Stablecoin Giants Circle and Tether Face Scrutiny Over Inadequate Bug Bounties

A new report from DeFi risk analysts LlamaRisk is raising some uncomfortable questions about the security practices of major stablecoin issuers. The focus? Their bug bounty programs—or, in some cases, the surprising lack of them.

The firm took a close look at the crypto assets on Aave’s V3 protocol, and the findings are a bit of a mixed bag. On one hand, 33 assets covering nearly $20 billion in supply have what they call “adequate” programs. But then there’s the other side: ten assets, representing another $19.2 billion, either have no program at all or one that’s considered seriously lacking.

Big Names, Small Bounties

The real eyebrow-raisers are the giants. Circle, which manages a colossal $70 billion in USDC, apparently offers a maximum bug bounty of just $5,000. Tether, behind the $160 billion USDT, only doubles that to $10,000. When you’re securing that much value, those figures seem… low. Perhaps even a little out of touch.

It’s not just them. The report also flags BitGo’s wrapped bitcoin, Gnosis, and Ripple for relatively small rewards. And then there are the ones with nothing on the books: Etherfi, Monerium, PayPal’s PYUSD, and Agora. That’s a lot of value seemingly left without this specific safety net.

Why Bug Bounties Matter

For anyone not deep in the tech world, a bug bounty is basically a reward offered to ethical hackers—often called “white hats”—who find and report security flaws instead of exploiting them. It’s like a paid crowdsourcing effort to find the cracks before the bad actors do.

The thinking is that skilled researchers need a real incentive to spend their time on this. LlamaRisk suggests a minimum of $50,000 to even get their attention, scaling up massively for protocols holding huge sums. For something with over $250 million in total value locked, they argue a top bounty should exceed a million dollars. It makes the five-figure offers from billion-dollar companies look pretty weak by comparison.

A Complicated Picture

Now, it’s not all black and white. The report does acknowledge that centralized issuers like Circle and Tether have other things going for them. They point to “robust legal operations” that might handle some risks in other ways. Maybe the legal framework does some of the work a bounty would.

But the trend is clear. These programs are quickly becoming an expected part of the landscape. Look at Coinbase, which launched a program this year with rewards going all the way up to $5 million for a critical find. That sets a certain bar.

There’s even a weird precedent for negotiating with hackers after the fact. Last year, GMX got hacked for $42 million and ended up offering the hacker a 10% bounty to return most of the funds. It worked, but it’s hardly an ideal model.

Looking Ahead

LlamaRisk, which gets some funding from the Aave ecosystem itself, is pushing for Aave to encourage better standards from the assets on its platform. Right now, having a bug bounty isn’t a legal requirement in the US or EU, even with other security rules.

But the firm thinks that’s changing. They see these programs becoming a de facto standard, something regulators will probably start looking at closely during licensing or after something goes wrong. It feels like one of those things that everyone will pretend they’ve always cared about—right after a major incident forces their hand. For now, it seems some of the biggest players are just hoping it won’t be them.