A significant flaw in Virtuals Protocol’s smart contract has been rectified, and the company has restarted its bug bounty program to compensate security researchers for new findings.
Virtuals Protocol, a blockchain company that specializes in artificial intelligence agents, has fixed a serious flaw in one of its audited smart contracts.
The fix was made urgently after a pseudonymous security researcher discovered a significant vulnerability in the audited contract. To help prevent future vulnerabilities, the company has also restarted its bug bounty program.
A vulnerability in the Virtuals Protocol may prevent token launches. Is this a feature or a bug in smart contracts?
Pseudonymous security researcher Jinu found a serious flaw in one of Virtuals Protocol's audited smart contracts on December 3, 2024. Although Virtuals Protocol did not have an active bug bounty program, the researcher quickly reported the problem to the company.
Because no program was active, the finding was not eligible for a reward, even though it could affect the protocol's ecosystem. The flaw, which lies in the platform's token-launching process on Uniswap V2, has since been made public.
The problem is in how Virtuals creates token pairs, a process akin to Pump.fun's approach of launching tokens via bonding mechanisms and price thresholds. Jinu discovered a critical issue that could prevent Virtuals from launching new tokens.
He noted that the AgentToken creation process uses the Clones library, which makes future token addresses predictable from the nonce of the AgentFactoryV3 contract. Furthermore, the AgentToken contract's initialize function calls Uniswap V2's createPair method without first checking whether a pair already exists.
If one does, the Uniswap V2 factory reverts the transaction. Additionally, pairs can be created for contracts that do not exist yet. By creating a Uniswap pair in advance for the token address predicted from the nonce, an attacker could take advantage of this and stop Virtuals from launching its tokens. Jinu demonstrated the exploit with a proof of concept on Tenderly.
Jinu suggested changing the AgentToken.sol contract so that it checks whether a pair already exists in Uniswap V2 before attempting to create one, and skips creation if it does. Virtuals failed to address the seriousness of the problem, even shutting down its dedicated Discord channel for reporting vulnerabilities.
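The pair-existence check Jinu suggested, shown next to the unchecked call it replaces. This is an added sketch, not Virtuals' AgentToken code: getPair and createPair are the Uniswap V2 factory's functions, while the contract, function and variable names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of the Uniswap V2 factory interface needed for the check.
interface IUniswapV2Factory {
    function getPair(address tokenA, address tokenB) external view returns (address pair);
    function createPair(address tokenA, address tokenB) external returns (address pair);
}

// Hypothetical helper a clone-deployed token could call from its initializer.
abstract contract PairBootstrap {
    address public uniswapV2Pair;

    // "Before": createPair reverts when a pair for (this, pairToken) is
    // already registered, so the whole initialization reverts with it.
    function _createPairUnchecked(IUniswapV2Factory factory, address pairToken) internal {
        uniswapV2Pair = factory.createPair(address(this), pairToken);
    }

    // "After": look the pair up first and only create it when missing.
    // Both calls run inside the same transaction, so nothing can register
    // a pair between the lookup and the creation.
    function _getOrCreatePair(IUniswapV2Factory factory, address pairToken) internal {
        // getPair returns the zero address when no pair is registered.
        address pair = factory.getPair(address(this), pairToken);
        if (pair == address(0)) {
            pair = factory.createPair(address(this), pairToken);
        }
        // Assumption: adopting a pair that a third party registered earlier
        // is acceptable for the launch flow.
        uniswapV2Pair = pair;
    }
}
```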
“I’m surprised that a project as big and hot as Virtuals doesn’t care about security,” Jinu said, expressing displeasure with the error.
Virtuals Protocol Thanks Jinu for Pointing Out the Error: What Will Happen to Bug Bounties Next?
After Jinu made the problem public on X (formerly Twitter), Virtuals Protocol got in touch with Jinu and quickly fixed it. The company expressed regret for the initial misunderstanding and acknowledged the seriousness of the bug. Virtuals Protocol sent Jinu a message that read:
After confirming the issue, we implemented a fix. We appreciate you alerting us about this. We regret the misunderstanding and will assess the problem’s seriousness before setting a bug bounty.
The company fixed the issue by adding the required validation checks to the contract. The details of the fix and the new contract were made public on GitHub and BaseScan for transparency's sake.
However, Virtuals Protocol has not yet confirmed the reward amount for Jinu's discovery. According to the company, it evaluates a vulnerability's impact internally before offering a reward.