Raydium Tick Manipulation Bugfix Review
Medium | Immunefi
by Immunefi
1w ago
Summary A critical vulnerability was identified and reported by whitehat @riproprip in the Raydium protocol on January 10, 2024. This vulnerability, found in the increase_liquidity.rs function, allowed an attacker to exploit the liquidity management functionality of the automated market maker (AMM) to drain funds from liquidity pools. A bounty of $505,000 in RAY tokens was awarded to the whitehat for this discovery. Raydium, an AMM built on the Solana blockchain, quickly addressed and resolved the issue. What is Raydium? Raydium is an AMM with an integrated central order book sys ..read more
Firedancer v0.1 Launches a $1m Boost on Immunefi!
Medium | Immunefi
by ImmunefiEditor3
2w ago
We’re excited to announce the launch of the Firedancer v0.1 Boost on Immunefi. Firedancer v0.1, a new validator client for Solana, is opening the gates to security researchers to find and submit vulnerabilities in its extensive codebase. The contest offers rewards of up to $1,000,000 for finding critical vulnerabilities in the codebase, which is approximately 200,000 lines of nSLOC. We will be hosting a live technical walkthrough with the Firedancer v0.1 team. This walkthrough will provide valuable insights into the Firedancer v0.1 codebase, helping to make your hunt successful. Hunting ..read more
Shardeum Launches $500,000 and $200,000 Boosts on Immunefi
Medium | Immunefi
by ImmunefiEditor3
2w ago
Shardeum, the EVM-based autoscaling Layer 1 blockchain has launched two Boosts on Immunefi to help secure their codebase. Shardeum has ambitious plans — aspiring to be a chain capable of onboarding over a billion people to the blockchain. Their platform is open, collaborative, and community-driven — and aims to democratize accessibility to decentralization. Shardeum is offering two tiers of Boosts on Immunefi: Core and Ancillaries. The Core Boost offers rewards of up to $500,000 for critical vulnerabilities identified in its blockchain/DLT codebase. This code is largely written in TypeScript ..read more
Immunefi Contest Rewards Calculator
Medium | Immunefi
by Immunefi
2w ago
You’ve heard about Immunefi’s new Boosts, Invite-Only programs, and Attackathons. But how much will you earn from bug hunting on them? You’ve asked and we’ve answered with Immunefi’s V.1 Contest Rewards Calculator. This version, a simplification of the actual calculator, allows you to approximate the rewards you can earn by hunting on an Immunefi contest without the hassle of creating the whole dataset. Make a copy, play around with it, show us the potential ROI you can have! Here’s a few examples based on the Fuel Attackathon and a 4 minute video guide through it. Example #1 ..read more
Where You’ll Get the Best ROI Bughunting on Fuel’s $1.3 Million Attackathon
Medium | Immunefi
by Immunefi
3w ago
How do you bughunt on a codebase with 100,000+ lines of code? You’re not alone in wondering this. Many security researchers have said they felt overwhelmed when considering the Fuel Attackathon. For only 5 weeks, this is a lot of code to review. Would your ROI (return-on-investment for your time) even be worth it? With these intimidating questions in mind, some have simply opted-out of hunting on Fuel — missing out on the most profitable audit contest of the year, even for part-time Solidity-only auditors. To understand the ROI of hunting on the Fuel Attackathon, you need to view it as s ..read more
Immunefi Surpasses $100 Million in Whitehat Rewards: A Milestone in Web3 Security
Medium | Immunefi
by ImmunefiEditor3
1M ago
Immunefi Surpasses $100m Paid to Whitehats At Immunefi, our dedication to on-chain security remains steadfast. Today, we are excited to share a monumental achievement that underscores our commitment to protecting the web3 ecosystem: Immunefi has surpassed $100 million in rewards paid to whitehat hackers. Here’s what our CEO, Mitchell Amador, had to say: https://medium.com/media/d10678615ae6fddba199c51ccb1092fb/href This milestone is not just a significant achievement for Immunefi, but also a testament to the vibrant and growing web3 security community. In just over three years, Immun ..read more
Alchemix Access Control Issue Bugfix Review
Medium | Immunefi
by Immunefi Editor
1M ago
Summary On September 23, 2023, the security researcher Koiush submitted a high vulnerability to Alchemix via Immunefi, which consisted of improper configuration of access control for harvesting of yield. At the time of the submission, the vulnerability would have allowed an attacker to steal yield generated during harvesting in rETH, stETH, and FraxETH pools. After receiving Koiush’s report, the bug was quickly neutralized by Alchemix’s team with no impact to user funds. Alchemix promptly awarded a bounty of 1,000 ALCX ($28,730) to Koiush for this finding. Immunefi is pleased to ..read more
Fuel and Immunefi Join Forces to Launch $1.3M
Medium | Immunefi
by Immunefi Editor 2
2M ago
Fuel and Immunefi Join Forces to Launch $1.3M Attackathon: The Largest Crowdsourced Security Audit in Web3 In a monumental collaboration, Fuel, the operating system tailored for Ethereum rollups, has announced a strategic partnership with Immunefi, Web3’s premier crowdsourced security platform. This partnership heralds the launch of an Attackathon program that will be the largest audit contest in history. The Fuel Attackathon program will have a total reward pool of $1.3M. This program will start with a $1M open contest focused on the Fuel code base followed by a $300K reward pool f ..read more
Floki Ecosystem Has Launched a $50,000 Bug Bounty Program on Immunefi
Medium | Immunefi
by Immunefi Editor
2M ago
Exciting news! The Floki Ecosystem recently launched a bug bounty program on Immunefi, and they’re offering up to $50,000 for critical bugs! The Floki Ecosystem is an innovative protocol offering a 3D NFT Metaverse, DeFi utilities, a crypto education platform, NFTs, a merchandise store, and more. The token linked to the project, FLOKI, is designed to work across multiple blockchains, including Ethereum and BNB Chain, as it meets the requirements of both ERC-20 and BEP-20 standards. FLOKI tokens are capable of being transferred between these chains, allowing FLOKI holders the flexibility ..read more
The Graph Rounding Error Bugfix Review
Medium | Immunefi
by Immunefi Editor
2M ago
On January 7 and January 24th, 2024, whitehat @GregadETH submitted High and Critical vulnerabilities in the Graph ecosystem, which consisted of 2 rounding errors that had the potential to result in the loss of user funds or unclaimed yield. The Graph quickly patched the issue, and paid out a bounty total of $290,497 to the whitehat. The Graph overview The Graph considers itself a “decentralized indexing protocol”. What does this mean? It enables mainly developers to access and query data across different blockchains using its “subgraphs”, which are APIs. As with other decentralized proto ..read more