
BlockBeats News, March 16th: White-hat hacker f4lc0n disclosed that they had found a “critical”-level vulnerability in the Injective Protocol that could allow over $500 million in assets to be extracted directly from the chain, but the project team offered them only a $50,000 bounty, far below the $500,000 upper limit for that level in their plan.
f4lc0n stated that the vulnerability allowed any user to empty any on-chain account without needing special permissions. After f4lc0n submitted a report through Immunefi, the Injective team initiated a mainnet upgrade vote the next day to fix the vulnerability but then went “missing in action” for the following three months. Currently, f4lc0n has disputed the bounty amount and claimed that the $50,000 reward has not yet been paid out. f4lc0n announced that they would allocate 10% of future bug bounty earnings to continue publicly disclosing this matter until Injective pays the reward in accordance with the standard.



