ZenGo X fixes double-spending vulnerability on DeSo blockchain

2 years ago
Tags: Bitcoin
Source: Theblock

Quick Take



  • ZenGo X discovered a possible double-spending vulnerability in the DeSo blockchain.

  • It received a $75,000 bug bounty, the greatest amount paid so far by the DeSo project.


ZenGo X, the research arm of crypto wallet provider ZenGo, says it discovered a double-spending vulnerability on the Decentralized Social (DeSo) network.

The security vulnerability in question involved a potential double-spending exploit that ZenGo X’s senior researcher Matan Hamilis said could drain funds held in the DeSo reserve called Gringotts Bank. 

DeSo rewarded ZenGo with $75,000, the highest bounty paid by the project to date, for discovering and reporting the vulnerability. ZenGo X also stated that the vulnerability did not pose any risks to user funds or the DeSo blockchain as a whole.

BitClout creator Nader Al-Naji launched DeSo in September after receiving a $200 million investment from backers including Andreessen Horowitz (a16z), Coinbase Ventures, Polychain Capital, and TQ Ventures among others. DeSo is a platform that supports a variety of decentralized social media platforms, including BitClout.

Breaking into Gringotts


To get funds on DeSo, users need to swap bitcoin using the BTC-DeSo bridge. Even though Bitcoin has a 10-minute block time for confirming transactions, the bridge was designed to release deso tokens automatically without waiting for confirmation of the initial bitcoin transaction.

This method opened the door to the possibility of a double-spend attack. Someone could make a bitcoin payment to the bridge, receive the deso and then, say, bribe a miner to confirm a different bitcoin transaction instead, so that the bitcoin was never spent in the first place. To prevent such an attack, DeSo used the blockchain explorer tool Blockcypher to scan for possible double spends.

ZenGo X, however, found that DeSo’s defense against double-spending was not sufficiently robust. It noticed that an attacker could fool the system using a very specific type of transaction, known as ancestor transactions.

These gaps could allow rogue actors to trick the bridge protocol into swapping bitcoin for deso tokens when the attacker had not sent any BTC across the bridge.

The vulnerability was dubbed “Griphook,” a nod to the goblin character in the Harry Potter story who assisted in the Gringotts break-in.

ZenGo X also claimed that an attacker could mount multiple attacks, taking advantage of Gringotts' automatic refill protocol to siphon millions of dollars from the DeSo vault.

Fixing the problem


ZenGo X’s suggested solution, which has been implemented by DeSo, was to initiate manual confirmation of all incoming transactions to the bridge with a special focus on ancestor transactions to better detect possible double-spends.

Other suggested fixes include deploying multiple explorer APIs as well as minimizing the amount of deso tokens held in Gringotts vaults.
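
The following added example, which is not code from DeSo or ZenGo X, shows the kind of ancestor-aware check described above: a deposit whose own double-spend flag is clean is still held back when one of its unconfirmed ancestors is unconfirmed or has a conflicting spend. The record layout (`confirmations`, `double_spend`, `inputs`), the function names and the depth bound are assumptions, and the sample data is constructed.

```python
from collections import deque

# Constructed sample data (not real transactions): txid -> explorer-style record.
# "inputs" lists the txids whose outputs the transaction spends (assumed layout).
SAMPLE_TXS = {
    "funding":   {"confirmations": 6, "double_spend": False, "inputs": []},
    "parent":    {"confirmations": 0, "double_spend": True,  "inputs": ["funding"]},
    "deposit":   {"confirmations": 0, "double_spend": False, "inputs": ["parent"]},
    "clean_dep": {"confirmations": 0, "double_spend": False, "inputs": ["funding"]},
}

def naive_check(txid, txs):
    """Weak check: trusts the deposit's own double-spend flag only."""
    return not txs[txid]["double_spend"]

def hold_reasons(txid, txs, max_depth=25):
    """Walk the deposit and its unconfirmed ancestors; return reasons to withhold credit."""
    reasons, seen, queue = [], {txid}, deque([(txid, 0)])
    while queue:
        cur, depth = queue.popleft()
        rec = txs.get(cur)
        if rec is None:
            reasons.append(f"{cur}: not known to the explorer")
            continue
        if rec["double_spend"]:
            reasons.append(f"{cur}: conflicting spend seen")
        if rec["confirmations"] > 0:
            continue  # confirmed, so everything it spends is confirmed as well
        if cur != txid:
            reasons.append(f"{cur}: unconfirmed ancestor")
        if depth >= max_depth:  # assumed bound so the walk always terminates
            reasons.append(f"{cur}: unconfirmed chain deeper than {max_depth}")
            continue
        for parent in rec["inputs"]:
            if parent not in seen:
                seen.add(parent)
                queue.append((parent, depth + 1))
    return reasons

def may_credit(txid, txs):
    """Hardened policy: release tokens only when the ancestor walk finds nothing."""
    return not hold_reasons(txid, txs)

if __name__ == "__main__":
    for dep in ("deposit", "clean_dep"):
        print(dep, naive_check(dep, SAMPLE_TXS), may_credit(dep, SAMPLE_TXS),
              hold_reasons(dep, SAMPLE_TXS))
```
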

“We’re quite confident that this solution will prevent similar attacks from taking place. We are convinced that the checks Bitclout's service is now performing will make similar attacks much more complicated to conduct by significantly reducing the probability of success and requiring the cooperation of very strong miners,” Hamilis told The Block.

