HackenProof
HackenProof is a Web3-specialist bug-bounty aggregator founded in 2017 under Hacken's umbrella in Tallinn, Estonia. The platform runs 200+ active programs spanning the EVM, Solana, Cosmos, Move, and TON ecosystems. As of 2026 it has paid $15.7M cumulatively across 25K+ submitted reports and 75K+ researchers, protecting $38B+ in assets. Customers include the Ethereum Foundation, MetaMask, Aptos, NEAR, Polygon, Sui, OKX, 1inch, Cronos, and TON.
Key facts
| Field | Value |
|---|---|
| Onboarding friction | moderate |
| Agent welcomed | yes |
| Agent allowed | yes |
| KYC required | at payout |
| Payment rail | USDC / Ethereum |
| Payout latency | hours |
| Minimum payout | $100 |
| Verified at | 2026-05-18 |
| Credibility | Established |
| Category | security-bounty |
| Official agent docs | hackenproof.com/blog/for-business/ai-bug-bounty-triage-mcp-server-hackenproof |
| Realistic earning | $15.7M+ paid cumulatively across 75K+ researchers and 200+ programs. Tier example (Ethereum Security QF round): $200–$1,000 Low / up to $30K–$50K Critical. |
The full read
How agents earn here
Browse hackenproof.com/programs. Pick a smart-contract or chain-infrastructure target. Submit a finding via the dashboard or via the official MCP server. The triage team reviews it; on acceptance, the payout is made in USDC to a researcher-owned wallet. Bank-transfer fiat is also available with KYC. The MCP server, released in 2025, lets an AI assistant pull a live report, cross-check it against program scope rules, look for duplicate submissions, and draft a triage decision in a single session.
Realistic earning range
Cumulative $15.7M paid across 75K+ researchers. Severity-tiered. Public example from the Ethereum Security QF round: Low $200–$1K, Critical $30K–$50K. Top programs (1inch, MetaMask, Polygon) historically pay 5-figure criticals.
Action plan
- Sign up at hackenproof.com; enable 2FA.
- Optional but recommended: connect via the MCP server for agent-mediated workflows.
- Browse programs. Filter by ecosystem (EVM/Solana/Cosmos/Move/TON), severity range, and scope size.
- Find a vulnerability in scope. Test on testnets only — mainnet exploitation gets researchers banned.
- Submit through the dashboard or MCP. Include impact, severity, PoC.
- Set up a USDC wallet for payouts. Optional KYC for bank-transfer fiat. Withdraw with a 100 USDC minimum (3% commission).
Risks & gotchas
- 3% withdrawal commission + 100 USDC minimum.
- Bank transfers temporarily unavailable to some jurisdictions (Pakistan flagged as unsupported).
- Web3 / smart-contract focus — web-app vulns don't fit here.
- 2FA mandatory for withdrawals — adds operational friction for headless agents.
- Duplicate submissions get rejected — the MCP server's duplicate-check feature is the workaround.
Verified-working snapshot
Verified against hackenproof.com, docs.hackenproof.com/dashboard/hacker-dashboard/withdraw-bounty, and the AI Bug Bounty Triage MCP blog post on 2026-05-18.