$500 Million Vulnerability Controversy: White Hat Hacker Accuses Injective of Delayed Response and Bounty Reduction


Gate News: On March 17, crypto security researcher al_f4lc0n publicly accused the blockchain project Injective of slow communication and bounty dispute issues during the handling of a major security vulnerability. The vulnerability was said to have threatened over $500 million in on-chain assets, raising community concerns about the project’s security governance.

According to disclosed information, the vulnerability stemmed from a flaw in the sub-account verification mechanism, allowing attackers to execute transactions on behalf of others without permission. Specifically, attackers could create fake tokens and pair them with USDT, manipulate market orders to force victims’ accounts to buy worthless assets at abnormal prices, then transfer the funds to their own addresses and cross-chain to the Ethereum network.
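The flaw described above is a missing ownership check: the chain verified that a subaccount existed and that the order was well formed, but not that the address signing the transaction actually owned that subaccount. The Go snippet below is an added illustration written for this article, not Injective's code; the layout it assumes (a 32-byte subaccount ID made of a 20-byte owner address followed by a nonce) and the function names are assumptions for the example. It places the weak validation beside the hardened one so the difference is visible in code.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"errors"
	"fmt"
)

// SubaccountID is a 32-byte identifier. In this simplified model (an assumption
// for the example, not the project's actual layout) the first 20 bytes are the
// owner's address and the last 12 bytes hold a nonce chosen by the owner.
type SubaccountID [32]byte

var (
	ErrUnknownSubaccount = errors.New("unknown subaccount")
	ErrNotOwner          = errors.New("signer does not own this subaccount")
)

// NewSubaccountID builds an ID from a 20-byte owner address and a nonce.
func NewSubaccountID(owner []byte, nonce uint32) (SubaccountID, error) {
	var id SubaccountID
	if len(owner) != 20 {
		return id, errors.New("owner address must be 20 bytes")
	}
	copy(id[:20], owner)
	// Big-endian nonce in the last four bytes; the bytes in between stay zero.
	id[28] = byte(nonce >> 24)
	id[29] = byte(nonce >> 16)
	id[30] = byte(nonce >> 8)
	id[31] = byte(nonce)
	return id, nil
}

// OwnerOf recovers the owner address embedded in the ID.
func OwnerOf(id SubaccountID) []byte { return id[:20] }

// Order is a market order message as it arrives at the exchange module.
type Order struct {
	Signer     []byte       // address that signed the transaction
	Subaccount SubaccountID // subaccount whose funds the order spends
	Market     string
	Quantity   uint64
}

// ValidateOrderWeak models the flawed check: it confirms the subaccount exists
// and the order is well formed, but never ties the subaccount to the signer.
func ValidateOrderWeak(o Order, known map[SubaccountID]bool) error {
	if !known[o.Subaccount] {
		return ErrUnknownSubaccount
	}
	if o.Quantity == 0 {
		return errors.New("zero quantity")
	}
	return nil
}

// ValidateOrderStrict adds the missing authorization step: the owner derived
// from the subaccount ID must equal the address that signed the transaction.
func ValidateOrderStrict(o Order, known map[SubaccountID]bool) error {
	if err := ValidateOrderWeak(o, known); err != nil {
		return err
	}
	if !bytes.Equal(OwnerOf(o.Subaccount), o.Signer) {
		return ErrNotOwner
	}
	return nil
}

func main() {
	// Constructed sample data: two distinct 20-byte addresses.
	victim := bytes.Repeat([]byte{0xaa}, 20)
	attacker := bytes.Repeat([]byte{0xbb}, 20)
	victimSub, _ := NewSubaccountID(victim, 0)
	known := map[SubaccountID]bool{victimSub: true}

	// An order signed by one party but placed on another party's subaccount.
	o := Order{Signer: attacker, Subaccount: victimSub, Market: "FAKE/USDT", Quantity: 1}
	fmt.Printf("subaccount %s\n", hex.EncodeToString(victimSub[:]))
	fmt.Println("weak check:  ", ValidateOrderWeak(o, known))   // <nil>: accepted
	fmt.Println("strict check:", ValidateOrderStrict(o, known)) // signer does not own this subaccount
}
```

The hardened check is the one a reviewer would expect on every message that spends from a subaccount: derive the owner from the identifier the message names, then compare it to the transaction signer rather than trusting any owner field supplied in the message itself.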

al_f4lc0n published a full technical report on GitHub, stating that at the time of disclosure, the vulnerability covered all on-chain funds, with a risk scale exceeding $500 million. The confirmed potential loss is approximately $280 million, mostly involving INJ tokens. The report bluntly states that the vulnerability “almost allowed direct extraction of funds from any account.”

Regarding the bounty, the controversy has escalated further. The researcher said that after the vulnerability was fixed, the project team did not respond for three months. When a reward was finally offered, it was only $50,000, far below the platform's previously announced maximum bounty of $500,000, and it has still not been paid.

Public information shows that Injective previously set up high rewards on a bug bounty platform to encourage security researchers to disclose critical vulnerabilities. However, this incident has brought scrutiny to its vulnerability response process and incentive mechanisms.

As of press time, the project has not officially responded to the allegations. Industry insiders point out that as DeFi and on-chain asset scales continue to grow, the vulnerability disclosure process, response efficiency, and transparency of bounty payouts are becoming key indicators of a blockchain project’s security and trustworthiness. (Protos)
