Audited Smart Contract Bug Forces Virtuals Protocol to Act Quickly
In an unexpected turn of events, a critical vulnerability discovered in an audited smart contract forced Virtuals Protocol, a blockchain company specializing in artificial intelligence (AI) agents, to implement a swift fix.
The issue, disclosed by pseudonymous security researcher Jinu, has highlighted the importance of proactive bug bounty programs in the blockchain industry.
Discovery of the Vulnerability
On Dec. 3, 2024, Jinu identified a flaw in one of Virtuals Protocol’s audited contracts. However, when attempting to report the issue, Jinu was met with an unexpected obstacle: the company did not have an active bug bounty program. Additionally, the Discord group set up for reporting vulnerabilities had been closed, leaving Jinu without a direct channel to communicate the problem.
Taking to X, Jinu expressed their frustration: “The vulnerability is simple and can impact the Virtuals ecosystem (but Virtuals probably doesn’t care about security).”
Jinu revealed that the bug stemmed from insufficient validation when creating AgentTokens, specifically related to the internal bond threshold. This loophole could have halted the generation of AgentTokens entirely, posing significant risks to the Virtuals Protocol ecosystem.
Virtuals Protocol Reacts Swiftly
After Jinu made the vulnerability public, Virtuals Protocol responded by contacting the researcher and implementing a patch. The company acknowledged the severity of the issue and apologized for the earlier miscommunication. In a message to Jinu, representatives stated, “Hey Jinu, we have verified the vulnerability and applied a patch below. Thank you for bringing this up to us and we apologize for the miscommunication between support and yourself. Let us internally review the severity of the issue and we will issue you a bug bounty shortly.”
Despite the fix, Virtuals Protocol has yet to determine the size of the reward for Jinu’s discovery. The researcher, who initially reviewed the smart contract after learning a friend had invested in a token created on Virtuals, expressed little expectation for compensation. “I spent about 30 minutes looking at the code to see if it was well done,” Jinu shared.
The Relaunch of the Bug Bounty Program
To prevent similar oversights in the future, Virtuals Protocol has announced the relaunch of its bug bounty program. While the company has not disclosed details about the program’s structure or rewards, the move signals a renewed commitment to security and collaboration with the blockchain community.
The incident underscores the need for robust security measures, even for audited contracts. Blockchain firms, particularly those operating in emerging fields like AI integration, face immense pressure to maintain trust and transparency. Bug bounty programs play a crucial role in incentivizing researchers to identify vulnerabilities before malicious actors exploit them.
Overall, this incident serves as a reminder of the dynamic and sometimes unpredictable nature of blockchain security. Even audited smart contracts are not immune to flaws, and the proactive engagement of white-hat hackers remains vital.

