An Introduction to ImmuneFi: The World’s Leading Bug Bounty Platform

Beginner | 12/6/2024, 5:32:36 AM
An overview of what makes ImmuneFi the leading bug bounty platform in Web3 and how that translates into better blockchain security.

The blockchain industry is no stranger to attacks, largely because it stores and protects billions of dollars in digital assets. Over $55 million was lost in October 2024 alone to hacks on projects such as Radiant Capital and Tapioca DAO. Such attacks exploit bugs in the project's own code: flaws in contract logic that an attacker can trigger to drain or lock funds.

Recognizing the need for a community-driven solution, Mitchell Amador founded ImmuneFi to protect blockchain projects from bugs of every size by paying the people who find them before attackers do. This article explains what ImmuneFi does and how it benefits the blockchain community.

What is ImmuneFi?



Immunefi is a security platform that protects Web3 projects by finding and fixing bugs in blockchain systems, smart contracts, and decentralized applications (dApps). A bug here means a flaw or vulnerability in a system's code. In essence, ImmuneFi incentivizes white hat hackers to find and report bugs and rewards them according to the severity of the vulnerability.

In addition to bug bounty programs, Immunefi provides services that wrap around the bounty: hosting the program, managing triage of incoming reports, and running a project's entire security program on its behalf. Its smart contract services cover code review and vulnerability detection, which helps protect against malicious actors. Immunefi also reports an ecosystem of over 35,000 security researchers, more than 1,000 of whom have found critical bugs on mainnet.

History of ImmuneFi

ImmuneFi was founded by Mitchell Amador, who launched the platform on December 9, 2020. The idea for ImmuneFi struck Amador during a hiking trip in the Swiss Alps in early 2020, when he discovered that a different cryptocurrency project had fallen victim to a hacking incident. This incident highlighted the urgent need for improved security in the DeFi and Web3 spaces, as no existing solutions addressed these vulnerabilities.

Recognizing that the talent to tackle this issue existed within the community, Amador realized that a unifying platform was necessary to incentivize hackers to help protect projects. This led to the creation of Immunefi, a bug bounty platform dedicated to enhancing the security of Web3 applications.

Since its inception, ImmuneFi has built a strong reputation, partnering with prominent projects such as Synthetix, The Graph, Polygon, MakerDAO, Nexus Mutual, SushiSwap, Vesper Finance, Bancor Network, and Chainlink. Today, ImmuneFi is the leading bug bounty platform in Web3, serving over 330 projects.

The impact of ImmuneFi has been significant, with the platform reportedly saving more than $25 billion in user funds from potential hacks and disbursing over $100 million in bounties. Currently, the platform plays a crucial role in protecting more than $190 billion in user assets, reinforcing the importance of community-driven security in the ever-evolving world of cryptocurrency.

How Does ImmuneFi Work?

ImmuneFi runs a transparent bug bounty system in which the proof of concept (PoC) is the standard of evidence. A PoC is a small, working piece of code, typically a test run against a local fork of the chain, that demonstrates the flaw in a smart contract or blockchain system and quantifies its impact without touching live contracts. It is the accepted way to prove what a bug could do to a project, and almost every program on ImmuneFi requires one. Testing against mainnet or public testnet deployments is prohibited: the PoC must run on a private fork or testnet only.

ImmuneFi’s operations cater to both whitehat hackers and project owners. Whitehats are ethical hackers who identify and address vulnerabilities in systems and software before malicious actors can exploit them. Those malicious actors are known as blackhats, and while they engage in illegal activities for personal gain, whitehats operate within legal boundaries and often collaborate with organizations to enhance their security.

On one side, whitehats browse a selection of bug bounty programs worth over $162 million in total rewards from reputable Web3 projects. Once they find a program that matches their skill set, they review the program's rules and the specific assets eligible for review. Only bugs in the assets listed in the program's scope are rewarded, and most programs also list the impacts in scope, so a bug in an in-scope asset whose effect is out of scope is not paid either.

After finding a bug, the whitehat creates an account and submits a report, including the PoC, through the Immunefi Bugs dashboard. Immunefi's triage team first checks that the report is in scope, reproducible and correctly rated, then escalates it to the project. The project validates and fixes the issue and, once the fix is confirmed, pays the bounty. The report stays under embargo until the project has patched.

On the project owners' side, a project fills out a bug bounty onboarding form and then receives a questionnaire. ImmuneFi uses the answers to draft a bug bounty program and sends the draft to the project for review. Once the project approves it, the program is handed to a launch specialist, who works with the project's marketing team to choose the launch time and other launch details.

As a client service, ImmuneFi also writes Bugfix Review write-ups for resolved vulnerabilities, which remind the wider crypto community of the project's commitment to security, and it offers PR assistance and advice on communicating patched vulnerabilities effectively.

ImmuneFi also uses a severity classification system so that bug reports are triaged consistently. It categorizes vulnerabilities by their potential impact on user funds, network functionality, and overall protocol security. Each program lists the reward it pays at each severity level in the "Rewards by Threat Level" section of its bug bounty page; the researcher selects a severity when submitting, and triage may adjust it.

The latest version of the Immunefi Vulnerability Severity Classification System (v2.3) uses a four-tier scale: Critical, High, Medium, and Low. Critical covers outcomes such as a network shutdown or direct theft of user funds; High, Medium and Low cover progressively less severe impacts, down to issues such as a contract failing to deliver promised returns without any loss of value. Many programs scale Critical smart contract rewards to a percentage of the funds directly at risk, capped at the program's maximum, which is why a PoC that quantifies the impact matters.

The system also defines what is out of scope, for example vulnerabilities in test files, basic economic and governance attacks such as a 51% attack, lack of liquidity, and incorrect data supplied by third-party oracles. This gives developers and researchers a shared standard for classifying and addressing vulnerabilities. It also lists prohibited conduct, such as testing against mainnet or public testnet contracts, denial-of-service attacks, and social engineering of project staff, so that testing stays ethical and safe.

Main Features of ImmuneFi

ImmuneFi is home to several interesting features, including:

ImmuneFi Profiles



ImmuneFi Profiles help whitehats showcase their achievements to the world, including the vulnerabilities they’ve reported, their earnings, the badges and awards they’ve earned, and their rank on the ImmuneFi leaderboard.

In its first version, Profiles are available only to whitehats with at least one paid report on ImmuneFi. Later updates are to open Profiles to the entire research community and add features such as a Contribution Feed, which displays a researcher's reports over time so they can track their impact.

ImmuneFi currently has six badges that can appear on a participant's profile:

  • One Of Us: This badge is awarded upon completing your Immunefi profile, including all your social media links.
  • Bought The BMW: When you’ve earned over $100,000 on ImmuneFi.
  • There’s Grass Outside, You Know: When you’ve earned over $1,000,000.
  • Friends In High Places: After you’ve linked your Immunefi profile to your Twitter bio (it may take up to 24 hours to show, but usually registers in 10 minutes).
  • High Five: After receiving five bounties on Immunefi.
  • Rocketman: When you identify a valid bounty from a Boost.

More badges, boost cards, and achievements will be added in later updates.

Audit Competitions



An Audit Competition is a time-boxed code review with a fixed reward pool for whitehats. During the event, researchers report security vulnerabilities, and rewards are allocated according to the impact and severity of each finding under Immunefi's severity classification.

Immunefi partners with each blockchain project to customize the competition, including deciding on the reward pool size and event duration and providing expert marketing assistance to attract adept researchers.

Once the competition concludes, participants are rewarded for their contributions, and projects receive a comprehensive summary report that outlines the key findings and insights gleaned during the event.

Developers can launch an audit competition within days and receive findings in real time while it runs. Immunefi states that competitions are cheaper than most audit contests, with fees around 20% lower, and that they reach a broader and more skilled pool of security researchers.

A leaderboard lets participants track and compare their performance. Researchers are still rewarded when someone else reports the same bug first: the prize for a duplicate issue is shared among everyone who identified it, which reduces the pressure to rush and encourages collaboration.

Whitehat Awards



The Immunefi Whitehat Awards are designed to celebrate the outstanding efforts of whitehats who played a vital role in enhancing Web3 security. These awards recognize individuals for their responsible reporting of security vulnerabilities and offer different forms of recognition, such as digital NFTs and luxury merchandise.

The awards follow a tiered structure, incentivizing hackers to hit specific goals, like submitting reports that qualify for payment or achieving certain bounty thresholds. The tiers are currently divided into the Initiate Tier, for whitehats who have earned over $50,000 on ImmuneFi, and the Elite Tier, for those who have earned over $100,000. However, more tiers, such as the Master Tier (over $1 million in earnings) and the Grandmaster Tier (over $10 million in earnings), are expected to be announced soon.

Whitehat Hall of Fame Collection



The Whitehat Hall of Fame is an NFT collection for the world’s most acclaimed white hats. Holders of this Hall of Fame card are considered the world’s most talented and important hackers. They receive custom-designed NFTs to immortalize their contributions to Web3 security.

Each NFT is unique and minted specifically for each significant and successful bug report. Holders can keep it free of charge or sell it to collectors interested in celebrating historic moments in Web3 security.

Invite Only



The ImmuneFi Invite Only Program is designed to select only the most qualified researchers for specific bug bounty projects. This selection process considers each project’s technical requirements and ecosystem, ensuring that the researchers’ expertise aligns well with the project’s needs for an effective audit or bug bounty engagement.

The main feature of this program is its commitment to maintaining privacy and confidentiality. Project teams can tailor their protocols to include specific agreements regarding confidentiality, control over asset visibility, and preferences related to the publication of findings. This ensures that any sensitive information is handled securely, allowing projects to work with top-tier security experts while upholding their privacy standards.

By concentrating a hand-picked group of researchers on critical vulnerabilities and significant security issues, the Invite Only Program shortens the window between a vulnerability being introduced and being found. Faster detection and resolution of security concerns improves the overall security of the blockchain project.

ImmuneFi Vaults



ImmuneFi Vaults are designed to increase transparency and trust between whitehats and project owners by helping them securely manage bug bounty assets and payments. Projects can deposit and withdraw funds from their vaults, and the balance allocated for bounties is visible to whitehats. This level of transparency helps build trust, as whitehats will be encouraged to submit top-tier bug reports since they are confident that the project has enough money to pay for bugs.

Projects can set up their vaults in less than 10 minutes. After verifying a valid bug report, payments are issued directly from the project’s vault, making transactions seamless and secure. This system also includes features like wallet verification to prevent errors or wrong payments​.

Vaults are currently available on Ethereum and Optimism, with support for other EVM chains such as Polygon, Gnosis Chain and Arbitrum expected. Projects can deposit stablecoins, ETH, and any other asset on Uniswap's token list, and can pay a reward in one or more assets in a single transaction.

ImmuneFi Safe Harbor



ImmuneFi Safe Harbor is an implementation of the Whitehat Safe Harbor Agreement, a legal framework created by the Security Alliance (SEAL), that lets whitehats intervene while a project is under active attack by blackhats. With the project's prior legal consent, and provided they follow the agreement's terms, whitehats may rescue funds at risk during such an attack and return them to the recovery address the project has designated, in this case a Vault managed on Immunefi. In return, these researchers can earn up to 60% of the program's maximum critical reward.

Immunefi integrates Safe Harbor into existing bug bounty programs. It uses the same bug report dashboard, so projects keep the emergency alert channels and security personnel they already rely on. Safe Harbor therefore acts as an extension of a project's ImmuneFi bug bounty program rather than a separate process.

Common Bugs Found By ImmuneFi Hackers

Reentrancy

Reentrancy vulnerabilities arise when a contract makes an external call (for example, sending ETH to the caller) before it has updated its own state. The call hands control to the recipient, and if the recipient is a contract it can call back into the original function while the stale state is still in place, withdrawing repeatedly until the contract is drained or its accounting is corrupted. The best-known example is the 2016 DAO hack on the early Ethereum network. The fixes are to follow the checks-effects-interactions pattern (update state before making external calls) and to add a reentrancy guard, a mutex that rejects nested calls into guarded functions.

Oracle/Price Manipulation

Price oracles supply market data, such as token prices, to smart contracts. Oracle manipulation is an attack on that data source: most commonly the attacker takes a flash loan and skews the reserves of an on-chain pool that a protocol reads as its price, so the protocol values collateral or a trade at a false price within a single transaction. A lending protocol that reads the spot price from one pool can be made to lend far more than the collateral is worth, and the attacker restores the pool and repays the loan in the same block. Defenses are to use decentralized feeds that aggregate data from many independent sources, time-weighted average prices rather than instantaneous ones, and sanity checks that reject stale or out-of-range readings.
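The spot-price failure mode described above, beside a hardened form that consumes an aggregated feed, as an added Solidity example that is not from the page or from any protocol. The Uniswap V2 pair and Chainlink AggregatorV3 interfaces are the real public ABIs; the two lending contracts, their names and the 75% loan-to-value figure are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration (not ImmuneFi's or any protocol's code). The interfaces
// match the public Uniswap V2 pair and Chainlink AggregatorV3 ABIs; the
// lending logic around them is hypothetical.

interface IUniswapV2Pair {
    function getReserves()
        external view
        returns (uint112 reserve0, uint112 reserve1, uint32 blockTimestampLast);
}

interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Vulnerable: values collateral at the AMM spot price. A flash loan can skew
// the reserves in the same transaction, borrow against the inflated value,
// then restore the pool and repay.
contract SpotPriceLender {
    IUniswapV2Pair public immutable pair;   // token0 = collateral, token1 = stable

    constructor(IUniswapV2Pair _pair) { pair = _pair; }

    // Stable units per 1e18 collateral, read straight from reserves.
    function collateralPrice() public view returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        require(r0 > 0, "empty pool");
        return (uint256(r1) * 1e18) / uint256(r0);   // manipulable within one tx
    }

    function maxBorrow(uint256 collateralAmount) external view returns (uint256) {
        return (collateralAmount * collateralPrice() / 1e18) * 75 / 100;   // 75% LTV
    }
}

// Hardened: the price comes from a feed aggregated across many reporters,
// which no single transaction can move, and the reading is rejected if it is
// non-positive, from an incomplete round, or older than the allowed staleness.
contract FeedPriceLender {
    AggregatorV3Interface public immutable feed;
    uint256 public immutable maxStaleness;   // feed heartbeat plus a margin

    constructor(AggregatorV3Interface _feed, uint256 _maxStaleness) {
        feed = _feed;
        maxStaleness = _maxStaleness;
    }

    function collateralPrice() public view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();
        require(answer > 0, "invalid price");
        require(answeredInRound >= roundId, "incomplete round");
        require(block.timestamp - updatedAt <= maxStaleness, "stale price");
        // Normalise to 18 decimals whatever precision the feed uses.
        return uint256(answer) * 1e18 / (10 ** uint256(feed.decimals()));
    }

    function maxBorrow(uint256 collateralAmount) external view returns (uint256) {
        return (collateralAmount * collateralPrice() / 1e18) * 75 / 100;
    }
}
```

The staleness bound is as important as the source: a feed that stops updating during a market crash is a manipulation-free but still wrong price, and a PoC for an oracle bug will often target exactly that gap rather than the pool itself.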

Weak Access Control

Weak access control means a privileged function, such as minting tokens, pausing the protocol, changing a fee recipient, upgrading the implementation or withdrawing funds, lacks an adequate authorization check, or grants it to the wrong party. Well-designed contracts use role-based permissions and sound authentication so that each account or process holds only the permissions its role requires. Documenting each role's capabilities and limits makes gaps easier to spot, lets unit tests assert that every privileged function rejects unauthorized callers, and helps resolve conflicts between roles, reducing the risk of critical vulnerabilities caused by oversight or misconfiguration.

It is equally important to limit each role's authority. Granting excessive permissions, or concentrating control in a single owner key, means one compromised account or private key can cause severe damage. Splitting that authority into narrower roles, ideally held by multisigs or behind timelocks, limits the blast radius of a compromise.

Frontrunning

Frontrunning exploits the public nature of pending transactions. An attacker watches the mempool (the pool of transactions that have been broadcast but not yet included in a block), then submits a transaction with a higher priority fee so that it executes ahead of the victim's. On decentralized exchanges this commonly takes the form of a sandwich: the attacker buys just before the victim's swap and sells right after it, so the victim fills at a worse price. Mitigations include caller-supplied slippage limits and deadlines on swaps, and routing sensitive transactions through private relays instead of the public mempool.
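An added Solidity example (not from the page or from any DEX) of the contract-side mitigation: a swap wrapper that accepts whatever the pool returns, next to one that enforces a caller-supplied minimum output and deadline, plus a toy constant-product pool whose reserves can be skewed to simulate the sandwich on a local chain. IPool, MockPool and both wrapper contracts are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration (not from the page or any DEX). IPool and MockPool are
// a hypothetical constant-product pool used to reproduce a sandwich locally.

interface IPool {
    function swap(uint256 amountIn) external returns (uint256 amountOut);
}

// Toy pool: x*y=k with 1000:1000 reserves. skew() plays the attacker's
// front-running buy, which moves the price before the victim's swap lands.
contract MockPool is IPool {
    uint256 public reserveIn = 1_000 ether;
    uint256 public reserveOut = 1_000 ether;

    function skew(uint256 extraIn) external {
        uint256 out = (reserveOut * extraIn) / (reserveIn + extraIn);
        reserveIn += extraIn;
        reserveOut -= out;
    }

    function swap(uint256 amountIn) external returns (uint256 amountOut) {
        amountOut = (reserveOut * amountIn) / (reserveIn + amountIn);
        reserveIn += amountIn;
        reserveOut -= amountOut;
    }
}

// Vulnerable: accepts any output. A searcher who sees this transaction in
// the mempool buys before it and sells after it, and the user receives far
// less than the quote they saw in their wallet.
contract UnboundedSwap {
    IPool public immutable pool;
    constructor(IPool _pool) { pool = _pool; }

    function swapExact(uint256 amountIn) external returns (uint256) {
        return pool.swap(amountIn);
    }
}

// Hardened: the user states the worst output they will accept and a deadline.
// The swap reverts instead of filling at a manipulated price, and a held-back
// transaction cannot be mined later when conditions favour the attacker.
contract BoundedSwap {
    IPool public immutable pool;
    constructor(IPool _pool) { pool = _pool; }

    function swapExact(uint256 amountIn, uint256 minAmountOut, uint256 deadline)
        external
        returns (uint256 amountOut)
    {
        require(block.timestamp <= deadline, "expired");
        amountOut = pool.swap(amountIn);
        require(amountOut >= minAmountOut, "slippage exceeded");
    }
}
```

With the 1000:1000 pool, a 10 ether swap quotes about 9.9 ether out; after `skew(200 ether)` the same swap returns roughly 6.9 ether. UnboundedSwap fills at that price, while BoundedSwap called with a minAmountOut near the original quote reverts, which is the behaviour a report on a missing slippage check would demonstrate.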

Uninitialized Proxy

Uninitialized proxy bugs arise in upgradeable contracts, where a proxy delegates calls to a separate implementation and state is set by an initialize() function rather than a constructor. If that function can still be called (it lacks an initializer guard, or it was not invoked atomically at deployment), or if the implementation contract itself is never initialized, an attacker can call it first and claim owner or admin rights over the proxy or the implementation, and from there control upgrades or funds. The best-known case is the Wormhole bridge bug reported through ImmuneFi in February 2022, which earned a $10 million bounty, the largest paid at the time.
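One added Solidity example (not code from the page or from any project) that serves both the access control and the uninitialized proxy sections: a treasury with a single owner key and an unguarded initialize(), beside a hardened version built on OpenZeppelin's upgradeable library that disables initialization on the bare implementation, makes initialize() one-shot, and splits fund movement and upgrade authority into separate roles. The contract names, the roles and the treasury logic are assumptions; the OpenZeppelin imports and the initializer, onlyRole and _authorizeUpgrade hooks are the library's real API.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration (not ImmuneFi's or any project's code). The imports are
// OpenZeppelin's upgradeable library; everything else here is hypothetical.
import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/access/AccessControlUpgradeable.sol";

// Vulnerable: a single all-powerful owner, set by whoever calls initialize() first.
contract WeakTreasury {
    address public owner;

    // BUG 1: no initializer guard, so anyone can call this (again) and become owner.
    // BUG 2: the same function exists on the bare implementation contract, which
    //        nobody initialises, so an attacker can claim ownership there as well.
    function initialize(address _owner) external {
        owner = _owner;
    }

    // BUG 3: one key both moves funds and (in a real deployment) authorises
    //        upgrades, so a single key compromise is total.
    function sweep(address payable to) external {
        require(msg.sender == owner, "not owner");
        to.transfer(address(this).balance);
    }

    receive() external payable {}
}

// Hardened: one-shot initialisation, a locked implementation, and narrow roles.
contract HardenedTreasury is Initializable, UUPSUpgradeable, AccessControlUpgradeable {
    bytes32 public constant TREASURER_ROLE = keccak256("TREASURER_ROLE");
    bytes32 public constant UPGRADER_ROLE = keccak256("UPGRADER_ROLE");

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();   // the logic contract itself can never be initialised
    }

    // `initializer` makes this callable exactly once per proxy. Pass the call as
    // the proxy's constructor data (ERC1967Proxy's second argument) so deployment
    // and initialisation happen in one transaction and cannot be front-run.
    function initialize(address admin, address treasurer, address upgrader) external initializer {
        __AccessControl_init();
        __UUPSUpgradeable_init();
        _grantRole(DEFAULT_ADMIN_ROLE, admin);      // manages role membership only
        _grantRole(TREASURER_ROLE, treasurer);      // may move funds
        _grantRole(UPGRADER_ROLE, upgrader);        // may change the code
    }

    function sweep(address payable to, uint256 amount) external onlyRole(TREASURER_ROLE) {
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Upgrades need a different key from day-to-day fund movement, so one
    // compromised key cannot both replace the code and drain the balance.
    function _authorizeUpgrade(address) internal override onlyRole(UPGRADER_ROLE) {}

    receive() external payable {}
}
```

A useful test for the hardened version is negative: calling initialize() a second time on the proxy must revert, calling it on the implementation address must revert, and sweep() from the upgrader key must revert. Those three assertions are precisely what a report on WeakTreasury would show failing.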

News on ImmuneFi

In the October 2024 edition of its monthly crypto losses report, ImmuneFi reported that the crypto community lost $1,400,073,177 to hacks and rug pulls across 179 incidents in the first ten months of 2024, a one percent decrease from the $1,414,641,935 lost over the same period of 2023.

In October 2024 alone, losses were $55,138,600 across seven incidents, all of them hacks; no fraud was reported. That is a 114% increase from October 2023 but a 56.6% decrease from September 2024. The largest losses were Radiant Capital ($50 million) and Tapioca DAO ($4.4 million). DeFi was the only sector affected, and BNB Chain was the most targeted chain, accounting for 50% of the month's losses.

Is ImmuneFi a Good Investment?

ImmuneFi has built its reputation as the leading bug bounty platform in the crypto industry. It offers public bug bounty programs, audit competitions and tailored engagements such as the Invite Only program, and it is the meeting point between whitehat hackers and project owners. For a project, the practical value is a standing, funded incentive for outsiders to report bugs before attackers exploit them; with its severity framework and flexible program design, ImmuneFi helps projects build more secure ecosystems.

Author: Tamilore
Translator: Viper
Reviewer(s): Piccolo, Matheus
Translation Reviewer(s): Ashely
* The information is not intended to be, and does not constitute, financial advice or any other kind of recommendation offered by Gate.io.
* This article may not be reproduced, transmitted or copied without crediting Gate.io. Contravention is an infringement of copyright law and may be subject to legal action.

An Introduction to ImmuneFi: The World’s Leading Bug Bounty Platform

Beginner12/6/2024, 5:32:36 AM
Click to discover what makes ImmuneFi the world’s leading bug bounty platform and how this translates to better blockchain security.

The blockchain industry is no stranger to attacks, mainly since it stores and protects billions of digital assets. Over $55 million was lost in just October alone due to hacks on projects like Radiant Capital and Morpho Labs. These hacks target bugs in the original project’s code, looking for loopholes and backdoors to infiltrate.

Recognizing the need for a decentralized solution to mitigate this, Mitchell Amador founded ImmuneFi to protect blockchain projects from bugs that could cause issues, no matter how small they are. Thus, we need to understand what ImmuneFi does and how it benefits the blockchain community.

What is ImmuneFi?


Source: immunefi

Immunefi is a security platform that protects Web3 projects by identifying and addressing bugs in blockchain systems, smart contracts, and decentralized applications (dApps). Bugs are simply flaws or vulnerabilities within a system’s code. Essentially, ImmuneFi incentivizes white hat hackers to find and report bugs and reward them based on the severity of the vulnerability.

In addition to its bug bounty services, Immunefi provides various tools to enhance blockchain security. These tools include network hosting, management of the triage process for bug reports, and oversight of entire security programs for different projects. Their smart contract services are especially useful for conducting code reviews and detecting vulnerabilities, which helps protect against malicious actors. Immunefi also boasts an ecosystem of over 35,000 security researchers, with more than 1,000 of them having discovered critical bugs on the mainnet.

History of ImmuneFi

ImmuneFi was founded by Mitchell Amador, who launched the platform on December 9, 2020. The idea for ImmuneFi struck Amador during a hiking trip in the Swiss Alps in early 2020, when he discovered that a different cryptocurrency project had fallen victim to a hacking incident. This incident highlighted the urgent need for improved security in the DeFi and Web3 spaces, as no existing solutions addressed these vulnerabilities.

Recognizing that the talent to tackle this issue existed within the community, Amador realized that a unifying platform was necessary to incentivize hackers to help protect projects. This led to the creation of Immunefi, a bug bounty platform dedicated to enhancing the security of Web3 applications.

Since its inception, ImmuneFi has established a strong reputation, partnering with prominent projects such as Synthetix, TheGraph, Polygon, MakerDAO, Nexus Mutual, SushiSwap, Vesper Finance, Bancor Network, and Chainlink. Today, ImmuneFi is the leading bug bounty platform in Web3, serving over 330 projects.

The impact of ImmuneFi has been significant, with the platform reportedly saving more than $25 billion in user funds from potential hacks and disbursing over $100 million in bounties. Currently, the platform plays a crucial role in protecting more than $190 billion in user assets, reinforcing the importance of community-driven security in the ever-evolving world of cryptocurrency.

How Does ImmuneFi Work?

ImmuneFi runs a transparent bug bounty system supported by a proof-of-concept consensus mechanism. A proof of concept is a basic, functional code written by a white hat highlighting flaws in a smart contract or blockchain system. It is created to show how those flaws can be exploited without causing issues in a live environment. As such, they serve as the standard way to provide evidence of a bug’s potential impact on a project. They are also required by almost all the bug bounty programs on ImmuneFi.

ImmuneFi’s operations cater to both whitehat hackers and project owners. Whitehats are ethical hackers who identify and address vulnerabilities in systems and software before malicious actors can exploit them. Those malicious actors are known as blackhats, and while they engage in illegal activities for personal gain, whitehats operate within legal boundaries and often collaborate with organizations to enhance their security.

On one hand, whitehat hackers (cybersecurity professionals who identify and fix system vulnerabilities) explore a selection of bug bounties worth over $162 million from reputable projects in the Web3 space. Once they find a program that matches their skill set, participants can review the bounty requirements and examine the specific code eligible for review. However, only bugs discovered within the code specified in the bounty scope will be rewarded.

After finding a bug, the whitehat hacker must create an account and submit the bug through the ImmuneFi bugs platform. As soon as the ImmuneFi team confirms the validity of the bug, they will work hand in hand with the bounty hunter and the client to address the issue, after which payments will be made.

On the project owners’ side, they would have to fill out a bug bounty onboarding form, after which they will receive a questionnaire. ImmuneFi will then use the answers to the questionnaire to draft a bug bounty program. Afterward, the project sends the bug bounty draft to the client for review. If everything is good, the bounty is handed over to the launch specialist, who will work with the client’s marketing team to decide the best launch time and other marketing details.

As client service, ImmuneFi writes bugfix reviews for vulnerabilities to remind the larger crypto community about the project’s commitment to security. They also provide PR assistance and advice on effectively communicating patch vulnerabilities.

ImmuneFi also uses a severity classification system to manage bug reports efficiently. This system categorizes vulnerabilities based on their potential impact on user funds, network functionality, and overall protocol security. Each project within the ImmuneFi network is assigned a severity level, found in the “Rewards by Threat Level” section on the project’s bug bounty program page.

The latest version of the Immunefi Vulnerability Severity Classification System (v2.3) uses a four-tier scale: Critical, High, Medium, and Low. Critical vulnerabilities could lead to severe consequences, such as total network outages or significant fund theft, while lower categories focus on less severe issues, like minor bugs in smart contracts.

The system also outlines areas considered out of scope, including vulnerabilities in test files, governance-related attacks, and economic risks outside ImmuneFi’s jurisdiction. This framework helps developers enhance their project security by providing standard guidelines for classifying and addressing vulnerabilities. It also specifies all prohibited conduct within bug bounty programs to ensure ethical and safe security testing practices.

Main Features of ImmuneFi

ImmuneFi is home to several interesting features, including:

ImmuneFi Profiles


Source: immunefi

ImmuneFi Profiles help whitehats showcase their achievements to the world, including the vulnerabilities they’ve reported, their earnings, the badges and awards they’ve earned, and their rank on the ImmuneFi leaderboard.

While it is still the first version, profiles will be available to all white hats with at least one paid report on ImmuneFi. However, in the coming updates, the entire research community can access Profiles. The new version will also include new features, such as a Contribution Feed, which displays reports over time so users can track their impact.

ImmuneFi has six badges that will be attached to the participant’s profile. These include:

  • One Of Us: This badge is awarded upon completing your Immunefi profile, including all your social media links.
  • Bought The BMW: When you’ve earned over $100,000 on ImmuneFi.
  • There’s Grass Outside, You Know: When you’ve earned over $1,000,000.
  • Friends In High Places: After you’ve linked your Immunefi profile to your Twitter bio (it may take up to 24 hours to show, but usually registers in 10 minutes).
  • High Five: After receiving five bounties on Immunefi.
  • Rocketman: When you identify a valid bounty from a Boost.

More badges, boost cards, and achievements will be added in later updates.

Audit Competitions


Source: immunefi

An Audit Competition is a time-sensitive code review with a designated reward pool for whitehats. During these events, ethical hackers report security vulnerabilities and the rewards are allocated based on the impact and severity of their discoveries, as determined by Immunefi’s grading system.

Immunefi partners with each blockchain project to customize the competition, including deciding on the reward pool size and event duration and providing expert marketing assistance to attract adept researchers.

Once the competition concludes, participants are rewarded for their contributions, and projects receive a comprehensive summary report that outlines the key findings and insights gleaned during the event.

Developers can launch audit competitions in days and get real-time updates while the competition is ongoing. They are also more economical than most audit contests, offering 20% cheaper fees and connecting developers with a broader, more skilled community of security researchers.

Another notable feature is the leaderboard, which allows participants to track their performance and compare themselves. Moreover, developers can still receive rewards even if another researcher discovers a bug first. The prize is shared among all who can identify the same issue, thus alleviating the pressure to rush and promoting teamwork.

Whitehat Awards


Source: medium

The Immunefi Whitehat Awards are designed to celebrate the outstanding efforts of whitehats who played a vital role in enhancing Web3 security. These awards recognize individuals for their responsible reporting of security vulnerabilities and offer different forms of recognition, such as digital NFTs and luxury merchandise.

The awards follow a tiered structure, incentivizing hackers to hit specific goals, like submitting reports that qualify for payment or achieving certain bounty thresholds. The tiers are currently divided into the Initiate Tier, for whitehats who have earned over $50,000 on ImmuneFi, and the Elite Tier, for those who have earned over $100,000. However, more tiers, such as the Master Tier (over $1 million in earnings) and the Grandmaster Tier (over $10 million in earnings), are expected to be announced soon.

Whitehat Hall of Fame Collection


Source: immunefi

The Whitehat Hall of Fame is an NFT collection for the world’s most acclaimed white hats. Holders of this Hall of Fame card are considered the world’s most talented and important hackers. They receive custom-designed NFTs to immortalize their contributions to Web3 security.

Each NFT is unique and minted specifically for each significant and successful bug report. Holders can keep it free of charge or sell it to collectors interested in celebrating historic moments in Web3 security.

Invite Only


Source: immunefi

The ImmuneFi Invite Only Program is designed to select only the most qualified researchers for specific bug bounty projects. This selection process considers each project’s technical requirements and ecosystem, ensuring that the researchers’ expertise aligns well with the project’s needs for an effective audit or bug bounty engagement.

The main feature of this program is its commitment to maintaining privacy and confidentiality. Project teams can tailor their protocols to include specific agreements regarding confidentiality, control over asset visibility, and preferences related to the publication of findings. This ensures that any sensitive information is handled securely, allowing projects to work with top-tier security experts while upholding their privacy standards.

By concentrating on critical vulnerabilities and significant security issues, the Invite-Only Program effectively minimizes the time frame in which potential threats can emerge. This leads to quicker detection and resolution of security concerns, ultimately enhancing the overall security of the blockchain project.

ImmuneFi Vaults


Source: immunefi

ImmuneFi Vaults are designed to increase transparency and trust between whitehats and project owners by helping them securely manage bug bounty assets and payments. Projects can deposit and withdraw funds from their vaults, and the balance allocated for bounties is visible to whitehats. This level of transparency helps build trust, as whitehats will be encouraged to submit top-tier bug reports since they are confident that the project has enough money to pay for bugs.

Projects can set up their vaults in less than 10 minutes. After verifying a valid bug report, payments are issued directly from the project’s vault, making transactions seamless and secure. This system also includes features like wallet verification to prevent errors or wrong payments​.

The Vaults are currently available on Ethereum and Optimism, and it is expected to other EVM chains like Polygon, Gnosis Chain and Arbitrum. Projects can deposit stablecoins, ETH, and any other asset on Uniswap’s token list. They can also pay rewards with one or more assets in a single transaction.

ImmuneFi Safe Harbor


Source: immunefi

ImmuneFi Safe Harbor is a legal framework created by the Security Alliance (SEAL) to enable whitehats to protect a project’s funds when it is under attack from blackhats, or malicious actors. This framework allows them to recover funds that are at risk during such attacks and safely redirect those funds back to a designated Vault managed by Immunefi. In return, these researchers can earn up to 60% of the maximum critical reward available for the project.

Immunefi also integrated Safe Harbor into existing bug bounty programs. Safe Harbor also uses the existing bug report dashboard, so projects can use the same emergency alert system and security personnel that they are comfortable with. As such, Safe Harbor acts as an extension of ImmuneFi’s bug bounty programs.

Common Bugs Found By ImmuneFi Hackers

Reentrancy

Reentrancy vulnerabilities happen when a smart contract can be called again before its first execution has completed. This lets an attacker’s contract call back into the same function before its state (such as a balance) has been updated, draining funds or corrupting that state. A famous example is the 2016 DAO hack, which targeted the early Ethereum network. To avoid reentrancy issues, developers can use reentrancy guards to prevent nested calls during a single operation.

Oracle/Price Manipulation

Price oracles feed critical market data, such as token prices, to smart contracts. Oracle manipulation involves attackers exploiting these data feeds to supply false information, leading to inaccurate price calculations. For instance, tampering with the oracle allows an attacker to inflate token prices and profit during transactions. To prevent this, developers use decentralized oracles that aggregate data from multiple sources.
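The aggregation idea above in code, as an added example rather than any project’s oracle: several independent feeds are read, stale answers are rejected, and the result is only trusted when the feeds agree within a bound. The `IPriceFeed` interface is assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal feed interface (constructed for this example): a price with
// 18 decimals and the timestamp of its last update.
interface IPriceFeed {
    function latestPrice() external view returns (uint256 price, uint256 updatedAt);
}

// A single spot price read from one pool can be moved inside one transaction.
// Requiring agreement among independent feeds and rejecting stale answers
// makes such a move revert instead of silently mispricing collateral.
contract MultiSourceOracle {
    IPriceFeed[] public feeds;
    uint256 public immutable maxDeviationBps; // e.g. 200 = 2% spread allowed
    uint256 public immutable maxAge;          // seconds before a feed is stale

    constructor(IPriceFeed[] memory _feeds, uint256 _maxDeviationBps, uint256 _maxAge) {
        require(_feeds.length >= 3, "need at least three feeds");
        feeds = _feeds;
        maxDeviationBps = _maxDeviationBps;
        maxAge = _maxAge;
    }

    // Median of fresh answers; reverts if any feed is stale or if the spread
    // between lowest and highest answer exceeds maxDeviationBps.
    function price() external view returns (uint256) {
        uint256 n = feeds.length;
        uint256[] memory p = new uint256[](n);
        for (uint256 i = 0; i < n; i++) {
            (uint256 v, uint256 t) = feeds[i].latestPrice();
            require(v > 0, "zero price");
            require(t <= block.timestamp && block.timestamp - t <= maxAge, "stale feed");
            p[i] = v;
        }
        // insertion sort; n is small
        for (uint256 i = 1; i < n; i++) {
            uint256 key = p[i];
            uint256 j = i;
            while (j > 0 && p[j - 1] > key) { p[j] = p[j - 1]; j--; }
            p[j] = key;
        }
        uint256 lo = p[0];
        uint256 hi = p[n - 1];
        require((hi - lo) * 10_000 <= lo * maxDeviationBps, "feeds disagree");
        return p[n / 2];
    }
}
```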

Weak Access Control

Most systems adopt strict access control measures, such as role-based permissions and robust authentication, to protect against unauthorized access. These controls ensure that users and processes are only granted permissions necessary for their specific roles. Documenting each role’s capabilities and limitations helps identify potential vulnerabilities, enabling more effective unit testing and conflict resolution. This process helps ensure the system operates as intended, reducing the risk of critical vulnerabilities caused by negligence or misconfigurations.

Additionally, it’s essential to limit each role’s authority. Granting excessive permissions or relying too heavily on centralized control can cause significant damage if an account or private key is compromised. Breaking down roles into smaller segments will reduce the impact of such breaches, enhancing the system’s stability.

Frontrunning

Frontrunning happens when an attacker exploits the public nature of blockchain transactions. Attackers observe pending transactions in the mempool (a temporary area for storing unexecuted transactions on the blockchain), then place their transactions with higher gas fees to execute ahead of the victim’s transaction. This is particularly common in decentralized exchanges, where timing can affect trade outcomes.
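One standard mitigation for the mempool exposure described above, written here as an added example and not taken from any project: a commit-reveal scheme, where only a hash of the order enters the mempool and the contents are revealed in a later block, so an observer has nothing to copy or outbid.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example. Phase 1 publishes keccak256(user, amount, minOut, salt);
// phase 2, at least one block later, reveals the preimage. The reveal is bound
// to msg.sender and salted, so it cannot be replayed by another address or
// guessed from the small space of plausible order sizes.
contract CommitRevealOrders {
    struct Commit { bytes32 hash; uint256 blockNumber; bool revealed; }
    mapping(address => Commit) public commits;

    event Committed(address indexed user, bytes32 hash);
    event Revealed(address indexed user, uint256 amount, uint256 minOut);

    function commitHash(address user, uint256 amount, uint256 minOut, bytes32 salt)
        public pure returns (bytes32)
    {
        return keccak256(abi.encode(user, amount, minOut, salt));
    }

    function commit(bytes32 hash) external {
        Commit storage c = commits[msg.sender];
        require(c.hash == bytes32(0) || c.revealed, "pending commit exists");
        commits[msg.sender] = Commit(hash, block.number, false);
        emit Committed(msg.sender, hash);
    }

    function reveal(uint256 amount, uint256 minOut, bytes32 salt) external {
        Commit storage c = commits[msg.sender];
        require(c.hash != bytes32(0) && !c.revealed, "no pending commit");
        require(block.number > c.blockNumber, "reveal too early");
        require(commitHash(msg.sender, amount, minOut, salt) == c.hash, "bad reveal");
        c.revealed = true;
        // The actual trade would execute here, with minOut enforced as a
        // slippage bound so a price moved between commit and reveal still
        // cannot fill the order below the user's stated floor.
        emit Revealed(msg.sender, amount, minOut);
    }
}
```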

Uninitialized Proxy

Uninitialized proxy vulnerabilities occur when the storage variables behind a proxy contract are not set up correctly before use. This lack of proper configuration can lead to security risks, since these uninitialized variables might hold important data (such as the owner address) or influence key contract functions. Malicious hackers could exploit this by setting the uninitialized variables themselves and gaining unauthorized access.
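The initializer pattern that closes this gap, together with the narrow owner role from the access-control section above, as an added example (constructed for this page, not ImmuneFi’s or any project’s code): a one-shot `initialize()` replaces the constructor for logic that runs behind a proxy, and the bare implementation marks itself initialized so it cannot be claimed either.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example. Logic behind a proxy cannot use a constructor to set the
// proxy's storage, so it exposes initialize() instead. Left unguarded, whoever
// calls it first on a fresh proxy (or on the bare implementation) becomes owner.
contract UnguardedLogic {
    address public owner;

    function initialize(address initialOwner) external {
        owner = initialOwner; // no check: callable by anyone, any number of times
    }
}

// Hardened logic: one-shot initializer, zero-address check, and the
// implementation's own storage flagged in the constructor so the
// implementation contract can never be initialized directly.
contract GuardedLogic {
    address public owner;
    bool private _initialized;

    event Initialized(address indexed owner);

    constructor() {
        // Runs against the implementation's storage, never the proxy's.
        _initialized = true;
    }

    modifier initializer() {
        require(!_initialized, "already initialized");
        _initialized = true;
        _;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Deploy the proxy and call this in the same transaction (e.g. via the
    // proxy's init calldata) so there is no window in which it is unclaimed.
    function initialize(address initialOwner) external initializer {
        require(initialOwner != address(0), "zero owner");
        owner = initialOwner;
        emit Initialized(initialOwner);
    }

    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero owner");
        owner = newOwner;
    }
}
```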

News on ImmuneFi

In the October 2024 edition of its crypto losses report, ImmuneFi shared some interesting statistics on the losses the crypto community has faced this year. According to the report, the crypto community has lost up to $1,400,073,177 to hacks and rug pulls as of October 2024 across 179 incidents. This is a one percent decrease from October 2023, when losses were up to $1,414,641,935.

In October 2024, the crypto community experienced losses of up to $55,138,600 due to hacks across seven incidents, with no fraud reported. This marked a 114% increase from October 2023 but a 56.6% decrease from September 2024. The most significant losses were from Radiant Capital ($50 million) and Tapioca DAO ($4.4 million). DeFi was the only sector affected, with BNB Chain being the most targeted, accounting for 50% of the total losses. ImmuneFi has paid over $100 million in bounties and saved over $25 billion in user funds.

Is ImmuneFi a Good Investment?

ImmuneFi has built a reputation as the leading bug bounty program in the crypto industry. It offers general scope bug bounty programs and tailored solutions like the Invite Only program. ImmuneFi is the meeting point for whitehat hackers and project owners, helping projects stay secure. As such, with its security expertise and flexible approach, ImmuneFi helps projects build more secure ecosystems.

Author: Tamilore
Translator: Viper
Reviewer(s): Piccolo, Matheus
Translation reviewer(s): Ashely
* The information is not intended to be, and does not constitute, financial advice or any other kind of recommendation offered by Gate.io.
* This article may not be reproduced, transmitted or copied without crediting Gate.io. Violation is an infringement of copyright law and may be subject to legal action.