If you’re technically minded and enjoy pulling protocols apart line by line, crypto bug bounties are a great way of proving your skills and making a living.
Bug bounty programs can assume many forms, but they share this much in common: they’re incentivized. That means that in exchange for testing out various crypto platforms and protocols and identifying any flaws in them, you’ll be recompensed for your efforts.
From the perspective of the projects issuing the bounties, it’s a small price to pay for having hundreds of pairs of eyes scrutinizing their platform to identify any weak links. Community members who have been the earliest supporters of a new project are typically the first to be invited to participate in a bounty program. You’ll almost certainly need developer experience to be able to get involved, however.
In return for pen-testing smart contracts; exploring a testnet; or trying to exploit a dApp, you could earn rewards running into the thousands of dollars. Here are six of the best crypto bounty programs that are currently open to the public.
L2 scaling solution Boba is going from win to win right now, with a flurry of projects making use of its hybrid compute solution for multi-chain dApps. On January 13, it launched a new bounty program with a maximum payout of a whopping $1M. Rewards are paid out on the basis of the threat severity of the vulnerability discovered.
Boba is utilizing a five-level scale to rate the seriousness of any bugs identified including those affecting the protocol itself as well as the smart contracts and apps built using Boba. With a minimum reward of $50,000, there are ample incentives for experienced devs to run a fine tooth comb over Boba and see what they can uncover.
Astar provides the infrastructure for building dApps with EVM and WASM smart contracts. It offers developers true interoperability with cross-consensus messaging (XCM) and a cross-virtual machine (XVM). There are a lot of moving parts with Astar and thus it’s essential that its tech stack is vulnerability-free.
Like Boba, Astar is running its bug bounty program on Immunefi, the maximum payout is capped at a generous $1M. This is a job for experienced bug-seekers only, as a Proof of Concept will be required to qualify for the highest possible payout. It’s particularly interested in identifying vulns involving a direct loss of user funds, double spending, or the minting of tokens.
Balancer’s multi-chain liquidity protocol is extensively battle-tested and has been copied more times than almost any other DeFi codebase. That doesn’t mean its team is taking anything for granted when it comes to threat identification though. Its Immunefi bounty program pays out between $50,000 and $1M depending on the severity of any vulnerabilities identified.
For medium-level threats, no Proof of Concept is required, but the maximum payout for these is capped at 25 ETH. Higher-level threats require a PoC but come with a greater reward attached. High-severity smart contract vulnerabilities are capped at 10% of economic damage.
Ankr provides the decentralized infrastructure for web3 including RPCs, liquid staking, and tools for GameFi developers looking to bring web2 games to web3. Its bounty program has a maximum payout of $500,000 and all submissions require a PoC detailing the vulnerability.
There’s a minimum reward of $10,000 for critical smart contract vulnerabilities and there’s no shortage of them to analyze. Due to the wide-ranging scope of Ankr’s work, it has an array of protocols and smart contracts, including staking contracts, to secure.
Rootstock, better known as RSK, is the smart contract network anchored by Bitcoin. Its EVM-compatible smart contract platform leverages the security of the Bitcoin network while allowing assets to be moved from Ethereum with the RSK-ETH token bridge.
IOVLabs, the lead developer of RSK, has its own bug bounty program. It invites security experts, software developers, and hackers to put the RSK blockchain to the test and submit any vulnerabilities they may find. Anonymous submissions are accepted, but in such cases, IOVLabs will donate any bounty payout to charity.
Built on Avalanche, Dexalot is a decentralized exchange that mimics the look and feel of a centralized exchange, complete with a central limit order book. Users can trade crypto securely and efficiently, with no slippage or custody risk. On January 13, Dexalot launched its bug bounty with a reward of up to $100,000 per critical bug identified.
Developed in partnership with HackenProof, the program will award anywhere from $1,000 for a low-level vuln all the way up to $100,000 for a critical bug. Eligible vulnerabilities will include those pertaining to stealing or loss of funds; unauthorized transactions; and transaction manipulation.
If you’re technically minded and enjoy pulling protocols apart line by line, bug bounties are a great way of proving your skills. Stumble across a particularly juicy vulnerability and you could even walk away with a handsome reward. Fire up your Github and start downloading those repos.