Jinu, a security researcher, recently discovered a significant weakness in the Virtuals Protocol smart contract system, specifically regarding the production of token pairs on Uniswap V2. This issue arose from a fault in the Agent Token.sol contract, which lacked validation to check for current pairs on the Uniswap V2 factory contract.
Without this crucial protection, malevolent individuals could have created token pairings in advance, thereby undermining the legitimacy of the platform and potentially disrupting upcoming token releases. In response to this information, Virtuals Protocol swiftly deployed a patch.
Thank you @lj1nu for bringing this to our attention – a patch has been pushed. Security is of the utmost importance to us – we’re working on a bug bounty program and will announce full details soon. https://t.co/O0Axqlio8h
— Virtuals Protocol (@virtuals_io) January 3, 2025
Virtuals Protocol: Strengthening Security Through Validation and Collaboration
The team took decisive action by incorporating validation procedures for the Agent Token.sol contract. By ensuring that existing pairs are accurately validated before any new ones are generated, these improvements effectively close the vulnerability. Virtuals Protocol also published detailed information about the enhancements on platforms like BaseScan and GitHub to promote transparency.
Additionally, Virtuals Protocol announced plans to reopen its bug bounty program to encourage further security research. The team aims to engage the wider cybersecurity community in platform protection by rewarding vulnerabilities that are found and reported.
The company is currently evaluating appropriate compensation for the researcher’s work, as Jinu’s essential contribution in exposing this issue has been recognized. This proactive approach not only underscores Virtuals Protocol’s commitment to enhancing its security framework but also sets a standard for transparency and collaboration within the blockchain community.
However, this incident occurred amid notable activity involving the platform’s native cryptocurrency, VIRTUAL. Previously, in a public action, the suspected official address of Virtuals Protocol withdrew 4 million VIRTUAL tokens from its liquidity pool wallet.
Notably, as we previously noted, on-chain movements were highlighted when one million VIRTUAL coins were transferred to a Bybit deposit address shortly after the withdrawal. Meanwhile, at the time of writing, the VIRTUAL token was trading at approximately $4.22, up 20.13% over the last 7 days and 165.28% over the last 30 days.