Bug bounty

From DefiLlama
Jump to navigation Jump to search

A bug bounty is a countermeasure developers can implement to incentivize white hat hackers to disclose exploits discreetly without actually triggering them. Generally speaking, bug bounties strictly apply to specified smart contract repositories. There are two types of bug bounty: static or active. Active bug bounties are listed in a centralised place and hackers are driven towards them by directing organisations (such as Immunefi). Static bug bounties are simply mentions of a bug bounty in documentation.


A significant number of chains and protocols use bug bounties. These can range from a few thousand dollars to up to ten million dollars (at time of writing). Different bug bounties are listed on websites such as immunefi.com. By their count alone, some $135,000,000 are available for hackers to claim.

A notable strengthening of existing bug bounty programs is how Nexus Mutual will often double or triple the value of these existing bug bounties.


There are many cases of bug bounties successfully preventing exploits:

  • Trail of Bits disclosed a vulnerability in AAVE nearly launched version[1]
  • OpenZeppelin disclosed a multisig vulnerability in Convex[2].

A memorable example of the effectiveness of a high bug bounty is how armor.fi increased their bug bounty by a factor of twenty and just a day a critical and likely bug was discovered, disclosed and fixed.


Sometimes anonymous developers do not have a way to verify their anonymous counter party will not simply exploit the code when disclosing it. This is the case with OpenZeppelin's recent attempt to disclose a 10 figure vulnerability in Convex.

In addition, static bug bounties can often be exploited by developers who receive a tip off and fix the code without actually paying the entity who disclosed it. This undermines the utility and good faith of bug bounty programs and may cause people to be less willing to disclose these bugs. This is why neutral third parties often arbitrate these discussions.


Immunefi lists and organises all bug bounties in a web2, centralised company way. Hats.finance provides a similar offering though it does this in a decentralised way.