daily trading volume for the first time this week. Read on to discover why this was a seminal moment for the project’s founder.
What you’re about to read is the concise version of this newsletter. For the full breakdown of DeFi’s developments over the last week — released with more anticipation than a layer-two airdrop — register below.
dYdX surpasses Coinbase in trading volume for first time
Decentralized derivatives exchange dYdX has risen to prominence through 2021 as an alternative to the dominance and opaque governance of centralized exchanges. It was revealed that dYdX surpassed the daily trading volume of crypto exchange stalwart Coinbase for the first time in its history.
Analytical data from CoinGecko revealed that dYdX facilitated in excess of $4.3 billion in trading activity on Sept. 26, eclipsing Coinbase’s $3.7 billion by about 15%.
This marks a full-circle moment for dYdX founder Antonio Juliano, who previously plied his trade at Coinbase. He recalled a time when he first spoke to CEO Brian Armstrong about his ambitions to launch a company in the future, receiving the response, “That’s awesome, let’s see how we can help you do that.”
Juliano celebrated the landmark in a series of tweets last Sunday:
5 years ago I left @coinbase and eventually founded dYdX
Today, for the first time, @dydxprotocol is doing more trade volume than Coinbase pic.twitter.com/QzoKAUpH29
— Antonio | dYdX (@AntonioMJuliano) September 26, 2021
Cardano to enable new DeFi stablecoin with Coti
It was announced this week that Cardano’s payment gateway provider, Coti, is expected to issue a new stablecoin called Djed to support the ecosystem’s ambitions in ensuring price stability and increasing the transparency of gas fees on the network.
According to Djed’s research paper released in August, its stablecoin protocol will behave like an “autonomous bank that buys and sells stablecoins for a price in a range that is pegged to a target price.” The stablecoin will operate by maintaining a reserve of base coins while minting and burning various other stable assets and reserve coins.
Cardano founder Charles Hoskinson believes that the Djed stablecoin could be revolutionary for the crypto space, as it appeals to an “entirely new audience at a time when the industry is already experiencing astronomical growth.”
White hat hacker paid DeFi’s largest reported bounty fee
Automated market maker protocol Belt Finance offered the largest reported bounty in the history of DeFi this week to a white hat hacker responsible for discovering a bug that, if exploited, could have exposed $10 million in assets.
For his good-willed efforts, industry programmer Alexander Schlindwein received a generous compensation of $1.05 million, $1 million of which was paid by Belt Finance through software security platform Immunefi, while the additional $50,000 was offered by the Priority One program of Binance Smart Chain, on which Belt Finance is built.
Cointelegraph spoke to Schlindwein for an exclusive insight into the timeline of events, as well as the wider implications of bounty programs on DeFi’s security landscape:
“I am strongly convinced of the importance of bug bounties and initiatives such as bounty funds. Bug bounties are the last line of defense should an issue slip through the overlying layers with the potential to prevent a devastating hack while instead seriously fixing the issue and compensating the finder.”
Schlindwein concluded, “It’s great to see hundreds of projects launching their bug bounty nowadays, which will certainly bring DeFi security forward in the long run.”
Token performances
Analytical data reveals that DeFi’s total value locked has increased 15.34% across the week to a figure of $121.41 billion.
Analytical data on Cointelegraph Markets and TradingView reveals that DeFi’s top 50 tokens by market capitalization largely struggled across the last seven days, with a handful of prominent exceptions.
DYDX secured the podium’s top spot with an impressive 82.39%. UNI came a respectable second with 23.88%, while PERP bagged third with 21.45%. Fourth and fifth place were claimed by FTM and XTZ with 11.62% and 8.67%, respectively.
Thanks for reading our summary of this week’s most impactful DeFi developments. Join us again next Friday for more stories, insights and education in this dynamically evolving ecosystem.
Belt Finance, an automated market maker (AMM) protocol operating a yield optimization strategy on Binance Smart Chain (BSC), claims to have paid the largest bounty in the history of decentralized finance (DeFi) to a whitehat hacker who averted a $10 million bug crisis.
Industry whitehat programmer Alexander Schlindwein discovered the vulnerability in Belt Finance’s protocol this week and reported it to the team. For his efforts, Schlindwein received a generous compensation of $1.05 million, the majority of which ($1 million) was paid by Belt Finance through Immunefi, with the additional $50,000 offered by Binance Smart Chain’s Priority One program.
Immunefi is one of the market leaders in software security for cryptocurrency projects. Since its inception, the platform has reportedly paid out in excess of $3 million to whitehat hackers who have successfully identified flaws in smart contracts and crypto platforms.
Priority One is a BSC initiative launched in July to enhance the security of dApps within the platform’s native ecosystem. Mirroring the structure of Immunefi, the service provides a $10 million incentive fund for blockchain bounty hunters who successfully contribute to averting security breaches across 100 dApps.
Alexander Schlindwein told Cointelegraph about how he discovered the vulnerability:
“I went through the list of bug bounties on Immunefi and picked Belt Finance as the next one to work on. While I was studying their smart contracts I noticed a potential bug in the internal bookkeeping which keeps track of each user’s deposited funds. Playing the attack through with pen and paper gave me more confidence in the existence of the bug. I continued by producing a proper proof-of-concept which undoubtedly confirmed its validity and economic damage.”
“The next step was to create an official report on Immunefi including the PoC and an extensive description of the exploit,” Schlindwein said, adding, “Immunefi reacted immediately to the critical report and within three minutes after submission, it was escalated to the Belt team. Shortly after, Belt confirmed the validity of the report and began implementing a fix which then patched the vulnerability.”
Related: The perfect storm: DeFi hacks will advance the crypto sector moving forward
Although DeFi’s security breaches remain a prevalent concern, it has been argued by some that the nascent ecosystem will benefit from such incidents in the long term, as areas of weaknesses are starkly highlighted.
Cointelegraph asked Schlindwein his perspective on the importance of bounty programs in supporting DeFi’s antifragile ambitions:
“I am strongly convinced of the importance of bug bounties and initiatives such as bounty funds. DeFi security consists of multiple layers, starting with peer review and unit testing to external audits and formal verification. Bug bounties are the last line of defense should an issue slip through the overlying layers with the potential to prevent a devastating hack while instead seriously fixing the issue and compensating the finder.”
“Bug bounties in DeFi have been a rare sight before Immunefi existed, only offered by the ‘Crème de la Crème’ of projects. It’s great to see hundreds of projects launching their bug bounty nowadays which will certainly bring DeFi security forward in the long run,” Schlindwein concluded.