Decentralized oracle network Chainlink recently awarded white hat hackers Zach Obront and Or Cyngiser of Trust $300,000 for uncovering a critical vulnerability in its Verifiable Random Function (VRF) product. VRF allows smart contracts to access tamper-proof random values while maintaining security.
The bug discovery comes amid Chainlink’s increased institutional adoption of its Cross-Chain Interoperability Protocol (CCIP) technology. Major traditional institutions like Swift, Vodafone and South Korea’s largest gaming company have utilized Chainlink’s technology in recent months.
According to Chainlink Labs, Obront and Cyngiser identified an issue where a malicious VRF subscription owner could potentially prevent users from getting proper randomness rolls by blocking and rerolling until a desired outcome occurred. The team categorized it as a critical smart contract vulnerability.
Although the conditions required to exploit this loophole were specific, it still compromised the core functionality of Chainlink VRF in providing transparent and verifiable on-chain randomness. The primary risk came from a compromised or malicious subscription owner, a role typically controlled by the decentralized app using VRF.
After consulting the researchers, Chainlink implemented a fix to guarantee randomness delivery even if the subscription owner tries exploiting the vulnerability. Obront and Cyngiser received $300,000 for responsibly disclosing the issue, positioning the bounty among the top 10 payouts in Immunefi’s history.