The world of crypto bug bounties often rewards researchers who quietly prevent catastrophic exploits. But sometimes the story behind those fixes sparks controversy.
One security researcher now says he helped protect more than $500 million in assets on the Injective blockchain—only to be offered a fraction of the maximum bounty promised for critical vulnerabilities.
The dispute is now gaining attention across the security and crypto communities, raising fresh questions about transparency in bug bounty programs and how projects treat the researchers who help protect their networks.
Contents
A Track Record Of Successful Bug Hunting
Before the Injective incident, the researcher—known online as al_f4lc0n—had built a strong reputation in the bug bounty space. He frequently participates in security competitions and bounty programs hosted on Immunefi, one of the largest Web3 bug bounty platforms.
His track record includes several high-profile achievements. He secured first place in the Attackathon | Stacks competition and repeated that success in Attackathon | Stacks II. He also finished first in the XRPL Lending Protocol Attackathon, demonstrating consistent success in identifying serious vulnerabilities.
Outside competitions, he has also reported multiple issues through bug bounty programs, including at least one critical vulnerability and one high-severity bug prior to the Injective discovery.
By his own account, things were going well. Bug hunting had become both a passion and a reliable source of income.
That changed when he discovered a flaw that, according to him, could have allowed attackers to drain funds directly from user accounts on the Injective blockchain.
Critical Vulnerability Put $500M At Risk
While analyzing Injective’s infrastructure, the researcher says he uncovered a critical vulnerability capable of compromising any account on the chain.
The flaw allegedly required no special permissions or elevated access. According to his explanation, any malicious user could potentially exploit the vulnerability to drain funds directly from other accounts.
Given the scale of Injective’s ecosystem, the potential damage could have been enormous. The researcher estimates that more than $500 million worth of on-chain assets were exposed to risk at the time the bug existed.
Instead of exploiting the vulnerability, he chose to disclose it responsibly through Immunefi, the platform that manages Injective’s bug bounty program.
The report was submitted privately to ensure the vulnerability could be fixed before attackers discovered it.
Injective Moves Quickly To Patch The Issue
Shortly after the report was submitted, the response appeared to confirm the seriousness of the discovery.
According to the researcher, a mainnet upgrade proposal was introduced the very next day. The upgrade went through Injective’s governance process and included a fix for the reported vulnerability.
For him, this quick reaction showed that the Injective team fully understood the severity of the issue.
The bug had been addressed before any public exploitation occurred, meaning the ecosystem avoided what could have been one of the most damaging attacks in its history.
At that point, the researcher expected a typical bug bounty process to follow—technical discussions, severity confirmation, and eventually a reward based on the program’s published payout structure.
Instead, he says the process stalled.
Three Months Of Silence After The Fix
Following the patch, the researcher claims communication suddenly stopped.
He says there were no follow-up discussions, no requests for additional technical clarification, and no explanation about the reward timeline.
According to his account, nearly three months passed without meaningful communication from the project regarding the bounty payout.
For security researchers who depend on bug bounty programs, such silence can be frustrating. Responsible disclosure typically requires researchers to avoid publicly revealing details of vulnerabilities until the project resolves them.
That means the researcher could not openly discuss the discovery while waiting for the reward process to conclude.
After months without updates, he finally received a decision from the project.
Bounty Offer Sparks Dispute
When the response finally arrived, the researcher says the project offered him $50,000 for the vulnerability.
The number immediately raised concerns.
According to the Injective bug bounty program rules on Immunefi, the maximum payout for a critical vulnerability is $500,000. That figure is typically reserved for bugs capable of causing catastrophic financial losses or system compromise.
Given the potential impact of the vulnerability he reported, the researcher believed the reward should have been much higher.
He disputed the payout decision, asking for an explanation of how the amount had been determined and why it was significantly below the maximum range for critical issues.
But he says the response never came.
Researcher Says Payment Has Not Been Sent
Adding to the frustration, the researcher claims that the $50,000 bounty has not yet been paid, despite the decision being communicated.
He also says the project has not provided a detailed explanation for the reduced reward or for the long delay in communication.
The situation prompted him to speak publicly about the dispute in a post on X (formerly Twitter), where he described the experience and shared his frustration with the bug bounty process.
I Saved Injective's $500M. They Pay Me $50K.
I like hunting bugs on @immunefi . I'm decent at it.
– #1 — Attackathon | Stacks
– #2 — Attackathon | Stacks II
– #1 — Attackathon | XRPL Lending Protocol
– 1 Critical and 1 High from bug bounties (not counting this one)Life was…
— f4lc0n (@al_f4lc0n) March 15, 2026
In the post, he explains that while he cannot force the project to increase the reward, he intends to keep the issue visible.
He also announced a personal commitment to allocate 10% of his future bug bounty earnings toward keeping attention on the case until what he believes is fair compensation is provided.
Bug Bounty Transparency Under Scrutiny
The dispute highlights a recurring concern within the Web3 security community.
Bug bounty programs are designed to incentivize researchers to disclose vulnerabilities responsibly rather than exploit them. For the system to work effectively, researchers need confidence that programs will honor their reward structures.
When disagreements occur—especially involving high-severity vulnerabilities—they often spark broader discussions about transparency, payout fairness, and communication between projects and researchers.
In this case, the researcher believes his discovery protected hundreds of millions of dollars in assets. The project, however, has not publicly explained the reasoning behind the $50,000 reward.
Until further clarification emerges, the situation remains an unresolved conflict between a bug hunter who claims to have saved a network from a devastating exploit and a project that has yet to explain its decision.
For now, the researcher says he will keep pushing the story into public view—hoping it encourages stronger accountability across the growing Web3 bug bounty ecosystem.
Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services.
Follow us on Twitter @nulltxnews to stay updated with the latest Crypto, NFT, AI, Cybersecurity, Distributed Computing, and Metaverse news!
