Cutting Corners

A $730,000 hack just proved that ChatGPT is a better security auditor than most protocols.

SuperRare's staking contract contained a vulnerability so basic that OpenAI's chatbot could spot it instantly.

The logic error was sitting there in plain sight - a simple access control bug that unit tests would have caught, that any bug bounty program worth its salt would have flagged, that even the most cursory security review should have detected.

Instead, SuperRare had no public bug bounty program in place, betting that their smart contracts were bulletproof.

They weren't.

While SuperRare represents the extreme end of penny-pinching security, the broader industry isn't much better.

Certain platforms are linking their cheapest service tiers to maximum bounty payouts, often limiting rewards to just $50,000.

If that’s what happens when bounties are skipped, here’s what happens when they’re capped.

Cork Protocol's $100,000 bounty cap couldn't prevent a $12 million hack.

The economic incentives have flipped: exploitation now pays orders of magnitude more than disclosure.

Security researchers are getting the message loud and clear.

When finding vulnerabilities pays less than exploiting them, the choice becomes obvious.

How did an industry built on cryptographic certainty decide that uncertainty was cheaper?

The numbers don't lie, but they do tell a story nobody wants to hear.

Crypto just posted numbers that would make a casino blush.

By mid-2025, $2 billion was lost across dozens of incidents according to the Chainalysis Mid-year report.

That's already more than all of 2024's losses, and we're not even done yet.

August added another $163 million across 16 breaches - because apparently nobody got the memo from July's $142 million wake-up call.

Each hack follows the same script: protocols pinch pennies on security, then act shocked when someone finds the vulnerabilities they refused to pay for.

GMX's legacy V1 contracts were exploited for roughly $42 million in July 2025 via a re-entrancy bug; public reporting does not specify whether those legacy contracts remained in scope of GMX’s pre-incident bounty program.

KiloEx lost $7.5 million to what security researchers called a "basic Oracle 101 exploit" - the kind of manipulation that proper incentives should have caught months earlier.

But here's where the story gets interesting: both protocols immediately offered 10% recovery bounties worth millions to get their funds back.

GMX's post-hack bounty kept by the attacker was $5 million.

KiloEx's attacker accepted their 10% recovery bounty of $750k and returned the stolen funds.

If they had enough money available for recovery bounties, where were those funds when it came to prevention?

Out of Scope, Out of Mind

Academic researchers just delivered the industry's most uncomfortable wake-up call.

A comprehensive study of smart contract upgrades uncovered 31,407 potential security issues across 83,085 upgraded contracts.

That's not a typo - over thirty-one thousand problems sitting in production code, handling billions in user funds.

But here's the part that should make every protocol team squirm: the study identified eight risk categories, several of which remain under-recognized or poorly mitigated in practice to the community.

The study found several vulnerability categories that appear to be under-recognized and lacking clear mitigation strategies.

The paper reads like a laundry list of industry negligence.

Protocols routinely mark critical components as "out of scope" during audits, then act surprised when attackers ignore those convenient boundaries.

Analysis of major exploits shows critical components often fall outside audit scope, with the exploited Cork Protocol components being a case in point where scope gaps enabled the attack that eventually got exploited.

"Out of scope" has become the industry's favorite magic words.

Can't audit everything? Just draw some arbitrary lines and hope attackers respect the boundaries.

They don't.

How did "we didn't look at that part" become an acceptable answer for billion-dollar security audits?

The Economics of Exploitation

Mitchell Amador saw this coming from a mile away.

The Immunefi CEO has been beating the drum about incentive alignment, watching platforms trip over the same economic fallacy again and again.

His thesis is brutally simple: crypto security isn't about code quality - it's about making disclosure more profitable than exploitation.

The "scaling standard" should put bounties at roughly 10% of funds at risk.

Protecting $10 million? Offer up to $1 million.

These aren't just numbers on a spreadsheet - they're life-changing incentives that keep researchers on the right side of the fence.

Instead, platforms are racing toward the bottom.

Some platforms tie their cheapest service tiers to capped bounty payouts - sometimes as low as $50,000, according to Amador’s commentary.

That bet keeps losing.

Experts argued SuperRare’s $730,000 loss was trivially preventable and likely would have been caught by a routine bounty program or standard unit tests.

Cork Protocol's public bounty topped out at $100,000 via Cantina - the exploit netted about $12 million on May 28, 2025.

The math was never hard - why spend hundreds of hours finding a vulnerability for a capped payout that's 120 times smaller than the exploit value?

But platforms keep doubling down on discount security, creating what Amador calls "a death spiral that benefits no one except malicious actors."

Meanwhile, the few protocols that actually get it are proving the model works - and showing everyone else what they're missing.

What does proper security incentivization actually look like when someone decides to spend the money?

When Money Talks, Hackers Listen

LayerZero didn't mess around when they launched their $15 million bug bounty program in 2023, partnering with Immunefi.

The message was crystal clear: find our vulnerabilities and get rewarded handsomely.

The program works because the economics make sense.

LayerZero handles large volumes in cross-chain transactions - $15 million isn't generosity; it's risk-scaled insurance.

By offering one of the largest crypto bug bounty pools ever, they aligned incentives so that disclosure became far more profitable than exploitation. It is still active as of today too.

Euler Finance learned this lesson the expensive way.

After losing $197 million in their 2023 flash loan attack, they didn't just rebuild - they transformed their entire approach to security.

Their original $1 million bounty program evolved into a $7.5 million powerhouse hosted on Cantina, with comprehensive scope that covers the components other protocols love marking "out of scope."

MakerDAO set the standard in 2022 with their $10 million program, proving that meaningful security requires meaningful incentives.

The protocol has since rebranded to Sky, continuing its robust bug bounty program on Immunefi with the same $10 million maximum reward, now covering the SKY governance ecosystem and the USDS stablecoin.

Wormhole paid out $10 million in 2022 for a single critical vulnerability discovery - the largest crypto bug bounty on record at the time - and continues to maintain an active bug bounty program today, with a current maximum reward of $5 million.

These aren't feel-good PR stunts. They're economic warfare against exploitation, making it more profitable to help than to harm.

Immunefi's track record backs up the thesis: over $120 million paid out in bounties, $25+ billion in user funds protected.

When the incentives align, the system works.

So why are most protocols still playing with monopoly money while handling real billions?

When being cheap on security costs more than being expensive, what exactly are these protocols optimizing for?

The Death Spiral

Turns out, they're optimizing for the wrong metrics entirely.

Market competition warped the incentives in the worst possible way.

Platforms started treating bug bounties like line items to be minimized rather than insurance policies that need to scale.

Some tied their rock-bottom service plans to equally pathetic bounty caps, creating a race to the bottom where protocols choose cheaper packages not because the risk is lower, but because the pricing encourages it.

This is where the industry's understanding of bug bounties went completely sideways.

These aren't expenses - they're the cost of staying in business.

But when platforms compete on price instead of security outcomes, something has to give.

And what gave was the social contract that keeps skilled researchers hunting for vulnerabilities instead of exploiting them.

The result? Researchers started making rational economic decisions.

Why grind through hundreds of hours of code review for a $50,000 cap when the same vulnerability might be worth millions to exploit? Some researchers quit public programs entirely.

Others shifted to private audits where the pay actually matches the effort.

The rest just went dark.

The industry created its own brain drain, then acted confused when the exploits started piling up.

We've seen this movie before in Web2, where chronic underpayment and poor researcher treatment led to a mass exodus from public bug bounty programs.

Crypto can't afford the same mistake - not when trillions in institutional money are preparing to go onchain and regulators are watching every move.

But instead of learning from history, most protocols doubled down on discount security, creating what one researcher called "a chilling effect where everyone loses except the attackers."

The math was always going to catch up eventually. The only question was how much it would cost when it did.

How much damage can the industry absorb before someone admits that cheap security is the most expensive choice of all?

The bill always comes due.

The attackers have already done the math for everyone else.

They know exactly what protocols are worth, what their security budgets look like, and how much it costs to find the vulnerabilities everyone else refuses to pay for.

Meanwhile, protocols keep burning through users' funds, then scrambling to explain why their discount security wasn't quite good enough.

The recovery bounty theater proves they always had the money - they just chose to spend it on damage control instead of damage prevention.

SuperRare, Cork Protocol, GMX, KiloEx - the pattern is identical across different chains, different vulnerabilities, different attack vectors.

The only constant is the false economy of treating security like an optional expense instead of the price of admission to handle other people's money.

Academic researchers found over 31,000 security issues sitting in production code, most with zero mitigation.

Bug bounty platforms report record payouts while hack losses hit record highs.

If the industry that invented "don't trust, verify" can't figure out how to verify its own security, what exactly is all that blockchain immutability protecting?

REKT作为匿名作者的公共平台，我们对REKT上托管的观点或内容不承担任何责任。

捐赠 (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C

声明:

REKT对我们网站上发布的或与我们的服务相关的任何内容不承担任何责任，无论是由我们网站的匿名作者，还是由 REKT发布或引起的。虽然我们为匿名作者的行为和发文设置规则，我们不控制也不对匿名作者在我们的网站或服务上发布、传输或分享的内容负责，也不对您在我们的网站或服务上可能遇到的任何冒犯性、不适当、淫秽、非法或其他令人反感的内容负责。REKT不对我们网站或服务的任何用户的线上或线下行为负责。