Circle and Tether Underestimate Bug Bounties — LlamaRisk Report

Date: 2025-09-11 Author: Henry Casey Categories: BUSINESS
Research company LlamaRisk has assessed the bug bounty programs for crypto assets available in the Aave V3 protocol. It found that 33 assets with a total value of $19.7 billion have fair conditions for white hat hackers. However, issuers of ten other assets, accounting for $19.2 billion, have either not implemented such programs at all or offer only symbolic payments.

Experts paid special attention to Circle and Tether, the largest issuers of stablecoins. According to LlamaRisk, Circle, which manages assets worth $70 billion, caps the reward for a discovered bug at $5,000. Tether, which controls more than $160 billion, is ready to pay no more than $10,000. According to experts, these amounts do not correspond to the scale of the companies and create risks for users of their assets.

The list of projects with minimum payments also includes BitGo Wrapped Bitcoin, Gnosis and Ripple. Companies such as EtherFi, Monerium, PayPal and Agora do not offer hackers any compensation for discovering vulnerabilities. At the same time, according to LlamaRisk, it is the large centralized issuers with reserve-backed assets, including Circle, Tether and PayPal, that have every opportunity to fully finance security programs.

Experts proposed introducing a minimum reward threshold of $50,000, and for protocols with a total value locked (TVL) of over $250 million, raising payments to $1 million and higher. Such a system will attract highly qualified specialists and provide more reliable protection for the ecosystem. In addition, LlamaRisk recommends that researchers keep their bug reports confidential, not share them with third parties, and not use the data to cause harm.

For comparison, the report cites the example of Compound Finance, which, together with Immunefi, launched a program last year with maximum payouts of up to $1 million. For minor bugs, it provides rewards of $1,000, which, according to analysts, makes the program more balanced and attractive to researchers.

Thus, low payouts from Circle and Tether can undermine trust in their stablecoins, while more generous programs like the Compound Finance initiative stimulate the development of a culture of responsible vulnerability search and improve the overall security of the DeFi sector.