Web3 bug bounty platform Immunefi exists because it’s impossible to write completely secure code, said co-founder and CEO Mitchell Amador on the latest episode of gm from Decrypt podcast.
But with billions of dollars running through the pipelines of cryptocurrency protocols, finding and fixing vulnerabilities has become a costly problem to solve. Just last month, Immunefi published a report showing the number of hacks and scams in the first quarter of 2023 rose 192% compared to the same period last year.
Immunefi acts as a bug bounty crowdsourcing platform. Web3 and decentralized finance (DeFi) developers post bounties, or rewards, for reports of vulnerabilities found in their code. Computer security experts, or white hat hackers, then probe and poke at those codebases until they find a vulnerability. If their report checks out, they collect the bounty and get a tally added to their score on the leaderboard.
The highest-earning hacker on the platform has earned $13 million from submitting four reports so far. And Immunefi has paid out more than $75 million total since it launched in 2021. Although the company is beginning to flourish now, for the first two years it struggled to gain traction.
According to Amador, the issue was that it was more profitable to exploit a cryptocurrency protocol and steal millions than to report a bug and claim a bounty. That is also how Amador learned to hone his don't-be-a-bad-guy elevator pitch.
When Web3 bug bounty platform Immunefi launched two years ago, co-founder and CEO Mitchell Amador says the bug bounties weren't great and adoption was slow. But the tide started to turn because even if exploiting a smart contract nets a bigger payday than a bounty, it comes with a huge drawback. "There's a ton of risk when you engage in this, you know, wantonly criminal behavior and steal $200 million from someone else," he said. "There's no way someone's not going to come looking."
“Imagine we go to that same guy, and we say instead of $200 million, we'll pay you $10 million. We'll make you famous. We’ll glorify you. We’ll help you build your career—and there's no risk attached with this,” he said. “Nobody's going to come after you. Nobody's going to follow you. Nobody's going to look for you and break your legs. Nobody's going to file a criminal case and nobody's going to send you to jail. None of the bad stuff. Instead, you're going to be a hero.”
The framing Immunefi uses is that the risk of stealing from a cryptocurrency protocol is simply too big, no matter how large the financial reward might be. A black hat hacker will always be looking over their shoulder.
Amador's project instead offers a financial reward for finding vulnerabilities and warning protocols before they are exploited, but it mainly appeals to more personal values such as career satisfaction and peer recognition.
“Why do you do it? Because there are other values in life, other things that are worth more. And because the downsides to engaging in the action are very substantial,” he said. “You steal that money, you have a life of looking over your shoulder. It's not always going to be worth it. Is that risk better? I don't think for most people.”