Ever Wonder How DeFi Apps Stay Safe?

[R1dwanRz]

I’ve been using crypto wallets and DeFi apps daily, but I never really thought about how they stay secure in a deeper level until Recently, I heard someone talking about Immunefi on reddit and its bug bounty program, and it made me see security in a whole new way.

Got to discover Immunefi helps protect blockchain projects by finding bugs before hackers can exploit them. So far, it has helped secure over $180B in user funds across 650+ projects, including Ethereum, Aave, Chainlink, Optimism, and Arbitrum. It has also prevented more than $25Bin potential losses.

The platform runs the largest bug bounty program in crypto. Projects create bounties and set rewards based on how serious a bug isCritical, High, Medium, or Low.

This made me Curious to learn more, so i read about people submitting bounties and how much work it takes to find a real issue. I also compared it with other platforms like HackerOne and HackenProof to see how reporting, payouts, and verification differ. It really opened my eyes to how much goes into keeping DeFi safe. Crazy sums!.

Now, With the recent launch of the IMU token, and exposure created opportunities like these>> launchpool  I’m wondering: has anyone here tried submitting a bounty on Immunefi? What was your experience like?

And for anyone using crypto or DeFi apps every day, understanding how these programs work can make a big difference in keeping your funds safe.

[jossiel]

No matter what security bug bounty they run and have that large pool prize for the hunters. The impression of DeFi for me will not change anymore.

And that's they're an apple of the eye of the hackers because of how bountiful they are and large the money that circulates there.

That is the reason why we often read news of how many DeFi apps have been hacked. So, as an investor, I'll avoid going in them even with good audits or records they propose.

[JeromeTash]

I was about to think that you had changed for good. For the first time, I thought you had posted something sensible. Something that is not about shilling a certain service, and then on checking the shared link, I just realized it's the same stupidity all over again.
Do you find that what you are doing is now boring? How far must you go with the shilling?

[TastyChillySauce00]

Shill aside, immunefi is just reinventing the wheel, every good and trusted project already have bounty for bugs and audit their smart contract regularly and whenever they deploy a new ones.

Smart contracts routinely audited by different audit firms such as OpenZeppelin and CertiK for a long time. It's not like immunefi appear and suddenly defi become secure. It's a good to have platform but not necessarily the only thing that keep defi safe.

[hugeblack]

The problem is that some DeFi app hacks come from insiders, either former employees or part of a social attack or exit scam, so even if the bug bounty program is generous, it will certainly not be worth the same as stealing money, especially if it is part of an exit scam.

[$crypto$]

Do you find that what you are doing is now boring? How far must you go with the shilling?

Every post will keep saying Bitget, I guess this is part of her promotion.

The problem is that some DeFi app hacks come from insiders, either former employees or part of a social attack or exit scam, so even if the bug bounty program is generous, it will certainly not be worth the same as stealing money, especially if it is part of an exit scam.

DeFi is always a loophole where hackers can do these actions when there is an opportunity, then you say from insiders or former employees it makes sense because it could be that the loophole came from those who told him.

Even though DeFi has high security, I still saw on X that DeFi was hacked several times.

[R1dwanRz]

No matter what security bug bounty they run and have that large pool prize for the hunters. The impression of DeFi for me will not change anymore.

And that's they're an apple of the eye of the hackers because of how bountiful they are and large the money that circulates there.

That is the reason why we often read news of how many DeFi apps have been hacked. So, as an investor, I'll avoid going in them even with good audits or records they propose.

So you're saying you're more aligned with cex than Defi apps? They're some secure Defi apps though. And tbh navigating through them is fun.

Shill aside, immunefi is just reinventing the wheel, every good and trusted project already have bounty for bugs and audit their smart contract regularly and whenever they deploy a new ones.

Smart contracts routinely audited by different audit firms such as OpenZeppelin and CertiK for a long time. It's not like immunefi appear and suddenly defi become secure. It's a good to have platform but not necessarily the only thing that keep defi safe.

Yeah from their stats you can see that, and they're thriving with how much they've recovered and prevented so far.

[jossiel]

No matter what security bug bounty they run and have that large pool prize for the hunters. The impression of DeFi for me will not change anymore.

And that's they're an apple of the eye of the hackers because of how bountiful they are and large the money that circulates there.

That is the reason why we often read news of how many DeFi apps have been hacked. So, as an investor, I'll avoid going in them even with good audits or records they propose.

So you're saying you're more aligned with cex than Defi apps? They're some secure Defi apps though. And tbh navigating through them is fun.

Sort of but I only use them when I'm about to sell. But if it's the regular usage, it's made me avoided the Defi apps.

I know that there are some which are secure but it made me think generally that I shouldn't get into it.

Maybe my mind will change and I understand that searching for the good ones is fun but, what if I have no time in them and that's why.

[TastyChillySauce00]

The problem is that some DeFi app hacks come from insiders, either former employees or part of a social attack or exit scam, so even if the bug bounty program is generous, it will certainly not be worth the same as stealing money, especially if it is part of an exit scam.

Insider hacking is real, a contract can be audited thoroughly but the one who make the decision is the project including the insider. if the team is rotten, the audit become useless.
Honestly any bug bounty platform should treat backdoor as a bug as well to flag the smart contract as a red flag. The fact that the so called defi is mostly just a protocol with multisig controlled by project owner and still have centralized risk is something that should make us raise a concern.

I've heard so many old protocols getting hacked despite already got audited and have bounty for bugs. It's possible that there is a backdoor.

[nelson4lov]

No system can ever be safe from hacking, most especially smart contracts since those are particularly prone to faults in code that usually lead to hacks. If anything, bug bounties only helps to a certain levels. As someone that used to audit, it's safe to say bug bounties not fault proof for this defi programs. If the project bug bounties doesn't have a large enough budget, most quality auditors may not even attempt to look for bugs that might be present

[wiss19]

Insider hacking is real, a contract can be audited thoroughly but the one who make the decision is the project including the insider. if the team is rotten, the audit become useless.
Honestly any bug bounty platform should treat backdoor as a bug as well to flag the smart contract as a red flag. The fact that the so called defi is mostly just a protocol with multisig controlled by project owner and still have centralized risk is something that should make us raise a concern.

I've heard so many old protocols getting hacked despite already got audited and have bounty for bugs. It's possible that there is a backdoor.

I was once part of a team that made a token that the creator moved to a new one and then scammed everyone. Since it is not decentralized and there are people at the top, they can always make a new version that is not audited and people would still go for it and then the creator would steal money.

It was a very difficult part of my life because I lost a good chunk of my work in there, I was holding that token because I earned it by working, airdrops, bounties, mod work, everything I can do, and then one day it was all gone.

[BattleDog]

Bug bounties are a good signal that a team is at least willing to pay for bad news, but they don't magically make a protocol safe. A lot of the biggest DeFi losses weren't even spicy memory corruption type bugs, they were boring things like admin key risk, upgradeability gone wrong, oracle, MEV edge cases, or just straight up humans getting phished. If a contract can be upgraded instantly by one hot key, an audit PDF is pretty useless.

I wouldn't dismiss bounty programs altogether, though, but I'd treat them like one layer in a stack.

For judging a DeFi app, I personally look harder at who controls upgrades, whether there are timelocks/multisig with real signers and how they handled prior incidents.

[asriloni]

No, it's a disaster when you submitting the bug you found to the immunifi as they rarely paid it. There have been numerous reviews about how immunefi was fooling the bug hunters, and majority of it ended with no pay for their found.

FYI, most of projects that listed on immunefi were not also serious in rewarding the bounty hunters. When you find a valid bug, but they will be also avoiding to pay you by finding a reason to make your finding out of their scope.

If you want your work to find the bug to be rewarded, just don't use them, but report it to the team that handle the platform directly.

[bitgolden]

Bug bounties are a good signal that a team is at least willing to pay for bad news, but they don't magically make a protocol safe. A lot of the biggest DeFi losses weren't even spicy memory corruption type bugs, they were boring things like admin key risk, upgradeability gone wrong, oracle, MEV edge cases, or just straight up humans getting phished. If a contract can be upgraded instantly by one hot key, an audit PDF is pretty useless.

I wouldn't dismiss bounty programs altogether, though, but I'd treat them like one layer in a stack.

For judging a DeFi app, I personally look harder at who controls upgrades, whether there are timelocks/multisig with real signers and how they handled prior incidents.

Considering how many projects are out there which was made by a single person who just distributes tokens for airdrops for retweets, I would say a professional team who is willing to pay out for a bug bounty is vast improvement.

Still doesn't guarantee there won't be any bugs I agree, but at least it shows they are fairly professional on their approach. This also doesn't mean that we are going to see price be good or the project makes profit, but it's better than the zeros we see in the world.

[BattleDog]

The bounty-as-marketing thing is a real problem. Projects get to say they take security seriously while having every incentive to deny payouts when someone actually finds something.

[lixer]

They do not. While there are some places who have been decent, we have seen many DeFi apps that got hacked, and for that reason we cannot really see this be a problem and for that reason we shouldn't really be considering this as just because one place is good so far, doesn't mean it will stay good forever.

Just like how other places got hacked and scammed people, the places that are good so far could do that in the future as well. This is why there is nothing that we can do to know if that will happen or not.

[justdimin]

And for anyone using crypto or DeFi apps every day, understanding how these programs work can make a big difference in keeping your funds safe.

It's clear that you can do bug bounty programs if you really want to make sure there are no bugs in your system, but the reality is that in most cases we are going to see these places not be as good as it gets and for that reason alone you are not going to end up with anything good.

For the time being, the best thing you can do at the moment would be making sure that it is going to end up with a lot better returns for the long term, and we should be avoiding places if possible. Just because they have bug bounty doesn't mean they won't steal from you, they may still steal the funding they get and that is why in most cases it will be a scam. So there is no prevention, it will always be a danger to invest with these.

[Josefjix]

Are you aware Binance and Bybit had been hacked before and other popular DeFi platform had suffered heavy hacks before? Even when bug bounty was done on them and nothing strength could be found.

I hope these bug bounty hackers do instruct the insider workers to be always watching their business interactions with outsiders. These way the trap is set in for hackers to intrude.

Ever since I lost so much money in apeswap DeFi platform, I stopped investing in any one at all.

[TastyChillySauce00]

I was once part of a team that made a token that the creator moved to a new one and then scammed everyone. Since it is not decentralized and there are people at the top, they can always make a new version that is not audited and people would still go for it and then the creator would steal money.

It was a very difficult part of my life because I lost a good chunk of my work in there, I was holding that token because I earned it by working, airdrops, bounties, mod work, everything I can do, and then one day it was all gone.

Yeah, the so called decentralized finance isn't really decentralized after all just because some founders decided to be dishonest and people would go in with their money blindly.

Some even deployed a code without audit to save some money and cutting corner, truly a mess sometime.