Virtuals Protocol Fixes Critical Bug, Offers Bounty to Researchers Discovering Future Vulnerabilities

On December 3, 2024, an unexpected bug was discovered in one of Virtuals Protocol’s audited smart contracts by pseudonymous security researcher Jinu. This led to a timely fix and the reactivation of their bug bounty program.

Background on the Discovery

Jinu contacted Virtuals Protocol after discovering the vulnerability in their contract. However, upon reporting the issue, Jinu learned that the company did not have an active bug bounty program, which meant the discovery would not qualify for a reward.

According to Jinu, the Virtuals Protocol team also closed the Discord group created solely for reporting vulnerabilities. In an X thread, Jinu stated:

"The vulnerability is simple and can impact the virtuals ecosystem (but virtuals probably doesn’t care about security)."

Jinu explained to Cointelegraph that the vulnerability was related to a lack of validation when creating AgentTokens based on the internal bond threshold. If exploited, this vulnerability would have prevented AgentTokens from being generated until the contract was fixed.

The Fix and Re-Activation of Bug Bounty Program

After the information was made public on X, Virtuals Protocol contacted Jinu and issued an immediate fix. Despite the timely fix, Virtuals Protocol has yet to announce a bug bounty reward for Jinu.

In a message to the researcher, the company thanked Jinu for reporting the issue and apologized for earlier miscommunication:

"Hey jinu we have verified the vulnerability and applied a patch below. Thank you for bringing this up to us and we apologize for the miscommunication between support and yourself. Let us internally review the severity of the issue and we will issue you a bug bounty shortly."

When asked about the bounty expectations, Jinu stated that they were unaware of the general rewards for bug discoveries. Jinu told Cointelegraph that they got interested in Virtuals Protocol after a friend invested in a token created on Virtuals.

"I spent about 30 minutes looking at the code to see if it was well done," Jinu said before they came across the bug.

The Importance of Bug Bounty Programs

Bug bounty programs are crucial for blockchain firms, as they incentivize white-hat hackers like Jinu to discover vulnerabilities in their contracts. This not only helps improve security but also ensures that any potential issues are addressed promptly.

Virtuals Protocol’s decision to re-activate its bug bounty program is a positive step towards prioritizing security and encouraging responsible disclosure of vulnerabilities.

The Role of White-Hat Hackers

White-hat hackers like Jinu play a vital role in identifying vulnerabilities in blockchain contracts. Their contributions help firms like Virtuals Protocol improve their security posture and prevent potential attacks.

In an interview, Jinu shared their experience with Cointelegraph:

"I’m not aware of the general rewards for bug discoveries. I got interested in Virtuals Protocol after a friend invested in a token created on Virtuals."

Jinu’s discovery highlights the importance of having an active bug bounty program and engaging with white-hat hackers to identify potential vulnerabilities.

Conclusion

The incident serves as a reminder that even audited smart contracts can have unforeseen bugs. It also emphasizes the need for blockchain firms to maintain an active bug bounty program, which encourages responsible disclosure of vulnerabilities.

Virtuals Protocol’s timely fix and re-activation of its bug bounty program demonstrate a commitment to security and user protection. As the crypto space continues to evolve, it is essential for blockchain firms to prioritize security and engage with white-hat hackers to ensure the stability of their contracts.

Recommendations for Blockchain Firms

  1. Maintain an Active Bug Bounty Program: Encourage responsible disclosure of vulnerabilities by having a clear bug bounty program in place.
  2. Engage with White-Hat Hackers: Collaborate with white-hat hackers like Jinu to identify potential vulnerabilities and improve security posture.
  3. Prioritize Security: Invest in robust security measures to prevent potential attacks and ensure user protection.

By following these recommendations, blockchain
