LayerZero Labs and Immunefi have announced their collaboration to launch an unprecedented $15 million bug bounty program. The initiative sets a new benchmark in the crypto industry, surpassing the previous record holder, MakerDAO’s $10 million bug bounty.
LayerZero Labs, renowned for its omnichain interoperability protocol LayerZero, and Immunefi, a leader in bug bounty and security services, have partnered to encourage smart contract security researchers and white hat hackers to identify potential vulnerabilities and attack vectors in blockchain protocols such as LayerZero. The sheer size of this bounty sets it apart from LayerZero’s previous initiatives and underlines its prioritization of smart contract security.
The reward fund is earmarked to come from the equity entity of LayerZero Labs. LayerZero's CEO, Bryan Pellegrino, emphasized the commitment to security over all other facets:
“The security of [a] protocol comes before anything else.”
Immunefi, on the other hand, is no stranger to the security challenges of the crypto sector. Providing security services for over $60 billion in user funds across a wide range of crypto-based projects and blockchain firms such as , , , , and , among others, has paid out over $75 million in bug bounties to date.
LayerZero's recent $120 million Series B funding round has catapulted its . Its distinctive messaging protocol allows for various types of message exchanges between blockchains, eliminating the need for intermediaries. LayerZero currently connects over 30 mainnet blockchains, including two non-Ethereum Virtual Machines (EVMs) and .
However, the crypto world hasn't been without its fair share of financial damages of late. According to Immunefi’s Crypto Losses 2022 report, over $3.9 billion was "lost" last year. Notably, this represents a 51.2% reduction compared to 2021's loss figures. Specifically, $3.77 billion of the 2022 losses resulted from 134 hacking incidents, and fraud accounted for another $175 million lost over 34 incidents.
LayerZero, launched in March 2022, has seen a transaction volume exceeding $15 billion within its first 14 months. Demonstrating its stringent adherence to security measures, LayerZero has not experienced a security exploit or hack since inception. Last year, the blockchain infrastructure firm invested around $5 million in auditing to ensure the security of its code before its release to the public.
While the overall crypto market has seen fewer losses recently, the actual amounts involved are still substantial. For instance, in March, a massive $200 million was pilfered from the crypto lending platform, . This exploit, albeit substantial, only ranks among the top 20 in recent crypto history.
Security stands as a paramount concern for anyone involved in the crypto space. As Pellegrino asserts:
“For anyone building in the space, security should be the priority above all else. If you don’t have good security, eventually you will be hacked.”
The bug bounty program offers a substantial maximum reward of $15 million for the discovery of a high-severity vulnerability. The precise payout is determined based on the Immunefi Vulnerability Severity Classification System, which assesses the impact of the identified vulnerability.
Bug reports submitted to the program need to include a viable proof-of-concept (PoC) that demonstrates a tangible impact on the scoped assets. The terms explicitly state that theoretical explanations or statements alone cannot be accepted as PoCs – concrete code is required.
The program outlines that critical smart contract vulnerabilities found on major blockchains and Layer 2 protocols such as Ethereum, BNB Chain, Avalanche, Polygon, Arbitrum, Optimism, and Fantom may garner a reward of either $250,000 or 10% of the endangered asset's value at the time of reporting, whichever is higher. For all other chains, the payout for critical vulnerabilities starts at $25,000. Rewards for non-critical vulnerabilities are evaluated based on internal criteria.