Despite a drop in interest compared to 2023, Ethereum remains the blockchain of choice for crypto whitehat hackers, with Polygon, Arbitrum, Optimism and Solana gaining traction.

That’s according to a breakdown of the ethical hacker ecosystem compiled by the bug bounty and security services platform Immunefi in its 2024 report, aimed at mapping the interests, challenges and opportunities of whitehats in web3. But money isn’t everything, with respondents also motivated by solving the technical challenges of decentralized applications and generating career opportunities.

Blockchain and technology preferences
Ethereum remained a strong preference among whitehats, with 87% of respondents attracted to the blockchain, down from 94% in 2023. Polygon pushed Solana out of second place, rising to 59% interest, though Solana also gained in percentage terms from 32% in 2023 to 42% in 2024 and remains the fifth most preferred network by whitehats.

The relatively newer Arbitrum and Optimism Ethereum Layer 2s rose to take third and fourth place, with 47% and 45% of respondents interested in the chains, respectively. BNB Chain, Base, Avalanche, Cosmos and Tezos were also high on the whitehats’ radar, though Near, Polkadot and Fantom have fallen out of favor since 2023.

Most whitehats (58%) said they did not incorporate increasingly available AI tools into their security practices, though 42% confirmed they use services such as ChatGPT, Gemini, Olympia Chat, CensysGPT, Codeium, Blackbox AI and Claude to assist with smart contract auditing and other security assessments. However, only 4% of respondents were extremely confident in the ability of AI tools to easily identify vulnerabilities.

Most common attack vectors
Improper input validation, meaning an application does not adequately validate an input it receives, became the most common exploit vulnerability identified by the whitehat hackers this year, rising significantly from 9% to 47%.

Those vulnerabilities replaced reentrancy attacks (enabling malicious parties to repeatedly drain funds from smart contracts by exploiting the code execution order), which fell to 16% compared to 43% in 2023. Incorrect calculations and weak access control were identified as the second and third most common vulnerabilities this year at 35% and 32%, respectively.

Most whitehats (74%) saw the attack surfaces in crypto growing. This has fallen slightly compared to 2023, however, and the majority (88%) also agreed that projects’ security measures were improving.

The biggest threats across the web3 sector remain vulnerability exploitation (63%), phishing and social engineering (57%), insider threats (47%), third-party software exploitation (25%) and nation-state actors (23%), Immunefi said.

Bug bounty reward incentives and challenges
Bounty size was again cited as the main factor (61%) for whitehats when selecting bounty programs, though this fell from 66% in 2023. Scope, trust in the brand and efficient communication were also highly valued.

Immunefi claims to operate the largest blockchain security community with over 45,000 researchers, saving more than $25 billion in user funds across protocols like Polygon, Optimism, Chainlink, The Graph, Synthetix and Sky (formerly MakerDAO) from being stolen.

The firm has paid out more than $100 million in ethical hacker and researcher bounties over the past three years, with $183 million in bounty rewards currently available on its platform. The highest white hat hacker bounty facilitated by Immunefi was a $10 million award for a vulnerability discovered in Wormhole’s cross-chain protocol.

Nevertheless, more than $1.3 billion has been stolen via hacks and fraud year-to-date, down by 4% compared with the same period last year, per Immunefi data.

When asked about the biggest challenges encountered, most respondents highlighted the steep learning curve required regardless of their previous background, crafting the actual vulnerability reports and a lack of educational resources. Difficult interactions with projects were another pain point, along with the complexity of reviewing code.

The largest group of whitehats (46%) falls into the 20 to 29-year-old age bracket, down from 54% in the previous period. Thirty percent of respondents are between 30 and 39, up from 21% in 2023, and 11% are between 40 and 49, down from 12%.

Despite an increasing number of women joining the ethical hacker community, male whitehats still make up the largest share at 88%, down from 96% in 2023. The largest group (40%) is based in Asia, with 34% in Europe and just 13% in North America, according to Immunefi.

The majority of respondents have worked in crypto for over three years, and 63% now consider hacking their primary job, up from 56% in the previous period. Outside of the financial incentive (77%), interest in solving technical challenges (71%), career opportunities (51%) and community (28%) were also cited as strong motivating factors.

“We’re observing that security researchers are increasingly drawn to financial and career opportunities while seeking technical challenges,” Immunefi founder and CEO Mitchell Amador said. “With over half of security researchers already hacking as their main job, we must provide them with the right environment to thrive and also welcome the next generation. They will continue to be the backbone of the ecosystem, as they protect crypto from threats and vulnerabilities.”
