White hat claims Injective offered only $50K for bug that risked $500M
March 16, 2026, 2:49 AM
An anonymous security expert known as f4lc0n has claimed on X that they were offered only a $50,000 reward for reporting a critical flaw in Injective (INJ) that could have enabled the theft of over $500 million in assets. The researcher stated that the vulnerability would have allowed an attacker to directly steal cryptocurrency from any account on the Injective chain. According to f4lc0n, the Injective team fixed the issue with a mainnet upgrade but then remained silent for three months, with no discussion. The team recently informed the researcher that a $50,000 reward had been set, a figure f4lc0n notes is far below the bug bounty program's stated maximum of 10% of funds at risk. The expert emphasized that they have received no answers regarding the reward calculation or the three-month silence, and the $50,000 has not yet been paid.