LayerZero, Immunefi Offer Bug Bounty With $15M Max Payout

KYC is required for participation, and there are range of rewards available for bug hunters

article-image

Kelvin Degree/Shutterstock modified by Blockworks

share

LayerZero, a cross-chain messaging protocol, has established a bug bounty with a maximum reward of $15 million alongside partner Immunefi.

That number surpasses MakerDAO’s bug bounty, which offered a maximum of $10 million after launching in February 2022.

LayerZero will reserve the maximum bounty reward for those who find vulnerabilities at the “highest severity level,” and it will be paid out for each new bug found by participants.

LayerZero’s decision to partner with Immunefi mirrors the thinking of other prominent projects who have adopted the Web3 platform for their own bug bounties, including MakerDAO, Compound and Chainlink. Immunefi raised $24 million in its Series A round back in September 2022 and now claims to have paid out over $75 million in bounties. 

Immunefi’s terms for LayerZero’s bounty are public and outline the rewards by “threat level” and by “groups.” Group 1 includes the chains Ethereum, BNB Chain, Avalanche, Polygon, Arbitrum, Optimism, and Fantom, while Group 2 is for every other chain out there. 

The highest threat level for bugs is “critical,” as defined by Immunefi. For smart contracts, a critical threat entails voting manipulation in governance proposals, direct theft of user funds and NFTs, among a host of other things.

According to Immunefi’s terms, “Critical smart contract vulnerability payouts for Group 1 are a minimum of USD $250,000, or 10% of the value at risk at the time of report submission, with a hard cap of USD $15,000,000, whichever is larger. Value at risk should be calculated primarily (though not exclusively) based on concrete and demonstrable funds at risk.”

For Group 2, the minimum payout is $25,000 or, again, 10% of the value that’s at risk. The cap is $1.5 million. 

Importantly, smaller payouts are up for grabs for lower threat bugs that participants are able to find. The lowest minimum prize is $1,000.

Supplementary rewards beyond minimum payouts or the 10% metric is “at the discretion of the team.”

Additionally, know-your-customer is needed to participate in this bounty. That means to get paid, you’ll have to send an invoice with your name, address and payment instructions. A government identification and an Office of Foreign Assets Control (OFAC) screening are also required. 

Blockworks reported in April that LayerZero secured $120 million in funding to expand into the Asia-Pacific region’s gaming sector, boosting the company’s valuation to $3 billion.


Get the news in your inbox. Explore Blockworks newsletters:

Tags

Decoding crypto and the markets. Daily, with Byron Gilliam.

Upcoming Events

Old Billingsgate

Mon - Wed, October 13 - 15, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

recent research

Research Report Templates.png

Research

Content Delivery Networks (CDNs) represent low-hanging fruit in a massive market ripe for Web3-driven disruption. The global CDN market was valued at ~$28B in 2024, and is projected to surpass $140B by 2034, (18.75% CAGR) underscoring the immense demand for efficient content delivery.

article-image

Sponsored

With early interest from an initial cohort of brands including Metaplex, Story Protocol, and Pipe Network, Shelby offers decentralized, cloud-speed storage for streaming, AI, and real-time content

article-image

The $135 million raise shows that TradFi giants are serious about crypto adoption

article-image

The banking system still processes payments like it’s 1975. Crypto might have a fix.

article-image

Fiserv’s launch follows Senate passage of the GENIUS Act for stablecoin regulation.

article-image

Bitcoin is emerging as “the new standard for long-term corporate resilience,” Swan Bitcoin CIO says

article-image

Cybersecurity experts explain how the attack could have been prevented