BlockBeats reported on January 3, citing Cointelegraph, that an unexpected vulnerability was found in an audited smart contract, and that the Virtuals Protocol released a timely fix and restarted its bounty program.
On December 3, 2024, a security researcher known as Jinu contacted the Virtuals Protocol after discovering a vulnerability in their audited contract. However, after reporting the issue, Jinu learned that the company had not activated the bounty program, meaning that this discovery did not qualify for a reward.
The Virtuals Protocol confirmed the vulnerability reported by the white hat researcher.
Although the Virtuals Protocol has promptly fixed the vulnerability, it has yet to announce a bounty for Jinu. In a message sent to the researcher, the company thanked Jinu for reporting the issue and apologized for previous communication misunderstandings.
‘Hey Jinu, we’ve verified the vulnerability and applied a patch. Thank you for bringing this issue to us, and we apologize for the communication breakdown between the support team and you. Let us assess the severity of the issue internally and issue you a bounty soon,’ a company representative told the security researcher.
When asked about expectations for the bounty, Jinu stated that they were unclear about the typical reward for discovering vulnerabilities. Jinu indicated that their interest in the Virtuals Protocol stemmed from a friend investing in a token created on Virtuals.
‘I spent about 30 minutes reviewing the code to see if it was well-written,’ Jinu said, before discovering the vulnerability.