- A researcher disclosed a critical vulnerability that put approximately $500 million at risk on the Injective blockchain.
- The bug allowed an attacker to create a worthless token and force victim accounts to buy it, potentially draining funds.
- The researcher claims Injective delayed response and offered a bounty significantly lower than the disclosed maximum payout.
A pseudonymous security researcher has publicly detailed a months-long dispute with the team behind the Injective blockchain over their handling of a critical bug disclosure that put substantial funds at risk. According to a report posted to a public GitHub repository, the vulnerability could have allowed “any user to directly drain any account on the chain,” potentially jeopardizing hundreds of millions of dollars. The researcher, who goes by al_f4lc0n, accused Injective of ghosting them for three months after the fix was deployed.
Consequently, the researcher alleges that after the silence, the project offered a bounty payment far below the listed maximum for critical threats. The technical report explains the flaw stemmed from faulty subaccount validation, which could let an attacker create a worthless token and a paired market, then force sell orders on victim accounts. This method could siphon funds like USDT, which could then be bridged off the chain. The researcher states that Injective later implemented a mainnet upgrade to resolve the issue, confirming its severity.
Meanwhile, the researcher’s GitHub repository titled “injective-wall-of-shame” outlines the saga, including the claim that the offered $50,000 bounty has not yet been paid. Injective, which lists partners including Binance and Google, maintains a bug bounty program on Immunefi with a maximum reward of $500,000 for critical vulnerabilities. The researcher contends their disclosure warranted a higher reward given the scale of the risk, which they estimated at over $500 million based on total value locked on the blockchain at the time.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
