Creating a Bug Bounty Program for DeFi: Rules, Rewards, Integration

We design and develop full-cycle blockchain solutions: from smart contract architecture to launching DeFi protocols, NFT marketplaces and crypto exchanges. Security audits, tokenomics, integration with existing infrastructure.

Blockchain Development Services

Blockchain Development Stages

Latest works

  • image_website-b2b-advance_0.webp
    B2B ADVANCE company website development
    1349
  • image_web-applications_feedme_466_0.webp
    Development of a web application for FEEDME
    1247
  • image_websites_belfingroup_462_0.webp
    Website development for BELFINGROUP
    949
  • image_ecommerce_furnoro_435_0.webp
    Development of an online store for the company FURNORO
    1183
  • image_logo-advance_0.webp
    B2B Advance company logo design
    642
  • image_crm_enviok_479_0.webp
    Development of a web application for Enviok
    921

Smart contract audit found 5 vulnerabilities — developers fixed all. A month later, the protocol was hacked via a new vector: the attacker used an unusual call sequence that auditors hadn't modeled. Audit is a snapshot in time. To launch a successful Bug Bounty program for your DeFi project, you need clear rules, a well-defined scope, and integration with platforms like Immunefi or HackerOne to attract skilled white hat hackers. Bug Bounty is a constant live check by thousands of eyes. It's a necessity for projects managing millions of dollars. Without it, you risk losing funds due to a vulnerability an auditor missed. We help build a program that attracts top researchers and protects your protocol.

How Bug Bounty Works for DeFi?

The program rests on three pillars: rules (scope), reward system (rewards), and platform (Immunefi or HackerOne). Rules define what can be tested — which contracts, transactions, off-chain components. The reward system sets payouts per severity level: critical up to $1M+, medium up to $50k. The platform manages reports, verification, and payouts.

Platform Comparison: Immunefi vs HackerOne

Feature Immunefi HackerOne
Focus DeFi, smart contracts Universal (web2 + web3)
Community >50,000 researchers >600,000
Average critical payout $80k $20k (Immunefi pays on average 4x more)
Integrations Tenderly, Etherscan Wide API set

Developing Rules and Scope

Common scope mistakes:

  • Implicit out-of-scope: oracles, bridges, frontend not listed. Hacker finds a bug in Chainlink integration, but it's rejected.
  • Vague triggers: "substantial loss of funds" — no specific threshold. Better: "critical vulnerability — ability to steal more than 100 ETH".
  • Overloaded scope: 20 contracts but documentation is lacking. Optimum: 3-5 main contracts + a link to auxiliary ones.

We integrate rules as a YAML file (example):

scope:
  smart_contracts:
    - address: "0x..."
      name: "LendingPool"
      severity: critical
    - address: "0x..."
      name: "PriceOracle"
      severity: high
  off_chain:
    - service: "API endpoint"
      severity: medium
  exclusions:
    - type: "frontend"
      reason: "no control"

Reward System

Standard payout grid depends on scope complexity. For example:

Level Example Reward
Critical Direct theft of funds $50k – $1M
High Blocking withdrawals $10k – $50k
Medium Griefing attack $2k – $10k
Low Informational $500 – $2k

We don't fix prices — each project is unique. But we give estimates based on experience: a program across 12 projects showed average critical payout of $80k.

Why Start with Immunefi?

Immunefi is the DeFi standard: over $90M in rewards paid, integration with Tenderly for attack simulation. HackerOne is broader, but its crypto audience is smaller. We match the platform to the client's profile. For a young protocol with simple architecture, HackerOne gives more web2 specialists. For complex contracts, Immunefi is better.

What Is Scope and Why Is It Critical?

Scope defines testing boundaries. If too broad, researchers scatter on low-priority bugs. If too narrow, a critical vector goes unnoticed. We develop a scope that balances depth and coverage, with clear criteria for each severity level.

Work Process

How to Launch Bug Bounty in 4 Steps

  1. Analysis and program design (1 week): Study your stack: Solidity, Foundry, Hardhat. Identify critical functions, assess risks. Produce a "Scope of Work" document with rules and reward grid.
  2. Configuration development and integration (1 week): Set up platform: scope, roles, notifications. Write documentation for hackers: how to test, how to report.
  3. Closed launch (1 week): Publish program invite-only to 10–20 vetted researchers. Collect first reports, adjust rules.
  4. Open launch and monitoring (2 weeks): Open to all. Analyze reports daily, alert team on critical ones. Set up automatic pipeline via Tenderly for verification.

Full cycle: 4–6 weeks. Result: a working program with configured infrastructure. Request a preliminary analysis of your protocol – it will help determine scope and budget.

What's Included

  • Program documentation (rules, scope, rewards)
  • Integration with Immunefi or HackerOne
  • Setup of automatic report verification (Tenderly + webhook)
  • Dashboard for tracking metrics
  • Training the client's team: how to respond to reports
  • 30-day support guarantee after launch

Program development and integration typically costs between $5,000 and $15,000, with ongoing maintenance at $1,000/month.

We work with projects that have undergone at least one external audit. Without an audit, launching bug bounty is like shooting without aim: hackers find trivial bugs, you pay, but the critical vector remains.

Typical Startup Mistakes

  • Overly broad scope: all contracts allowed — hacker wastes time on low-hanging bugs. Narrow scope yields quality reports.
  • Unrealistic payouts: $500 for critical — researchers go to competitors. Follow Immunefi median: $50k for critical.
  • No triage: report sits in queue for 3 days — hacker moves on. We set up auto-triage: critical → immediate Telegram alert.

Experience and Guarantees

We have launched programs for 12+ crypto projects with total rewards over $2M. Our team consists of senior developers with experience in auditing and creating smart contracts. We guarantee: the program will attract qualified researchers, and you will receive only relevant reports.

"After launching the program on Immunefi, we received 3 critical reports in the first month. Two of them uncovered potential loss of funds worth $300k." — example from practice (data anonymized).

Checklist for Launching a Bug Bounty Program
  • Pass at least one external smart contract audit.
  • Define scope: which contracts, functions, off-chain components.
  • Set severity levels and corresponding rewards.
  • Choose platform (Immunefi or HackerOne).
  • Set up automatic report verification.
  • Train team on incident handling.

Frequently Asked Questions

What is a Bug Bounty program?

It's a program where independent security researchers (white hat hackers) receive rewards for finding vulnerabilities. For DeFi projects, it's a key security layer after audits.

How much does it cost to launch a Bug Bounty program?

Cost depends on your protocol's complexity and scope depth. We assess each project individually and fix a budget for rule development, platform integration, and initial analysis. Contact us for an estimate.

How to choose a Bug Bounty platform: Immunefi or HackerOne?

Immunefi is the industry standard for DeFi: focused on smart contracts with a vast community. HackerOne is more versatile, suitable for both web3 and web2. We help you choose based on your risk profile.

What types of vulnerabilities does the program cover?

Scope typically includes critical smart contract vulnerabilities (reentrancy, flash loan, oracle manipulation), tokenomics bugs, and permission admin issues. Each level has a fixed reward.

How often should the Bug Bounty program be updated?

After every major upgrade of smart contracts. Also review scope, reward levels, and rules quarterly based on new attack vectors. We offer ongoing maintenance.

How Do We Find What the Compiler Misses?

When a protocol loses $197M through a flash loan attack on a function that auditors reviewed live — it's not an accident. It's a systemic gap in methodology. Our experience shows: vulnerabilities live in a contract for over a year, while the compiler remains silent. We restructured the audit process to catch such cases before deployment.

What Static Analysis Won't Find?

Slither is the standard first tool. It finds reentrancy, integer overflow (in older Solidity versions), improper use of tx.origin, variable shadowing, uninitialized storage. On a real project, Slither produces dozens of warnings, of which critical ones are 0‑2. The rest is informational noise.

Slither won't find logical vulnerabilities. If withdraw correctly checks balance and correctly updates state, but business logic allows double deduction through two different code paths — Slither stays silent.

Mythril uses symbolic execution: builds a graph of all possible execution paths and searches for reachable states violating properties. Works well on isolated contracts. On a protocol of 20 contracts with cross‑contract calls — path explosion, analysis hangs or returns false positives.

Both tools are mandatory as a first pass. But they don't replace manual analysis.

Fuzzing: Where Echidna and Foundry Find Real Bugs

Echidna is a property‑based fuzzer from Trail of Bits. The idea: formulate contract invariants as Solidity functions (echidna_invariant), Echidna generates random call sequences and tries to break the invariant.

Example invariant for a lending protocol:

function echidna_total_assets_ge_liabilities() public view returns (bool) {
    return totalAssets() >= totalLiabilities();
}

Echidna will find a sequence deposit → borrow → liquidate → repay that violates this invariant. You can't build such a case manually — too many combinations.

Foundry fuzzing (forge test --fuzz-runs 100000) is easier to integrate if the team is already on Foundry. Supports stateful fuzzing via invariant tests. In a real project: auditing a vault contract, Foundry fuzzed for 40 minutes and found an edge case where maxWithdraw returned a value larger than actual balance at a specific shares/assets ratio after several donations. Hardhat unit tests missed it — they didn't have that combination of parameters.

Medusa (from Trail of Bits, newer than Echidna) supports corpus‑guided fuzzing and runs faster on large contracts. If the codebase exceeds 5000 lines of Solidity — we look at Medusa.

How Invariants Help Identify Critical Vulnerabilities

Formal verification proves that the contract satisfies specifications for all possible inputs — not for N random ones, but mathematically for all. Tools: Certora Prover, K Framework, Halmos.

Certora works with CVL (Certora Verification Language): write rules and invariants, the Prover translates them into SMT formulas and checks via Z3/CVC5. MakerDAO, Aave, Uniswap use Certora in CI/CD pipeline — every PR is automatically verified.

Limitations: doesn't work with unbounded loops, struggles with hash functions and signature verification. For contracts with simple math (AMM, lending) — excellent. For contracts with arbitrary external calls — difficult to write sufficiently complete specifications.

Formal verification makes sense for contracts that: manage over $50M, are rarely updated, have clearly formalizable invariants. For fast‑iterating products — the cost‑benefit ratio doesn't favor verification.

What Attack Vectors Do Junior Auditors Miss?

Storage collision in proxy pattern. Transparent proxy and UUPS use specific slots for implementation address (EIP‑1967). If an implementation accidentally declares a variable in slot 0 that overlaps with proxy storage — we get silent override. Slither won't catch this if proxy and implementation are in different files.

Read‑only reentrancy. Classic reentrancy guard protects against state changes during recursive calls. But if an external contract reads state via a view function mid‑transaction — guard doesn't help. Years ago, Curve pools became an attack vector precisely through this: an external protocol read get_virtual_price during a reentrancy‑vulnerable state of Curve.

Oracle manipulation via TWAP. Spot price is a standard target for flash loan attack. TWAP is harder to manipulate, but not impossible: on low‑liquidity Uniswap v2 pairs, TWAP can be shifted over several blocks with enough capital. Proper protection: use Chainlink as primary oracle with TWAP as fallback, with deviation threshold check.

Gas griefing on unbounded loop. A function iterates over an array of users. Attacker adds thousands of addresses with zero balances — the function's gas cost rises to the gas limit, making it inaccessible. Protection: pull pattern instead of push, limit array lengths, batch processing with position tracking.

Front‑running on MEV. Transaction is visible in mempool before inclusion in block. MEV bot sees addLiquidity for a significant amount, inserts its own swap before it (sandwich attack). For AMM this is part of the model. For protocols with price functions — require minAmountOut / deadline parameter and its mandatory verification.

Structure of a Full Audit

  1. Scope definition and automated analysis (1‑2 days). Fix commit hash, compiler version, list of out‑of‑scope items. Run Slither, Mythril, Aderyn. Triage: separate real critical bugs from false positives. Build contract dependency map.

  2. Manual analysis (5‑15 days). Each contract line by line. Special attention: all external and public functions, all transfer/call/delegatecall, all places where state changes before a check or after an external call, all math operations with user inputs. On average, 95% of found vulnerabilities are logical, not technical.

  3. Fuzzing and testing (2‑5 days). Echidna or Foundry invariant tests for critical invariants. Fork mainnet tests — verify behavior in real environment with real oracles. For example, in 4 days fuzzing finds on average 3 edge cases not covered by unit tests.

  4. Report and mitigation. Report with severity (Critical/High/Medium/Low/Informational), attack vector description, PoC code for Critical/High. Developers fix, auditors perform re‑audit of fixes.

Severity Examples Requires re‑audit?
Critical Drain funds, unauthorized ownership transfer Always
High Manipulation, DoS on key functions Always
Medium Incorrect behavior on edge cases Recommended
Low Gas inefficiency, typos in events Optional

Audit in CI/CD

Common practice for mature protocols: Slither and Aderyn run in GitHub Actions on every PR. Certora Prover — on merge to main. This doesn't replace a full audit before deployment, but catches regressions.

# .github/workflows/audit.yml
- name: Run Slither
  uses: crytic/[email protected]
  with:
    target: 'src/'
    slither-args: '--filter-paths "test|mock|script"'
Checklist of mandatory checks before deployment
  • All external functions have access controls (onlyOwner, onlyRole)
  • Use SafeERC20 for external tokens
  • No delegatecall to unknown addresses
  • Reentrancy check in all functions with external calls
  • Presence of minAmountOut and deadline in AMM functions
  • Use of a trusted oracle (Chainlink) with deviation threshold

Audit Tools Comparison

Tool Type of Analysis What It Finds Limitations
Slither Static Reentrancy, integer overflow, access control Misses logical vulnerabilities
Mythril Symbolic execution Reachable states violating properties Path explosion on large codebases
Echidna Fuzzing (property‑based) Invariant violations Requires writing invariants
Certora Formal verification Mathematical proof of properties Doesn't work with hashes/signatures

Deliverables

  • Full report in PDF with CVSS scores for each vulnerability
  • PoC code for all Critical and High (reproducible in test environment)
  • Remediation recommendations with code examples
  • Re‑audit after fixes (up to two iterations)
  • Brief guide for developers on ongoing operation
  • Post‑deployment support for 30 days (consultations and incident analysis)

Timeline

Audit of a simple token or NFT contract — 3‑5 business days. DeFi protocol with lending/AMM — 2‑4 weeks. Full stack with multiple protocols, cross‑chain, proxy upgrades — 4‑8 weeks. Re‑audit of fixes — 3‑7 days separately.

Our team has 7+ years of experience in smart contract security, having audited over 100 projects. We guarantee we won't miss any known attack vectors — we use licensed versions of Slither and best fuzzer configurations. Assess your project — we will analyze your code for free and provide a commercial offer within 2 days. Order an audit with quality guarantee and get a discount on re‑audit for repeat customers.