TL;DR
- An anonymous researcher discovered a vulnerability in an audited contract of Virtuals Protocol related to the creation of AgentTokens.
- Despite quickly fixing the issue, the company has yet to announce an official reward for the researcher.
- The lack of an active bug bounty program and poor communication led to frustration in the community.
Virtuals Protocol, a firm focused on artificial intelligence agents, fixed a critical vulnerability in one of its audited contracts after it was discovered by an anonymous researcher. This incident highlighted the importance of security in platforms based on smart contracts.
On December 3, 2024, a researcher under the pseudonym “Jinu” discovered a bug in the code of Virtuals Protocol’s audited smart contract. When reporting the vulnerability, Jinu found out that the protocol did not have an active bug bounty program, meaning that the discovery would not qualify for a reward. Additionally, the company closed the Discord group dedicated to reporting vulnerabilities, which further frustrated the researcher.
Critical Vulnerability in AgentToken Creation
Jinu explained in an X (formerly Twitter) post that the vulnerability stemmed from a lack of validation when creating “AgentTokens” based on an internal bond threshold. According to Jinu, “The vulnerability is simple and can affect the Virtuals ecosystem.” Had it been exploited, this issue would have prevented the creation of AgentTokens until the contract was fixed.
Despite quickly addressing the issue, Virtuals Protocol has yet to offer an official reward for the discovery. In a message to Jinu, the company thanked them for reporting the issue and apologized for the initial poor communication:
“We have verified the vulnerability and applied the patch. Thank you for bringing this to our attention. We apologize for the miscommunication between support and yourself. We will review the severity of the issue internally and offer a bounty shortly,” the company representatives stated.
Jinu, who became interested in Virtuals Protocol after a friend recommended it, mentioned he was unsure what type of rewards to expect for the discovery. This incident emphasizes the importance of having active bug bounty programs and improving communication within blockchain platforms, especially those managing valuable digital assets.