A pseudonymous security researcher discovered a critical flaw in Virtuals Protocol’s audited contract, leading to an urgent patch.
Virtuals Protocol, a blockchain company specializing in artificial intelligence agents, promptly implemented a fix and reinstated its bug bounty program in response to an unexpected flaw discovered in an audited smart contract.
Jinu, a security researcher who operates under an assumed name, reached out to Virtuals Protocol on December 3, 2024, following the identification of an error in one of its audited contracts.
Nevertheless, Jinu discovered that the company did not have an active bug bounty program, which meant that the discovery did not qualify for a reward, after reporting the issue.
White-Hat Infiltrator Discloses Vulnerability
The Discord group established exclusively to disclose the vulnerability was also closed by the Virtuals Protocol team, as per Jinu. Jinu stated in an X thread:
“The vulnerability is simple and can impact the virtuals ecosystem (but virtuals probably doesn’t care about security).”
Jinu informed Cointelegraph that the vulnerability was caused by a lack of validation during the creation of AgentTokens based on the internal bond threshold.
Jinu stated, “If exploited, this vulnerability would have prevented the generation of AgentTokens until the contract was resolved.”
Virtuals Protocol promptly contacted Jinu following the information’s public disclosure on X and implemented an immediate solution.
Reward For Defect Discovery Has Not Yet Been Determined By Virtuals Protocol
Virtuals Protocol has not yet disclosed a bug bounty reward for Jinu, despite the timely resolution.
The company expressed its gratitude to Jinu for reporting the issue and issued an apology for the previous miscommunication in a message to the researcher.
“Hello, Jinu.” We have confirmed the vulnerability and implemented the remedy listed below.
We appreciate your bringing this matter to our attention, and we regret any confusion that may have arisen between you and our support team.
The security researcher was informed by company representatives that they would be issued a bug bounty in the near future after conducting an internal evaluation of the severity of the issue.
When questioned about bounty expectations, Jinu stated that they are unaware of the common rewards for bug discoveries.
After an acquaintance invested in a token created on Virtuals, Jinu informed Cointelegraph that they became interested in Virtuals Protocols.
Before the flaw was discovered, Jinu stated, “I spent approximately 30 minutes reviewing the code to determine its quality.”
Virtuals Protocol has been contacted by Cointelegraph for a response.