---

Code4rena announced on May 13, 2026 that it is shutting down, ending a platform that grew to more than 16,600 registered security researchers and completed over 511 competitive audits since its launch. Immunefi, the dominant infrastructure provider for Web3 bug bounties, confirmed it will migrate Code4rena's active bounty programs, outstanding reward pools, and researcher accounts onto its own platform. Analysts say the closure reflects a broader consolidation trend in the Web3 security sector, where independent mid-tier platforms have faced mounting pressure from larger integrated competitors, a pattern examined in detail below.

"This community has meant a great deal to everyone who has been part of building it, and sharing this news is not easy," the Code4rena team wrote on X. The platform added that all ongoing work will be honored: "Every active competition and bounty will be seen through to a full and proper close."

Code4rena currently lists nine live bug bounty programs, with reward caps ranging from $10,000 for Kite AI to $250,000 for Moonwell. Other active programs cover protocols including Renegade, Succinct, Legion, Rujira, Intuition, Glow Finance, and GMTrade. Those programs will transfer to Immunefi's infrastructure as part of the migration.

A Competitive Audit Pioneer Winds Down

Code4rena built its reputation on the competitive audit model, a format where independent security researchers (called "wardens") work within a fixed time window to find vulnerabilities in smart contract code. Over its lifetime, wardens surfaced 26,898 unique findings, including 1,607 classified as high severity. The platform estimates it prevented roughly $12 billion in potential exploits. That track record made Code4rena a meaningful part of the Web3 security stack, particularly for protocols that wanted broad researcher coverage before and after launch.

The shutdown comes approximately 20 months after Paradigm-backed blockchain security firm Zellic acquired Code4rena in August 2024. At the time, Zellic framed the deal as creating a hybrid "Audits+" service combining its own consultative work with Code4rena's open competitive format. Zellic wrote in a blog post: "There won't be any major changes to Code4rena as you currently know it." The decision to wind down the bug bounty business appears to contradict that earlier pledge.

The fate of Code4rena's flagship competitive audit product remains less clear. Only the bug bounty vertical is confirmed to be transferring to Immunefi, and it is uncertain whether Zellic's own audit services will absorb some or all of the competitive audit function. No announcement addressing that question has been made.

Immunefi's Scale and the IMU Token

Immunefi already operates at a substantially larger scale than Code4rena's bounty vertical. The platform reports more than 60,000 registered security researchers, over 10,000 active programs, protection of over $190 billion in user funds across 650-plus protocols, and more than $110 million paid out in bounties since launch. The Web3 bug bounty market currently carries over $162 million in available reward pools across platforms. The contrast in active program count alone is striking: Code4rena listed nine live programs at the time of its closure announcement.

In January 2026, Immunefi launched its native governance token, IMU, with a total supply of 10 billion tokens. The token's fully diluted valuation sat at approximately $133.7 million at listing. IMU holders can vote on bounty standards, platform features, and community treasury decisions. Immunefi has also introduced token staking mechanisms that, as described in platform documentation, grant researchers priority access to certain programs, a structural detail that carries implications for who can effectively compete on the platform.

What This Means for Researchers in South Asia and Africa

The migration has practical consequences for security researchers outside the United States, particularly in South Asia and Africa, where competitive audit platforms have served as one of the few accessible, borderless income paths in the technology sector.

Web3 developer communities have grown significantly across South Asia, including in India, Pakistan, and Bangladesh. In India, web3 developers earn an average of roughly $13,173 per year in local market compensation. A single critical-severity bug bounty on Immunefi pays an average of around $13,000, with top payouts exceeding $3 million. That income asymmetry has made open-competition platforms like Code4rena especially attractive to skilled researchers in lower-income markets, where no institutional affiliation or employer sponsorship is required to participate.

Code4rena's prize-pool model, where rewards were distributed among all researchers who submitted valid findings, sometimes gave less-established researchers a realistic path to income even when competing against experienced professionals. Immunefi's platform operates differently, with a tier system and distinct program access structures. The reported IMU staking mechanism for priority program access could raise effective entry barriers for researchers who cannot afford to lock up significant capital.

In Nigeria, Kenya, South Africa, and other parts of Sub-Saharan Africa, bug bounty income represents one of the few genuinely permissionless financial opportunities available to tech workers who lack access to conventional payment infrastructure. The shift to Immunefi consolidates program access onto a single platform, which increases the total pool of available programs but reduces the competitive diversity that smaller platforms once provided.

Consolidation Continues Across Web3 Security

The Code4rena shutdown is part of a broader pattern. The Web3 security sector lost more than $606 million to exploits in April 2026 alone, and $3.4 billion was stolen across crypto markets in all of 2025. Despite that demand for security services, the economics have pushed projects toward integrated security stacks rather than separate providers for audits, competitions, and standing bounties. Sherlock, with more than 11,000 registered researchers, and HackenProof remain as alternatives, but the field is narrowing considerably relative to Immunefi's 60,000-plus researcher base. For protocols in emerging markets looking for affordable pre-launch audit options, the loss of Code4rena's competitive format reduces available choices, and there is growing concern in the industry that smaller teams may be pushed toward more expensive firm-based audits as a result.