Whitehat hacker accuses Injective of ghosting after $500M bug disclosure

A whitehat hacker has gone public over a months-long feud with the team behind Injective over its response to a critical bug disclosure.

According to the report, the vulnerability in question put $500 million at risk via a faulty validation system.

The pseudonymous crypto security researcher, who goes by the moniker al_f4lc0n, has accused Injective of ghosting them for three months, despite fixing the bug, and later lowballing the bounty payout.

Read more: Ethereum address poisoning spike, ‘wallets aren’t ready’ says researcher

The bug

The bounty hunter uploaded a full bug report to a GitHub repository called “injective-wall-of-shame.”

In the repo’s readme, entitled “I Saved Injective’s $500M. They Pay Me $50K,” they explain that the vulnerability allowed “any user to directly drain any account on the chain. No special permissions needed.”

The more detailed technical report describes how a faulty subaccount validation system allowed for an attacker to submit market orders on other users’ behalf.

The bug was exploitable by an attacker creating a worthless token and creating a spot market, pairing it with USDT. Both these actions are permissionless on Injective.

Then, by creating a sell order of the fake token, the attacker could force victim accounts to buy the worthless token for USDT, “at the attacker’s chosen price.” The USDT could then be permissionlessly bridged off Injective, to Ethereum.

The report claims this put all value on the blockchain at risk, and that the total was over $500 million at the time of disclosure.

The figure currently sits at $280 million, the vast majority of which is in the INJ token.

Embed: Oracle error adds to turmoil at DeFi giant Aave

The bounty

Injective is a blockchain network which lists the likes of Binance, Jump, Google and Pantera as partners, claiming “institutional and government players are joining us.”

Bug bounties are a common way for organizations to crowdsource continuous security monitoring from specialist whitehat bounty “hunters.”

Injective’s ImmuneFi page lists a maximum bounty of $500,000 for critical threats related to its blockchain and smart contracts.

The researcher claims, “a mainnet upgrade to fix the bug went to governance vote. The Injective team clearly understood the severity.”

They also allege that injective “ghosted” for three months after the fix, before offering a bounty 10x lower than the maximum. “To be clear: the $50K has not been paid either,” they stress. 

Protos has reached out to Injective for comment on al_f4lc0n’s claims, but hadn’t received a response before publication. This article will be updated should we receive one.

Got a tip? Send us an email securely via Protos Leaks. For more informed news, follow us on X, Bluesky, and Google News, or subscribe to our YouTube channel.