AI Enhances Vulnerability Bounty Reports, but Spam Also Increases

Summary
AI tools are increasing vulnerability bounty reports, but spam is also rising. Cosmos Labs co-CEO Barry Plunkett said submissions surged 900% this year, with 20–50 reports daily. Komodo CTO Kadan Stadelmann noted a sharp increase in bounty activity. HackerOne reported 85,000 valid submissions in 2025, up 7%. Cosmos is tightening criteria and using triage platforms. Stadelmann called for AI-based filtering. Traders monitoring altcoins to watch should observe how the Fear & Greed Index responds to these changes in security spending.
CoinDesk reports:

A cryptocurrency protocol team has warned that the growing use of AI has produced a surge in bogus vulnerability bounty reports, putting significant pressure on teams trying to identify genuine threats to the protocol.

Bug bounties, a mechanism that rewards "white hat" hackers for submitting reports of potential vulnerabilities, are widely popular in the cryptocurrency industry. AI is now better equipped to scan large volumes of code to identify potential vulnerabilities, although AI is also known for its tendency to generate hallucinations.

"AI is changing the way bug bounty programs operate," said Barry Plunkett, Co-CEO of Cosmos Labs, on Tuesday, responding to a bounty hunter who accused the protocol of ignoring his vulnerability report.

"Our project saw a 900% increase in submissions this year compared to last year, with about 20 to 50 submissions per day," he said, adding that this led to a significant rise in both valid and invalid reports.

Kadan Stadelmann, blockchain developer and Chief Technology Officer of Komodo Platform, told Cointelegraph that he has also observed a significant increase in vulnerability bounty submissions and payments from institutions.

Low-quality vulnerability bounty submissions have increased significantly, and some are false positives, which may indicate AI involvement. One possible explanation is that AI has lowered the cost of producing a report, which in turn has driven the surge in submissions.

In January, Daniel Stenberg, the creator of the open-source data transfer tool curl, which is used by many applications including blockchain infrastructure, announced he would shut down his bug bounty program because "bug reports were flooded with AI-generated spam," and he was exhausted from screening them.

One of the world's largest bug bounty platforms, HackerOne, reported 85,000 valid bounty submissions in 2025, a 7% increase from the previous year.

Artificial intelligence can be both a cause and a solution.

Plunkett said that as the volume of vulnerability bounty submissions has increased, Cosmos Labs has begun adjusting its approach, including tightening submission scoring criteria, prioritizing trusted researchers with a strong track record, and collaborating with other bounty platforms that offer more advanced triage services.

Meanwhile, Stadelmann said that bug bounty programs have proven to be critical in defending decentralized systems, and using AI to help filter out noise could be a solution.

Blockchain teams will have to build AI-based protection mechanisms to filter incoming bug bounty submissions. The smaller the team, the greater the problems caused by an increase in submissions, since software engineers cannot review every report individually, he said.

This is precisely where automated screening by defensive AI systems for incoming bug bounty submissions will become crucial. Teams relying on bug bounties need to establish stricter criteria for their bug bounty programs to reduce the number of incoming reports.
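The measures described above (stricter submission scoring, weighting reporters by track record, automated screening before a human looks at anything) can be made concrete as an intake triage step. The following is an added illustration, not code from Cosmos Labs, Komodo or any bounty platform; the scoring weights, the queue thresholds, the field names and the list of "known" repository paths are all constructed assumptions. One signal it uses that the article only hints at is hallucination checking: a report that cites source files which do not exist in the codebase is a strong indicator of machine-generated noise and is pushed down the queue rather than rejected outright.

```python
"""Toy intake triage for bug bounty submissions (constructed example).

Weights, thresholds and KNOWN_PATHS are assumptions chosen for
illustration; a real program would tune them against its own history.
"""
from dataclasses import dataclass
import re

# Constructed: paths that actually exist in the audited codebase. A real
# deployment would load this from the repository tree at triage time.
KNOWN_PATHS = {
    "x/bank/keeper/send.go",
    "x/staking/keeper/delegation.go",
    "x/gov/keeper/proposal.go",
}

# Source-file-looking tokens and phrases that signal a reproduction recipe.
PATH_RE = re.compile(r"\b[\w./-]+\.(?:go|rs|sol|py)\b")
REPRO_RE = re.compile(r"steps to reproduce|reproduction|proof of concept|\bpoc\b")


@dataclass
class Researcher:
    handle: str
    valid_reports: int = 0
    invalid_reports: int = 0

    def track_record(self) -> float:
        """Laplace-smoothed share of past reports that were valid (0..1).

        A brand-new reporter gets 0.5, so history neither blocks newcomers
        nor lets an unknown account outrank a proven one.
        """
        total = self.valid_reports + self.invalid_reports
        return (self.valid_reports + 1) / (total + 2)


@dataclass
class Report:
    title: str
    body: str
    researcher: Researcher
    claimed_severity: str  # "critical" | "high" | "medium" | "low"


def score_report(report: Report) -> dict:
    """Score one submission on completeness, verifiability and reporter history."""
    body = report.body.lower()
    reasons = []
    score = 0.0

    has_repro = bool(REPRO_RE.search(body))
    if has_repro:
        score += 30
        reasons.append("has reproduction steps")
    else:
        reasons.append("no reproduction steps")

    # Hallucination check: every file the report names must exist.
    paths = set(PATH_RE.findall(report.body))
    unknown = sorted(p for p in paths if p not in KNOWN_PATHS)
    if unknown:
        score -= 40
        reasons.append(f"references files not in repo: {unknown}")
    elif paths:
        score += 20
        reasons.append("referenced files exist")

    history = report.researcher.track_record()
    score += 30 * history
    reasons.append(f"track record {history:.2f}")

    # Severity inflation without evidence is a common spam pattern.
    if report.claimed_severity == "critical" and not has_repro:
        score -= 10
        reasons.append("critical claim without reproduction")

    if score >= 60:
        queue = "fast-track"      # engineer looks at it today
    elif score >= 30:
        queue = "manual-review"   # normal backlog
    else:
        queue = "request-info"    # auto-reply asking for repro/PoC first
    return {"title": report.title, "score": round(score, 1),
            "queue": queue, "reasons": reasons}


def triage_batch(reports: list[Report]) -> list[dict]:
    """Score a day's intake and order it so humans see the best reports first."""
    return sorted((score_report(r) for r in reports),
                  key=lambda s: s["score"], reverse=True)


# Constructed sample intake: one trusted reporter, one new account whose
# report cites a file that does not exist, one middling reporter with a PoC.
SAMPLE_REPORTS = [
    Report("Unchecked amount in MsgSend",
           "Steps to reproduce: submit MsgSend with a negative coin amount; "
           "see x/bank/keeper/send.go, the check is skipped.",
           Researcher("veteran", valid_reports=12, invalid_reports=1), "high"),
    Report("Critical reentrancy drains all funds",
           "Critical reentrancy in x/bank/keeper/transfer.go allows draining "
           "all funds from every account.",
           Researcher("newacct"), "critical"),
    Report("Panic in gov tally",
           "Proof of concept attached: tally panics when quorum is zero.",
           Researcher("occasional", valid_reports=2, invalid_reports=3), "medium"),
]

if __name__ == "__main__":
    for entry in triage_batch(SAMPLE_REPORTS):
        print(f"{entry['score']:>6}  {entry['queue']:<14} {entry['title']}")
        for reason in entry["reasons"]:
            print(f"        - {reason}")
```

Running it prints the three reports in descending score order, with the veteran's reproducible report fast-tracked, the PoC-backed medium sent to the normal queue, and the unverifiable "critical" from a new account bounced back with a request for a reproduction. The point of the "request-info" queue is that a hallucinated report rarely survives a follow-up asking for concrete steps, which lets a small team spend reviewer time only on submissions that have already cleared a cheap, automated bar.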