Ethereum remains whitehat hackers' blockchain of choice, with Polygon, Arbitrum, Optimism and Solana on the rise: Immunefi

Theblock

Despite a drop in interest compared to 2023, Ethereum remains the blockchain of choice for crypto whitehat hackers, with Polygon, Arbitrum, Optimism and Solana gaining traction.

That’s according to a breakdown of the ethical hacker ecosystem compiled by the bug bounty and security services platform Immunefi in its 2024 report, aimed at mapping the interests, challenges and opportunities of whitehats in web3. But money isn’t everything, with respondents also motivated by solving the technical challenges of decentralized applications and generating career opportunities.

Ethereum remained a strong preference among whitehats, with 87% of respondents attracted to the blockchain, down from 94% in 2023. Polygon pushed Solana out of second place, rising to 59% interest, though Solana also gained in percentage terms from 32% in 2023 to 42% in 2024 and remains the fifth most preferred network by whitehats.

The relatively newer Arbitrum and Optimism Ethereum Layer 2s rose to take third and fourth place, with 47% and 45% of respondents interested in the chains, respectively. BNB Chain, Base, Avalanche, Cosmos and Tezos were also high on the whitehats' radar, though Near, Polkadot and Fantom have fallen out of favor since 2023.

Whitehat blockchain preferences. Image: Immunefi.

Most whitehats (58%) said they did not incorporate increasingly available AI tools into their security practices, though 42% confirmed they use services such as ChatGPT, Gemini, Olympia Chat, CensysGPT, Codeium, Blackbox AI and Claude to assist with smart contract auditing and other security assessments. However, only 4% of respondents were extremely confident in the ability of AI tools to easily identify vulnerabilities.

Improper input validation, meaning an application does not adequately validate an input it receives, became the most common exploit vulnerability identified by the whitehat hackers this year, rising significantly from 9% to 47%.

Those vulnerabilities replaced reentrancy attacks (enabling malicious parties to repeatedly drain funds from smart contracts by exploiting the code execution order), which fell to 16% compared to 43% in 2023. Incorrect calculations and weak access control were identified as the second and third most common vulnerabilities this year at 35% and 32%, respectively.

Most whitehats (74%) saw the attack surfaces in crypto growing. This has fallen slightly compared to 2023, however, and the majority (88%) also agreed that projects’ security measures were improving.

The biggest threats across the web3 sector remain vulnerability exploitation (63%), phishing and social engineering (57%), insider threats (47%), third-party software exploitation (25%) and nation-state actors (23%), Immunefi said.

Bounty size was again cited as the main factor (61%) for whitehats when selecting bounty programs, though this fell from 66% in 2023. Scope, trust in the brand and efficient communication were also highly valued.

Immunefi claims to operate the largest blockchain security community with over 45,000 researchers, saving more than $25 billion in user funds across protocols like Polygon, Optimism, Chainlink, The Graph, Synthetix and Sky (formerly MakerDAO) from being stolen.

The firm has paid out more than $100 million in ethical hacker and researcher bounties over the past three years, with $183 million in bounty rewards currently available on its platform. The highest white hat hacker bounty facilitated by Immunefi was a $10 million award for a vulnerability discovered in Wormhole’s cross-chain protocol.

Nevertheless, more than $1.3 billion has been stolen via hacks and fraud year-to-date, down by 4% compared with the same period last year, per Immunefi data.

When asked about the biggest challenges encountered, most respondents highlighted the steep learning curve required regardless of their previous background, crafting the actual vulnerability reports and a lack of educational resources. Difficult interactions with projects were another pain point, along with the complexity of reviewing code.

The largest group of whitehats (46%) falls into the 20-to-29-year-old age bracket, down from 54% in the previous period. Thirty percent of respondents are between 30 and 39, up from 21% in 2023, and 11% are between 40 and 49, down from 12%.

Despite an increasing number of women joining the ethical hacker community, male whitehats still make up the largest share at 88%, down from 96% in 2023. The largest group (40%) is based in Asia, with 34% in Europe and just 13% in North America, according to Immunefi.

The majority of respondents have worked in crypto for over three years, and 63% now consider hacking their primary job, up from 56% in the previous period. Outside of the financial incentive (77%), interest in solving technical challenges (71%), career opportunities (51%) and community (28%) were also cited as strong motivating factors.

“We're observing that security researchers are increasingly drawn to financial and career opportunities while seeking technical challenges,” Immunefi founder and CEO Mitchell Amador said. “With over half of security researchers already hacking as their main job, we must provide them with the right environment to thrive and also welcome the next generation. They will continue to be the backbone of the ecosystem, as they protect crypto from threats and vulnerabilities.”

Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry. Here are our current financial disclosures.

© 2024 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
