Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

One Missing Check, $500M at Risk: MsgBatchUpdateOrders Let Anyone Drain Any Account on Injective

  • Injective is a Cosmos-based blockchain that includes an EVM runtime, in addition to the regular Cosmos features. It contains a subaccount module in which the account must be owned by the transaction signer.
  • The subaccount check itself correctly ensures that the signer owns the specified subaccount. However, in the batching code within MsgBatchUpdateOrders, this check is not applied to three of the order types. That gap allows the protection to be bypassed entirely and lets an attacker submit orders on behalf of other users.
  • To exploit this, an attacker would do the following:
    1. Create a worthless token.
    2. Create a spot market with FAKE/USDT.
    3. Place a sell order for FAKE/USDT. This will sell their worthless token for a valuable token.
    4. Use the vulnerability to force the victim to market buy the fake token. The attacker ends up with the valuable token.
    5. Bridge out of Injective to Ethereum with the USDT.
  • The vulnerability appears straightforward, but the aftermath wasn't. The vulnerability was submitted on November 30th, 2025. On December 1st, they fixed the issue. After a while, the white hat asked for a follow-up but got nothing until February 11th, when they confirmed its validity. On March 5th, the bug bounty program offered a $50K bounty instead of the white hat's expected maximum payout of $500K.
  • The impact of $500M seems off to me. At the time of writing, Injective's TVL is about $12M, so I don't know where the $500M comes from. Other than this, the statements from a now-deleted tweet from Injective seem pretty off. The white hat responded in a tweet as well. From changing conditions later to unresponsiveness, this seemed pretty bad. Immunefi paused Injective's bug bounty program for the time being.
  • Overall, a pretty simple vulnerability that had a tremendous impact. In a bear market, it's hard to get paid for your bugs, though. I feel for the white hat, if all of the claims are accurate.
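The pattern behind this bug, an authorization check that lives inside a per-type switch and is therefore skipped for some variants, is worth seeing in code. The following Go example is added here and is not Injective's code; the types (`Order`, `BatchUpdateOrders`, `OrderKind`), the "owner/index" subaccount convention and both validator functions are hypothetical stand-ins for the real module. It contrasts a handler that checks ownership only for some order kinds with one that performs the check once, uniformly, before any type-specific logic.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// OrderKind is a constructed enum of order variants for this example.
type OrderKind int

const (
	SpotLimit OrderKind = iota
	SpotMarket
	DerivativeLimit
	DerivativeMarket
)

// Order is a hypothetical order: only the fields needed to show the check.
type Order struct {
	Kind       OrderKind
	Subaccount string // assumed convention: "<owner address>/<index>"
}

// BatchUpdateOrders is a hypothetical batch message signed by Sender.
type BatchUpdateOrders struct {
	Sender string
	Orders []Order
}

var ErrUnauthorized = errors.New("sender does not own subaccount")

// ownsSubaccount models the ownership rule under the constructed convention
// that a subaccount id is the owner's address followed by "/<index>".
func ownsSubaccount(sender, subaccount string) bool {
	return strings.HasPrefix(subaccount, sender+"/")
}

// validateBatchVulnerable puts the ownership check inside the per-kind
// switch, so kinds without an explicit case are never checked. This is the
// class of defect described in the summary above, not Injective's code.
func validateBatchVulnerable(msg BatchUpdateOrders) error {
	for i, o := range msg.Orders {
		switch o.Kind {
		case SpotLimit, DerivativeLimit:
			if !ownsSubaccount(msg.Sender, o.Subaccount) {
				return fmt.Errorf("order %d: %w", i, ErrUnauthorized)
			}
		default:
			// market orders fall through with no ownership check
		}
	}
	return nil
}

// validateBatchFixed performs the ownership check once for every order,
// before any kind-specific handling, so a new or forgotten kind cannot
// bypass it.
func validateBatchFixed(msg BatchUpdateOrders) error {
	for i, o := range msg.Orders {
		if !ownsSubaccount(msg.Sender, o.Subaccount) {
			return fmt.Errorf("order %d: %w", i, ErrUnauthorized)
		}
		// kind-specific validation (price, quantity, market id) would go here
	}
	return nil
}

func main() {
	// Constructed sample: a sender submitting a market order against a
	// subaccount it does not own.
	msg := BatchUpdateOrders{
		Sender: "inj1sender",
		Orders: []Order{{Kind: SpotMarket, Subaccount: "inj1other/0"}},
	}
	fmt.Println("vulnerable:", validateBatchVulnerable(msg)) // <nil>
	fmt.Println("fixed:     ", validateBatchFixed(msg))      // ErrUnauthorized
}
```

The defensive takeaway is structural: an authorization check that must hold for every variant belongs before the switch, and a table-driven or fuzz test that feeds every `OrderKind` through the handler with a foreign subaccount would have caught the missing cases.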