LayerZero Labs has launched a bug bounty on the Immunefi platform that offers a maximum reward of $15 million for critical smart contract and blockchain vulnerabilities, a figure that sets a new record in the crypto space.
Bug bounty programs are initiatives launched by businesses and software developers to reward security researchers for identifying and reporting bugs in their platforms.
Their objective is to incentivize ethical “white-hat” hackers to discover unknown security vulnerabilities impacting their products so they can be fixed before malicious actors exploit them in attacks.
LayerZero Labs is the creator of the LayerZero blockchain messaging protocol that enables secure communication across 30 different blockchains.
Since its launch in March 2022, LayerZero has facilitated the exchange of 10 million messages and is currently valued at $3 billion.
Through the launch of the largest bug bounty program in history, LayerZero Labs aims to showcase its commitment to security and inspire trust in its communication protocol.
The LayerZero bug bounty program will distribute rewards to security researchers based on the severity level of their findings and the impacted blockchains.
Exploits that result in the permanent locking, loss, or theft of user funds, and attacks that result in permanent denial of service (DoS), will be considered critical-severity findings.
Governance voting result manipulation and modification of LayerZero default settings will be considered high-severity issues.
Attacks that bring no profit to the attacker but still cause harm to the users of the LayerZero protocol will be classified as medium-severity findings.
Figure: Defined scope of the program (Immunefi)
The highest-paying category is Group 1, which covers critical bugs impacting Ethereum, BNB Chain, Avalanche, Polygon, Arbitrum, Optimism, and Fantom.
- Findings concerning critical vulnerabilities on Group 1 pay between $250,000 and $15,000,000.
- High-severity flaws have payouts between $25,000 and $250,000.
- Medium-severity vulnerabilities will pay between $10,000 and $25,000.
- Low-severity issues have the still notable payout range of $1,000 to $10,000.
For Group 2, which concerns all other blockchains supported by LayerZero, the maximum payout is $1,500,000 for critical findings, $25,000 for high-severity, $10,000 for medium, and $5,000 for low-impact flaws.
Figure: Payout tiers (Immunefi)
All payouts will be handled directly by LayerZero Labs and made in fiat USD via wire transfer or in USDC, USDT, and BUSD.
A proof-of-concept (PoC) example to demonstrate the practical feasibility of the attack will be required for a submission to be considered valid.
Furthermore, to receive a reward, bug bounty hunters must go through KYC and pass an OFAC screening to confirm they are not on the Office of Foreign Assets Control’s Specially Designated Nationals List.