Date: 2025-12-11

Crypto has created a financial system that runs on code, moves vast sums at the speed of the internet, and can be attacked from anywhere.

A single missed check or stray line of code isn’t a minor bug — it can take down an entire protocol. Bug bounties began as an informal pact between developers and security researchers.

But as DeFi ballooned into a multibillion-dollar ecosystem, the threat landscape shifted.

Today’s adversaries include nation-state outfits, organised crime groups, and financial engineers who can drain a protocol in seconds. This escalating threat landscape demanded a more structured, scalable defence — something the early bug-bounty model wasn’t built for.

Into this gap steps Immunefi, an on-chain security platform focused on protecting crypto protocols from hacks and vulnerabilities, founded by Mitchell Amador.

Founded in Lisbon in 2020 — although now with a Singapore HQ — Immunefi has reportedly paid over $100 million in rewards to white-hat hackers. It coordinates some of the industry’s largest bug bounties while setting an industry standard and helps prevent billions in potential losses.

Further, it developed the internet’s first bug-bounty court to bring legal certainty, enforceability, and a sense of order to a space where a single dispute can shape the future of a project.

I spoke to Amador to learn all about it.

Enter the scaling bug bounty standard

Before introducing its Bug Bounty Court, Immunefi first set out to fix the incentives themselves with a new standard for how bug bounties should work.

A bug bounty is a reward offered by a company to security researchers (“ethical hackers”) who discover and responsibly report vulnerabilities in its software or systems.

However, traditional low bounties don’t incentivise top security researchers to responsibly disclose bugs. In response, the Scaling Bug Bounty Standard is a DeFi security model where bounty payouts are tied to the real economic impact of a vulnerability, rather than a small fixed reward.

Instead of offering, say, $10k for a critical bug, a protocol sets the bounty as a percentage of the funds at risk (often up to ~10 per cent). DeFi systems can hold millions — or billions — of dollars in a single contract. By scaling rewards with potential damage, the model makes ethical disclosure financially competitive with exploits, attracts better security talent, and significantly reduces the incentive to steal. But avoiding exploits also depends on preventing new bugs from shipping in the first place.

As part of this, Immunefi has developed a pull request (PR) review program that allows security researchers to earn bounties not by finding new bugs, but by reviewing code changes (pull requests) before they go live. According to Amador:

“PR Reviews is a CI/CD pipeline security tool. It integrates our AI systems and top human hackers into every step of code review.”

Instead of waiting for a hack to happen or searching the entire codebase, researchers review the new or modified code that developers submit for release.

“We’re building the multi-layered SecOps stack that can get us there — multiple defensive layers powered by LLMs to customise every tool per protocol. Think of it as a SecOps platform with an intelligence layer. With it, we can keep the industry safe scalably. If we don’t, and trillions flow on-chain, we will be subsidising cybercrime for 20 years.”

Why bug bounties need a court

Traditional bug bounties rely heavily on goodwill and trust, but in Web3 the stakes are much higher: millions or billions can be at risk, and researchers typically must disclose the vulnerability before getting paid.

Immunefi Arbitration is a legally binding dispute-resolution system created specifically for the bug bounty world, where security researchers and crypto projects often disagree on whether a bug is valid, how severe it is, or how much the reward should be.

When a conflict arises, Immunefi first attempts to settle it through mediation. If mediation doesn’t resolve the issue — and the bounty program is enabled for arbitration — either side can trigger a formal arbitration claim. At this point the case is handed to the London Chamber of Arbitration and Mediation (LCAM), an independent body whose arbitrators evaluate the vulnerability report, the evidence, and the program’s rules.

The researcher becomes the claimant, the project becomes the respondent, and both sides submit documentation and arguments. The arbitrator then issues a ruling that is legally binding and enforceable internationally through established arbitration frameworks such as the New York Convention. It carries legal weight and can be enforced in courts around the world if necessary.

Ultimately, the process is designed to be faster, cheaper, and more practical than taking a dispute to a traditional court, which would be prohibitively slow and expensive for most researchers. For Amador, these systems weren’t theoretical — they grew out of years of witnessing crypto’s worst failures firsthand.



The paranoia that built a security platform

Mitchell Amador has worked with teams across the ecosystem — including Ethereum, Lido, MakerDAO/Sky, Filecoin, Stacks, LayerZero, Chainlink, Arbitrum, and Polygon — on incident response, vulnerability disclosure, and security standards. Amador has participated in numerous on-chain incident “war rooms” and has been involved in efforts to recover funds and coordinate responsible disclosures.

Amador admits, “I’ve seen a lot of security events go wrong. Basically every project I worked on in the mid-2010s in crypto had some major cyberattack or incident. Everything and anything under the sun was happening. So I became super paranoid.”

This was before DeFi took off; there were no real on-chain financial markets yet, but he could see the technology gaining momentum.

“I knew this was going to be huge — and we were going to get a huge wave of attacks. When people realise they can steal a million dollars over the internet, everybody and their dog is going to try.”

He did the math and concluded that all of DeFi — and the potential for on-chain finance — would be destroyed before it began. “It has been totally delegitimised in the eyes of the law. Imagine a world where 25–30 per cent of assets are stolen in the first year,” he said.

The modern attack landscape

The modern attack surface shows exactly why that paranoia was justified.

According to Amador, as the market matured, code became more complex. Real on-chain financial products have emerged over the last four years: lending markets like Aave, automated market makers like Uniswap, perpetual futures, and prediction markets. This has brought a wave of security complexity and an explosion of new vulnerabilities.

There are two broad types:

Flash-loan attacks, where a hacker uses a giant flash loan to manipulate the market or protocol rules and profits from that distortion — and a broader category of financial-engineering attacks where funds are accessed by gaming the financial design of the protocol.

Web2-style “off-chain” compromises, where attackers hack people and traditional IT infrastructure around a crypto system instead of exploiting smart-contract code directly. For example, in the $600 billion Ronin bridge hack, four North Korean actors compromised a service provider and internal systems to gain validator keys and then drained the bridge.

According to Amador:

“From day one, there are literally North Koreans stalking you. The moment you announce fundraising, they are spear-phishing your dev team. That’s literal, not figurative. There’s too much money at stake, and the cost of attack keeps falling.”

He suggests that everyone must start paranoid: “There is no DeFi or on-chain company that survives with a reactive approach.”

“Instead, everyone must be proactive before launch: audits, code review, and bug bounties. VCs mandate it. It’s night-and-day from traditional industries.”

Amador asserts that when it comes to security threats, the risk of social engineering is massive. Crypto is the most lucrative place in history for social engineering.

“Criminal organisations run like startups whose sole job is to steal your money. And I came to the conclusion that the only way we could do that is to have a scalable way of incentivising and coordinating the security community to defend these projects.”

He believes the stakes are clear: while “magical internet money” works remarkably well, the ecosystem risks subsidising cybercrime for decades if security doesn’t keep pace. Current hack rates of 3.6–4 per cent, he warns, are simply unsustainable. Yet Amador is adamant that the core technical challenges are solvable. In his view, the crypto security community already knows how to secure contracts, prevent contagion, detect scams, monitor chains, and harden code to aerospace-grade standards.

The tools exist and are effective. What’s missing, he argues, is broad adoption — particularly from traditional finance players entering the space.

“We know how to secure contracts, resist contagion, detect scams, monitor chains, and harden code to aerospace levels. The tools exist and work. What’s missing is adoption — especially by traditional finance.”

He sees this as a battle between the excellence of the crypto security community and human ignorance.