Bounty-Based Review

This model crowdsources security expertise by offering financial rewards (bounties) to a global pool of ethical hackers and security researchers. It transforms security testing from a closed, periodic audit into a continuous, open process. Key aspects include:

• Public or Private Programs: Bounties can be open to all (public) or a vetted group (private).
• Cost-Effectiveness: Organizations pay only for valid, proven vulnerabilities, unlike fixed-fee audits.
• Example: Platforms like Immunefi and HackerOne facilitate these programs for Web3 projects.

Bounty programs define a clear scope (which contracts/applications are in-bounds) and a severity classification system that dictates reward size. This creates a structured framework for submissions.

• Common Severity Tiers: Critical, High, Medium, Low, with rewards scaling accordingly.
• Out-of-Scope Issues: Specifies what is not eligible (e.g., front-end bugs on a smart contract bounty).
• Payout Examples: A critical vulnerability leading to fund loss might have a bounty of $50,000 to $1,000,000+, while a medium-severity issue may offer $1,000 to $10,000.

A formalized workflow ensures vulnerabilities are reported and fixed responsibly before public disclosure, preventing exploitation. The standard process is:

• Submission: Researcher submits a detailed report via the bounty platform.
• Triage & Validation: The project's security team verifies the bug's existence and severity.
• Remediation: Developers patch the vulnerability in a private repository.
• Payout & Disclosure: The researcher is paid, and a public report is often published after a safe period.

Bounty-based review is not a replacement for professional smart contract audits but a critical complementary layer. It provides ongoing vigilance after an initial audit is complete.

• Audits are proactive, deep dives by a dedicated team at a specific point in time.
• Bounties create a continuous, reactive defense that leverages many eyes, especially useful after code updates or in production.
• Best Practice: Projects typically undergo 1-2 formal audits before launch, then initiate a bug bounty program for mainnet deployment.

A well-run bounty program acts as both a financial and reputational risk management tool.

• Financial: The cost of a bounty is typically far lower than the potential losses from an exploited vulnerability or a forced protocol shutdown.
• Reputational: Demonstrating a commitment to security by funding a public bounty builds trust with users and investors. It signals that the project is serious about protecting user funds.
• Deterrent: The existence of a bounty can deter malicious actors by incentivizing white-hats to find flaws first.

Poorly structured bounties can lead to incentive misalignment. Critical issues include:

• Low or capped rewards that fail to attract top-tier researchers for complex audits.
• Payout disputes over vulnerability severity classification.
• Time-based races that encourage rapid, shallow reviews over deep, systematic analysis.
• Scope limitations that exclude key components like governance contracts or oracle integrations.

The quality of findings depends entirely on the participating researchers. Challenges are:

• Inconsistent skill levels among bounty hunters, leading to missed vulnerabilities.
• Over-reliance on automated tools by some participants, which fail to catch novel or complex logic bugs.
• Difficulty attracting specialists for niche protocols (e.g., ZK-proof systems, novel consensus mechanisms).
• Lack of continuity, as researchers move to the next highest bounty rather than performing longitudinal review.

Bounties often fail to provide comprehensive security coverage.

• Out-of-scope components, such as admin key management or off-chain infrastructure, remain unaudited.
• Economic and game-theoretic attacks (e.g., flash loan manipulations, governance attacks) may be overlooked if the bounty focuses solely on code.
• Time-bound nature means the code is only reviewed at a snapshot, missing vulnerabilities introduced in later updates.
• Lack of formal verification for critical invariants.

Running an effective program requires significant operational effort.

• Triaging and validating a high volume of duplicate or invalid submissions.
• Maintaining clear, public scope rules to avoid disputes.
• Ensuring timely payouts to maintain researcher trust and engagement.
• Legal and compliance considerations for anonymous, global participants.
• Integrating findings with internal development and remediation workflows.

Bounty-based review is a supplement, not a replacement, for professional audits. Key considerations:

• Professional audits provide systematic, guaranteed coverage with defined deliverables and accountability.
• Bug bounties offer continuous, crowd-sourced review post-deployment, catching issues that auditors may have missed.
• Best practice is a layered approach: formal audit before mainnet launch, followed by a well-funded, ongoing public bounty program.

The growing number of bounty programs creates competition for researcher attention.

• High-profile protocols with large treasuries dominate the attention of top researchers.
• Smaller or newer projects may struggle to attract meaningful review despite having critical code.
• This can lead to a security disparity where systemic risk concentrates in less-scrutinized, lower-market-cap protocols.
• Platforms like Immunefi and HackerOne help aggregate attention but do not fully solve this imbalance.

The mathematical process of proving or disproving the correctness of a smart contract's logic against a formal specification. Unlike bounty-based review, which relies on human exploration, formal verification uses automated theorem provers and model checkers.

• Goal: Provide absolute guarantees that certain bug classes (e.g., overflow, reentrancy) are absent.
• Contrast: Bounty review is probabilistic (finds bugs that exist), while formal verification is deterministic (proves properties hold).

A comprehensive, time-boxed examination of a codebase by a dedicated team of expert security engineers. Audits are typically manual, in-depth, and structured, involving line-by-line code review and threat modeling.

• Relationship to Bounties: Often performed before a bounty program launches. The audit secures the base, and the ongoing bounty program provides continuous, crowd-sourced scrutiny post-deployment.

An ethical security researcher who exploits vulnerabilities to improve system security, typically under authorized conditions like a bug bounty program. They are the key participants in bounty-based review.

• Motivation: Financial reward, reputation, and the challenge of securing critical infrastructure.
• Contrast: Opposite of a blackhat hacker, who acts maliciously for personal gain.