    Reduction in Bug Bounty Programs Paves the Way for Billion-Dollar Cyberattacks in Crypto

By Ethan Carter, August 26, 2025

    Opinion by: Mitchell Amador, founder and CEO of Immunefi

    The most effective defense for crypto against severe hacks is not solely about code; it hinges on incentives. Bug bounties have saved billions, and it’s crucial to note that these amounts could have been lost to exploits if the correct incentives weren’t in place. This safeguard only functions when the rewards for ethical behavior significantly surpass those for exploitation, and current market trends are adversely affecting that balance.

    The scalable bug bounty standard dictates that the reward should increase with the capital at risk. For instance, if a vulnerability could lead to a loss of $10 million, the bounty should be as high as $1 million. These substantial incentives motivate security researchers to disclose issues rather than exploit them, and they are cost-efficient for protocols in comparison to the catastrophic consequences of a hack. This scalable method shields entire protocols from damage and supports the ongoing advancement of on-chain finance.

    However, market competition is distorting these incentives. Some platforms are linking their most affordable service tiers to limited bounty rewards, sometimes capping them at $50,000. This pricing model pressures protocols to lower rewards and cut costs, setting the stage for a potential catastrophic breach.

    Bug bounties as defensive tools

A recent example of this is the $12-million hack of Cork Protocol. The protocol had established a critical bug bounty of just $100,000, a small fraction of the funds at stake. This disparity creates a straightforward economic equation: Why invest hundreds of hours hunting for a vulnerability if the maximum payout is only 1/120th of the potential exploit value? Such logic does not deter exploitation; rather, it incentivizes it.

    Bug bounties are vital defensive tools that only succeed when they align with risk levels. When protocols holding tens of millions in total value locked offer bounties in the low five figures, they are effectively gambling that hackers will opt for ethics over financial gain. That’s not a valid strategy; it’s merely hopeful optimism.

    The million-dollar benchmark exists for a reason

    Crypto’s security standards emerged through significant monetary milestones. MakerDAO established a $10-million bounty to define what protection should entail. Wormhole’s $10-million payout following a major exploit established the precedent that real security requires substantial incentives. Security researchers need transformative reasons to favor disclosure over destruction in an industry where exploits can deplete treasuries rapidly.

    This scalable approach has proven effective. When critical vulnerabilities could threaten millions in user funds, bounties should provide proportional rewards, generally around 10% of the capital at risk. These economic principles help ensure that top researchers remain engaged within the ecosystem and are motivated to report vulnerabilities.

    Market dynamics are creating perilous norms

    The competition for market dominance has led some platforms to prioritize pricing over security outcomes. By tying platform fees to capped bounty rewards, they create a distorted incentive landscape; protocols are prompted to offer lower rewards to reduce costs, not because the risk justifies it, but because the pricing encourages such behavior. This represents a fundamental misapprehension of what bug bounties are. They aren’t mere expenses; they serve as insurance policies whose value must correspond to what they protect.

    Additionally, some security platforms now require exclusivity contracts that limit where researchers can operate. Others permit post-disclosure price adjustments that erode researcher trust. These actions undermine the social contract that is essential for bug bounties to work effectively. If skilled researchers lose faith in the fairness of the system, their options narrow: they may stop hunting, switch to private audits, or withdraw entirely.

    The outcome is a chilling effect: Protocols reduce rewards to minimize expenses. Researchers opt out because the potential benefits no longer justify the effort. Critical vulnerabilities remain undetected. Exploits occur. Protocols further diminish security budgets. It’s a downward spiral that serves no one but malicious actors.

    A cautionary tale from Web2

    The similarities to Web2’s failures with bug bounties are concerning. Persistent underpayment and inadequate treatment of researchers caused many talented white hats to abandon public programs altogether. The crypto sector cannot afford to repeat this mistake, especially with trillions in value poised to transition on-chain and institutions observing closely.

    Some claim that early-stage teams are unable to manage high bounties. However, the reality is that the cost of a single successful hack will always surpass that of a well-aligned bug bounty. Losing funds is costly; losing trust is disastrous.

    The way forward necessitates industry collaboration

    Safeguarding crypto’s security framework requires an acknowledgment that bug bounties rely on trust and incentives. Each undervalued program weakens the social contract that keeps talented researchers aligned with the law.

    The remedy is not extreme. Maintain bounty rewards that correspond with actual risk levels. Ensure fair and transparent treatment of researchers. Avoid treating security as merely a cost center instead of a value driver.

    Importantly, platforms need to stop incentivizing protocols to underfund their own defenses.

    The decentralized economy thrives only when trust grows alongside it. If we want crypto to flourish with the confidence of users, regulators, and institutions alike, we require bounty systems that are practical and effective, not just theoretically sound. Crypto can only prosper as long as its defenders are empowered to take action.

    This article is for general informational purposes and is not intended to be, nor should it be taken as, legal or investment advice. The views, thoughts, and opinions expressed here are those of the author alone and do not necessarily represent the views and opinions of Cointelegraph.