LayerZero, Immunefi Offer Bug Bounty With $15M Max Payout
KYC is required for participation, and there are range of rewards available for bug hunters
Kelvin Degree/Shutterstock modified by Blockworks
LayerZero, a cross-chain messaging protocol, has established a bug bounty with a maximum reward of $15 million alongside partner Immunefi.
That number surpasses MakerDAO’s bug bounty, which offered a maximum of $10 million after launching in February 2022.
LayerZero will reserve the maximum bounty reward for those who find vulnerabilities at the “highest severity level,” and it will be paid out for each new bug found by participants.
LayerZero’s decision to partner with Immunefi mirrors the thinking of other prominent projects who have adopted the Web3 platform for their own bug bounties, including MakerDAO, Compound and Chainlink. Immunefi raised $24 million in its Series A round back in September 2022 and now claims to have paid out over $75 million in bounties.
Immunefi’s terms for LayerZero’s bounty are public and outline the rewards by “threat level” and by “groups.” Group 1 includes the chains Ethereum, BNB Chain, Avalanche, Polygon, Arbitrum, Optimism, and Fantom, while Group 2 is for every other chain out there.
The highest threat level for bugs is “critical,” as defined by Immunefi. For smart contracts, a critical threat entails voting manipulation in governance proposals, direct theft of user funds and NFTs, among a host of other things.
According to Immunefi’s terms, “Critical smart contract vulnerability payouts for Group 1 are a minimum of USD $250,000, or 10% of the value at risk at the time of report submission, with a hard cap of USD $15,000,000, whichever is larger. Value at risk should be calculated primarily (though not exclusively) based on concrete and demonstrable funds at risk.”
For Group 2, the minimum payout is $25,000 or, again, 10% of the value that’s at risk. The cap is $1.5 million.
Importantly, smaller payouts are up for grabs for lower threat bugs that participants are able to find. The lowest minimum prize is $1,000.
Supplementary rewards beyond minimum payouts or the 10% metric is “at the discretion of the team.”
Additionally, know-your-customer is needed to participate in this bounty. That means to get paid, you’ll have to send an invoice with your name, address and payment instructions. A government identification and an Office of Foreign Assets Control (OFAC) screening are also required.
Blockworks reported in April that LayerZero secured $120 million in funding to expand into the Asia-Pacific region’s gaming sector, boosting the company’s valuation to $3 billion.
Get the news in your inbox. Explore Blockworks newsletters:
- The Breakdown: Decoding crypto and the markets. Daily.
- Empire: Crypto news and analysis to start your day.
- Forward Guidance: The intersection of crypto, macro and policy.
- 0xResearch: Alpha directly in your inbox.
- Lightspeed: All things Solana.
- The Drop: Apps, games, memes and more.
- Supply Shock: Bitcoin, bitcoin, bitcoin.
