Last updated:
Journalist
Hassan Shittu
Journalist
Hassan Shittu
Share
Why Trust Cryptonews
Ad Disclosure
We believe in full transparency with our readers. Some of our content includes affiliate links, and we may earn a commission through these partnerships. Read more
Virtuals Protocol, a blockchain firm specializing in artificial intelligence agents, has resolved a critical bug in one of its audited smart contracts.
A pseudonymous security researcher identified a critical vulnerability in the project audited contract, prompting an urgent fix. The company has also relaunched its bug bounty program to prevent future vulnerabilities.
Virtuals Protocol Vulnerability Could Block Token Launches: Is This A Smart Contract Bug Or Feature?
On December 3, 2024, pseudonymous security researcher Jinu discovered a critical vulnerability in one of Virtuals Protocol’s audited smart contracts.
The researcher promptly reported the issue to Virtuals Protocol, but the company did not have an active bug bounty program.
Consequently, despite its potential impact on the protocol’s ecosystem, the discovery did not qualify for a reward.
The vulnerability stemmed from the platform token-launching mechanism on Uniswap V2 has been exposed.
The flaw lies in how Virtuals creates token pairs, a process similar to Pump.fun’s method of launching tokens through price thresholds and bonding mechanisms.
Security researcher Jinu identified a critical issue that could block Virtuals from launching new tokens.
He pointed out that the AgentToken creation process uses the Clones library, which makes future token addresses predictable based on the AgentFactoryV3 contract’s nonce.
Additionally, the initialize function in the AgentToken contract calls Uniswap V2’s createPair function without verifying if a pair already exists.
If one does, Uniswap V2’s factory reverts the transaction. This flaw also enables the creation of pairs with non-existent contracts.
An attacker could exploit this by preemptively creating a Uniswap pair with the predicted nonce, preventing Virtuals from launching its tokens. Jinu demonstrated this exploit using a proof of concept on Tenderly.
Jinu recommended modifying the AgentToken.sol contract to check for existing pairs in Uniswap V2 before attempting creation, skipping the process if a pair already exists.
Despite the severity of the issue, Virtuals did not respond, even closing its dedicated Discord group meant for reporting vulnerabilities.
Jinu expressed frustration at the oversight, remarking, “I’m surprised that a project as big and hot as Virtuals doesn’t care about security.”
Virtuals Protocol Appreciate Jinu for Highlighting Flaw: What’s Next for Bug Bounties?
Following Jinu’s public disclosure of the issue on X (formerly Twitter), Virtuals Protocol contacted Jinu and implemented a rapid fix.
The company acknowledged the bug’s severity and apologized for the initial miscommunication.
In a message to Jinu, Virtuals Protocol said:
“We have verified the vulnerability and applied a patch. Thank you for bringing this to our attention. We apologize for the miscommunication and will review the severity of the issue to determine a bug bounty.”
They patched the vulnerability by updating the contract to include the necessary validation steps. For transparency, the new contract and fix details were published on BaseScan and GitHub.
However, Virtuals Protocol has yet to confirm the reward amount for Jinu’s discovery. The company stated that it internally assesses the impact of the vulnerability before issuing a bounty.
