Whitehats’ biggest motivation is solving technical puzzles, not bounties: Immunefi

The Immunefi 2023 Hacker Ecosystem Survey has revealed the most common Web3 vulnerabilities and provided insights into the demographics and preferences of the whitehat hackers community.

A man wearing a white hat and two women wearing black hats
The respondents of the Immunefi survey have named reentrancy the most common vulnerability in Web3 systems.

Immunefi, a leading Web3 bug bounty platform, has published the results of its 2023 Hacker Ecosystem Survey, which focused on whitehat hackers demographics, preferences, and experiences. This survey has brought new valuable insights into the Web3 cybersecurity industry.

Read also: CremaFinance closes investigation into hack, recovers most funds

"Home to the largest community of security talent in the crypto space, Immunefi maps the Web3 security landscape and shares the survey results received," the report said.

Most whitehat hackers (43.2%) say reentrancy is the most common vulnerability they come across when reviewing code, followed by access control (18.2%), input validation (9.1%), and oracle manipulation (6.8%)Interestingly, the reentrancy attack has been considered quite out-of-date since 2021, when four such attacks collectively netted hackers $33.5 million — but its triteness doesn’t make it any less destructive.This type of an attack is possible when a poorly designed contract fails to update its state in time. Such a delay allows an attacker to make an external call to an untrusted contract that drains funds from the first contract through a recursive call. In other words, if the code has a reentrancy vulnerability, it is possible to repeatedly withdraw money and transfer funds.

While the largest reentrancy attack occurred in 2016, when a hacker siphoned from the Ethereum DAO treasury, there have been smaller but still significant exploits in recent years, including Uniswap/Lendf.Me, which collectively lost $25 million in April 2020, and $18.8 million stolen from Cream Finance in August 2021.

The second most common vulnerability, cited by 18.2% of white hats, was access control. Input validation, oracle manipulation, and logical errors were some of the other potentially dangerous code issues reported by survey participants.

The majority of whitehats (88.9%) have reported improvement in security measures at Web3 companies. At the same time, 76.1% of respondents have noted an increase in attack surfaces or the total number of vulnerabilities in a software environment.

Read also: Hacker returns stolen funds to DeFi lender Tender.fi for a $97,000 bounty

While these numbers may indicate some balance between the effectiveness of cybersecurity measures and threats, the data is not sufficient to draw conclusions about causation. Indeed, attack surfaces may increase in response to strengthening protection, however, it can also work the other way. When attack surfaces grow, companies need to optimize their security measures.

The average white hat hacker in 2023

The Immunefi study has gathered information on the lifestyle and demographic characteristics of whitehat hackers. According to the results, most hackers are male (95.5%), between 20 and 29 years old (53.95%), and consider ethical hacking their main job (55.8%). At the same time, 67.2% of white hats are willing to switch to a full-time security job.

A curious fact uncovered by Immunefi concerns bug bounties. Despite the appeal of financial rewards and career opportunities, the majority of respondents (77%) say they enjoy hacking primarily for the satisfaction of solving technical challenges.

Still, when it comes to the choice of a bounty program, the size of a financial reward is of the greatest importance to ethical hackers (66.4%). Another significant factor for white hats is trust in a company (54.87%). This is also the most important factor for dismissing a bounty program. 62.83% of respondents will not help a company if they do not consider it trustworthy.

Hackers were also asked about their preferences for blockchains. The absolute favorite is Ethereum, with 92% of white hats preferring to work with this blockchain over others. 30.97% of respondents also choose Solana and 20.35% choose Avalanche. The survey participants also mentioned Cosmos, Tezos, Polygon, Optimism, NEAR, Arbitrum, Fantom, Polkadot, zkSync, and BSC.

How difficult is it to become an ethical hacker?

As one of the leading bug bounty platforms, Immunefi has a lot to offer to whitehats. At press time, there were over fifty bug bounty programs with a maximum reward of over $1 million. The highest bounty of $10 million was provided by the decentralized lender MakerDAO. Immunefi claims that $131,416,455 in bounties is currently available.

While the path of a white hat appears to be very lucrative, survey participants noted that it is also rather challenging. Whilehacking itself requires advanced programming skills and extensive knowledge of cybersecurity, it is difficult for hackers to find adequate and up-to-date learning resources because they are "hard to find, limited, and often too sparse or not well-structured." What’s more, the "resources available in the specific languages that white hat hackers speak are also limited," the report stated.

Ever-evolving technology and the complexity of protocols and Solidity coding are further obstacles to becoming an ethical hacker. Finally, the development of new security measures makes a whitehat's job even more difficult.