Web3 white hats earn millions, eclipsing cybersecurity salaries of $300,000

The top white hats hunting vulnerabilities across decentralized protocols in Web3 earn millions, eclipsing the $300,000 salary ceiling in traditional cybersecurity roles.

“Our ranking shows that researchers earn millions per year, compared to typical cybersecurity wages of $150 to 300,000,” Mitchell Amador, co-founder and CEO of bug bounty platform Immunefi, told Cointelegraph.

In crypto, “white hats” refers to ethical hackers paid to disclose vulnerabilities in decentralized finance (DeFi) protocols. Unlike salaried corporate roles, these researchers choose their targets, set their own hours and earn according to the impact of what they find.

To date, Immunefi has facilitated more than $120 million in payouts across thousands of reports. Thirty researchers have already become millionaires.

“We protect more than $180 billion in total value locked across our programs,” said Amador, adding that the platform offers bounties of up to 10% for critical bugs. “These million-dollar payments reflect the reality that many protocols have tens or hundreds of millions at stake from single vulnerabilities,” he said.

Immunefi has made 30 millionaires. Source: Immunefi

$10 million in bug bounties

The largest payout to a Web3 white hat was $10 million, awarded to a hacker who found a fatal flaw in the Wormhole cross-chain bridge. Amador said the vulnerability could have vaporized billions.

Despite the discovery of this vulnerability, Wormhole suffered a $321 million exploit on its Solana bridge in 2022, the largest crypto hack of the year. In February 2023, the web infrastructure company Jump Crypto and Oasis.app carried out a “counter exploit” against the Wormhole protocol hacker, recovering a total of $225 million.

Amador revealed that critical vulnerabilities account for the largest awards. The top researchers have earned between $1 million and $14 million, depending on the severity and scope of their findings. “These are the 100x hackers who can find vulnerabilities that others miss,” he said.

While the early years of DeFi were plagued by smart contract bugs, 2025 saw a rise in “no-code” exploits such as social engineering, compromised keys and operational security lapses. Despite this shift, bridges remain the most lucrative targets due to their cross-chain complexity and the large sums they hold.

Patterns have emerged in the types of projects that are most often breached. “Protocols holding significant TVL and lacking solid bounty programs are the most exposed,” said Amador. He warned that startup teams rushing to market without security measures, as well as complacent established players, face high risks.

Crypto hackers stole $163 million in August

As Cointelegraph reported, crypto-related hacks and scams reached $163 million in losses in August, a 15% increase from $142 million in July. Despite the spike, overall incidents are trending down, with only 16 attacks compared with 20 in June.