White Hat Hackers Awarded $300K After Uncovering Critical Chainlink VRF Vulnerability

DeFi
Last updated:
Author
Trent Alan
Author Categories
About Author

Trent has a background and education in journalism and communications, with two decades of experience editing and writing on a diverse array of topics. In recent years, however, he has shifted his...

Last updated:
Why Trust Cryptonews
Cryptonews has covered the cryptocurrency industry topics since 2017, aiming to provide informative insights to our readers. Our journalists and analysts have extensive experience in market analysis and blockchain technologies. We strive to maintain high editorial standards, focusing on factual accuracy and balanced reporting across all areas - from cryptocurrencies and blockchain projects to industry events, products, and technological developments. Our ongoing presence in the industry reflects our commitment to delivering relevant information in the evolving world of digital assets. Read more about Cryptonews
Chainlink VRF
White hat hackers earn $300K Chainlink bounty for responsibly disclosing critical VRF vulnerability. Image by ZayNyi, Adobe Stock.

Decentralized oracle network Chainlink recently awarded white hat hackers Zach Obront and Or Cyngiser of Trust $300,000 for uncovering a critical vulnerability in its Verifiable Random Function (VRF) product. VRF allows smart contracts to access tamper-proof random values while maintaining security.

The bug discovery comes amid Chainlink’s increased institutional adoption of its Cross-Chain Interoperability Protocol (CCIP) technology. Major traditional institutions like Swift, Vodafone and South Korea’s largest gaming company have utilized Chainlink’s technology in recent months.

Uncovered Potential for Manipulation

According to Chainlink Labs

, Obront and Cyngiser identified an issue where a malicious VRF subscription owner could potentially prevent users from getting proper randomness rolls by blocking and rerolling until a desired outcome occurred. The team categorized it as a critical smart contract vulnerability.

Although the conditions required to exploit this loophole were specific, it still compromised the core functionality of Chainlink VRF in providing transparent and verifiable on-chain randomness. The primary risk came from a compromised or malicious subscription owner, a role typically controlled by the decentralized app using VRF.

Mitigation Implemented, $300K Bounty Paid

After consulting the researchers, Chainlink implemented a fix to guarantee randomness delivery even if the subscription owner tries exploiting the vulnerability. Obront and Cyngiser received $300,000 for responsibly disclosing the issue, positioning the bounty among the top 10 payouts in Immunefi’s history.

Chainlink runs bug bounty programs on HackerOne and Immunefi, awarding security researchers who help identify weaknesses in its systems. The network has paid out over $500,000 to date across 75+ resolved reports.

Crowdsourced audits on Code4rena have also been conducted to further strengthen security. The decentralized platform continues taking steps to secure its reputation for reliability and transparency amid growing adoption.

Increasing Real-World Use Cases

Chainlink’s VRF is used by dApps like Axie Infinity, PancakeSwap, and Aavegotchi to protect smart contracts. The company’s CCIP allows communication between different blockchains, eliminating a major obstacle in decentralized finance. Its adoption by institutional giants like Swift and Vodafone for tokenization indicates growing trust in the technology.

With decentralized finance expanding rapidly, Chainlink’s security and interoperability solutions are likely to see increased real-world application. Responsible disclosure and mitigation of issues like the recent VRF vulnerability will prove critical for maintaining reliability as use cases scale up.

More Articles

Blockchain News
SEC Acknowledges Spot Solana ETF Filings from Canary, VanEck, Bitwise, and 21Shares
Hassan Shittu
Hassan Shittu
2025-02-12 00:29:24
Blockchain News
Crypto Custodian BitGo Eyes IPO in H2 as Regulatory Support Strengthens: Report
Tanzeel Akhtar
Tanzeel Akhtar
2025-02-11 23:30:45
Crypto News in numbers
editors
Authors List + 66 More
2M+
Active Monthly Users Around the World
250+
Guides and Reviews Articles
8
Years on the Market
70
International Team Authors