
In brief
- Immunefi CEO Mitchell Amador told Decrypt at Token2049 in Singapore that AI tools once limited to security companies are now within reach of groups such as Lazarus, enabling attacks at scale.
- Immunefi’s bug bounty platform has paid out over $100 million, but he said it may “reach the limit” because there are not “sufficient eyeballs.”
- The $1.4 billion Bybit hack bypassed smart contract security by breaching infrastructure, exposing an area where defenders are “not too hot.”
AI is giving crypto attackers the same tools that defenders use, and the results are costing the industry billions of dollars, experts say.
Mitchell Amador, CEO of Immunefi, told Decrypt at the start of Token2049 week in Singapore that AI has collapsed the gap between vulnerability discovery and exploitation, and that the sophisticated audit tooling his company has built is no longer exclusive to the good guys.
“If that were to happen, can the North Korean Lazarus group build similar tooling? Can the Russian or Ukrainian hacker groups build something similar?” asked Amador. “The answer is that they can.”
Immunefi’s AI auditing agents outperform the majority of traditional auditing firms, but the same capabilities are within reach of well-funded hacking operations, he said.
“Auditing is great, but it’s not enough to keep up with the rate of innovation and the speed at which attackers improve, which compounds,” he said.
With more than 3% of total value locked stolen across the ecosystem in 2024, Amador said security is no longer an afterthought, but the industry “struggles to know how to invest and how to effectively allocate resources.”
He added that the industry has moved on: “It’s a matter of prioritization, and that’s great; it becomes a matter of knowledge and education.”
According to Amador, AI is making sophisticated social engineering attacks cheap and easy.
“How much do you think that call would cost?” he said, referring to AI-generated phishing calls that can imitate a colleague with unsettling accuracy. “You can do it for pennies using a well-thought-out system of prompts, and you can do it in a ton of ways. That’s the scary part of AI.”
The Immunefi CEO said groups such as Lazarus likely employ “at least hundreds, if not thousands” of people in crypto exploitation, which is a main source of revenue for North Korea’s economy.
The competitiveness created by North Korea’s annual revenue quotas drives operators to “outperform colleagues” rather than protect individual assets and coordinate security improvements, a SentinelLabs intelligence report found.
“The game with AI-driven attacks is to speed up how quickly something can be exploited after discovery,” Amador told Decrypt. “The only solution to protect against it is a faster solution.”
Immunefi’s answer has been to incorporate AI directly into developers’ GitHub repositories and CI/CD pipelines, catching vulnerabilities before the code reaches production. He expects this to reduce DeFi hacking within a year or two, potentially cutting incidents by a few more orders of magnitude.
Dmytro Matviiv, CEO of Web3 bug bounty platform HackenProof, told Decrypt that “manual audits always have a place, but their roles change.”
“AI tools are increasingly effective at catching ‘low-hanging fruit’ vulnerabilities, which reduces the need for large-scale manual reviews of common mistakes,” he said. “What remains is the subtle, context-dependent issues that require deep human expertise.”
To protect against AI-powered attacks, Immunefi has implemented a whitelist-only policy for all company resources and infrastructure, which Amador said has “arrested these spear phishing attempts very effectively.”
But this level of vigilance is not practical for most organizations, he said: “We are a company built on security and vigilance, so at Immunefi we can do it. Ordinary people can’t do that. They can’t live like that.”
Bug bounties hit a wall
Immunefi has passed $100 million in payouts, with stable monthly distributions to white hat hackers ranging from $1 million to $5 million. But Amador told Decrypt the platform may “reach the limit” because there are not “sufficient eyeballs” to provide the coverage needed across the industry.
According to Amador, it is not just the availability of researchers: bug bounties face an inherent zero-sum problem.
Researchers must reveal vulnerabilities to prove they exist, but lose all leverage after disclosure. Immunefi mitigates this by negotiating a comprehensive agreement that specifies everything before disclosure occurs, Amador said.
Meanwhile, Matviiv told Decrypt he doesn’t think “we’re close to exhausting a global pool of security talent,” noting that new researchers join the platform each year and quickly progress from simple findings to extremely complex vulnerabilities.
“The challenge is to make the space attractive enough from an incentive and community perspective for those new faces to stick.”
Bug bounties have likely reached a “zenith of efficiency” absent net new innovation that is not present in traditional bug bounty programs, Amador added.
The company is exploring hybrid AI solutions to give individual researchers greater leverage to audit more protocols at scale, but these remain in R&D.
“A diverse external community is always in the best position to discover edge cases that an automated system or internal team is missing,” said Matviiv, adding that bug bounties remain essential but that it is increasingly important to combine them with AI-powered scanning, monitoring and auditing in a “hybrid model.”
The biggest hacks don’t come from the code
Meanwhile, as smart contract audits and bug bounties have matured, the most devastating exploits are increasingly bypassing the code entirely.
The $1.4 billion Bybit hack earlier this year highlighted this shift, Amador said: attackers substituted a legitimate multisig transaction rather than exploiting a smart contract vulnerability.
“It wasn’t something that got caught up in an audit or a bug bounty,” he said. “It was a compromised internal infrastructure system.”
Amador said the industry was “not too hot” on multisig security, spear phishing, anti-scam countermeasures and community protection, despite improvements in traditional areas such as audits, CI/CD pipelines and bug bounties.
Immunefi launched a multisig security product that assigns elite white hat hackers to manually review all critical transactions before they execute. However, he acknowledged that it is a reactive measure rather than a preventive one.
This uneven progress explains why 2024 became the worst year for hacking despite improvements in code security. Amador said hacking losses follow a predictable mathematical distribution, and that a single large incident each year is a pattern rather than an anomaly.
“There’s always one big outlier,” he said. “And that’s not an outlier, it’s a pattern. There’s always one big hack in the year.”
While smart contract security is fairly mature, Matviiv said, “the next frontier is definitely around a broader attack surface, not just multisig wallet configuration, key management, phishing, governance attacks and ecosystem-level exploits.”
Effective security requires vulnerabilities to be caught as early as possible in the development process, Amador told Decrypt.
“Bug bounties are the second most expensive, and the most expensive one is the hack,” he said, describing a cost hierarchy that escalates dramatically at each stage.
“We’re catching bugs before they reach production and before they reach audits,” Amador added. “It never even gets to an audit. They don’t waste time on it.”
The severity of hacks remains high, but Amador said “the incidence rates are declining and the severity of most bugs is decreasing, so we’re catching these things earlier and earlier in the cycle.”
Asked about a single security measure that every Token2049 project should adopt, Amador called for a “unified security platform” that handles multiple attack vectors.
Fragmented security is a problem because it essentially forces each project to “do your own research” about products, limitations and workflows.
“We’re not yet able to handle trillions of assets. We’re not quite at primetime.”
