News
Chainlink VRF vulnerability thwarted by white hat hackers with $300K reward Chainlink VRF vulnerability thwarted by white hat hackers with $300K reward

Chainlink VRF vulnerability thwarted by white hat hackers with $300K reward

Chainlink's technology has enjoyed high institutional adoption recently.

Chainlink VRF vulnerability thwarted by white hat hackers with $300K reward

Cover art/illustration via CryptoSlate. Image includes combined content which may include AI-generated content.

Receive, Manage & Grow Your Crypto Investments With Brighty

Decentralized oracle network Chainlink (LINK) paid a $300,000 bounty to white hat hackers Zach Obront and Or Cyngiser (Trust), who uncovered a critical bug that could have skewed its Verifiable Random Function (VRF).

The bug

VRF is a random number generator (RNG) that allows smart contracts to access random values without compromising security.

The product is used by several crypto projects, including Axie Infinity, PancakeSwap, and Aavegotchi, to protect their smart contract with tamper-proof randomness that cannot be manipulated and ensure verifiable outcomes using cryptographic proofs.

Last year, Trust and Obront submitted a report on how a malicious VRF subscription owner could have prevented users from getting this neutral randomness roll by blocking and rerolling randomness until they received a desired value.

According to the Chainlink team, this bug was categorized as a critical-impact smart contract vulnerability, adding that:

“While it could compromise Chainlink VRFโ€™s intended use of providing transparently verifiable tamper-resistant onchain randomness, the exploitable scenario required a number of specific conditions to be met and would be detectable onchain. Most notably, the subscription ownerโ€”a role typically controlled by the team behind the dApp using VRFโ€”must be malicious or compromised.”

Following the incident, Chainlink implemented a security feature to prevent malicious VRF owners from exploiting the issue.

Chainlink enjoying institutional interest

Chainlink’s Cross-Chain Interoperability Protocol (CCIP) technology has seen an increase in adoption from adoption from major traditional institutions.

The global financial messaging network Swift used the technology in a tokenization experiment that involved the transfer of tokens across multiple blockchains in August. South Korean gaming giant also used it to power an interoperable Web3 gaming ecosystem in October.

Also, Hong Kong authorities adopted it for value exchange in its Central Bank Digital Currency (CBDC) trials.

As a result, Chainlink’s native LINK token and Grayscaleโ€™s Chainlink Trust (GLNK), an institutional investment vehicle, have seen their value surge to new highs.

Mentioned in this article