Traditional Web site and app bug bounty platforms, such as HackerOne and Bugcrowd, have been successful in that old-world model. But there is a massive difference between the existing "Web 2.0" bug bounties and the new era of "Web 3.0" bugs associated with blockchains and crypto. In the era of Decentralised Finance (DeFi), Web 3.0 bug bounties become critical because they are associated with actual monetary value, not just software bugs.
This would perhaps explain why Immunefi, one of the emerging bug bounty and security services platforms for DeFi, has now raised $5.5 million in funding led by Electric Capital. Also participating are Blueprint Forest, Framework Ventures, Bitscale Capital, P2P Capital, IDEO Colab, The LAO, BR Capital, 3rd Prime Ventures, North Island Ventures and other individual investors.
With DeFi, billions of dollars in user funds are locked in smart contracts, visible and accessible to all. And the stakes are high. In 2020, hackers stole about $120 million from DeFi protocols in 15 separate attacks. And the problems are only getting bigger. Hackers have netted more than $1.7 billion this year. Polygon, which connects Ethereum blockchain networks, paid out $2,000,000 via Immunefi to a white-hat hacker who discovered a vulnerability that had put approximately $850 million of capital at risk.
Immunefi says its bug bounty platform for smart contracts and crypto projects enables security researchers to review code, disclose vulnerabilities and get paid to do so. It also allows companies to access security talent.
Mitchell Amador, founder and CEO of Immunefi, said: “DeFi is unique because vulnerabilities in code represent a possibility of a direct loss of users’ money. Bug bounty programs are open invitations to security researchers to find those vulnerabilities in exchange for a reward… We believe that by helping launch such programs on Immunefi, we contribute not only to protecting DeFi projects for today, but also to shaping the tech industry for the future.”
Clients for its platform include Synthetix, Chainlink, SushiSwap, PancakeSwap, Bancor, Cream Finance, Compound, Alchemix and other projects.
The company says that Belt Finance recently paid out $1,050,000, via Immunefi, to a white-hat hacker who had discovered a critical vulnerability in its protocol that put more than $10 million of capital at risk.
Roy Learner, principal at Framework Ventures, said: “This year, Immunefi succeeded in becoming DeFi’s leading bug bounty platform, gaining the trust of key industry players, and we are confident Immunefi is just getting started.”
Speaking to TechCrunch, Amador added: “The reality is that Web 3 is a far more adversarial environment, which means every part of the bug bounty process works differently from before, from the submission and processing of a report, to the validation of a report, to the negotiation for a payout. Where traditional Web 2 bug bounties are a convenient bug fixing tool, our Web 3 bug bounties are a far more critical emergency response system for DeFi projects.”