
Whitehat hackers focus on Ethereum, Solana and Avalanche: Immunefi

theblock.co 09 March 2023 14:20, UTC

Crypto whitehat hackers are mostly interested in the Ethereum blockchain.

That’s according to a breakdown of the ethical hacker ecosystem compiled by web3-focused bug bounty platform Immunefi in its 2023 report, aimed at mapping the interests, challenges and opportunities of whitehats in web3. But money isn’t everything, with the majority motivated by solving the technical challenges of decentralized applications.

Blockchain preferences

Ethereum was the overwhelming preference among whitehats, with 92% of respondents attracted to the blockchain. Solana came in second place at 31%, with Avalanche (20.4%), Cosmos (13.3%) and Tezos (8%) making up the top five. Polygon, Arbitrum, Optimism, Near, Polkadot, BNB Chain, Fantom and zkSync were also on their radar.

However, interest in Ethereum fell from 96.4% in Immunefi’s previous survey. Solana witnessed the most significant decrease, down 51.6%, while Tezos saw the biggest spike, rising 122.2%.

Attack vectors

Reentrancy attacks (enabling malicious parties to repeatedly drain funds from smart contracts by exploiting the code execution order) were cited as the most common vulnerability whitehats discovered when reviewing code (43.2%), followed by access control (18.2%), input validation (9.1%), oracle manipulation (6.8%) and logical errors (6.8%).

Most whitehats (76.1%) saw the attack surfaces in crypto growing. However, the majority (88.5%) also agreed that projects’ security measures were improving.

Bug bounty rewards

Bounty size was cited as the main factor (66.4%) for whitehats when selecting bounty programs, though trust, scope and efficient communication were also highly valued.

After paying out over $52 million in rewards to ethical hackers for finding vulnerabilities in web3 protocols last year, Immunefi has come to dominate crypto bug bounty rewards. In contrast, the second-most popular platform, HackenProof, has paid a total of $4.8 million to whitehats.

Immunefi claims to have paid out more than $65 million in total bounties since 2020, helping to secure $25 billion in user funds across protocols like Chainlink, MakerDAO, The Graph, Polygon and Synthetix. The highest bounty facilitated by Immunefi was a $10 million award for a vulnerability discovered in Wormhole, a generic cross-chain messaging protocol.

Last month, Immunefi reported that crypto ransomware payments generated more than $69.3 million from the top 10 attacks since 2020. In January, an Immunefi security researcher was awarded a $1 million bounty after averting a potential theft of $200 million from three Polkadot parachains.

Demographics and lifestyle

Most whitehats (54%) fall into the increasingly dominant 20-29-year-old bracket, up from 45.7% in the previous period, with 21.2% of respondents between 30 and 39 and 12.4% between 40 and 49. Despite an increasing number of women joining the ethical hacker community, up 45.8% to 3.5%, male whitehats still make up the largest share (95.5%).

The majority of respondents have worked in crypto for around four years, and most (55.8%) considered hacking their primary job, though that’s down from 60.2% in the previous period. Outside of interest in solving technical challenges (77%) and gaining financial rewards (69%), career opportunities (62%) and community (38%) were also strong motivators.

Challenges and opportunities

When asked about the biggest challenges whitehats had experienced in web3 security, most respondents highlighted the steep learning curve required regardless of previous background or experience and a need for more available resources. The rapidly evolving nature of the technology was another pain point, along with the complexity of Solidity coding, protocols and possible attack vectors.

In terms of opportunities, respondents were excited about the challenge of learning and working on new technology, considering web3 a well-paid industry with long-term career potential in high-impact roles.
