In Brief:
- ZenGo X identified a double-spending vulnerability in BitClout, an app on the DeSo network.
- The double-spending exploit titled Griphook might’ve drained funds from the BitClout app’s Gringotts Bank reserve.
- ZenGo X was rewarded $75,000, the highest bug bounty offered, as part of DeSo’s bounty program for discovering the flaw.
ZenGo X, the research arm of crypto wallet ZenGo, identified a double-spending vulnerability in BitClout, an app on the Decentralized Social (DeSo) network.
The security flaw in question was a possible double-spending exploit that might drain funds from the BitClout app’s Gringotts Bank reserve.
The vulnerability was titled Griphook, a reference to the goblin in Harry Potter who assisted in the Gringotts break-in.
DeSo has set up a BTC-DeSo bridge, which allows users to exchange Bitcoin for DeSo coins.
Preemptive checks were conducted using BlockCypher, a popular blockchain explorer that provides real-time updates on Bitcoin transactions and offers an API to detect double-spends in Bitcoin.
BlockCypher was used to prevent any obvious double-spending attacks that would allow a user to receive new DeSo coins while keeping the original Bitcoin payment.
The Griphook vulnerability was discovered in the gap between DeSo’s and BlockCypher’s interpretations of what counts as a double-spend.
The act of broadcasting two separate transactions to the Bitcoin network, both of which spend the identical set of coins, is known as double-spending.
DeSo’s approach of confirming transactions immediately improved the user experience, but it also exposed the company to weaknesses that, if not addressed, could lead to successful double-spending attacks.
DeSo coins are sent in exchange for Bitcoin from the Gringotts Bank, which was formed specifically for this purpose.
Gringotts Bank appeared to refill itself whenever it was depleted. As a result, it is difficult to estimate the total amount of money that could have been stolen, because there is no way to say how many times this attack could have been carried out without being noticed.
This large-scale trade of DeSo coins for Bitcoin would almost certainly have caused DeSo’s market price to plummet in the immediate term.
However, neither user funds nor the DeSo blockchain’s integrity was ever jeopardized because ZenGo X discovered the vulnerability.
ZenGo X was awarded $75,000, the highest bug bounty offered, as part of DeSo’s bounty program.
ZenGo X recommended that all incoming transactions to the bridge be manually confirmed, with a special focus on ancestor transactions to help detect possible double-spends. This has been implemented by DeSo.
Deploying different explorer APIs and reducing the quantity of DeSo tokens housed in Gringotts vaults are also suggested fixes.
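The recommendation above, that incoming bridge deposits be screened with special attention to their ancestor transactions, can be illustrated with a small model of how such a check differs from looking only at the deposit transaction itself. The following is an added example written for this article, not DeSo’s or BlockCypher’s code; the transactions, txids and conflict shape are constructed, and the exact conditions of the disclosed flaw are not reproduced here.

```python
"""Ancestor-aware double-spend screening for an incoming bridge deposit.

Added illustration (not DeSo's or BlockCypher's code). It models a few
constructed Bitcoin transactions as plain dicts and shows why checking only
the deposit transaction's own inputs is not enough: a conflict in an
unconfirmed ancestor also invalidates the deposit if the competing spend
is the one that ends up mined.
"""
from collections import defaultdict

# Constructed sample (hypothetical txids): a confirmed funding tx, an
# unconfirmed intermediate tx A spending it, a deposit tx B spending A,
# a competing tx A2 spending the same funding output as A, and an
# unrelated clean tx C.
SAMPLE_TXS = {
    "fund": {"inputs": [("coinbase", 0)], "n_outputs": 2, "confirmed": True},
    "A":    {"inputs": [("fund", 0)], "n_outputs": 1, "confirmed": False},
    "B":    {"inputs": [("A", 0)],    "n_outputs": 1, "confirmed": False},  # deposit to bridge
    "A2":   {"inputs": [("fund", 0)], "n_outputs": 1, "confirmed": False},  # conflicts with A
    "C":    {"inputs": [("fund", 1)], "n_outputs": 1, "confirmed": False},  # unrelated, clean
}


def spenders_by_outpoint(txs):
    """Map each spent outpoint (txid, vout) to the set of txids spending it."""
    index = defaultdict(set)
    for txid, tx in txs.items():
        for outpoint in tx["inputs"]:
            index[outpoint].add(txid)
    return index


def direct_conflicts(txid, txs, index=None):
    """Txids that spend any of the same outpoints as `txid` (the naive check)."""
    index = index if index is not None else spenders_by_outpoint(txs)
    rivals = set()
    for outpoint in txs[txid]["inputs"]:
        rivals |= index[outpoint] - {txid}
    return rivals


def unconfirmed_ancestors(txid, txs):
    """All unconfirmed transactions that `txid` depends on, transitively.

    Confirmed parents are a stopping point: their inputs can no longer be
    double-spent without a chain reorganization.
    """
    seen, stack = set(), [txid]
    while stack:
        cur = stack.pop()
        for parent, _vout in txs[cur]["inputs"]:
            if parent in txs and not txs[parent]["confirmed"] and parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def screen_deposit(txid, txs):
    """Return (ok, detail). ok is False if the deposit or any unconfirmed
    ancestor has a competing spend; detail names the offending txid(s)."""
    index = spenders_by_outpoint(txs)
    if txs[txid]["confirmed"]:
        return True, "confirmed"
    own = direct_conflicts(txid, txs, index)
    if own:
        return False, f"{txid} conflicts with {sorted(own)}"
    for anc in sorted(unconfirmed_ancestors(txid, txs)):
        rivals = direct_conflicts(anc, txs, index)
        if rivals:
            return False, f"ancestor {anc} conflicts with {sorted(rivals)}"
    return True, "no conflicts in deposit or its unconfirmed ancestors"


if __name__ == "__main__":
    for dep in ("B", "C"):
        print(dep, screen_deposit(dep, SAMPLE_TXS))
```

In the sample, the deposit B passes the naive input check (nothing else spends A’s output) but is rejected by the ancestor walk, because its unconfirmed parent A competes with A2 for the same funding output; the unrelated deposit C passes both checks. In a real deployment the transaction dicts would be populated from a node or explorer API rather than constructed inline.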
DeSo CEO Nader Al-Naji applauded ZenGo by saying, “Not only did ZenGo alert us to this vulnerability, but they also worked with us closely to develop an optimal solution that fixes it without compromising user experience.”
Just last month, Gerhard Wagner discovered a vulnerability in the Polygon Plasma Bridge which could allow an attacker to exit a burn transaction multiple times from the bridge. This vulnerability put about $850 million of capital at risk, and Polygon awarded a $2 million bounty to the white hat hacker, the highest bounty paid in DeFi.