
This article was published on December 30, 2018

Hackers pocketed $878,000 from cryptocurrency bug bounties in 2018

Security researchers are picking apart the blockchain

Story by


Former TNW Writer

Mix is a tech writer based in Amsterdam that loves cinema and probably hates the movies that you like. Tell him everything you despise about his work on Twitter.

While hardcore cryptocurrency enthusiasts often tout blockchain for its heightened security, the technology is not perfect – and there are often tons of vulnerabilities in the code. Indeed, blockchain companies have received at least 3,000 vulnerability reports in 2018 alone.

According to stats from breach disclosure platform HackerOne, blockchain companies awarded $878,504 in bug bounties to hackers this year. The data was compiled in mid-December. By contrast, the total sum of bug bounties awarded by August was $600,000.

With $534,500 awarded, EOS creator accounts for more than 60 percent of all bounties handed out in 2018.

Here are the top three all-time bug bounty payers (please note this includes bounties from before 2018):

  • – $534,500
  • Coinbase – $290,381
  • TRON – $76,200

While cryptocurrency exchange desk Coinbase comes in second (with $290,381 in bug bounties), it’s been running a disclosure program since 2014. launched its disclosure program for EOS at the end of May. Shortly after that, one single hacker claimed $120,000 in bug bounties from in less than a week.

“Nearly 4 percent of all bounties awarded on HackerOne in 2018 were from blockchain and cryptocurrency companies,” a HackerOne spokesperson told Hard Fork.

Still, it seems blockchain companies remunerate hackers slightly better than other industries on HackerOne.

“The average bounty for all blockchain companies in 2018 was $1490, that is higher than the Q4 platform average of around $900,” the spokesperson added. “One of the top paid crypto hackers earned 7X the median software engineer salary in their country respectively.”

The blockchain bug problem is bigger than it seems

HackerOne told Hard Fork there are currently 64 blockchain companies on its platform. For context, there are more than 2,000 cryptocurrency companies out there. This means the real number of vulnerabilities is likely significantly higher.

Just keep in mind that researchers found crippling vulnerabilities in both Bitcoin and Bitcoin Cash this year – the former of which is blockchain’s oldest and most well-established protocol out there. Earlier this year, reports suggested there were more than 34,000 vulnerable smart contracts in Ethereum-based projects alone.

Because blockchains are immutable, vulnerabilities on the blockchain are much more serious than in centralized technologies, since there is no way of reversing transactions (unless we’re talking about EOS or other systems with built-in backdoors).

So if you were thinking about betting on blockchain to keep your funds safe, you might want to measure the risk.

In the meantime, Augur’s $200,000 bounty for critical issues is still up for grabs. You can take a dig at it here.
