Best Web3 Bug Bounties in 2026: The Highest-Paying Programs on Every Platform
The definitive 2026 guide to Web3 bug bounties, ranked by maximum payout across Sherlock, Immunefi, Cantina, HackenProof, and more.

The Web3 bug bounty market now exceeds $162 million in available rewards across hundreds of active programs. Whether you're a security researcher deciding where to hunt or a protocol team benchmarking your own program, this is the definitive list of the best Web3 bug bounties in 2026. Every major program worth knowing about, organized by platform, ranked by maximum payout, with a direct link to each one.
Disclosure: Sherlock is one of the platforms listed. We've included our own programs where they belong and covered every competing platform with equal detail. All reward amounts are sourced from public program pages as of March 2026.

Sherlock Bug Bounties
Sherlock's bug bounty platform uses a stake-to-submit model where researchers stake $250 USDC per report, refunded if the issue is valid, with expert triage by Sherlock's lead auditors. The result is a 52% hit rate on impactful submissions, the highest signal-to-noise ratio of any Web3 bug bounty platform. All programs include post-exploit coverage up to $500K. Browse the full list at audits.sherlock.xyz/bug-bounties.
Usual: $16,000,000
The largest bug bounty in tech history. Usual partnered with Sherlock to offer $16 million for a single critical vulnerability, eclipsing the previous records set by Uniswap ($15.5M) and LayerZero ($15M). The program covers Usual's full smart contract suite including stablecoin infrastructure, yield distribution, and governance contracts. Launched March 2026, it's generating massive researcher interest from both DeFi-native and traditional security communities.
Exactly Protocol: Up to $500,000
Exactly's fixed-rate lending protocol on Optimism. Covers the core ERC-4626 vault architecture, interest rate models, and liquidation mechanics. One of Sherlock's longest-running bounty programs.
Yearn: Up to $200,000
Yearn Finance's vault architecture, one of DeFi's most battle-tested yield aggregation systems. Covers v3 vault logic, strategy contracts, and deposit/withdrawal flows. A steady program with strong researcher engagement on Sherlock since mid-2025.
SatLayer: Up to $200,000
Bitcoin restaking infrastructure. SatLayer extends the restaking model to BTC, and the bounty covers its core staking contracts, validator logic, and reward distribution mechanisms. Active since early 2025.
Sentiment V2: Up to $150,000
Sentiment's second-generation leveraged lending protocol. Covers the SuperPool architecture, risk engine, and cross-collateral lending mechanics. A focused program that rewards deep protocol-specific expertise.
Flat Money: Up to $50,000
A delta-neutral stablecoin protocol on Base. Covers the leveraged rETH positions, liquidation keeper system, and price oracle integrations. Smaller payout ceiling but a compact codebase that's accessible for researchers newer to Sherlock's stake-to-submit model.
Aave V4: Proposed, Up to $500,000
Aave Labs has proposed launching a dedicated Aave V4 bug bounty on Sherlock, currently in governance discussion. If approved, this would bring one of DeFi's most important protocols onto Sherlock's stake-to-submit model. Coming soon!
Immunefi Bug Bounties
Immunefi is the largest Web3 bug bounty marketplace by every metric: 45,000+ researchers, 650+ active programs, and $110M+ paid out to ethical hackers to date. Open submission model with no staking requirement. The default platform for blue-chip DeFi protocols.
Uniswap v4: $15,500,000
The second-largest active bug bounty in crypto. Covers Uniswap v4 core and periphery contracts, including the hooks-based architecture that represents the protocol's biggest upgrade since launch. Tiered payouts: up to $15.5M critical, $1M high, $100K medium. Backed by nine independent audits and a $2.35M security competition that drew 500+ researchers. One of the most actively hunted programs in crypto.
LayerZero: $15,000,000
Cross-chain messaging protocol. Group 1 critical vulnerabilities in the V1 smart contracts pay a $250K minimum and up to $15M (10% of value at risk, hard capped). Group 2 caps at $1.5M. KYC required for all researchers. Given the history of nine-figure bridge exploits, this remains one of the most strategically important bounties in the ecosystem.
Wormhole: $10,000,000
Tiered rewards denominated in W tokens: up to 20M W for multi-chain TVL vulnerabilities, 10M W for single-chain, 5M W for lower tiers. Famous for producing the largest single bug bounty payout in crypto history when researcher satya0x earned $10M in 2022 for a critical cross-chain vulnerability.
Sky (formerly MakerDAO): $10,000,000
The rebranded MakerDAO ecosystem, the protocol behind DAI and one of the oldest DeFi systems in production. $10M maximum for critical smart contract bugs. Systemic importance to the entire DeFi ecosystem makes this a perennial high-priority target.
GMX: $5,000,000
Perpetual DEX on Arbitrum and Avalanche. One of the highest bounties in the derivatives vertical. Covers the GLP/GM liquidity architecture, trading engine, and price feed infrastructure.
Olympus DAO: $3,333,333
Protocol-owned liquidity pioneer. The unusually specific maximum covers OHM token contracts, treasury, and governance. Olympus's novel bonding and rebasing mechanics make it an interesting hunting ground for researchers.
Chainlink: $3,000,000
Oracle infrastructure that hundreds of protocols depend on. Rewards for critical smart contract vulnerabilities are set at the sole discretion of Chainlink Labs, up to a maximum of $3M. A vulnerability here has cascading impact across DeFi.
Optimism: $2,000,042
Ethereum L2 rollup. The distinctive max payout covers the OP Stack, bridge contracts, and sequencer infrastructure. Optimism's Superchain ambitions make its security posture increasingly critical as more chains launch on the stack.
Arbitrum: $2,000,000
The largest Ethereum L2 by TVL. Covers the Arbitrum One and Nova chains, bridge contracts, and fraud proof system. High-priority target for elite researchers.
Kamino (Solana): $1,500,000
The largest DeFi bug bounty in the Solana ecosystem. Covers concentrated liquidity vaults, lending markets, and leverage products. Launched October 2025.
Immutable: $1,000,000
Gaming-focused L2. Covers the Immutable zkEVM, passport system, and marketplace contracts. An underexplored vertical with fewer researchers hunting, meaning less competition and potentially more accessible findings.
Veda: $1,000,000
DeFi infrastructure protocol. $1M max for critical smart contract vulnerabilities.
Firedancer (Solana): $500,000
Jump Crypto's independent C-language Solana validator client. A from-scratch implementation that introduces a different vulnerability surface than the Rust-based Agave client. Updated January 2026. Critical: $100K to $500K. High: $50K to $100K. Medium: $5K to $50K.
Injective: $500,000
Cosmos-based L1 optimized for finance. On-chain orderbook, exchange module, and bridge infrastructure.
Compound Finance: Dynamic
Blue-chip lending protocol. Uses dynamic reward calculations rather than a fixed maximum cap, with payouts scaling based on severity and value at risk.
Cantina Bug Bounties
Cantina offers curated bounty management with Spearbit's elite researcher network handling triage. Fewer programs than Immunefi but higher-profile institutional clients.
Coinbase / Base: $5,000,000
All mainnet smart contracts deployed by Coinbase plus Base L2 contracts. Launched July 2025. Open to everyone with no staking, deposits, or gated entry. Covers cbETH, cbBTC, BaseNames, staking contracts, DEX aggregators, and new acquisitions. The benchmark for institutional-grade on-chain bug bounties.
Morpho: $2,500,000
Permissionless, institutional lending protocol. Focused on Vaults V2 guardrails and isolated markets. One of DeFi's most architecturally interesting codebases with modular lending and minimal governance surface area.
HackenProof Bug Bounties
HackenProof runs 200+ active crypto bug bounty programs with professional triage. Its hybrid Web2/Web3 model attracts cross-domain researchers. Rewards payable in stablecoins, fiat, or tokens.
SmarDex: $500,000
DEX smart contracts. Minimum $20K or 5% of value at risk for critical, hard capped at $500K.
Cronos Smart Contracts: $250,000
Cronos EVM chain smart contracts. One of the highest-paying programs on HackenProof.
Aptos Network: Active
Next-generation L1 built with Move language. Covers the core blockchain, consensus, and execution layer.
Aptos Keyless: Active
Keyless account infrastructure enabling OIDC-based account management on Aptos. A novel attack surface worth exploring for researchers.
Cronos Blockchain Protocols: $100,000
L1 blockchain infrastructure for the Cronos chain.
NEAR Intents Bridges: Active (March 2026)
Brand new program covering NEAR's intent-based cross-chain bridge infrastructure, including the MPC network for chain signatures. One of the freshest bounties on any platform.
Citrea Protocol: Active (February 2026)
Bitcoin-native rollup infrastructure. One of the first Bitcoin L2s with a formal bug bounty program.
Ethereum Foundation Bug Bounty (Self-Hosted)
Ethereum Core Protocol: $1,000,000
The Ethereum Foundation quadrupled its maximum from $250K to $1M in March 2025. Critical bugs are defined as those affecting 50%+ of validators, enabling infinite ETH creation, stealing ETH from wallets, or taking down the network via a single on-chain transaction. Covers all consensus and execution layer clients.
Hats Finance Bug Bounties (On-Chain)
Hats Finance runs fully on-chain, permissionless bounty vaults and is the most Web3-native bug bounty model available. No KYC required. First-come-first-served rewards. Anyone can contribute liquidity to a vault. Programs are smaller in absolute terms but accessible for researchers with less competition from elite hunters. Browse active vaults at app.hats.finance/vaults.
Crypto.com Bug Bounty (HackerOne)
Crypto.com: $2,000,000
The largest crypto bug bounty on a traditional (non-Web3-native) platform. Covers the full exchange including web, mobile, API, and blockchain integrations. The first crypto bug bounty to reach $2M on HackerOne.
Get Started with Sherlock
For protocol teams: Sherlock's bug bounty platform pairs your program with expert triage, a stake-to-submit model that filters out noise, and post-exploit coverage up to $500K. Fewer junk reports, faster turnaround on valid findings, and real financial protection if something slips through. Get in touch with our team to scope your program, or learn more about how Sherlock bug bounties work.
For security researchers: Sherlock's 52% hit rate means your work is more likely to get paid. Stake $250 USDC per submission, get it back when your finding is valid, and hunt across programs like Usual ($16M), Yearn, SatLayer, and more. No wasted reports buried in a triage queue. Browse active bounties and start hunting today.
Frequently Asked Questions
What is the largest Web3 bug bounty in 2026?
As of March 2026, the largest active Web3 bug bounty is Usual's $16 million program on Sherlock, the highest in tech history. The second-largest is Uniswap v4's $15.5 million bounty on Immunefi, followed by LayerZero at $15 million.
What is the highest bug bounty payout ever in crypto?
The largest single bug bounty payout in crypto history is $10 million, paid to researcher satya0x for a critical vulnerability discovered in Wormhole's cross-chain protocol in 2022, facilitated by Immunefi.
Which Web3 bug bounty platform pays the most?
Immunefi has the largest number of high-value programs and has paid out over $110 million total. Sherlock hosts the single highest-value bounty ($16M for Usual) and offers post-exploit coverage up to $500K. Cantina hosts Coinbase's $5M bounty, the largest from a centralized exchange.
How much do Web3 bug bounty hunters earn?
Earnings vary enormously. On Immunefi, the median confirmed payout is around $2,000, while the average is approximately $52,800 (skewed by occasional six- and seven-figure payouts). Critical smart contract bugs average around $13,000, with high-severity bugs averaging around $5,300. Elite researchers who find critical bugs in major protocols can earn $1M+ in a single report.
What is the difference between a bug bounty and an audit contest?
A bug bounty is an ongoing, open-ended program that runs continuously after a protocol is deployed. Researchers can submit vulnerabilities at any time. An audit contest is a time-limited competition held before launch where researchers compete to find bugs within a defined window. The two serve different phases of the security lifecycle. We wrote a detailed comparison in our Bug Bounties vs. Audit Contests explainer.
Do I need KYC to participate in Web3 bug bounties?
It depends on the platform and program. Immunefi requires KYC for payouts above certain thresholds. Some individual programs (like LayerZero) require KYC for all participants. Hats Finance is fully permissionless with no KYC. Sherlock requires an Ethereum wallet and USDC for its stake-to-submit model but the process is streamlined.

