Bug Bounties Hit Limits as AI Puts Crypto Hackers on Equal Footing
Security researchers sound the alarm as artificial intelligence levels the playing field between white-hat hackers and malicious actors.
The New Arms Race
Traditional bug bounty programs—where companies pay ethical hackers to find vulnerabilities—are struggling to keep pace with AI-powered attack tools. What used to require elite technical skills now gets automated by machine learning algorithms scanning millions of lines of code.
Defense Budgets Stretched Thin
Major crypto protocols report tripling their security budgets while seeing fewer critical vulnerabilities discovered through bounty programs. The math doesn't work—unless you're a hedge fund manager used to paying seven figures for mediocre returns.
Adapt or Get Rekt
Security teams are racing to deploy their own AI defense systems, creating an algorithmic arms race where the house doesn't always win. When both sides have access to the same tools, the advantage goes to whoever moves fastest—and crypto has never been about playing it safe.
Bug bounties hit a wall
Immunefi has facilitated over $100 million in payouts to white-hat hackers, with steady monthly distributions ranging from $1 million to $5 million. However, Amador told Decrypt that the platform has "hit the limits" as there aren't "enough eyeballs" to provide the necessary coverage across the industry.
The constraint isn't just about researcher availability, as bug bounties face an intrinsic zero-sum game problem that creates perverse incentives for both sides, according to Amador.
Researchers must reveal vulnerabilities to prove they exist, but they lose all leverage once disclosed. Immunefi mitigates this by negotiating comprehensive contracts that specify everything before disclosure occurs, Amador said.
Meanwhile, Matviiv told Decrypt that he doesn't think "we're anywhere close to exhausting the global pool of security talent," noting that new researchers join platforms annually and progress quickly from “simple findings to highly complex vulnerabilities.”
"The challenge is making the space attractive enough in terms of incentives and community for those new faces to stick around."
Bug bounties have likely reached their "zenith in efficiency" outside of net-new innovations that don't even exist in traditional bug bounty programs, Amador added.
The company is exploring hybrid AI solutions to give individual researchers greater leverage to audit more protocols at scale, but these remain in R&D.
Bug bounties remain essential as "a diverse, external community will always be best positioned to discover edge cases that automated systems or in-house teams miss," Matviiv noted, but they'll increasingly work alongside AI-powered scanning, monitoring, and audits in "hybrid models."
The biggest hacks aren't coming from code
While smart contract audits and bug bounties have matured considerably, the most devastating exploits are increasingly bypassing code entirely.
The $1.4 billion Bybit hack earlier this year highlighted this shift, Amador said, with attackers compromising Safe's front-end infrastructure to replace legitimate multi-sig transactions rather than exploiting any smart contract vulnerability.
"That wasn't something that WOULD have been caught with an audit or bug bounty,” he said. “That was a compromised internal infrastructure system."
Despite security improvements in traditional areas like audits, CI/CD pipelines, and bug bounties, Amador noted that the industry is "not doing so hot" on multi-sig security, spear phishing, anti-scam measures, and community protection.
Immunefi has launched a multi-sig security product that assigns elite white-hat hackers to manually review every significant transaction before execution, which it said would have caught the Bybit attack. But he acknowledged it's a reactive measure rather than a preventative one.
This uneven progress explains why 2024 became the worst year for hacks despite improvements in code security, as hack patterns follow a predictable mathematical distribution, making single large incidents inevitable rather than anomalous, Amador said.
"There's always going to be one big outlier," he said. "And it's not an outlier, it's the pattern. There's always one big hack per year."
Smart contract security has matured considerably, Matviiv said, but "the next frontier is definitely around the broader attack surface: multi-sig wallet configurations, key management, phishing, governance attacks, and ecosystem-level exploits."
Effective security requires catching vulnerabilities as early as possible in the development process, Amador told Decrypt.
"Bug bounty is the second most expensive, the most expensive being the hack," he said, describing a hierarchy of costs that increases dramatically at each stage.
“We're catching bugs before they hit production, before they even hit an audit,” Amador added. “It would never even be included in an audit. They wouldn't waste their time with it."
While hack severity remains high, Amador said that "the incidence rate is going down, and the level of severity of most of the bugs is going down, and we're catching more and more of these things in the earlier stages of the cycle."
When asked what single security measure every project at Token2049 should adopt, Amador called for a “Unified Security Platform,” addressing multiple attack vectors.
That’s essential, as fragmented security essentially forces projects to "do the research yourself" on products, limitations, and workflows, he said.
"We are not yet to the point where we can handle trillions and trillions of assets. We're just not quite there at prime time."
