Injective bug bounty dispute emerges after a security researcher claims the project underpaid a reward for reporting a $500M vulnerability.
Author: Akshat Thakur
March 15, 2026 — Injective bug bounty dispute has emerged after a security researcher accused the project of underpaying a reward for reporting a critical vulnerability that could have exposed more than $500 million in user funds. The researcher, known as @al_f4lc0n, said the vulnerability was responsibly disclosed through the Web3 bug bounty platform Immunefi. However, after months of communication delays, the researcher claims the project offered only $50,000 instead of the program’s advertised maximum reward of $500,000.
High Signal Summary For A Quick Glance
MsgBatchUpdateOrders function in Injective’s exchange module.
OxDontonka
@0xDontonka
@al_f4lc0n @0xcastle_chain @immunefi crazy story. sorry man. i think whitehats need to factor in their bounty selection how is the project going, if the project seems to be dying out as their token price, not generating revenue (and profit) that should be a pass. Also bounty that change platform is not a good sign,
I Saved Injective's $500M. They Pay Me $50K. I like hunting bugs on @immunefi . I'm decent at it. - #1 — Attackathon | Stacks - #2 — Attackathon | Stacks II - #1 — Attackathon | XRPL Lending Protocol - 1 Critical and 1 High from bug bounties (not counting this one) Life was
12:38 PM·Mar 15, 2026
DeFiDegen
@defidegen22
@al_f4lc0n @immunefi Dont expect much out of them. Their sold business is selling tokens and funding themselves.
I Saved Injective's $500M. They Pay Me $50K. I like hunting bugs on @immunefi . I'm decent at it. - #1 — Attackathon | Stacks - #2 — Attackathon | Stacks II - #1 — Attackathon | XRPL Lending Protocol - 1 Critical and 1 High from bug bounties (not counting this one) Life was
12:02 PM·Mar 15, 2026
crypt0jt.𝕏
@crypt0jt
@al_f4lc0n @immunefi Take the $50k... This alt will disappear like the rest of them soon, then you'll have nothing.
I Saved Injective's $500M. They Pay Me $50K. I like hunting bugs on @immunefi . I'm decent at it. - #1 — Attackathon | Stacks - #2 — Attackathon | Stacks II - #1 — Attackathon | XRPL Lending Protocol - 1 Critical and 1 High from bug bounties (not counting this one) Life was
11:58 AM·Mar 15, 2026
Steady attention without excessive speculation.
Injective is a Layer 1 blockchain designed for decentralized finance applications, particularly trading and derivatives markets. The network enables users to create spot markets, derivatives products, and other financial instruments onchain.
Since its launch, Injective has attracted backing from major investors and has grown into a platform supporting billions of dollars in decentralized finance activity. Its architecture focuses on high-speed trading and interoperability across blockchain networks.
Like many DeFi platforms, Injective operates bug bounty programs to encourage security researchers to report vulnerabilities before attackers exploit them.
The Injective bug bounty dispute began after the researcher reported a vulnerability involving the protocol’s order batching system.
According to the report, the issue was related to the MsgBatchUpdateOrders function within Injective’s exchange module. This feature allows users to submit multiple order operations in a single transaction.
While limit orders and cancellation requests included validation checks to confirm the account owner, the researcher claimed that the platform failed to properly validate market orders.
This meant that an attacker could potentially submit a transaction using another user’s subaccount identifier. If exploited, the flaw could have allowed unauthorized transfers of funds from affected accounts.
The Injective bug bounty dispute traces back to late 2025 when the vulnerability was initially discovered.
The researcher submitted the report through Immunefi on November 30, 2025. Shortly afterward, Injective proposed a network upgrade that addressed the issue.
According to the researcher, communication then stalled for several months without further updates regarding the reward evaluation.
In early March 2026, the project reportedly offered a bounty of $50,000. The researcher argues that the vulnerability met the criteria for a critical bug under the program’s guidelines, which allows rewards of up to $500,000. As of now, the researcher claims the reduced bounty has not yet been paid.
Key milestones in Injective Protocol
Eric Chen and Albert Chon launch Injective as a decentralized exchange protocol on Ethereum, raising $3.6M in seed funding from Binance Labs, Pantera Capital, and others.
Team expands focus on building a Layer-2 orderbook DEX optimized for derivatives trading.
Testnet goes live, enabling cross-chain trading simulations for early users and developers.
Helix upgrade brings sub-second finality; RWA hub launched for tokenized assets; TVL crosses $1B.
Injective joins Immunefi, offering up to $500K for critical vulnerabilities in smart contracts and blockchain core.
Researcher @al_f4lc0n submits a critical flaw in MsgBatchUpdateOrders via Immunefi — capable of enabling unauthorized fund drains of $500M+.
Injective proposes and passes Proposal 601 for an emergency mainnet upgrade to patch the reported vulnerability.
After three months of silence, Injective offers $50K (10% of max). Researcher disputes the amount as severely undervaluing the critical impact.
Researcher goes public on X, sharing PoC and full report, accusing Injective of underpayment. No official response yet; community backlash grows.
Immunefi is one of the most widely used bug bounty platforms in the Web3 ecosystem. The platform hosts programs for numerous blockchain projects and has facilitated more than $100 million in payouts to security researchers.
Bug bounty programs are designed to incentivize ethical hackers to report vulnerabilities rather than exploit them. Rewards are typically determined by the severity of the issue and the potential financial impact.
However, disagreements over classification, scope, or payout levels have occasionally led to public disputes between researchers and blockchain projects.
Our Crypto Talk is committed to unbiased, transparent, and true reporting to the best of our knowledge. This news article aims to provide accurate information in a timely manner. However, we advise the readers to verify facts independently and consult a professional before making any decisions based on the content since our sources could be wrong too. Check our Terms and conditions for more info.
THORChain Burns 65M RUNE and Cuts Total Supply to 360M
MoonPay Launches MoonAgents Card for AI Crypto Spending
SBI Visa Crypto Card Launches in Japan With XRP Rewards
Carrot DeFi Shuts Down After Drift Exploit Drains $8M
THORChain Burns 65M RUNE and Cuts Total Supply to 360M
MoonPay Launches MoonAgents Card for AI Crypto Spending
SBI Visa Crypto Card Launches in Japan With XRP Rewards
Carrot DeFi Shuts Down After Drift Exploit Drains $8M
