I have a general rule of exploit sales which nobody has shot me down on yet and I'm increasingly confident about: people are buying non-speculative outcomes. Every dorm room conversation about vulnerability valuation inevitably veers into speculation about what bank-shot outcomes a buyer might hope to achieve with a purchase. The reality is that unless the buyer is getting exactly an outcome they already planned (and, usually, have already repeatably achieved), they're not interested. Exploits have to slot into existing business processes.

This explains reliable, stealthy, zero-interaction full-chain iOS vulnerabilities, which fit into every intelligence, military, and law enforcement business process pin-compatibly. It explains browser vulnerabilities and ATO vectors.

And it also approximates the market for blockchain vulnerabilities: if the exploit is "literally transfer untraceable cash from victims to buyer", lots and lots of criminal organizations already have that business process; you probably simplify their existing repeatable process.

Blockchain vulnerabilities thus have a very credible market. As bonus: the work of discovering and POC'ing these vulnerabilities may be gnarly, but the engineering required to exploit them at scale probably isn't. It doesn't take months of R&D to make the exploit "reliable", it generates straight cash until it dies (and probably has a half-life measured in minutes), and so on.

Every lucrative class of vulnerability has some kind of story like this; they all fit into some existing, very clearly stated demand.

We get into trouble trying to generalize. All the markets are very specific; they're all sui generis. Most vulnerabilities are worth zero. There are mobile OS RCEs that are probably worth zero!

I can and I do, I say it all the time.