Injective Offered $50K for $500M Bug — White Hat Says Reward Violates Policy

A white-hat researcher known as f4lc0n reported a critical Injective vulnerability that could have allowed attackers to drain more than $500 million of on-chain assets and empty arbitrary accounts. Injective applied a mainnet upgrade to patch the flaw, but the team remained largely silent for about three months before offering a $50,000 bug-bounty payment. f4lc0n disputes the award, saying it contradicts Injective’s public bug-bounty policy, which ties maximum payouts to a percentage of funds at risk (up to 10%), and alleges that the project provided no clear methodology for how the $50,000 figure was calculated. The researcher has not received the $50,000 and says they will publicize the dispute and allocate 10% of future bounties to pressuring Injective until full compensation is paid. Industry norms for critical, fund-theft vulnerabilities typically see much larger payouts (often $250k–$1M+), along with timely, transparent communication under responsible disclosure. The episode raises concerns about incentive alignment, disclosure practice, and protocol responsiveness: factors traders should weigh when assessing Injective’s security risk and counterparty reliability.
Bearish
This news is likely bearish for INJ in both the short and medium term. A disclosed critical vulnerability with a high funds-at-risk figure ($500M) undermines confidence in Injective’s security practices. Even though the bug was patched, the project’s delayed communication and a disputed, relatively small bounty ($50K) create reputational risk. Traders often react negatively to perceived governance or operational failures, and short-term selling can follow as holders reduce exposure to protocol risk. In the medium term, persistent doubts about responsible disclosure and incentive alignment can depress demand for the token among risk-sensitive investors and partners, slowing adoption and liquidity. However, the price impact may be limited given that no exploit occurred, provided the patch proves sound; a full rebound is possible if Injective resolves the dispute transparently, raises bounty levels to industry norms, and restores trust. Overall, the expected immediate pressure on INJ sentiment and potential outflows justify a bearish classification.