Web3 bug bounty platform Immunefi exists because it is impossible to write completely secure code, co-founder and CEO Mitchell Amador said on the latest episode of the gm from Decrypt podcast.
But with billions of dollars running through the pipelines of cryptocurrency protocols, finding and fixing vulnerabilities has become a costly problem to solve. Just last month, Immunefi published a report showing the number of hacks and scams in the first quarter of 2023 rose 192% compared to the same period last year.
Immunefi acts as a bug bounty crowdsourcing platform. Web3 and decentralized finance (DeFi) developers post bounties, or rewards, for reports of vulnerabilities found in their code. Then computer security experts—or white hat hackers—stab and poke at codebases until they find a vulnerability. If their report checks out, they collect the bounty and get a tally added to their score on the leaderboard.
The highest-earning hacker on the platform has earned $13 million from submitting four reports so far. And Immunefi has paid out more than $75 million total since it launched in 2021. Although the company is beginning to flourish now, for the first two years it struggled to gain traction.
According to Amador, the issue was that exploiting a cryptocurrency protocol and stealing millions was more profitable than reporting a bug and claiming a bounty. But that is how Amador learned to hone his don’t-be-a-bad-guy elevator pitch.
“Imagine we go to that same guy, and we say instead of $200 million, we'll pay you $10 million. We'll make you famous. We’ll glorify you. We’ll help you build your career—and there's no risk attached with this,” he said. “Nobody's going to come after you. Nobody's going to follow you. Nobody's going to look for you and break your legs. Nobody's going to file a criminal case and nobody's going to send you to jail. None of the bad stuff. Instead, you're going to be a hero.”
The framing used by Immunefi is that the risk of stealing from a cryptocurrency protocol is simply too great, whatever the financial reward might be. A black hat hacker will always be looking over their shoulder.
Instead, Amador’s project offers a financial reward for finding vulnerabilities and pre-emptively warning protocols, but mainly appeals to more personal values such as career satisfaction and peer recognition.
“Why do you do it? Because there are other values in life, other things that are worth more. And because the downsides to engaging in the action are very substantial,” he said. “You steal that money, you have a life of looking over your shoulder. It's not always going to be worth it. Is that risk better? I don't think for most people.”