Chainlink VRF Vulnerability Thwarted by White Hat Hackers; $300K Reward
Decentralized oracle network Chainlink (LINK) recently paid a $300,000 bounty to white hat hackers Zach Obront and Or Cyngiser (Trust), who uncovered a critical bug in the system. The bug could have skewed the Verifiable Random Function (VRF) used by several crypto projects, including Axie Infinity, PancakeSwap, and Aavegotchi.
The VRF is essentially a random number generator (RNG) that enables smart contracts to access random values without compromising security. It is a vital component for protecting smart contracts with tamper-proof randomness that cannot be manipulated, ensuring verifiable outcomes using cryptographic proofs.
Last year, Trust and Obront submitted a report detailing how a malicious VRF subscription owner could have interfered with the neutral randomness roll by blocking and rerolling randomness until they received a desired value. The Chainlink team classified this bug as a critical-impact smart contract vulnerability.
The team added that the bug “could compromise Chainlink VRF’s intended use of providing transparently verifiable tamper-resistant onchain randomness”. However, they also mentioned that the exploitable scenario required specific conditions to be met and would be detectable onchain.
Following the identification of the bug, Chainlink has implemented a security feature to prevent malicious VRF owners from exploiting the issue.
In addition to these developments, Chainlink’s Cross-Chain Interoperability Protocol (CCIP) technology has been gaining significant traction from major traditional institutions. Global financial messaging network Swift utilized the technology in a tokenization experiment, and a South Korean gaming giant also utilized it to power an interoperable Web3 gaming ecosystem. Even Hong Kong authorities have adopted it for value exchange in their Central Bank Digital Currency (CBDC) trials.
This increased adoption has also had a positive impact on Chainlink’s native LINK token and Grayscale’s Chainlink Trust (GLNK), an institutional investment vehicle, both of which have seen a surge in value.
Overall, the uncovering of the VRF vulnerability and the subsequent reward for the white hat hackers, along with the institutional interest in Chainlink’s technology, highlight the importance of robust security measures in the rapidly evolving world of decentralized finance and blockchain technology.