It was around this time last year that we reported that Immunefi — one of the emerging bug bounty and security services platforms for DeFi — had raised $5.5 million in funding. Given that almost $2 billion has been lost to hacks and scams in crypto so far this year, it would seem this was a pretty low investment.
And sure enough, it was. Because Immunefi has now raised $24 million as part of its Series A. The round was led by Framework Ventures. Other investors include Samsung Next, Electric Capital and Polygon Ventures. That brings its total raised to $29.5 million.
Immunefi connects web3 projects that need their code checked and secured with whitehat hackers who report vulnerabilities and claim monetary rewards. Sometimes these rewards can go as high as $10 million, which is somewhat unsurprising when so much cryptocurrency can be at stake. Most tech companies, including Apple and Microsoft, use a similar bug bounty methodology, but the practice was less well employed in web3, in part because hackers can sometimes be far more incentivised to steal the money than to report the bug, especially when millions of dollars might be on offer.
Launched in December 2020, Immunefi says it has paid out $60 million to whitehat hackers, and claims to have saved more than $25 billion in funds from being hacked.
But bug payouts in crypto have to work differently than in Web 2.0. A $5,000 payout when $100 million in funds might be at stake is a paltry amount. So Immunefi developed a bug bounty standard which scales, to encourage projects to pay rewards for big vulnerabilities at a rate equivalent to 10% of the funds at potential risk.
This means some enormous bug bounties — such as the $10 million paid out for a vulnerability discovered in Wormhole, a generic cross-chain messaging protocol, and $6 million for a vulnerability discovered in Aurora, a bridging and scaling solution for Ethereum. This contrasts with the largest conventional bug bounty offered by Apple for $2 million.
CEO and founder Mitchell Amador said in a statement: “Open code and directly monetizable exploits have made Web3 the most adversarial software development space in the world. By shifting incentives towards whitehats, Immunefi has already saved billions of dollars of user funds. Projects across crypto are rapidly realizing that it’s better to use Immunefi than publicly begging hackers to return funds or pay a ransom. We’re using this raise to scale our team to meet this massive challenge.”
Immunefi does have competitors, however; HackerOne switched from Web 2.0 to web3, and Safeheron recently raised $7 million to make private keys safer.