The decentralized finance (DeFi) sector faces unique security challenges, as highlighted by a recent incident involving GMX. Although GMX offered a substantial bounty of $5 million for vulnerabilities, a hacker chose to exploit the system first, later negotiating to return the funds in exchange for the bounty. This approach underscores the lack of clear legal frameworks in DeFi, where the "Code is Law" ethos prevails, allowing significant operational leeway compared to traditional industries. The incident raises questions about the effectiveness of current bounty programs in building trust between hackers and project teams. The absence of direct legal recourse against the exploitation of smart contract vulnerabilities complicates the landscape, often leading hackers to act independently before considering negotiations. This situation emphasizes the need for improved mechanisms to ensure security researchers are adequately rewarded and protected, without resorting to exploitative tactics.