22-08-2025 15:03

‘Making Defense More Profitable Than Attack’ Prevented $25 Billion in DeFi Hacks — Immunefi CEO | Interview

The decentralized finance (DeFi)/Crypto sector continues to face a massive security crisis, with hackers draining billions from protocols at an alarming rate.

In just the first half of 2025, crypto exploits reached $2.1 billion, nearly matching all of 2024’s total losses and putting the industry on track to shatter previous annual records.

Yet amid this chaos, a different narrative is emerging. Bug bounty programs are proving that incentivizing ethical hackers can fundamentally shift the economics of cybersecurity, making defense more profitable than attack.

The concept is simple but revolutionary: instead of waiting for malicious actors to exploit vulnerabilities, protocols pay white hat hackers to find and report flaws first.

Source: TRM Labs

The $25 Billion Defense Revolution

DeFi protocols lost over $1.4 billion to hacks in 2024, with major incidents including the $300 million DMM exploit and the $230 million WazirX breach. The biggest so far happened to Bybit earlier this year, where $1.4B was wiped out entirely.

However, Hacken’s 2024 report shows a 40% decrease in DeFi losses compared to 2023, largely attributed to improved security measures, including more robust bug bounty programs.

Source: Hacken

The effectiveness of this approach was dramatically demonstrated when protocols prevented massive losses through strategic payouts.

The largest software bounty in history, $10 million paid by Wormhole for a critical bridge vulnerability, likely prevented billions in potential damages.

Immunefi, the leading Web3 bug bounty platform, sits at the center of this transformation. The company has facilitated over $120 million in bounty payouts while claiming to prevent more than $25 billion in potential hacks across 500+ protocols.

We spoke with Mitchell Amador, founder and CEO of Immunefi, about how bug bounties are making crypto more secure, why traditional security approaches fail in Web3’s open-source environment, and what the future holds for this critical line of defense against increasingly sophisticated threats.

Here’s what he thinks:

Flipping the Economics of Cybersecurity

Cryptonews: You’ve fundamentally flipped the economics of cybersecurity by making defense more profitable than attack. Can you walk us through a specific case where this prevented a major exploit, and what the traditional security approach would have missed?

Mitchell Amador: In 2022, a whitehat reported a critical bug in the Wormhole core bridge contract on Ethereum. This bug was an upgradeable proxy implementation self-destruct bug that could have led to a potential lockup of user funds.

They disclosed it via Wormhole’s bug bounty program, hosted by Immunefi, and we facilitated a $10 million payout with no user funds lost. This is the largest software bounty ever—a life-changing sum of money which serves as an incentive for hackers to responsibly disclose vulnerabilities instead of exploiting them.

It’s a small price to pay when you compare it to the billions of funds that could have been lost if a blackhat found the bug. Traditional audits, static and pre-launch, miss post-deployment vulnerabilities in dynamic DeFi systems. Our continuous bug bounties mimic blackhat tactics ethically, catching what audits don’t or can’t.

CN: With $25 billion in potential hacks prevented, what’s the largest single vulnerability your platform has caught, and what would the ripple effects have been if it had been exploited?

Amador: The aforementioned $10 million Wormhole vulnerability was our biggest. It could have enabled billions in cross-chain theft, crashed users’ assets, eroded trust in bridges, tanked token prices, and slowed DeFi adoption. Our bounty ensured that a patch was quickly deployed to preserve ecosystem stability.

The systemic impact would have been devastating beyond just the immediate financial loss.

Wormhole processes billions in cross-chain transactions and serves as critical infrastructure connecting major blockchains like Ethereum, Solana, and BSC.

A successful exploit could have triggered a cascade of liquidations across DeFi protocols that rely on cross-chain assets, potentially destabilizing the entire ecosystem.

Web3’s Unique Security Challenges

CN: You mentioned that traditional cybersecurity fails in Web3’s open-source world. What are the 2-3 most critical blind spots that enterprise security teams have when they try to secure DeFi protocols?

Amador:

Static audits: Enterprises rely on one-time checks, missing post-launch flaws in evolving smart contracts.

Ignoring incentives: They underestimate Web3’s open-ledger attack appeal, needing bounties to outbid black hats.

No Web3 expertise: Many teams lack prior blockchain knowledge, missing composability or oracle risks.

The composability aspect is particularly critical and often overlooked. In traditional finance, systems are largely siloed, but DeFi protocols are designed to interact with each other like Lego blocks.

This creates exponential complexity where a vulnerability in one protocol can cascade through an entire ecosystem.

Recent data from Halborn’s analysis shows that off-chain attacks accounted for 80.5% of stolen funds in 2024.

Yet, many security teams still focus primarily on smart contract code rather than the broader attack surface.

The incentive misalignment is equally problematic. Traditional enterprise security assumes attackers are opportunistic and limited in resources.

In DeFi, the transparent nature of blockchain means attackers can see precisely how much value is at stake, and the pseudonymous nature means there are fewer consequences for failed attempts.

CN: What security measures are major stablecoins not implementing that keep you up at night, and why aren’t they adopting these measures?

Amador: Stablecoins often skip continuous monitoring and robust bounties. They rely on one-off audits, risking systemic exploits, and offer low payouts that don’t attract top white hats. Cost concerns, rapid deployment focus, and underestimating attack incentives are the main factors contributing to this gap.

This is particularly concerning given stablecoins’ massive growth in adoption over the past few months. A successful attack on a major stablecoin wouldn’t just affect that protocol; it would threaten the stability of the entire ecosystem.

The irony is that stablecoin issuers often have the resources to implement comprehensive security measures but choose not to invest adequately because they view security as a cost center rather than critical infrastructure.

The Human Side of Hacker Negotiations

CN: When you personally negotiate with hackers who’ve found critical vulnerabilities, what’s that conversation actually like? How do you balance urgency with building trust?

Amador: Relying on a hacker’s change of heart is not a viable strategy for protocol security. Most hackers today realize that keeping stolen crypto is more trouble than it’s worth.

And that’s due to better on-chain forensics and the very real reputational and legal risks of holding marked funds. It’s far easier for an attacker to negotiate quietly and move on, rather than fight constant scrutiny or become the focus of law enforcement. But make no mistake, this is not a typical outcome.

The reality is that post-exploit negotiations are a last resort, not a security strategy. What DeFi might need is a system where the most skilled security researchers never become attackers in the first place because they’ve seen that ethical disclosure is more financially attractive than exploitation.

Talent Migration and Security Evolution

CN: You’re seeing top security talent leave traditional tech for crypto. What’s driving this exodus, and how is it changing the skill profile of security professionals?

Amador: Talent moves in search of the trust and transparency inherent to Web3 systems, financial incentives (like our $10M for Wormhole), and community recognition. Security talent is decentralized, blockchain-savvy, and economically minded, forming collaborative “swarms” in contrast to Web2’s siloed roles.

The financial incentives are genuinely transformative for security researchers. Google paid out $11.8 million across 660 researchers in 2024 through their bug bounty programs, but that pales in comparison to what top Web3 researchers can earn.

Individual payouts in crypto can reach six or seven figures for critical vulnerabilities, compared to traditional bug bounties that typically max out at tens of thousands.

CN: Can you explain “security swarms” and how automated defense networks might change the cat-and-mouse game between attackers and defenders?

Amador: Security Swarm is the automation engine within Immunefi’s Magnus platform, which powers SecOps automations that autonomously detect and mitigate threats, all while minimizing overhead and watching over infrastructure 24/7.

Traditionally, attackers have the advantage of speed. They can strike in seconds, while human defenders need minutes or hours to coordinate a response.

With automation, detection and mitigation can happen almost instantly, reducing the attack window from hours to seconds, shifting the balance toward defenders.

The speed advantage has always favored attackers in DeFi because transactions are irreversible and happen at the speed of the blockchain.

A successful flash loan attack can drain a protocol in a single transaction that takes 12 seconds to confirm.

Traditional incident response timelines, measured in hours or days, are inadequate for this threat model.

Automated defense systems, like the one released by TRM Labs yesterday, can detect anomalous behavior and trigger circuit breakers faster than any human response team.

Emerging Threats and Legal Frameworks

CN: Looking at the protocols you protect, what’s an emerging attack vector that most people aren’t talking about yet but should be preparing for?

Amador: Oracle manipulation is under-discussed. Attackers can exploit weak data feeds to trick contracts, draining funds or destabilizing stablecoins. Protocols need multi-oracle redundancy and targeted bounties, but many overlook this critical single point of failure.

Oracle manipulation attacks exploit a fundamental weakness in how DeFi protocols receive external data.

Oracles are third-party services that feed real-world information, like asset prices, weather data, or sports scores, into smart contracts that can’t access this data directly.

In crypto, price oracles are critical because they tell DeFi protocols what Bitcoin, Ethereum, or other tokens are worth at any given moment, enabling everything from lending calculations to automated trading.

Attackers exploit this dependency by manipulating the data oracles provide. They might artificially inflate or deflate asset prices through large trades on low-liquidity exchanges that oracles reference, or compromise the oracle infrastructure itself.

When a protocol receives false price data, it can be tricked into actions like approving loans against worthless collateral or executing trades at manipulated prices.

These attacks are particularly devastating because they target the protocol’s “view” of reality rather than the code itself, making them harder to detect and prevent through traditional security audits.
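The two defensive ideas raised above, multi-oracle redundancy against a manipulated price feed and an automated circuit breaker that reacts faster than a human response team, as one added example that is not from the interview or from Immunefi’s products. It is a plain-Python simulation with constructed feed names, prices and thresholds; a real protocol would implement the same checks on-chain.

```python
from dataclasses import dataclass
from statistics import median

@dataclass
class Quote:
    source: str     # feed name (constructed sample names below)
    price: float    # reported price in USD
    timestamp: int  # unix seconds when the feed produced the quote

MAX_AGE = 60              # quotes older than this are stale and ignored
MAX_DEVIATION = 0.05      # a feed >5% away from the cross-feed median is rejected
BREAKER_THRESHOLD = 0.20  # pause if the agreed price moves >20% vs last accepted

class PriceGuard:
    """Median of independent feeds, outlier rejection, and a circuit breaker."""

    def __init__(self, last_price: float):
        self.last_price = last_price  # last price the protocol acted on
        self.paused = False           # set when the breaker trips; needs manual review

    def aggregate(self, quotes: list[Quote], now: int) -> dict:
        if self.paused:
            return {"price": None, "rejected": [], "paused": True, "reason": "paused"}
        fresh = [q for q in quotes if now - q.timestamp <= MAX_AGE]
        if len(fresh) < 3:  # redundancy needs a quorum of live feeds
            return {"price": None, "rejected": [], "paused": False, "reason": "quorum"}
        ref = median(q.price for q in fresh)
        agreed = [q for q in fresh if abs(q.price - ref) / ref <= MAX_DEVIATION]
        rejected = [q.source for q in fresh if q not in agreed]
        if len(agreed) < 2:
            return {"price": None, "rejected": rejected, "paused": False, "reason": "disagree"}
        price = median(q.price for q in agreed)
        move = abs(price - self.last_price) / self.last_price
        if move > BREAKER_THRESHOLD:  # automated circuit breaker: stop, do not liquidate
            self.paused = True
            return {"price": None, "rejected": rejected, "paused": True, "reason": "breaker"}
        self.last_price = price
        return {"price": price, "rejected": rejected, "paused": False, "reason": "ok"}

# Constructed round: three independent feeds agree near $2000 while a thin
# on-chain spot pool has been pushed to $1200 by a large trade.
def demo_manipulated_feed() -> dict:
    guard = PriceGuard(last_price=1990.0)
    quotes = [Quote("feed_a", 2000.0, 1000), Quote("feed_b", 2010.0, 1001),
              Quote("feed_c", 1995.0, 999), Quote("dex_spot", 1200.0, 1002)]
    return guard.aggregate(quotes, now=1010)

# Constructed round: every feed reports a 25% drop at once, so the breaker
# pauses price-sensitive actions until a human has reviewed the move.
def demo_breaker() -> dict:
    guard = PriceGuard(last_price=2000.0)
    quotes = [Quote(s, 1500.0, 1000) for s in ("feed_a", "feed_b", "feed_c")]
    return guard.aggregate(quotes, now=1010)
```

The first round returns the honest median and names the rejected spot feed; the second returns no price and leaves the guard paused.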

CN: Your new legally binding arbitration system for security disputes is fascinating. How does this work when code vulnerabilities become matters of international law, and what precedents are you setting?

Amador: Our on-chain arbitration resolves disputes transparently, mediating severity or payout conflicts. It’s legally binding, avoiding slow courts, and works globally via smart contracts. We’re setting precedents for fair, decentralized dispute resolution, applicable to any open-source ecosystem.

Ethics and Future Evolution

CN: With over $180 billion in digital assets under protection across 500+ protocols, how is your model influencing how other industries think about incentivizing security research?

Amador: Our over $120 million in payouts proves that financial incentives work. Finance and healthcare are also adopting crowdsourced security, inspired by our arbitration and proactive model, treating security as infrastructure rather than a cost.

CN: Five years from now, how do you see the relationship between hackers, companies, and security evolving beyond just bug bounties?

Amador: Companies will prioritize economic incentives, collaborating with hackers as partners. On-chain arbitration will set governance norms, making security continuous and collaborative across industries.

Looking forward, the future is moving toward a model where security researchers become integrated partners in the development process rather than external auditors.

This collaborative approach will enable proper economic incentives and transparent governance mechanisms, and might eventually become the standard for any crypto organization looking to secure its platform.

About Amador

Mitchell Amador is the founder and CEO of Immunefi, an on-chain security platform, working with protocols such as Chainlink, Ethereum Foundation, Optimism, and Arbitrum.

The post ‘Making Defense More Profitable Than Attack’ Prevented $25 Billion in DeFi Hacks — Immunefi CEO | Interview appeared first on Cryptonews.
