Virtuals Protocol fixes vulnerability found by blockchain researcher

January 3, 2025

A blockchain security researcher known as Jinu has identified a critical vulnerability in Virtuals Protocol, a decentralized finance (DeFi) project designed to launch tokens on Uniswap upon reaching certain price thresholds through internal bonding mechanisms. The discovery raises concerns about security practices in rapidly evolving DeFi ecosystems.

In a series of tweets, Jinu explained that the vulnerability could potentially disrupt the Virtuals ecosystem by preventing the protocol from launching new tokens on Uniswap, a decentralized exchange. The issue stems from the way Virtuals Protocol creates pairs on the Uniswap V2 factory.

Vulnerability Details

The process involves the creation of an AgentToken using the Clones library. By predicting the contract address of the AgentToken through the nonce from AgentFactoryV3, an attacker could create a pair on Uniswap before the protocol does. Since Uniswap V2's factory reverts any attempt to create an already existing pair, this would block Virtuals Protocol from launching its token and providing liquidity.

Moreover, the initialise function of the AgentToken lacks validation to check whether the pair already exists on Uniswap. This oversight could be exploited to hinder the protocol's operations.
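The missing validation described above, shown beside a checked variant. This is an added example, not code from Virtuals Protocol, and the article does not say how the actual patch works. The contract and function names are hypothetical; only getPair and createPair come from the real Uniswap V2 factory interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of the Uniswap V2 factory interface used here.
interface IUniswapV2Factory {
    function getPair(address tokenA, address tokenB) external view returns (address pair);
    function createPair(address tokenA, address tokenB) external returns (address pair);
}

// Hypothetical base contract for a token that sets up its own pair during
// initialisation. Names are illustrative, not from the Virtuals code base.
abstract contract PairSetupExample {
    address public uniswapV2Pair;

    // Behaviour the article describes: createPair is called unconditionally.
    // The factory reverts when the pair already exists, so the whole
    // initialisation (and the token launch) fails if someone created the
    // pair for this token address first.
    function _setupPairUnchecked(IUniswapV2Factory factory, address pairedAsset) internal {
        uniswapV2Pair = factory.createPair(address(this), pairedAsset);
    }

    // Checked variant: look the pair up first and create it only when the
    // factory has no entry. getPair returns address(0) for an unknown pair.
    // Lookup and creation run in one transaction, so nothing can interleave
    // between the two calls.
    function _setupPairChecked(IUniswapV2Factory factory, address pairedAsset) internal {
        address existing = factory.getPair(address(this), pairedAsset);
        if (existing == address(0)) {
            existing = factory.createPair(address(this), pairedAsset);
        }
        uniswapV2Pair = existing;
    }
}
```

With the checked variant, a pair created ahead of the protocol is adopted instead of causing the initialisation to revert.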

Jinu noted that upon discovering the vulnerability, attempts were made to contact the Virtuals Protocol team. However, the team reportedly responded that they were not running a bug bounty program and closed the Discord channel created for reporting the issue.

"I'm surprised that a project as big and hot as @virtuals_io doesn't care about security," Jinu remarked, expressing frustration over the initial response.

Virtuals Protocol Responds and Patches Vulnerability

Following the public disclosure, the Virtuals Protocol team acknowledged the issue. In a tweet, they thanked Jinu for bringing the vulnerability to their attention and confirmed that a patch had been implemented.

"Security is of the utmost importance to us—we're working on a bug bounty program and will announce full details soon," the team stated, indicating a shift towards more proactive security measures.
