Dispute Between Immunefi and Spectra Finance Over Bug Bounty Payments

A disagreement between leading Web3 security platform Immunefi and EVM-based derivatives protocol Spectra Finance has sparked public debate, following an Audit Competition that offered a $40,000 reward pool. At the heart of the conflict is a dispute over reward distribution and the terms governing valid bug submissions.

Background: The Audit Competition

In April 2025, Spectra Finance partnered with Immunefi to launch an Audit Competition aimed at securing its codebase ahead of production deployment. These competitions are a core part of Immunefi’s platform, offering whitehat security researchers incentives to identify vulnerabilities in smart contract systems.

Spectra’s competition listed a total reward pool of $40,000, including a baseline of $6,000 to be distributed even if no bugs were reported. The remaining funds were earmarked for verified security vulnerabilities based on severity.

The Core Dispute

Spectra’s Perspective

According to a public statement issued by Spectra Finance on June 23, 2025, the company claims it intended to reward researchers for all valid bug submissions. Spectra’s CEO alleged that Immunefi’s reward distribution criteria were either unclear or changed after the competition ended. The protocol expressed willingness to pay researchers directly but cited confusion over the final terms.

Immunefi’s Response

Immunefi, however, strongly refuted those claims in a parallel statement issued the same day. The platform asserted that Spectra had explicitly agreed to the program’s terms prior to the launch, including the standard reward distribution structure based on Immunefi’s severity classification system. Immunefi also stated that any perceived ambiguity was due to Spectra’s own misunderstanding, not changes on their end.

Key Issue: Guaranteed Reward vs. Severity-Based Distribution

The central point of contention is whether the full $40,000 reward was guaranteed for valid submissions or if Immunefi retained discretion in distributing the funds based on severity levels.

Some community members argued that the presence of valid bug reports should have triggered the full reward distribution. Others sided with Immunefi, suggesting that the classification and reward decisions were consistent with industry standards for audit competitions.

Community Reactions and Public Perception

The crypto security community on X (formerly Twitter) responded swiftly. Reactions were mixed but pointed.

• Support for Immunefi: Several users praised Immunefi for defending the interests of whitehat researchers and encouraged Spectra to follow through with payments.
• Criticism of Spectra: A portion of the community accused Spectra of attempting to avoid payment, branding the situation as a breach of good faith toward security researchers.
• Skepticism Toward Immunefi: A smaller group raised concerns about Immunefi’s handling of similar disputes in the past, particularly referencing a controversial case in November 2024 involving Trust Security.

The Trust Security Precedent

The Immunefi-Trust Security conflict remains fresh in the minds of many observers. That case centered around an “out-of-scope” bug submission that was denied payment. Immunefi suspended Trust for 90 days following the fallout, but the incident left lingering concerns about how Immunefi enforces or interprets bounty agreements.

These historical tensions have amplified scrutiny in the current Spectra case, particularly over Immunefi’s transparency and potential dominance in dispute resolution processes.

Arbitration Option and Unresolved Status

Notably, Immunefi introduced a formal arbitration system in January 2025 to handle bounty disputes between researchers and protocols. However, there is no indication that the Spectra case has been submitted to arbitration.

As of June 24, 2025, the issue remains unresolved. Spectra has stated that it will release further clarifications, but no mutual agreement or resolution has been announced publicly.