Hacker Earns Largest Ever Crypto Bug Bounty via Immunefi

3 min readFeb 4, 2021

Hacker Earns Largest Ever Crypto Bug Bounty via Immunefi

ArmorFi pays $1.5m to whitehat hacker Alexander Schlindwein. ArmorFi CTO offers to get a tattoo of Schlindwein’s choice.

Singapore, February 3, 2020 — Immunefi, the premier bug bounty platform focused on smart contracts and blockchain, announced Wednesday that whitehat hacker Alexander Schlindwein (@bobface16) successfully submitted a critical bug via Immunefi that would have drained the entirety of underwriting funds from decentralized finance (DeFi) insurance project ArmorFi. Schlindwein delivered the submission a mere 24 hours after ArmorFi offered 1m in mostly vested Armor tokens (current market value $1.5m USD) to anyone who could find a critical exploit in its smart contract code. In the initial announcement of the bounty, ArmorFi CTO Robert Forster offered to get a tattoo of the name or handle of any hacker who found a critical bug.

This is the largest smart contract bug bounty ever paid out and ranks among the largest bug bounties in existence. It represents a historic moment for the DeFi community.

Had the bug been left unchecked, a malicious actor, with just a single dollar of coverage, could have drained all funds from ArmorFi’s underwriting contract. With Immunefi’s bounty system, that bug was eliminated.

More specifically, in the event where a party needed to draw on its insurance policy after suffering some negative event covered by that policy, this exploit would have let the party withdraw 10^18 times the amount of coverage that they purchased.

“Writing secure smart contracts is incredibly hard,” said Duncan Townsend, CTO of Immunefi. “Any developer could have made this error. We hope that this news will encourage projects to recognize the need for bug bounties and their importance in demonstrating seriousness and responsibility.”

Following news of the payout, the Armor token doubled in value, as measured by CoinMarketCap.

“It’s a real privilege to have made possible the largest ever bug bounty payout. We’re going to keep rewarding the developers who make Defi safe, and this is just the beginning,” Mitchell Loureiro, CEO of Immunefi, said. “Bug bounties increase trust among users, developers, the DeFi community, and they incentivize security researchers to protect the community. Everyone wins.”

Security is a serious concern in DeFi. According to The Block, hackers stole $150 million from DeFi projects in 2020. As DeFi continues to explode in growth, that figure is likely to continue being a major concern.

“No matter how good your coders are, no matter how good your auditors are, people still make mistakes,” said ArmorFi CTO Robert Forster. “Companies need to understand and compensate bounty hunters generously. Best case scenario, these decentralized audits are completely free. Worst case scenario, you save your company and your users from disaster at a fraction of what it may otherwise cost.”


Immunefi.com is the premier bug bounty platform for smart contracts and DeFi projects, where security researchers review code, disclose vulnerabilities, get paid, and make crypto safer. Immunefi removes security risk through bug bounties and comprehensive security services to help drive high-quality decentralized financial products to the public.


Jonah Michaels
Director of Communications




Immunefi is the premier bug bounty platform for smart contracts, where hackers review code, disclose vulnerabilities, get paid, and make crypto safer.