GetChain News
Immunefi

IMU
Active

Crypto bug bounty platform

Project Overview

Immunefi is a bug bounty platform focused on Web3 and smart contract security. They provide hosting, consultation, bug triaging, and program management services to blockchain and smart contract projects.

Immunefi CEO claims AI models lead to surge in crypto security vulnerabilities

Odaily reports that Mitchell Amador, CEO of bug bounty platform Immunefi, stated at the WAIB Summit that new AI models such as Claude Opus 4.8 and ChatGPT 5.5 are shifting the balance of cybersecurity offense and defense in favor of attackers, leading to a resurgence in crypto hacks in 2026. Data from DefiLlama shows that in April 2026, illicit actors stole over $634 million from crypto platforms, the highest monthly total since the Bybit hack in February 2025 drove losses of approximately $1.4 billion. Amador stated that the crypto industry is in a critical survival period for the next three to four years until security teams leverage similar AI models to build codebases that attackers cannot breach; if the industry adopts more crowd-sourced security solutions, this timeline could be shortened to within two years. The latest Claude Mythos model, Fable 5, from AI company Anthropic, previously raised concerns about accelerating the ability to exploit crypto vulnerabilities. Anthropic stated that Fable 5 has safeguards in place that will redirect topics related to cybersecurity and similar fields to Claude Opus 4.8. On April 19, an attacker transferred approximately 116,500 restaked Ethereum (rsETH) from Kelp DAO's LayerZero-based rsETH bridge, valued at around $290 million to $293 million at the time. Cross-chain protocol LayerZero stated that the 1/1 decentralized verification network configuration of Kelp DAO relied on a single verification path for processing cross-chain messages, creating a single point of failure. (Cointelegraph)

Immunefi: DeFi Attack Losses Down 74% from 2022 Peak, AI Accelerates Security Arms Race

Web3 security company Immunefi's latest "2026 Ecosystem Vulnerability Audit Report" shows that losses from DeFi protocol hacks have fallen 74% from a peak of $2.62 billion in 2022 to approximately $680.3 million in 2025. The report notes that the median loss per individual attack has also significantly decreased, from $6 million in 2022 to $1.5 million in 2025, reflecting an overall improvement in security standards. Meanwhile, the share of bridge exploits in total DeFi losses has dropped sharply from 73% in 2022 to 3% in 2025, and the proportion of flash loan attacks has fallen from 54% to less than 1%. The proportion of risks at the infrastructure level (such as private key leaks and database attacks) also decreased from 30.7% in 2022 to 10.3% in 2025. Immunefi stated that this reflects continuous optimization in oracle design, reentrancy attack protection, and access control standards, with the DeFi ecosystem "generally becoming safer." However, the report also notes that losses slightly rebounded to $680.3 million in 2025, primarily due to increased complexity in multi-chain systems and a few high-severity incidents. At the same time, the number of independent security incidents continues to rise, indicating the attack surface is still expanding. (The Block)

Aave Labs: Updates Bug Bounty Program, Core Aave V3 Maximum Reward Raised to $5 Million

According to official sources, Aave Labs has proposed restructuring the Aave DAO bug bounty framework into multiple specific subsystem programs, operating on the Immunefi, Sherlock, and Cantina platforms respectively. Core Aave V3, Core Aave V2, GHO, and non-liquidity protocol infrastructure will be covered by Immunefi; Aave V4 and the Aave App Stack will be covered by Sherlock; and Aave V3 on Aptos will be covered by Cantina. The proposal suggests adjusting the bounty scale for each system. The maximum reward for critical vulnerabilities in Core Aave V3 is $5 million, while the maximum reward for critical vulnerabilities in Aave V4 is $2.5 million. Additionally, the funding source for the Aave V3 bug bounty on Aptos will be transferred from Aave Labs to the Aave DAO. This ARFC proposal has now been passed.

Code4rena to Shut Down, Immunefi to Take Over Its Bug Bounty Clients

The smart contract auditing platform Code4rena has announced it will gradually cease operations. All ongoing audit contests and bug bounty programs will still be completed as normal. Web3 security platform Immunefi subsequently stated that it will collaborate with Code4rena to take over its bug bounty clients and security researchers, assisting in the migration of bounty scope, rules, and reward structures. Code4rena was known for its "competitive audit" model, allowing independent security researchers to earn rewards by discovering smart contract vulnerabilities. The platform secured $6 million in funding from Paradigm in 2023 and was acquired by blockchain security firm Zellic in 2024.

USDT0 Reveals Security Architecture Details: Implements 3/3 Verification Mechanism and Launches $6 Million Bug Bounty Program

Following the Kelp security incident, Tether's asset interoperability protocol USDT0 has disclosed details of its protocol security architecture. It stated that the system currently utilizes a proprietary DVN (Decentralized Verification Network) with message veto authority, and requires 3 independent validators, operating on different codebases, to reach a 3/3 consensus before cross-chain messages can be settled. The current verification nodes include the USDT0 proprietary DVN, LayerZero, and Canary, with future plans to expand to 4/4 and 5/5 verification mechanisms. USDT0 also stated that all multi-signature transactions must undergo multiple reviews by internal teams, external security teams, and auditing firms before signatures are submitted. The relevant contracts have been audited by firms such as Guardian and OpenZeppelin, and a $6 million bug bounty program has been launched on Immunefi.
