Nearly Every Long-Running Bug Bounty Program on Immunefi Has Found a Critical Bug
Five years of Immunefi data shows that 93.9% of bug bounty programs running 5+ years have surfaced a confirmed critical vulnerability. Bugs are inevitable.
An Immunefi research report on five years of confirmed vulnerability data across 593 bug bounty programs, and what it reveals about the inevitability of critical bugs in production crypto code.

Key findings
- 93.9% of bug bounty programs active five years or longer on Immunefi have logged at least one confirmed, paid critical severity disclosure. Time, not luck, drives the rate toward certainty.
- Roughly one in five confirmed Immunefi reports is rated critical. Of the 364 programs that have surfaced at least one critical, the average sits at 2.7 confirmed criticals per program.
- Around 70% of active programs disclose at least one high or critical bug per calendar year. The rate has been remarkably stable across five complete years, across market cycles, and across architectural categories.
- The economic case is one-sided. A median bounty payout for a critical sits at $20,000. The Amador's Hack Impact Estimate puts the cost of an exploit at roughly $25 million in direct theft, a 61% six-month token decline, an 84% probability of no recovery, and a minimum of three months of lost organizational output.
The conviction every protocol shares
Walk into any protocol team and the underlying assumption is identical: the codebase has been audited, the code is solid, and a critical vulnerability is the sort of thing that happens to someone else.
Five years of platform data from Immunefi tells a different story. Paired with what is now documented about the real cost of getting hacked, continuous security coverage stops looking like an option and starts looking like arithmetic.
This analysis draws on confirmed and paid vulnerability reports across 593 bug bounty programs on Immunefi, covering January 2021 through February 2026. Audit competitions and attackathons were filtered out so the focus stays on ongoing, persistent bug bounty programs, the kind of coverage that runs continuously month over month and year over year.
The findings leave little room for interpretation.
Critical findings are a matter of time, not chance
Out of the bug bounty programs that have been live on Immunefi for five years or more, 93.9% have received at least one confirmed, paid critical severity disclosure. Not a hypothetical exposure. Not a low-severity informational note. A real critical, the kind that translates into drained funds or full protocol compromise.
The directional trend is monotonic and impossible to miss. The longer a program runs, the closer the critical rate climbs toward 100%:
- 1+ years active: 61.4% of programs have surfaced a critical
- 2+ years: 73.9%
- 3+ years: 87.2%
- 4+ years: 92.9%
- 5+ years: 93.9%
These programs did not open bounties because problems were already suspected. The pattern is what happens when complex, high-value code is exposed to sustained adversarial scrutiny. At this level of system complexity, criticals are an inherent property of the code itself. Open the doors to the global security research community, and over time, they will surface.
Criticals are a recurring event, not a single disclosure
One of the more surprising findings: a critical disclosure is rarely a once-and-done event for a program. Of the 364 programs that have surfaced at least one critical, the average is 2.7 confirmed criticals per program, with a median of 2. The top program in the dataset has accumulated 50 confirmed critical reports over its lifetime.
More importantly, 129 programs, well over a third of those with any critical, have seen critical severity bugs disclosed in two or more distinct calendar years. As new code lands, fresh attack surface comes with it, and new vulnerabilities are introduced in lockstep.
That dynamic lines up directly with what Immunefi documented in The Real Cost of an Onchain Hack: 2024-2025 Update. That study covered 425 hacks over five years and found that exploit frequency has not actually fallen. It has flattened into a persistent, elevated baseline of roughly 95 incidents per year. Bugs continue to appear because the code continues to change. The only variable is whether the next one is found by a researcher or by an attacker.
Annual critical disclosure rates are remarkably stable
In any given calendar year, about half of all active bug bounty programs on Immunefi surface at least one critical vulnerability. That figure has barely moved across five complete calendar years, regardless of macro conditions, regardless of where the market sat in its cycle, and regardless of the architectural choices behind individual protocols.

The stability itself is the finding. The base rate is not being skewed upward by a small group of poorly engineered protocols. It reflects a structural property of every blockchain software project once skilled researchers are looking at it continuously. That is the steady state of the industry, and the data offers no indication that it will change anytime soon.
Widen the lens to high severity, and the picture turns near-universal
Folding high severity findings in alongside criticals sharpens the result considerably: in any given calendar year, roughly 70% of Immunefi bug bounty programs surface at least one high or critical vulnerability. Put differently: seven out of ten programs are within striking distance of being pwned every single year.
The 30% that don't show a high or critical in a given year are mostly newer programs that have not yet accumulated enough live time or researcher attention. Extrapolated against the rest of the dataset, the trajectory suggests every program eventually surfaces a high or critical.

$20,000 vs. $25,000,000: the economics of catching it early
This is the point where vulnerability discovery data and exploit cost data collapse into one inescapable conclusion.
To date, Immunefi bug bounty programs have paid out $107.3 million in awards for confirmed critical vulnerabilities alone. The median payout for a critical is $20,000. The mean sits at $114,355, lifted by a relatively small tail of extraordinarily high-impact disclosures, including a $10 million payout for what stands as one of the largest single bug bounty awards in DeFi to date.
Now look at the alternative. Per Immunefi's hack impact research, the median onchain hack in 2024-2025 produced $2.2 million in stolen funds, with the average reaching $24.5 million. And direct theft is only the opening figure. The median hacked token shed 61% of its value over the following six months, up from 53% in the 2021-2023 period. 84% of hacked tokens were stuck in sustained price suppression through that window, never recovering. Every hacked project also lost at least 3 months of productive output to incident response, fixes, leadership turnover, and slipped roadmap work.
The updated Amador's Hack Impact Estimate states it plainly: a protocol exploited today should plan on losing roughly $25 million in direct theft, a 61% token price decline, an 84% probability the price never recovers, and roughly a quarter-year of organizational momentum lost to cleanup.
A $20,000 median bounty stacked against that outcome is not a difficult comparison.
The uncomfortable conclusion for protocols without bounties
Here is the implication the data forces into the open: there is no reasonable case for assuming that protocols outside the bug bounty system carry fewer critical vulnerabilities than protocols inside it. If anything, the bug density is likely equal or worse, because choosing not to run a bounty program tends to track with weaker overall security posture. Whether a project has a bounty in place or not, the criticals exist in the live mainnet code.
What changes is the path to discovery. With an active bounty program, a researcher who finds a serious vulnerability has a defined, financially aligned route to disclose it responsibly and be compensated. Without one, that same researcher has neither obligation nor incentive to come forward. The bug doesn't disappear. It just remains quietly in production until someone less ethically inclined finds it, or until it manifests onchain as an actual exploit.
When that exploit does land, the damage runs far past the headline theft number. Immunefi's hack impact research catalogued how deepening DeFi composability has stretched the blast radius of any single failure. Cross-chain bridges, liquid staking tokens, restaking derivatives, and composable lending markets now create dependency chains in which one compromise can ripple through the full stack. Elixir's deUSD stablecoin failure, set off by a $93 million loss at one external counterparty, made the dynamic concrete: a single point of failure cascaded through collateral relationships to take out a stablecoin, disrupt several lending markets, and erase over 97% of the token's value.
87% of programs operating for three years or longer have logged multiple confirmed criticals. The vulnerabilities are present. The only meaningful question is whether the protocol has set up a way to find them before an attacker does.
A maturing industry, but not a safer one
Immunefi's hack impact research did surface a partial silver lining: median theft per hack has fallen from $4.5 million across 2021-2023 to $2.2 million across 2024-2025. That decline likely reflects, at least in part, improving smart contract security practices, including the expansion of bug bounty programs themselves. But the improvement is uneven and fragile. Top-end exploits have actually grown in magnitude. The five largest hacks of 2024-2025 alone accounted for 62% of total stolen funds. Market reactions to security failures have hardened rather than softened. And total annual hack volume has not meaningfully fallen, holding near 95 incidents a year.
Crypto has not solved its security problem yet. The protocols that come through this period intact are the ones treating security as an ongoing, financially incentivized practice rather than a one-shot audit milestone.
What it all adds up to
Five years of vulnerability discovery data and five years of exploit cost data point in the same direction from different angles.
- Critical vulnerabilities are not edge cases. Across every Immunefi program, one in five confirmed bug reports lands at the critical severity level.
- Time strips away ambiguity. The longer a bounty program operates, the closer its odds of seeing a critical converge on near-certainty. At 93.9% for programs five years and older, this is essentially deterministic. Programs that haven't yet logged a critical disclosure simply haven't been live long enough to get there.
- The downside of not knowing is severe. A $25 million average hack, a 61% token price decline, an 84% chance the price never comes back, and three months of organizational damage. That is the bill for finding out by exploit.
- The investment math is trivial. Spending $20,000 on a bounty payment to head off a $25 million exploit ranks as the highest-return security spend any protocol can make.
Every serious protocol will encounter a critical vulnerability eventually. Protocols running bug bounty programs encounter it through a whitehat disclosure, on the team's own timeline, with room to remediate before users are exposed. Protocols without bounty programs encounter it some other way.
This analysis is based on confirmed and paid vulnerability data from the Immunefi platform, covering January 2021 through February 2026. The dataset is limited to traditional, ongoing bug bounty programs; audit competitions and time-bound events were filtered out. Exploit cost figures are sourced from Immunefi's What an Onchain Hack Actually Costs: 2024-2025 Update, which examined 425 publicly known hacks across 2021 through 2025.
For questions about this study or Immunefi itself, reach out at press@immunefi.com.
About Immunefi
Immunefi is the leading security platform for crypto, protecting more than $180 billion in user funds, and securing protocols across the full development lifecycle, from pre-deployment through production.