Bounties for Live Exploits (Proof-of-Exploit) vs Theoretical Vulnerabilities (Proof-of-Concept)

Pays for proven, real-world impact. Requires a functional exploit against a mainnet or testnet deployment. This matters for protocols with high TVL (e.g., Lido, Aave) where theoretical risk is insufficient. It validates exploit paths and provides immediate, actionable data for incident response teams.

Pays for vulnerability discovery and analysis. A detailed report with a working PoC in a controlled environment (e.g., a forked testnet) is sufficient. This matters for early-stage protocols (e.g., a new L2 or DeFi primitive) to find critical flaws before mainnet launch, maximizing security ROI during development.

• You have > $100M in TVL and need to stress-test live defenses.
• Your incident response team is ready to act on a live threat.
• You want to attract elite researchers who demonstrate real attack chains (e.g., Immunefi's 'Critical' tier bounties).
• Trade-off: Higher cost and risk, but eliminates false positives.

• You are in pre-launch or early growth phase (TVL < $50M).
• Your goal is preventive security and comprehensive code review.
• You want to engage a wider range of researchers, including those specializing in static analysis.
• Trade-off: Lower immediate risk, but requires robust triage to assess exploit feasibility.

Demonstrates Real-World Impact: A live exploit on a testnet or fork proves the vulnerability is exploitable and quantifies potential losses. This eliminates false positives and prioritizes fixes for threats that could drain funds, like the $325M Wormhole bridge exploit scenario.

Higher Risk and Complexity: Requires a functional exploit, which can be dangerous if mishandled. Platforms like Immunefi and Code4rena require strict environmental controls. This model is unsuitable for early-stage code where a simple PoC is sufficient for a critical logic flaw.

Faster, Broader Scope for Audits: A theoretical write-up or minimal script allows researchers to report a wider range of issues quickly, including complex logical flaws and centralization risks. This is ideal for pre-launch audits of protocols like Aave or Uniswap V4 where live exploits aren't feasible.

Potential for False Positives & Disputes: Without a working exploit, severity assessment can be subjective, leading to payout disputes. Teams may deprioritize fixes for issues deemed 'theoretical,' potentially missing vulnerabilities like the reentrancy bug that led to the $60M DAO hack.

Highest Fidelity Validation: Rewards are paid only for a working, on-chain exploit. This proves the vulnerability's severity and impact beyond doubt, eliminating false positives. This matters for protocols with high TVL where theoretical risk is insufficient for action.

Clear Priority for Fixes: A live PoC forces immediate, high-priority remediation. Teams can't deprioritize a bug that has been demonstrably weaponized. This matters for security-critical DeFi protocols like Aave or Uniswap V3, where exploit confirmation triggers emergency response.

Prevents Real-World Damage: Rewards vulnerabilities before they are exploited, protecting user funds and protocol reputation. This matters for early-stage protocols or new feature launches where preventing the first exploit is paramount.

Broader Researcher Participation: Lowers the barrier to entry, as researchers don't need to build full attack infrastructure or risk legal exposure. This matters for attracting a larger pool of white-hats from platforms like Immunefi or Hats Finance, increasing audit coverage.

Major Cons: High Risk & Legal Gray Area: Executing an exploit on a live network can be construed as an attack, potentially violating laws or terms of service. It also risks collateral damage if the exploit is poorly contained.

Major Cons: Subjective Severity Assessment: Requires expert judgment to triage and price bugs without live proof. Can lead to disputes over payout size, as seen in some Immunefi arbitration cases, slowing down the fix cycle.