| Project | Date | Funds at Risk | Max Bounty | Issue | Details |
|---|---|---|---|---|---|
| Arbitrum | September 2022 | 352,000 ETH | 1,200 ETH | A compromised deposit contract allowed theft of all incoming deposits. | The largest deposit during bug bounty negotiation was 351,803 ETH. The max bounty for a critical vulnerability was advertised as $2M. The white hat was awarded only 25% of the max bounty (400 ETH). |
| Perpetual | May 2022 | $40M | >$1M | Bad Debt Attack For Perpetual Protocol | Perpetual claimed that because the attack had to be performed across multiple blocks and required large capital, the likelihood of an attack was "low", despite $40M being at risk. |
| Bizthon by TDeFi | October 2022 | N/A | $1M | A Web3 hackathon that falsely advertised paying winners $1M USD in bounties. | TDeFi, the parent company, created Bizthon to lure hackathon participants into relinquishing 7.5% equity of their businesses for $0 cash investment (dilutive capital). Both the marketing and the terms for Bizthon claimed that hackathon winners would be paid bounties (non-dilutive capital) from a prize pot of $1M USD. Winners and finalists did not receive bounties after completing the hackathon; instead they were propositioned to trade business equity for $0. Furthermore, there was no reimbursement for travel and lodging to pitch on the TDeFi stage at GITEX in Dubai. |
| Cronos | November 2023 | >$2.5M | $250K | Reentrancy allowed an attacker to receive staked tokens for free. | Cronos fixed the bug immediately, before responding to the report, then paid a $1.6K bounty as a "token of appreciation". Cronos has since been removed from Immunefi. |
| Aave | November 2022 | $40M ($1.5M stolen) | $250K | CRV economic exploit | An attacker targeted Aave's treasury with an economic exploit of CRV borrowing/lending on the protocol. The white hat showed Aave the attacker's wallet, the attack path, and how to stop it days before the attack occurred. Over $40M was at risk; $1.5M was actually taken, because the exploit was stopped midway by private individuals leading a short squeeze. Aave paid no bug bounty. |
| dHEDGE | April 2023 | $14.44M | $25K | Managers can steal tokens from users using malicious swap paths. | dHEDGE responded that the issue is "well-known" and impossible to fix. They did not fix the issue and paid $500 as "goodwill". |
| GhostMarket | July 2024 | N/A | $10K | Precision loss in the ERC-2981 royalties calculation results in loss of funds for the royalties receiver. | A high-severity vulnerability in GhostMarket's royalty calculations was responsibly disclosed via Immunefi. GhostMarket rejected the submission, claiming that ERC-2981 allows "flexibility in royalty calculations and rounding". Immunefi later confirmed the vulnerability and directed GhostMarket to pay the bounty, but GhostMarket ignored the mediation and went silent. |
| Magic Link | May 2023 | $10M | $3,000 | Iframe phishing | Magic Link claims its wallet is unphishable, yet it was found to be vulnerable to iframe phishing. Magic Link ignored the vulnerability through eight reminders over a month until it came under public scrutiny about the presence of a potential unknown vulnerability. The white hat suggested a payment of more than $3,000; Magic Link ignored the hacker, paid nothing, and publicly announced its patch as a "new security feature" and an "investment in security" rather than as an unpaid white hat's finding. |
| Magic Link | April 2023 | $20M | $2,000 | Clickjacking can drain wallets | All user funds, estimated here at above $20M, were at risk, with minimal user interaction needed to steal them. Magic Link's max bounty is $3,000. Magic Link paid $1,000, falsely claiming the issue was not critical because it required a dashboard misconfiguration or an XSS to exploit. Magic Link refused to coordinate a fix timeline for months until the issue received more public scrutiny; at that point, they fixed it in days. |
| WalletConnect | October 2022 | 170 wallets + 450 dApps | $500 | WalletConnect: submitting malicious transactions into a crypto wallet on behalf of any dApp | The WalletConnect team was informed of the issues on 2022-10-21. Between 2022-10-21 and 2022-11-15 the white hat offered help and asked for status updates. When the white hat stated that the report would be disclosed under a responsible-disclosure policy (90-day window), the team instantly replied that the findings were well-known facts that should be explicitly mentioned in their documentation, and refused to allow disclosure, citing their self-written security policies. The white hat then explained the process of public vulnerability submission (for example https://about.google/appsecurity/) and set a deadline of 2023-01-21, but was ignored. |
| unitaryHACK | June 2023 | $100 | $100 | Completed bounties were not paid. | unitaryHACK stopped responding to emails asking for the payment to be made. |
| Ubiq | March 2024 | N/A | N/A | A security researcher reported a DoS vector. The team was rude to the researcher, said there would be no bounty, and then patched the vulnerable code. | See the Twitter thread, which includes the CVE entry (NIST NVD) for the bug and the patch diff. |
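Both Magic Link entries above (iframe phishing and clickjacking) share one precondition: the wallet page must be loadable inside a third-party `<iframe>`. The check below is an added example, not code from Magic Link, WalletConnect or any other project listed here. It evaluates a page's response headers the way a browser would and reports whether a given embedder origin may frame it, honouring the rule that a `Content-Security-Policy` `frame-ancestors` directive takes precedence over `X-Frame-Options`. The function names (`framingAllowed`, `audit`), the origins and the sample header sets are all constructed for illustration.

```javascript
// Added example: decide whether `embedderOrigin` may load a page in an <iframe>,
// given that page's response headers. Used here to triage the clickjacking /
// iframe-phishing precondition. All sample data below is constructed.

// Extract the frame-ancestors source list from a CSP header, or null if absent.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map(t => t.toLowerCase());
    }
  }
  return null;
}

// Match one frame-ancestors source expression against an embedder origin.
function originMatches(source, embedderOrigin, selfOrigin) {
  if (source === "'none'") return false;
  if (source === '*') return true;
  if (source === "'self'") return embedderOrigin === selfOrigin;
  // Scheme-only source, e.g. "https:".
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return embedderOrigin.startsWith(source + '//');
  // Host source, optionally with a scheme and a leading wildcard label.
  let scheme = null;
  let host = source;
  const m = source.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/);
  if (m) { scheme = m[1]; host = m[2]; }
  const e = new URL(embedderOrigin);
  if (scheme && e.protocol !== scheme + ':') return false;
  if (host.startsWith('*.')) return e.host.endsWith(host.slice(1));
  return e.host === host;
}

// True if a browser would allow `embedderOrigin` to frame the page.
function framingAllowed(headers, embedderOrigin, selfOrigin) {
  const get = name => {
    for (const [k, v] of Object.entries(headers)) {
      if (k.toLowerCase() === name) return v;
    }
    return undefined;
  };
  const ancestors = parseFrameAncestors(get('content-security-policy'));
  if (ancestors) {
    // CSP3: when frame-ancestors is present, X-Frame-Options is ignored.
    return ancestors.some(src => originMatches(src, embedderOrigin, selfOrigin));
  }
  const xfo = (get('x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedderOrigin === selfOrigin;
  // No header, or the obsolete ALLOW-FROM (ignored by current browsers): framable.
  return true;
}

// Constructed sample responses for a hypothetical wallet at https://wallet.example.
const SELF_ORIGIN = 'https://wallet.example';
const SAMPLE_RESPONSES = {
  unprotected: { 'Content-Type': 'text/html' },
  xfoOnly: { 'X-Frame-Options': 'SAMEORIGIN' },
  cspAllowlist: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://*.partner.example" },
  cspWildcard: { 'Content-Security-Policy': 'frame-ancestors *' },
  conflicting: { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': "frame-ancestors 'self'" },
};

// Map each sample response to whether `attackerOrigin` can frame it.
function audit(responses, attackerOrigin, selfOrigin) {
  const findings = {};
  for (const [name, headers] of Object.entries(responses)) {
    findings[name] = framingAllowed(headers, attackerOrigin, selfOrigin);
  }
  return findings;
}

console.log(audit(SAMPLE_RESPONSES, 'https://evil.example', SELF_ORIGIN));
```

A page that reports `true` for an attacker origin is the one to escalate: an overlay or a look-alike frame can then be placed around its transaction-approval UI. Note that `frame-ancestors *` and a missing header are equivalent from the attacker's point of view, and that a `SAMEORIGIN` header is only as strong as the absence of XSS on the same origin.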