Cheap Crypto Security Costs Billions: How Skimping on Bounties Fuels Massive Hacks

Source: rekt.news - Cutting Corners


A recent $730,000 hack spotlighted a glaring issue: basic security flaws remain rampant despite clear, preventable mistakes. In this case, SuperRare suffered a breach caused by an access control bug so obvious that even OpenAI’s ChatGPT detected it instantly. Yet, the platform had no public bug bounty program, wrongly assuming their contracts were secure. This neglect isn’t unique - many projects either skip bounties or cap rewards too low, incentivizing attackers more than ethical hackers.


Bug Bounties vs. Exploits: The Perverse Incentive

  • Exploit payouts now dwarf bounty rewards. Many platforms cap bounties at $50,000 while hacks net millions, so a researcher who finds a critical bug faces a simple choice: disclose for a small reward or exploit for a massive profit.
  • GMX faced a $12 million hack due to a "basic Oracle 101 exploit" that solid bounties should have uncovered months earlier.
  • Intriguingly, post-hack, GMX and others offered millions back as recovery bounties, illustrating funds were available — just not invested in prevention.

The ‘Out of Scope’ Excuse and Its Fallout

Academic research exposed over 31,000 potential security issues in more than 83,000 upgraded contracts. Many stem from protocols deeming critical parts of their systems “out of scope” during audits, thus ignoring them entirely. Attackers clearly don’t respect these artificial boundaries, rendering this practice dangerously negligent.


Economics: Why Cheap Security Fails

Immunefi’s CEO highlights a fundamental truth: security budgets must align incentives, and bug bounties should be roughly 10% of at-risk funds. For example, protecting $10 million should come with up to $1 million in bounty payouts. Instead, platforms race to offer the lowest payouts to “save money,” creating a vicious cycle in which researchers abandon public programs or go silent.

  • The $12 million GMX exploit perfectly demonstrates why capped bounties don’t work.
  • Discounted security packages equate to a “death spiral” enriching attackers.

When Security Investment Pays Off

Some projects “get it.” Sky (formerly MakerDAO) shifted to a robust, wide-scope bug bounty program with rewards up to $10 million covering core systems, including its stablecoin and governance. This approach has:

  • Paid out over $120 million in bounties,
  • Protected $25+ billion in user funds,
  • Proven that meaningful incentives lead to stronger security.

The High Cost of Cheap Security

The pattern is clear: protocols that skimp on security lose far more than they save. From SuperRare to GMX, the same story repeats - ignoring sound security practices, only to scramble for damage control funds after hacks.

  • Bug bounty platforms report record payouts,
  • Hack losses skyrocket past $2 billion in 2025 alone.

The crypto industry, founded on the mantra “don’t trust, verify,” must ask: how can it protect billions if it neglects to verify its own security?


Bottom Line

Failing to invest in meaningful, well-funded bug bounty programs is no longer affordable. Researchers need better incentives to protect billions in funds. The data is undeniable: security treated as a cost center instead of essential insurance leads directly to costly, avoidable exploits. It’s time for Web3 projects to rethink their approach - or risk continuing the cycle where hackers profit and users pay the price.