How Crypto and Blockchain Organizations Manage Complex Attack Surfaces With Competitive Security Testing Programs


Three factors set crypto and blockchain organizations apart from other industries: the volume of valid vulnerabilities they receive, their most common vulnerability type, and how much they spend on bug bounty rewards.

  1. Valid vulnerabilities: The number of valid vulnerabilities reported to crypto and blockchain organizations grew far faster than the cross-industry average, but the share of those vulnerabilities rated high or critical severity fell.
  2. Most common vulnerabilities: The most common vulnerability types are fairly consistent across most industries, yet web3's most common type, business logic errors, ranks among the least common for every other industry.
  3. Bounty spend: Bounty spend by crypto and blockchain organizations exceeds the cross-industry average at every severity level.

Which vulnerabilities most plague crypto and blockchain organizations? Why do these companies significantly outpay other industries in bounty rewards? How are web3 organizations engaging with security researchers to secure their assets? Let’s analyze the data.

How Many Vulnerability Reports Do Crypto and Blockchain Organizations Get?

Despite investment in security and industry calls for better security practices earlier in the software development life cycle (SDLC), vulnerability reports keep rising year over year. While valid vulnerabilities on the HackerOne Platform grew 12% across industries over the past year, crypto and blockchain saw a 147% increase.

The picture for high- and critical-severity reports is different, however: 24% of the industry's vulnerabilities are rated high or critical, a share that is down 35% from 2023.

The decrease in the proportion of higher-severity reports in web3 is likely tied to the growth in the number of security researchers submitting to web3 programs (up 67%). Crypto organizations have made a concerted effort to engage the researcher community, and more researchers mean more reports of low-hanging fruit, which dilutes the share of severe findings without necessarily reducing their absolute number. Organizations in crypto and blockchain are working to cut vulnerability reports by identifying trends and catching bugs earlier in development, but we still expect report volume to keep rising as more organizations invest in security testing.

Web3’s Most Common Vulnerability: Business Logic Error

Most industries continue to see the same common vulnerability classes, such as cross-site scripting, reported again and again. Crypto and blockchain are the exception. Their standout outlier is the rate of business logic errors relative to the cross-industry average: business logic errors account for only 2% of reports across industries but 10% of web3 reports. The gap in spend is even wider. Across industries, business logic errors consume 4% of bounty spend on average, while web3 organizations spend 45% of their bounty budget on them.

Why? Crypto and blockchain organizations run complex, experimental business models on top of intricate transaction mechanisms, and it is hard to anticipate every edge case or unintended-but-valid sequence of operations that a user can execute against them.

Smart contracts are a prime example. They run on the blockchain, execute automatically, and their code and every interaction with them are visible to anyone. Once deployed, they are also immutable: a logic flaw in the deployed code cannot be patched in place, so fixing it means deploying a replacement contract (or relying on an upgrade mechanism that was built in beforehand) and migrating state. Because these flaws can translate directly into financial loss, they are prime targets for bug bounty hunters.

“People can see every interaction that takes place in a smart contract. They have a lot of complexity, which greatly increases the attack surface for business logic issues.”

Dane Sherrets
Staff Innovations Architect, Emerging Technologies, HackerOne

[Figure: Top ten vulnerabilities for crypto and blockchain organizations]

How Much Do Crypto and Blockchain Organizations Pay for a Bug?

Average bounty payouts for web3 organizations have risen sharply over the last year, reaching nearly $70,000 in 2024. The stark difference between bounty rewards in cryptocurrency and blockchain and those in every other industry follows directly from the amount of money at risk. When hundreds of millions of dollars are on the line, you need to incentivize the best researchers in the world to secure your systems, and cryptocurrency organizations are doing so by paying bounties 182% higher than the cross-industry average.

“If you have $100 million at risk, you want to incentivize the best researchers in the world to help secure it. If I’m a security researcher capable of finding bugs that would let me steal $100 million, it would be dangerous to only offer $5,000 to report that vulnerability.”

Dane Sherrets
Staff Innovations Architect, Emerging Technologies, HackerOne

Bounties are even more competitive for high- and critical-severity vulnerabilities. The average bounty for a high or critical vulnerability in crypto and blockchain organizations is $133,700, 190% higher than the cross-industry average.

With so much money and sensitive data at risk in this sector, competitive rewards for the most severe findings are essential: high and critical vulnerabilities still make up 24% of reports for crypto and blockchain organizations.

Bounty Budget Recommendations for Crypto and Blockchain Organizations

  • Make a strong business case for your budget that speaks to the priorities of your stakeholders and board members. Check out the Measuring Success section of the full Hacker-Powered Security Report to see how the most security-resilient organizations are making the financial case for their bounty budgets using a return on mitigation (ROM) approach.

  • Take a tiered-award approach, with bounty awards weighted by asset type. Bounty award amounts can be adjusted to incentivize testing on your most critical assets, as well as assets that may require a more unique skill set.

  • For cryptocurrency and blockchain organizations already paying above-average bounties, focus on impact statements to attract the best researchers. Be specific: “We pay $X for vulnerabilities that could result in A, B, or C consequences.” Crypto.com, for example, generally categorizes reports with “Extreme” severity as vulnerabilities that could result in an “immediate loss of over $1 million in funds to Crypto.com or our users, or that could dump customer PII en masse.”

Want to learn more about the intricacies of crypto and blockchain security and see how your organization compares to your industry peers? Download the 8th Annual Hacker-Powered Security Report: Technology Edition for more web3 data, researcher insights, and customer advice.
