Immunefi launched in December 2020, to provide smart contract security via bug bounties. More importantly, they already claim to be the world’s premier bug bounty platform! Immunefi has ambitions to curb the DeFi hacking problem. To accomplish this goal, it provides blockchain projects with consultation services, bug triaging, program management, and, most importantly, an army of white hat hackers. Immunefi seeks to connect DeFi protocols with hackers to protect assets, and their timing couldn’t be better.
Immunefi Needs White Hat Hackers
Bug bounties are essential for crypto and especially for the decentralized finance (DeFi) sector. That’s because so far in 2021, DeFi is responsible for over 75% of all crypto hacks. That percentage leads to an amount of $361 million, which is nearly three times more than in 2020, according to the August 2021 “Cryptocurrency Crime and Anti-Money Laundering Report by Cipher Trace.”
Furthermore, suppose you’ve been paying attention to the news. In that case, you know about the latest exploit where an anonymous hacker (or group) stung the Poly Network for over $600 million worth of crypto assets. However, they claim to have hacked the multi-chain DeFi platform only to teach them a lesson but, they are returning the money.
Whether or not stealing money was the motive behind the Poly Network hack, we know that the attacker(s) exploited a bug to transfer money to themselves, which is where Immunefi comes in.
If you’d like to digest research from some of the biggest DeFi hacks, read our article: “DeFi Deep Dive – Top DeFi Hacks of 2020.” Or dig deeper with the “DeFi 101” and “DeFi 201” courses at Ivan on Tech Academy.
What are Bug Bounties?
Bug bounty programs offer security researchers rewards to uncover potential vulnerabilities to smart contracts and applications. Furthermore, bounties incentivize white hat hackers to find and report bugs to projects that, in turn, pay them based on the vulnerability’s severity.
Immunefi didn’t invent bug bounties, but they seek to remedy some of the problems associated with them.
Although the world divides hackers between white and black, most operate in the gray area. A hacker who discovers an exploit that can earn a quick $5 million can find himself in a bit of a quandary in terms of sheer economics. Does he want to do the right thing and haggle with the affected company to collect a $5k bug bounty, maybe? Or should he act on the vulnerability himself? Without a consistent and equitable reward system for white hats, the temptation to drift over to the dark side will remain.
Blockchain projects typically don’t have anyone in charge of handling bug bounties. So if a white hat tries to report a vulnerability, they can get caught in a series of dead ends trying to find the decision-maker. Also, if the tech lead receives a tip from an outsider that their code is flawed, it’s easy for their ego to take over and dismiss the bounty hunter as a nuisance.
Even if everything gets reported to the proper channels, there is no guarantee the company will pay up. The finance department may disagree with the development team over what the bug bounty is worth, if anything.
Immunefi’s Elevator Pitch
So, Immunefi’s sales pitch to potential clients might sound something like this, “Bug bounties are a pain. Let us take care of them for you.” To other bounty hunters, their pitch could be, “Looking for bug bounty projects is a pain (not to mention negotiating the reward). Let us take care of it for you.”
In short, Immunefi handles the communication and negotiates payments on behalf of their white hats, which can be a huge relief – especially for uber-geeks who can barely cope with other human beings. Moreover, Immunefi lets hackers remain anonymous and doesn’t require KYC documentation to participate.
Immunefi’s Bounty Program
The Immunefi platform already has some lucrative bounties with clients like xDai, which offers up to $2 million in rewards. Other notable bounty offerings come from C.R.E.A.M. Finance worth up to $1.5 million, SushiSwap up to $1.25 million, and PancakeSwap and Armor.Fi each posting $1 million in bounties. In addition, Armor.Fi has already paid $1.5 million to an Immunefi white hat in February 2021.
Immunefi recommends a bug bounty of 10% of the total value locked (TVL) in the protocol for significant vulnerabilities for their clients. That percentage may seem too steep for protocols with massive amounts in TVL. Take THORChain, for example. After their second attack, they posted a $500k bug bounty on Immunefi. Although this is a generous bounty, it works out to more like 5% since their TVL is $100 million.
With $31 million in bounties currently available, Immunefi wants to change bug bounty hunting from a hobby to a viable career. The platform has thus far paid out more than $3 million and saved their clients $1 billion in losses. All in all, Immunefi boasts that its average payout is in the tens of thousands of dollars which dwarfs other bug bounty platforms.
Hacking as an Evolutionary Process
A more controversial outlook on hacking is that although exploits are expensive and painful for the victims, they are only possible because of hastily coded smart contracts. In this regard, hacks are a necessary but painful step to producing “unhackable” code. Such an outlook can seem harsh, especially for the projects and users losing loads of crypto assets.
From this viewpoint, any hack can be considered a bug bounty that helps “armor the sheep” in the future. With each hack, the offending vulnerability dies. In other words, hacks produce a Darwinian survival of the fittest process. Weak projects face an early demise which helps harden the entire system with secure code.
So, every time a project such as Poly gets hacked, other projects learn from it (hopefully), which quickly makes that exploit extinct. Having explored that thought process, $600 million is still a painful lesson and quite an exorbitant bug bounty. Immunefi hopes to succeed with a less costly alternative to keep bank balances and reputations intact.
Immunefi’s Benefits to Blockchain Projects
The best protection against costly vulnerabilities is getting expert eyes to look at code. One benefit for projects that work with Immunefi is getting some of DeFi‘s top security talent to put their eyes on your code.
Another benefit for clients is round-the-clock access to Immunefi’s secure bug dashboard. The dashboard is where Immunefi’s “triagers” escalate bugs and bring them to the client’s attention. Immunefi also offers access to their “War Room Alpha,” where their top white hat hackers and crisis management experts stand, ready to help out if the worst-case scenario materializes.
Bug Bounty Hunting with Immunefi
If you like to dig into code and solve some of the most exciting puzzles anywhere, you may be interested in bug bounty hunting. To make a living out of it, however, is not so easy. The initial learning process involves studying lots of articles and tutorials. After learning how to code, fledgling bounty hunters can start competing in “Capture The Flag (CTF)” events.
Capture the Flag (CTF) Competitions
CTF contests are cybersecurity competitions that challenge participants to solve security problems and capture and defend computer systems. They’re good training for the fledgling bounty hunter. However, moving on to real-world bug bounty hunting will be more challenging than organized competitions. For one thing, in a CTF event, there is a solution to each challenge. With bug bounties, the path is not so clear.
Smart Contract Vulnerabilities
The next step for aspiring bug bounty hunters is to learn what types of smart contract vulnerabilities exist. The most damaging attacks are:
1. Reentrancy Attacks.
2. Integer Overflows and Underflows.
4. Oracle Manipulation.
Hunting Bugs with Immunefi
There are four steps for bug bounty hunters when joining Immunefi.
Step 1 – Explore Bounty Opportunities – White hat hackers can scan Immunefi’s list of bounties that best match their skillset.
Step 2 – Review the Code – The next step is to review the bounty requirements and the code.
Step 3 – Submit Bug Reports – Bug hunters can submit their findings via the Immunefi app after locating a vulnerability.
Step 4 – Payment – Immunefi will confirm the bug’s validity and liaison with the project’s team to acquire payment for the bounty hunter.
Understand the Project
Once you’ve mastered the prerequisites, you’ll need to follow a system so you don’t waste time chasing bugs that don’t exist.
Some of the top bounty hunters have found success by thoroughly understanding a project before looking for bugs in the code. They want to understand everything about the application and what it’s supposed to do. Although it sounds like a lot of extra preliminary work, if there is a bug, this approach increases the chances of finding it.
Chasing bug bounties demands one to take creative and unique approaches. It requires one to assume the mindset of a black hat hacker, how they might exploit an app, and then try different attack vectors. Every project will be unique, so there isn’t a “one-size-fits-all” when it comes to cracking a project’s vulnerable points.
Immunefi CEO, Mitchell Amador
The Perils of Bug Bounty Hunting on Immunefi
Trying to understand a system fully is just one of the challenges white hackers face. Below are some others.
Chasing Rewards and Burnout
Patience is a crucial attribute when starting because you’ll spend most of your time reading secure and acceptable code. You may put in hours of code review only to find that the project is rock solid. That’s why it’s essential to work on projects you’re interested in instead of chasing big payouts. Otherwise, the necessary early failures can burn you out more quickly.
For the sake of longevity, it’s vital that you put the learning aspect at the forefront of your journey and not the million-dollar payoff fantasies.
Out of Scope Bugs
This situation can occur when you find a valid bug outside the project scope or is not important enough to be considered dangerous. After all, the decision as to whether or not you get paid resides with the project’s team.
Dealing with Duplicates
Now, let’s say that you successfully find a bug and it’s within the project’s scope. The next problem is, what if another researcher beat you to the punch reporting the same bug? “Duplicates” are the nightmare that haunts every bug bounty hunter.
In such cases, you need to keep a positive attitude and reframe the situation. Yes, you found a bug. Yes, you won’t get paid for it. But you did learn a lot in the process.
The Luck Factor
Unfortunately, luck does play a role in bug bounty hunting. The prize does not always go to the most skilled or talented. There are things you can do, however, to enhance your chances of success. Constantly improving your skills is one way. Automating some of your redundant tasks is another.
After all, successful bounty hunting depends on some other developer making a mistake. Further, that mistake has to slip past multiple pairs of eyeballs checking the code, or you’ll have nothing to discover.
Tearing Down the Castle
When a bug bounty hunter starts a new project, examining the code can look like one giant, imposing castle. Remind yourself that you don’t need to tear the whole thing down. One open window or crack in the castle wall is all you need to get in. A tiny hole can have a significant impact on data leaks. Keep that in mind as you experiment and test out systems.
What is Immunefi? – Conclusion
As the general public gets more reliant on DeFi to handle their investments, loans, trades, and other personal banking applications, they’re going to want smart contracts that are unhackable. This task may seem impossible with all the recent hacks going on. But with both black and white hat hackers hard at work, blockchain networks will harden as developers build more reliable code.
Immunefi has chosen the path to empower white hat hackers and hopefully entice some black hats to cross over as well. To sum up, now is the time to start your blockchain career. Whether you decide to code smart contracts, audit them, or become a bug bounty hunter, there is a class for you. Check out the list of blockchain courses at Ivan on Tech Academy. Enroll and get started today!