Immunefi Suspends Trust Security Amid Dispute Over Denied Bug Bounty Payment

Web3 bug bounty platform Immunefi has suspended white hat security firm Trust Security for 90 days following allegations of an unfairly denied bug bounty payment.

Trust Security accused Immunefi of siding with a project that allegedly dismissed a critical vulnerability capable of enabling fund theft.

The controversy began on November 12, when Trust Security disclosed on X that its team had discovered a critical theft-of-funds vulnerability on a forked mainnet of an undisclosed project.

Immunefi Concludes Reported Bug Fell Out of Scope

The vulnerability, shared with Immunefi, was intended to secure a bounty payment for the identification of a high-risk bug.

Immunefi, which mediates between ethical hackers and blockchain projects, concluded that the reported bug fell out of scope, rendering it ineligible for a full bounty.

Trust Security criticized the decision, claiming Immunefi backed the project’s “nonsense argument” and offered only a small “goodwill bounty” instead of the full payout.

Trust rejected the offer, citing concerns about transparency, as accepting it would legally prevent them from revealing the vulnerability’s details without the project’s approval.

Immunefi countered the accusations, asserting that its decision followed standard guidelines.

“The issue was out of scope according to our standard rules,” Immunefi stated, adding that the project’s goodwill offer was a generous gesture.

The platform defended its stance by suspending Trust Security for “mischaracterizing the issues” and warned of a permanent ban for any repeated violations.

Recently the bounty team at TrustSec found another critical leading to live unauthenticated theft of funds. Due to what we consider malicious behavior of the project and especially of @immunefi , not only did the project get away without paying the bounty, but due to a dirty…

— Trust (@trust__90) November 12, 2024

Trust Security, however, accused Immunefi of prioritizing secrecy over Web3’s ethos of transparency and community-driven security.

“We’d rather expose the scam and warn hackers than take a few extra Ks in our pocket.”

Notably, in October, the Evmos blockchain paid a $150,000 reward to a researcher for identifying a critical vulnerability that could halt its operations.

Over $409 Million Lost to Crypto Hacks in Q3 2024

An estimated $409 million was stolen by crypto hackers in the third quarter of 2024, Immunefi revealed in a recent report.

Per the report, the quarter saw hacks account for 99.25% of total funds lost, while fraud represented just 0.75%. Fraud cases saw a notable decrease year over year, dropping by 86.4%.

This $409 million figure represents a 40% decrease from the same quarter in 2023, which recorded losses of over $685 million to hackers and fraudsters.

The report said that while DeFi saw a higher number of incidents, CeFi was responsible for more severe losses, with some individual attacks leading to hundreds of millions of dollars in stolen assets.

“We’re seeing a higher number of incidents targeting DeFi, while CeFi experiences fewer incidents but often with more severe consequences, with hundreds of millions in stolen funds in a single exploit,” said Mitchell Amador, Immunefi founder and CEO.

Amador further explained that private key management remains one of the biggest vulnerabilities in CeFi.

“It requires rigorous key management policies, practices, and emergency plans,” she added.