Chainlink VRF vulnerability thwarted by white hat hackers with $300K reward

cyptouser | 11 months ago | Cryptocurrencies News

Decentralized oracle network Chainlink (LINK) paid a $300,000 bounty to white hat hackers Zach Obront and Or Cyngiser (Trust), who uncovered a critical bug that could have skewed its Verifiable Random Function (VRF).

The bug

VRF is a random number generator (RNG) that allows smart contracts to access random values without compromising security.

Several crypto projects, including Axie Infinity, PancakeSwap, and Aavegotchi, use the product to protect their smart contracts with tamper-proof randomness that cannot be manipulated, and to ensure verifiable outcomes through cryptographic proofs.

Last year, Trust and Obront submitted a report on how a malicious VRF subscription owner could have denied users this neutral randomness roll by blocking and rerolling the randomness until a desired value came up.

The Chainlink team categorized this bug as a critical-impact smart contract vulnerability, adding that:

“While it could compromise Chainlink VRF’s intended use of providing transparently verifiable tamper-resistant onchain randomness, the exploitable scenario required a number of specific conditions to be met and would be detectable onchain. Most notably, the subscription owner—a role typically controlled by the team behind the dApp using VRF—must be malicious or compromised.”

Following the incident, Chainlink implemented a security feature to prevent malicious VRF owners from exploiting the issue.

Chainlink enjoying institutional interest

Chainlink’s Cross-Chain Interoperability Protocol (CCIP) technology has seen an increase in adoption from major traditional institutions.

The global financial messaging network Swift used the technology in August in a tokenization experiment that involved transferring tokens across multiple blockchains. A South Korean gaming giant also used it to power an interoperable Web3 gaming ecosystem in October.

Also, Hong Kong authorities adopted it for value exchange in their Central Bank Digital Currency (CBDC) trials.

As a result, Chainlink’s native LINK token and Grayscale’s Chainlink Trust (GLNK), an institutional investment vehicle, have seen their value surge to new highs.
