Decentralized oracle network Chainlink recently awarded white hat hacker Zach Obront and Or Cyngiser of Trust $300,000 for discovering a critical vulnerability in its verifiable random function (VRF) product. VRF allows smart contracts to access tamper-resistant, random values while maintaining security.
The discovery of the bug comes amid Chainlink’s growing institutional adoption of its Cross-Chain Interoperability Protocol (CCIP) technology. Major traditional institutions such as Swift, Vodafone, and South Korea’s largest gaming company have used Chainlink technology in recent months.
Possibility of manipulation detected
According to Chainlink Labs, Obront and Cyngiser identified an issue where a malicious VRF subscription owner could prevent users from receiving properly random results by blocking delivery and re-requesting until the desired outcome occurred. The team classified it as a critical security vulnerability in smart contracts.
Although the conditions required to exploit this vulnerability were specific, it still compromised the core functionality of Chainlink VRF, which is to provide transparent and verifiable randomness on chain. The primary risk came from a compromised or malicious subscription owner, a role typically controlled by the decentralized application using VRF.
Fix implemented, and a $300,000 reward paid
After consulting the researchers, Chainlink implemented a fix to ensure that random values are delivered even if the subscription owner tries to exploit the vulnerability. Obront and Cyngiser received $300,000 for responsibly disclosing the issue, making the reward among the top 10 payouts in Immunefi history.
Chainlink runs bug bounty programs on HackerOne and Immunefi, rewarding security researchers who help identify vulnerabilities in their systems. The network has paid more than $500,000 so far on more than 75 resolved reports.
Collaborative audits have also been conducted on Code4rena to further enhance security. The decentralized platform continues to take steps to ensure its reputation for reliability and transparency amid growing adoption.
Increasing real-world use cases
Chainlink’s VRF is used by decentralized applications like Axie Infinity, PancakeSwap, and Aavegotchi to secure smart contracts. The company’s CCIP enables communication between different blockchains, removing a major hurdle in decentralized finance. Its adoption by giant organizations such as SWIFT and Vodafone for tokenization indicates growing confidence in the technology.
With the rapid expansion of decentralized finance, Chainlink’s security and interoperability solutions will likely see greater real-world application. Responsible detection and mitigation of issues like the recent VRF vulnerability will be critical to maintaining reliability as use cases increase.