Anonymous white hat claims Injective offered only $50K for reporting $500M bug

An anonymous security researcher known as f4lc0n has claimed on X that they were offered a mere $50,000 bounty for reporting a critical vulnerability on Injective (INJ) that could have enabled the theft of over $500 million in assets. The researcher stated that the flaw would have allowed an attacker to directly steal cryptocurrency from any account on the Injective chain. According to f4lc0n, the Injective team fixed the issue with a mainnet upgrade but remained silent for three months. The team recently informed the researcher of the $50,000 reward, which f4lc0n contests as it is significantly lower than the bug bounty program's stated maximum of 10% of funds at risk. The researcher emphasized that they have received no response to questions about the bounty calculation or the three-month delay, and that even the $50,000 has not yet been paid.