Last year around this time we reported that Immunefi, one of the emerging bug bounty and security service platforms for DeFi, had raised $5.5 million in funding. Considering that nearly $2 billion has been lost to crypto hacks and scams so far this year, it looks like this was a pretty low investment.
And yes, it was. Because Immunefi has now raised $24 million as part of its Series A. The round was led by Framework Ventures. Other investors include Samsung Next, Electric Capital and Polygon Ventures. That now brings the total to $29.5 million.
Immunefi connects Web3 projects whose code needs to be audited and secured with whitehat hackers who report vulnerabilities and claim monetary rewards. Sometimes these rewards can reach $10 million, which is somewhat unsurprising when so much crypto can be at stake. Most tech companies, including Apple and Microsoft, use a similar method for bug bounties, but the practice has been less well adopted in Web3, in part because hackers can sometimes be much more incentivized to steal the money than to report the bug, especially when there may be millions of dollars on offer.
Launched in December 2020, Immunefi says it has paid out $60 million to whitehat hackers and claims to have saved more than $25 billion from being hacked.
But bug payouts in crypto should work differently than in Web2. A $5,000 payout when $100 million in funds is at stake is a meager reward relative to the amount at risk. So Immunefi developed a scaling bug bounty standard that encourages projects to pay out rewards for major vulnerabilities at a rate equal to 10% of the funds potentially at risk.
This has led to some huge bug bounties, such as the $10 million paid out for a vulnerability discovered in Wormhole, a generic cross-chain messaging protocol, and $6 million for a vulnerability discovered in Aurora, a bridging and scaling solution for Ethereum. This contrasts with the largest conventional bug bounty, offered by Apple, of $2 million.
CEO and founder Mitchell Amador said in a statement: “Open code and instant monetization exploits have made Web3 the most hostile software development space in the world. By shifting incentives to whitehats, Immunefi has already saved billions of dollars in user funds. We are quickly realizing that using Immunefi is better than publicly begging hackers to return or pay ransoms. We are using this increase to scale our team to meet this massive challenge.”
Immunefi does have competitors: HackerOne has moved from Web2 to Web3, and Safeheron recently raised $7 million to make private keys more secure.