Injective Patches $500M Bug, Slashes Hacker Bounty 90%

Edgen Crypto·Mar 16 2026, 02:32

Share to

Share to

Copy link

Key Takeaways

A white hat hacker discovered a critical vulnerability on the Injective chain that could have compromised over $500 million in user assets. While the bug was fixed, the project's handling of the bug bounty has sparked a dispute that threatens its relationship with the security community and investor confidence.

A white hat hacker discovered a critical vulnerability that placed over $500 million in user assets on the Injective protocol at risk of being drained.
After patching the bug, the Injective team offered a disputed $50,000 bounty, a 90% reduction from the advertised maximum for such a severe vulnerability.
The conflict risks damaging Injective's reputation and could discourage security researchers from reporting future flaws, creating long-term security risks for the protocol.

Critical Bug Exposed Over $500M in Injective Assets

A white hat hacker operating under the alias "f4lc0n" discovered a critical security flaw within the Injective protocol that could have resulted in catastrophic losses. The vulnerability, reported through the bug bounty platform Immunefi, would have allowed an attacker to drain assets from any user account on the chain. The potential financial exposure was estimated to be over $500 million.

The Injective team successfully patched the bug after being alerted, preventing any funds from being stolen. The exploit's severity highlights the persistent security challenges facing decentralized finance protocols, where a single coding error can place hundreds of millions of dollars in jeopardy.

Injective Slashes Bounty Payout, Sparking Dispute

Following the patch, the Injective team's handling of the bug bounty created a significant conflict. According to the hacker, the project offered a reward of just $50,000, which remains unpaid. This figure represents a fraction of the maximum $500,000 bounty advertised by Injective's Immunefi program for discovering critical-level vulnerabilities.

The 90% reduction from the maximum advertised payout has drawn criticism from the security community. Such disputes can erode trust between projects and the white hat hackers they rely on to secure their ecosystems. By significantly underpaying for a bug that saved the protocol from a potential $500 million exploit, Injective risks creating a reputation for failing to properly compensate security researchers for their work.

Unpaid Bounty Creates Long-Term Risk for INJ

The dispute's fallout extends beyond a single payment, creating significant reputational and security risks for the Injective protocol. A strained relationship with the white hat community could deter other researchers from disclosing vulnerabilities in the future, potentially leaving critical flaws undiscovered. This could weaken the protocol's long-term security posture.

For investors, the incident raises questions about the project's governance and its commitment to robust security practices. The failure to honor the spirit of its bug bounty program may be perceived as a red flag, potentially impacting confidence in the INJ token and the platform's ability to safeguard user assets against future threats.