2026-02-16, Auditorium
In 2025 alone, Immunefi paid out close to $11,000,000 in bug bounties for critical crypto vulnerabilities, preventing exploits that could have resulted in hundreds of millions of dollars in losses.
This talk breaks down a few of the highest-impact bounty payouts of 2025, focusing on what actually drove seven-figure and high six-figure rewards. We’ll examine specific vulnerabilities, system designs, and attacker mindsets behind the most severe findings, and explain why these specific bugs justified such large payouts.
This session is grounded in specific cases in 2025 across DeFi, bridges, L2s, and core infrastructure. Attendees will gain a practical understanding of where the highest-paying security risks surfaced in 2025, and what both researchers and protocol teams should prioritize going forward.
This talk is structured around a small number of high-impact 2025 case studies, including:
- The technical root cause of some of the largest bounty payouts of the year
- How these vulnerabilities could have been exploited in the wild
- What made these reports stand out and qualify for top-tier rewards
Each case is anonymized or based on information approved for public disclosure, and is used to extract concrete lessons for:
- Whitehats looking to focus on high-impact targets
- Protocol teams aiming to prevent catastrophic bugs
The goal is to give attendees a realistic picture of what “critical” actually looks like in 2025 crypto systems.
Alejandro Muñoz-McDonald is a Senior Security Researcher and Smart Contract Lead Triager at Immunefi, with over eight years of experience in Web3 security. He joined Immunefi in January 2022 as one of the earliest members of the company’s 24/7 triage team.
Immunefi has facilitated more responsible disclosures than any other organization in the crypto ecosystem. In his role, Alejandro has personally handled thousands of vulnerability reports and has been directly involved in hundreds of critical incident response events across DeFi, bridges, and core blockchain infrastructure. This hands-on exposure to real-world exploits, near-misses, and complex attack paths has given him a rare, practical perspective on where crypto systems fail in practice.