CertiK Launches Invite Only Hunt Platform for Elite Security Researchers
Published 2026-07-02 13:43:58. Source: hackernoon.com

Web3 projects lost $482 million to hacks and scams in the first quarter of 2026 across 44 separate incidents, according to blockchain security firm Hacken, a steep decline from the $2 billion lost in the same quarter a year earlier.

The improvement is real, but it is not the whole truth. Smart contract exploits, the category of bug that a security audit or a bug bounty program is built to catch, accounted for just $86.2 million of that total, about 18 percent. Phishing and social engineering took $306 million. Compromised keys and cloud infrastructure took another $71.9 million. The two attack surfaces that no code audit touches now cause more than four times the damage of the one that every code audit is designed to prevent.

CertiK is launching its newest product directly into that gap. The Web3 security firm announced CertiK Hunt on July 1, 2026, an invite-only platform where blockchain projects can run bug bounty programs, audit competitions and AI-powered security challenges with researchers CertiK has personally vetted for technical expertise, prior findings and standing in the security community. Projects joining the platform go through their own review before launching a program.


The pitch, from CertiK Head of Communications Margarita Kadochnikova, is that too many researchers who submit legitimate vulnerabilities end up in disputes or waiting on delayed payouts, and that a curated, invite-only pool fixes the trust problem at its source rather than patching it after each disagreement.

Smart contract code, the layer every bug bounty program tests, drove less than a fifth of this quarter's losses.

The Smallest Slice of a Shrinking Problem

The timing argument in CertiK's own announcement, that Web3 lost billions again and the industry needs continuous security rather than one-time audits, is accurate as far as it goes. What it does not mention is which billions.

Losses fell 76% from the Bybit-driven peak of Q1 2025, then ticked back up in Q1 2026 with no mega-hack in sight.

Hacken's quarterly tracking shows losses falling from $2.05 billion in the first quarter of 2025, the quarter that contained the $1.46 billion Bybit breach, down to roughly $350 million by the fourth quarter, before rising again to $482 million in the first quarter of 2026. The full-year 2025 total lands somewhere between $2.7 billion, per Chainalysis and TRM Labs data reported by TechCrunch, and $3.95 billion, per Hacken's own year-end report, a spread that itself says something about how unevenly this category still gets measured. What every tracker agrees on is the composition shift underneath the total: the biggest, least recoverable losses now come from weak keys, compromised signers, phishing and sloppy access control, not from bugs sitting in deployed smart contract code.

Bybit's $1.46B alone exceeded the next five most-cited incidents combined, and only some of them were smart-contract bugs.

Bybit lost $1.46 billion to a compromised signer interface, not a code flaw. A single hardware wallet phishing scam in January 2026 cost $282 million on its own, nearly 60 percent of that quarter's $482 million loss total. Cetus lost $223 million to an exploit of its deployed contract code, during what Hacken called the worst quarter for the DeFi exploit category since early 2023, and Balancer lost $128 million the same way. Phemex lost roughly $85 million to an access control failure. Truebit's $26.4 million, a bug sitting in a five-year-old Solidity contract, and a handful of smaller incidents round out the list. Of these, only the Cetus, Balancer and Truebit losses fit the profile a bug bounty program is actually built to catch; the largest losses came from signers, phishing targets and access control, which no bounty on contract code reaches. CertiK Hunt is a well-funded, well-timed answer to a real problem. It is also an answer aimed at roughly a fifth of the current attack surface, in a year when the other four-fifths is growing faster.

Nobody Can Agree on the Size of the Prize

None of that scope mismatch has stopped capital from flowing into blockchain security broadly, and the reason shows up in how differently the analysts sizing the category talk about it.

Eight research houses put the market anywhere from $2.35B to $8.41B, and disagree on the growth rate by a factor of three.

Future Market Insights puts the 2026 baseline at roughly $4.0 billion, growing at a 21.7 percent compound annual rate. Fortune Business Insights puts the same year at $8.41 billion, more than double, growing at 66.4 percent, the kind of forecast that says more about model assumptions than about the underlying market. Grand View Research lands in between at $6.37 billion with a comparatively sober 22.4 percent growth rate, and lists CertiK by name as one of the category's established players alongside Chainalysis, Fireblocks and Hacken. A market this loosely defined is exactly the kind that rewards a recognized brand entering a new sub-category over a technically superior but less visible challenger, which is as much a reason for CertiK Hunt's existence as any gap in Immunefi's coverage.

A Real Spam Problem, an Old Fix

CertiK's stated rationale for going invite-only is not invented. Industry-wide, an estimated 50 to 70 percent of all bug bounty submissions across platforms are duplicates or false positives, according to aggregated 2026 industry data, and Immunefi's own public documentation notes that private, invite-only tracks resolve faster than fully open ones. Roughly 80 percent of active bug bounty programs already run both a public and a private track side by side. Spam is a genuine tax on every open program, and curation is a genuine answer to it.

Immunefi, the platform CertiK Hunt now competes directly against, already runs "Invite Only" as a standing program type alongside Bug Bounty Programs, Audit Competitions, PR Reviews and Managed Triage, the same product categories CertiK Hunt is launching with on day one. Sherlock runs a stake-to-submit model that filters out low-effort submissions by requiring researchers to put $250 down before a report is reviewed.


Cantina, built on Spearbit's curated researcher network of more than 9,000 security professionals, has already paid out $11.6 million against $49.6 million in active rewards using the same "reduce spam through curation" pitch CertiK is now making, and counts Coinbase, Optimism and Morpho as clients. Code4rena and Codehawks round out the field with time-boxed audit competitions rather than always-on bounties. Curated, gated, vetted security research is not a gap in the Web3 market. It is close to half of it already. CertiK's actual bet is narrower and more specific than the announcement lets on: that its own brand, audit relationships and 5,000-plus enterprise client base can pull a curated researcher pool out of an already-curated field faster than the platforms that got there first.

CertiK's Own Test Case

There is a reason the trust language in CertiK's announcement invites more scrutiny than it would from a newer entrant, and it traces back to CertiK's own conduct in the exact kind of dispute CertiK Hunt is designed to prevent.


In June 2024, Kraken's Chief Security Officer Nicholas Percoco stated publicly that a security researcher had used a critical vulnerability, one Kraken's team fixed within 47 minutes of disclosure, to withdraw nearly $3 million from Kraken's treasury over several days, and had refused to return the funds without a negotiated reward. CertiK identified itself as the firm involved and offered a different account: that it was stress-testing Kraken's detection limits, that the funds were "minted out of air" rather than drawn from user balances, and that Kraken's security team had threatened individual CertiK employees with an unreasonable repayment deadline.

Kraken disputed CertiK's version in turn, stating that only one CertiK-linked account had filed a legitimate bug report for a token amount before two other associated accounts drained the larger sum, and that some of the withdrawn funds moved through the sanctioned mixer Tornado Cash before being returned. The funds came back to Kraken on June 20, minus transaction fees, and both sides described the matter as resolved.

No charges followed that episode, and both sides called it resolved. But CertiK Hunt's entire pitch is that projects and researchers need a trusted intermediary who ensures, in Kadochnikova's words, that both sides know the rules will be applied fairly. CertiK is now asking Web3 projects to trust it as the referee in exactly the kind of researcher-versus-platform dispute where its own most public appearance was as a disputed party, not a neutral one.

Competitive Landscape: An Entrenched, Crowded Market

CertiK Hunt is entering a category with an incumbent that has a five-and-a-half-year head start and a financial track record CertiK Hunt cannot yet match on day one.

CertiK Hunt launches with zero disclosed payouts against Immunefi's $110 million and HackenProof's $15.7 million.

Immunefi, founded in December 2020 and backed by a $24 million Series A led by Framework Ventures with Electric Capital, Polygon Ventures and Samsung Next participating, has paid out more than $110 million to a community it says exceeds 45,000 researchers across more than 650 active programs, protecting upward of $190 billion in total value locked for clients including Chainlink, SushiSwap, MakerDAO and Wormhole. Its largest single payout, $10 million to researcher satya0x for a critical Wormhole vulnerability in 2022, remains the biggest bug bounty in software history.

Sherlock currently hosts the single largest active program, a $16 million bounty from stablecoin protocol Usual, and layers post-exploit coverage of up to $500,000 on top of its stake-to-submit model. HackenProof runs more than 200 active programs across a hybrid Web2 and Web3 researcher base, with $15.7 million paid out to date. Cantina is the newest and most institutionally focused of the group, hosting Coinbase's $5 million bounty covering its mainnet contracts and Base layer-2 deployment, the largest active bounty from a centralized exchange.

CertiK's advantage is not researcher supply, where it starts from zero disclosed history, but distribution. The firm says it has audited more than 5,000 organizations and secured over $600 billion in digital assets, up from roughly 3,200 clients and $300 billion when it last disclosed comparable figures in 2022, giving CertiK Hunt a warm list of existing audit clients to convert into bounty customers that Immunefi has to acquire cold. Whether an existing audit relationship converts into bounty-program loyalty, or whether researchers who have spent years building reputation and earnings history on Immunefi's leaderboard have any reason to rebuild it on a brand-new platform, is the open question CertiK's distribution advantage does not automatically answer.

Why CertiK, Why Now

CertiK has not raised a priced round since April 2022.

Two rounds in four months took CertiK from roughly $1 billion to $2 billion. No round has followed since.

The company's Series B2 and Series B3 rounds, four months apart in early 2022, were led respectively by Sequoia Capital China and by Insight Partners, Tiger Global and Advent International, with Goldman Sachs joining as a new backer on the B3 round alongside existing investors Sequoia, Coatue and Lightspeed. Co-founder Ronghui Gu told The Block at the time that CertiK was profitable, had no immediate plans to raise again, and had no IPO plans. Four years later, that has held: no new round, and per CertiK's own current materials, the same $2 billion valuation, even as the company's own disclosed metrics, enterprise clients and digital assets secured, have both roughly doubled.


CertiK Hunt reads as a response to that gap between growth in usage and growth in valuation, launched from inside a broader pattern of product expansion rather than a funding event. In the weeks before Hunt, CertiK shipped Skill Scanner, a scanning tool for unvetted third-party AI agent skills, and struck a partnership with FinChip to define audit standards for AI-driven hardware. Hunt extends that same logic, expanding CertiK's footprint from one-time, pre-deployment audits into an ongoing revenue relationship that runs for the life of a client's product, without CertiK having to convince a new investor to underwrite it. Hudson Jameson, CertiK's Head of Ecosystem and a former coordinator at the Ethereum Foundation, framed the launch as a network built on signal rather than volume, the same distinction CertiK is now asking the market to price without a new round to validate it.

Curation as the Second Act

Every open marketplace eventually produces a curated alternative once volume alone stops being the advantage. HackerOne and Bugcrowd built Web2's bug bounty category on the open, anyone-can-submit model. Immunefi imported that model to Web3 in 2020 and has not fundamentally changed its shape since, even as it added an invite-only track of its own. CertiK is betting that the category's second act belongs to curation first, distribution second, treating its 5,000-client audit relationship as the wedge that an open marketplace, however large, cannot replicate.

That bet has one advantage no competitor can copy and one liability no competitor shares. The advantage is the client list built over eight years of audits. The liability is the Kraken episode, a public record of CertiK on the researcher's side of the exact dispute it now proposes to referee. The test is unusually clean: either CertiK Hunt attracts researchers and programs away from an incumbent with a five-and-a-half-year head start and a $110 million track record, or it becomes one more line in CertiK's product catalog that existed mainly to be announced.



Source: https://hackernoon.com/certik-launches-invite-only-hunt-platform-for-elite-security-researchers?source=rss