Crypto Firms Report Flood of AI-Driven Bug Bounty Submissions
Crypto protocols have warned that an increase in AI use has led to a flood of bogus bug bounty submissions, putting a strain on teams trying to identify real threats to their protocols.
Bug bounties are a system to reward “good” hackers for submitting reports about potential vulnerabilities and are popular in the crypto industry. AI has now made it easier to sift through large amounts of code to find possible bugs, though AI is also known to hallucinate.
“AI is changing the way that bug bounty programs must operate,” said Barry Plunkett, co-CEO of Cosmos Labs, on Tuesday, responding to a bug bounty hunter who accused the protocol of ignoring their vulnerability report.
“Our program has seen a 900% increase in submission volume from last year, on the order of 20-50 per day,” he said, adding that it’s led to a huge increase in both valid and invalid reports.
Kadan Stadelmann, a blockchain developer and chief technology officer at Komodo Platform, told Cointelegraph he has also seen a notable increase in bug bounty submissions and payouts across organizations.
“There has definitely been an increase in low-quality bug bounty submissions, some of which have been false positives, potentially suggesting AI sourcing. One potential explanation is that AI has caused a decrease in the cost to produce a report, resulting in an influx of submissions.”
In January, Daniel Stenberg, the creator of the open-source data transfer tool curl, which is used in many apps, including blockchain infrastructure, announced he was ending his bug bounty program because of an influx of “AI slop in vulnerability reports,” and he was exhausted from sifting through them.
HackerOne, one of the largest bug bounty platforms in the world, reported in January that there were 85,000 valid bounty submissions in 2025, up 7% from the previous year.
AI could be both the cause and the solution
Plunkett said Cosmos Labs has already started to adapt its approach as a result of the uptick in bug bounty submissions by tightening how it scores submissions, prioritizing trusted researchers with a proven track record and working with other bug bounty providers that offer more advanced triage.
Meanwhile, Stadelmann said bug bounty programs have proven integral to defending decentralized systems, and adopting AI to assist in sifting through the noise could be a solution.
“Blockchain teams will have to create AI deterrents to sift through incoming bug bounties. The smaller the team, the bigger the problem of increased bug bounties will become. Software engineers won’t have the capacity to examine everything,” he said.
“This is where defensive AI systems to automatically sift through incoming bug bounties will be crucial. Teams dependent on bug bounties will need to develop stricter standards on their bug bounty programs as a means of lowering the number of incoming reports.”
Related: Crypto hackers stole $17B over past 10 years: DefiLlama
