# Immunefi vs Code4rena vs Sherlock: Where to Find and Report Bugs
If you can read Solidity well enough to spot a reentrancy or a broken access check, someone will pay you for it. The question is where. Three names dominate the conversation: Immunefi, Code4rena and Sherlock. They look similar from the outside (find bug, get paid) but they reward fundamentally different work. One pays for live exploits, the others pay for review work done against a deadline. Picking the wrong one for your situation wastes weeks.
This article breaks down the payout and severity models, the judging, the time commitment, and which platform actually fits a beginner versus a seasoned auditor.
## The core split: bounties vs contests
There are two distinct business models here, and the difference shapes everything else.
Bug bounty (Immunefi). A protocol posts a standing program against code that is already deployed and holding real funds. You hunt on your own schedule. If you find a valid, in-scope vulnerability, you submit a private report and get paid based on its severity. There is no deadline and no competition pool. If you are the first to report a unique bug, the reward is yours.
Audit contest (Code4rena, Sherlock). A protocol opens a time-boxed competition (often a few days to a couple of weeks) on code that is usually not yet on mainnet. Many auditors review the same codebase at once. A shared prize pool is split among everyone who reports valid issues, weighted by severity and, on some platforms, by how many people found the same thing.
The practical consequence: bounties reward depth and patience on live targets, contests reward speed and breadth on fresh code. A duplicate finding is worthless on a bounty (someone beat you) but still pays a share in a contest.
## Severity and payout models
All three lean on a similar severity ladder, but the money behaves differently.
### Immunefi
Immunefi standardized severity around a vulnerability classification system with levels like Critical, High, Medium, Low. Smart contract critical findings are typically the ones that let you steal or permanently freeze funds. Payouts are tied to the program: many serious DeFi programs cap critical rewards as a percentage of funds at risk, with large absolute maximums. Crucially, a real exploit on a live contract is the highest paying single outcome in the entire space, because the protocol is avoiding a real loss.
The trade-off: you are competing against the whole world with no warning, and most reports are duplicates or out of scope. Income is lumpy. You can spend a month and find nothing payable.
### Code4rena
Code4rena uses High and Medium as the paid severity tiers for most of the pool, with QA (quality assurance) and gas optimization reports handled separately and at lower value. The prize pool is fixed up front. Your share of a given issue depends on its severity and on how many people reported the same finding. A High that twenty other people also found pays far less than a High only you found.
This creates a real incentive to find rare bugs, not just the obvious ones. Beginners often farm the easy Mediums and end up with small payouts; the leaderboard is dominated by people who consistently surface unique Highs.
### Sherlock
Sherlock also pays mainly on High and Medium, with a fixed contest pool, but adds two notable mechanics. First, it has historically offered a coverage or guarantee component on some audits, which raises the stakes for judging accuracy. Second, its severity definitions are strict and codified, which reduces argument but also means borderline findings get downgraded more aggressively. Sherlock tends to attract auditors who like precise, rules-driven judging.
## How judging works
Judging is where these platforms feel most different, and it is the part beginners underestimate.
- Immunefi: the protocol team (sometimes with mediation) decides validity and severity. You usually need a working proof of concept that demonstrates the impact, not just a theory. Disputes happen privately.
- Code4rena: dedicated judges review all submissions after the contest closes, deduplicate them, assign severity, and the community can comment. It is transparent and you can see how your report fared against others.
- Sherlock: a head-of-judging plus protocol input, with a formal rules document. There is an escalation/appeals window where you can argue your case with references to the rules.
The common thread: a vague report gets rejected everywhere. A finding without a concrete attack path and impact is noise.
## What a fundable report actually looks like
Severity is about impact, not cleverness. Here is a classic high-impact pattern: a withdrawal that updates state after the external call, enabling reentrancy.
```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

contract Vault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Vulnerable: external call before state update
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] -= amount; // too late
    }
}
```
The fix follows the checks-effects-interactions order:
```solidity
function withdraw(uint256 amount) external {
    require(balances[msg.sender] >= amount, "insufficient"); // check
    balances[msg.sender] -= amount;                           // effect first
    (bool ok, ) = msg.sender.call{value: amount}("");         // interaction last
    require(ok, "transfer failed");
}
```
Whatever the platform, you back this with a proof of concept. With Foundry the runnable PoC looks like this:
```sh
forge test --match-test testReentrancyDrainsVault -vvvv
```
A judge wants to see the attacker contract, the call sequence, and the final balance delta. "This looks reentrant" is not a submission; a test that drains the vault is.
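As an added example (not code from the article), here is the same Foundry harness pointed at the fixed Vault: it contains the re-entering contract, the call sequence and the balance assertions a judge expects, written as the regression test that should ship with the fix. It assumes the fixed Vault is saved at `src/Vault.sol` and that forge-std is installed; the 10 ether of seed deposits is a constructed value.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

import "forge-std/Test.sol";
// Assumed path: the fixed (checks-effects-interactions) Vault from the article.
import {Vault} from "../src/Vault.sol";

// Re-entering caller: deposits, withdraws, and tries to withdraw again from
// inside the ETH callback. Used here only to prove that the fix holds.
contract ReentrantCaller {
    Vault public vault;

    constructor(Vault v) { vault = v; }

    function run() external payable {
        vault.deposit{value: msg.value}();
        vault.withdraw(msg.value);
    }

    receive() external payable {
        // Second withdraw while the first one is still mid-call.
        if (address(vault).balance >= msg.value) {
            vault.withdraw(msg.value);
        }
    }
}

contract VaultReentrancyTest is Test {
    Vault vault;
    ReentrantCaller caller;

    function setUp() public {
        vault = new Vault();
        caller = new ReentrantCaller(vault);
        // Constructed sample state: 10 ether of other depositors' funds.
        vm.deal(address(this), 11 ether);
        vault.deposit{value: 10 ether}();
    }

    // Because the balance is decremented before the external call, the nested
    // withdraw fails its require, the callback reverts, the outer call sees
    // ok == false and the whole transaction reverts. The vault loses nothing.
    function testReentrancyDoesNotDrainVault() public {
        vm.expectRevert(bytes("transfer failed"));
        caller.run{value: 1 ether}();
        assertEq(address(vault).balance, 10 ether);
        assertEq(vault.balances(address(caller)), 0);
    }
}
```

Run it with `forge test --match-test testReentrancyDoesNotDrainVault -vvvv`; the trace at `-vvvv` shows the nested withdraw call and its revert, which is exactly the call sequence a judge asks for.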
## Time commitment
- Immunefi is open-ended. You can dip in for an hour or grind a target for weeks. There is no clock, but also no guaranteed payout for time spent.
- Code4rena contests are intense sprints. A serious entry means several focused days inside a short window, often nights and weekends, because the pool closes for everyone at the same moment.
- Sherlock is similar to Code4rena in cadence, with the added pressure that strict judging punishes a rushed, under-justified report.
If you have a day job, contests force a calendar collision. Bounties let you work async.
## Which platform fits you
### If you are a beginner
Start with contests, and start with Code4rena. Here is why:
Do a few contests, study how the top finders write, and only chase live bounties once you can reliably produce a working PoC.
### If you are experienced
- Immunefi is where the largest single payouts live, if you can find a unique live bug and prove impact end to end. It rewards specialists who go deep on one protocol.
- Sherlock rewards disciplined auditors who write precise, rules-aligned reports and do not mind strict downgrades.
- Code4rena rewards range: people who consistently surface unique Highs across many contests build a strong, public track record.
Many professional auditors do all three: contests for steady, public reputation and live bounties for the occasional large hit.
## How to get started, concretely
### Practice before you compete
The single best predictor of contest success is pattern recognition: seeing a known class of bug fast, in unfamiliar code. That is a trainable skill, and it is cheaper to train on exercises than to learn it live in a prize pool.
On app.solingo-blockchain.xyz you can drill the exact vulnerability classes judges pay for, audit deliberately broken contracts, and practice writing the kind of concrete, impact-first findings that get accepted. Build the reflex first, then take it to a real contest.