Theoretical Bugs With No Impact Don’t Get Paid — Here’s Why

As a whitehat, it’s easy to want to submit as many bugs as possible to a project — especially projects on Immunefi, because the bounties are so large. The largest in the world, in fact.

But at the same time, it’s important to have correct expectations about which submissions will be paid and which won’t be. Before submitting a bug, always carefully check the project’s bug bounty page on Immunefi to check which assets and impacts are in scope. Each project is unique in its requirements and expectations. Following those requirements and expectations is how you win.

Aside from checking whether the bug you’re submitting is in scope, there’s one other thing you need to do: make sure the bug is not a purely theoretical one.

Whitehats sometimes submit theoretical bugs and become disappointed when projects don’t pay out, so in this article, we’re going to focus on the category of theoretical bugs and why they are out of scope by default, so you can spend your time hunting more effectively.

Theoretical bugs, defined as attacks that are either impossible or non-profitable to execute, are out of scope by default and there is no expectation for a project to reward them.

In other words, in a theoretical attack, all planets would have to align for it to be successful. And as we know, planets only align in the movies.

Sometimes, a project may decide to reward them, but they are not at all obligated to do so. So, it’s important to manage your own expectations. If you decide to submit a theoretical bug, your default expectation should be that the project is not going to pay.

What’s an example of a theoretical submission?

Here are some cases of bugs that count as theoretical submissions and are therefore not in scope:

  • A bug that requires $1 trillion USDC to exist, in order for an attack to be successful. This amount of USDC does not exist and is not likely to exist for a very, very long time, if ever. This is a theoretical submission because it is not possible as an attack at present.
  • A bug where $1,000 could be stolen, but $100,000 has to be paid in fees first. This is a theoretical submission, as defined above, because it is not profitable. No attacker would execute this attack in the wild, and therefore it is out of scope.
  • A bug that requires a 51% attack.
  • Any bug that may be exploitable in the future under various conditions, but isn’t exploitable now.

We’re writing this article because your time is valuable, and we want you to spend it effectively and efficiently in hunting for bug bounties. If you follow this advice, you’ll be one step closer to claiming a big bug bounty on Immunefi and letting the world know just how skilled you are.

🔒 For more guides on how to secure smart contracts, analysis of past hacks, and information on the latest bounties, make sure you follow us on Twitter and join our whitehat Discord community.

P.S. Hackers subscribed to our newsletter are 35.8% more likely to earn a bug bounty. Click here to sign up.