Axie Infinity Developer Sky Mavis Offers up to USD 1M in Bounty for ‘Fatal Bugs’



Sky Mavis, the firm behind the popular blockchain-based online game Axie Infinity (AXS), has launched a bug bounty program to incentivize white-hat hackers to find bugs associated with its services.

In an announcement, the team detailed that the program covers issues in two categories:

  • smart contracts and blockchain,
  • website and apps.

Rewards for the first category will range from USD 1,000 to USD 1m, while rewards for the second category will be in the range of USD 50 to USD 15,000. The amount depends on the level of threat – ranging from low to critical. 

“Sky Mavis is eager to work with the community to make sure that every researcher’s finding is rewarded fairly – based on the vulnerability’s impact on business and overall severity,” the team said, adding: 

“To this end, it is possible that extraordinarily severe issues or those with extreme impact may be rewarded up to [USD] 1,000,000.”

The blockchain gaming studio added that it will pay rewards in Axie’s governance token AXS. Moreover, there will be a six-month vesting period with monthly unlocks for fatal bounties that command top awards, arguably to avoid a major sell-off.

The team noted that the program is for “the disclosure of software security vulnerabilities only,” and that “only vulnerabilities with a working proof of concept that shows how it can be exploited will be considered eligible for monetary rewards.”

The program comes after Axie’s Ronin bridge, which allows users to send crypto back and forth between Ethereum (ETH) and Axie’s Ronin sidechain, was exploited to the tune of more than USD 600m back in March, marking one of the biggest hacks in the history of decentralized finance (DeFi).

It also appears that the exploiter(s) started moving the stolen funds through the privacy protocol Tornado Cash over the past week, according to blockchain data showing the activity of the address marked as ‘Ronin Bridge Exploiter’. The attacker seems to have made twenty transactions of ETH 100 each to Tornado Cash. The main wallet still holds USD 461.53m worth of ETH.

