Bug bounties are used for web applications to find vulnerabilities in the app before they can be exploited by attackers. This is commonly described as white-hat hacking because security researchers report the discovered vulnerabilities back to the development team instead of exploiting them.
The same bug bounty programs exist for smart contracts written in the Solidity programming language. Because millions of dollars and the reputation of well-funded crypto companies are at stake, the rewards are high as well. Hackers stole a staggering $3.8b in 122 attacks on the blockchain in 2020. It therefore comes as no surprise that security is critical for web3 and pays generously. Cybersecurity is a hot topic anyway, and security in Web3 is an even hotter topic considering the kind of DeFi applications that are built on smart contracts.
Solidity bug bounties allow developers to make money by finding vulnerabilities in smart contracts.
How big are the rewards?
How big are the rewards for finding vulnerabilities? Bug bounties can reach millions of dollars. For example, the crypto bridge service Wormhole paid out $10 million to a single developer who found a vulnerability in a core bridge contract. The reward size usually depends on the severity of the vulnerability: a critical bug pays more than a minor one.
The Web3 bug bounty platform Immunefi has $138m in bounties available and has already paid out more than $40m. The biggest rewards offered on the platform run into the millions for reputable projects like MakerDAO, Polygon, Optimism and Gnosis. Another interesting aspect is that some bug bounties on Immunefi don't require KYC, so the white-hat hacker can stay anonymous and receive the reward in crypto.
Other platforms that offer bounty rewards are HackenProof, Code4rena and Gitcoin. Even when a smart contract doesn't offer a bug bounty and you find a vulnerability, it is still always possible to contact the developers and disclose the vulnerability in exchange for a reward. Most projects would rather pay a reward than suffer a hack.
How to become a Solidity security expert
To profit from Solidity bug bounties you need a complete understanding of blockchain and Solidity fundamentals, and then you need to master Solidity. You want to know the Solidity programming language inside out, then specialize in and master Solidity security.
To become a good Security Expert, you need to think like a hacker. Become an ethical hacker!
You should understand common concepts like Delegatecall, Re-Entrancy, Denial of Service, Honeypots, Front Running, Signature Replay and Block Timestamp Manipulation, and understand how previous hacks were executed. In short, you want to think like a hacker and probe all the ways a smart contract can be exploited. Then you are able to start auditing smart contracts for security vulnerabilities.
A common reference for smart contract weakness classes is the SWC Registry.