Virtuals Protocol Addresses Critical Bug, Promises Bounty for Security Researcher’s Discovery

Virtuals Protocol, a blockchain firm focused on artificial intelligence (AI) agents, has swiftly addressed a critical vulnerability found in one of its audited smart contracts, following a report by a pseudonymous security researcher. The issue, discovered on December 3, 2024, led to an immediate fix and the reactivation of the company’s bug bounty program.


The bug was uncovered by Jinu, a white-hat hacker, who identified a vulnerability in the protocol's contract related to the creation of AgentTokens. According to Jinu, the bug stemmed from a lack of validation when generating these tokens based on the internal bond threshold. If exploited, the vulnerability could have prevented the creation of AgentTokens until a patch was applied, potentially disrupting the virtual ecosystem powered by the protocol.


Upon notifying Virtuals Protocol, Jinu discovered that the company did not have an active bug bounty program at the time, so the researcher would not have been eligible for any financial reward for the discovery. Additionally, Jinu reported that the Discord group originally set up for vulnerability reports had been closed by the company, further complicating communication around the issue.


Jinu shared their concerns on X (formerly Twitter), stating that the vulnerability was simple yet impactful, and expressing frustration with what appeared to be a lack of attention to security by Virtuals Protocol. "The vulnerability is simple and can impact the Virtuals ecosystem (but Virtuals probably doesn’t care about security)," Jinu commented.


Despite these initial setbacks, Virtuals Protocol quickly acknowledged the issue and applied a fix. In a message to Jinu, the company thanked the researcher for bringing the bug to their attention and apologized for earlier miscommunication. They also assured Jinu that they would review the severity of the vulnerability internally and issue a bug bounty reward once this assessment was complete.


“We have verified the vulnerability and applied a patch. Thank you for bringing this up to us, and we apologize for the miscommunication between support and yourself. Let us internally review the severity of the issue, and we will issue you a bug bounty shortly,” the company representatives stated.


Virtuals Protocol has not yet publicly disclosed the details of the bounty reward, and Jinu expressed uncertainty about what the typical payout for bug discoveries in such scenarios might be. The researcher explained that they had become interested in Virtuals Protocol after a friend invested in a token created on the platform. Jinu spent around 30 minutes reviewing the code before stumbling upon the bug.


This incident underscores the importance of proactive security measures in the rapidly growing blockchain and smart contract space. It also highlights the vital role of ethical hackers in identifying vulnerabilities and preventing potential exploits. While Virtuals Protocol has taken quick action to address the issue, the event serves as a reminder of the need for ongoing vigilance and robust bug bounty programs to safeguard against security risks in the blockchain ecosystem.
