It was around last year that we reported that Immunefi – one of the emerging bug bounty and security services platforms for DeFi – had secured $5.5 million in funding. With nearly $2 billion lost in crypto this year to hacking and fraud, this seems like a very poor investment.
And sure enough, it was. Because Immunefi has now raised $24 million as part of Series A. The round was led by Framework Ventures. Other investors include Samsung Next, Electric Capital and Polygon Ventures. This brings the total to $29.5 million.
Immunefi connects Web3 projects with whitehat hackers who inspect their code and report security vulnerabilities in exchange for monetary rewards. Sometimes these rewards can be as high as $10 million – a bit unsurprising when so much cryptocurrency is at stake. Most tech companies, including Apple and Microsoft, use a similar bug bounty system, but the practice was rarely used on Web3, in part because hackers can sometimes be more incentivized to steal the money than to report a bug, especially when millions of dollars can be offered.
Immunefi, which launched in December 2020, claims to have paid $60 million to whitehat hackers.
But bug payments in crypto need to work differently than in Web 2.0. With $100 million in funds at stake, a $5,000 fee is very small. Therefore, Immunefi has developed a bug bounty standard corresponding to 10% of the funds at risk to encourage projects to pay rewards for large vulnerabilities.
That means some huge bug bounties — such as $10 million for vulnerabilities found in Wormhole, a generic messaging protocol, and $6 million for vulnerabilities in Aurora, an Ethereum bridge and scaling solution. This contrasts with Apple’s largest typical bug bounty of $2 million.
CEO and founder Mitchell Amador said in a statement: “Open source and directly monetized exploits make Web3 the most competitive software development space in the world. By shifting incentives to whitehats, Immunefi has already saved billions of dollars in user funds. Projects in crypto will quickly realize that it is better to use Immunefi than to publicly beg hackers to return funds or pay ransom. We are using this increase to grow our team to meet this big challenge.”
But Immunefi has competitors; HackerOne switched from Web 2.0 to Web3, and Safeheron recently raised $7 million to make private keys more secure.