The research arm of ZenGo – a crypto wallet provider – ZenGo X has uncovered a vulnerability in BitClout, a crypto app listed on the DeSo (Decentralized Social) Network.
Matan Hamilis, a senior researcher at ZenGo X stated that security vulnerability could allow for double-spending of cryptocurrencies and can be used to drain Gringotts Bank which is the reserve of BitClout. In response, Decentralized Social Network gave ZenGo a reward of $75,000 for the discovery and reporting of the security vulnerability. This reward becomes the highest ever reward paid by the DeSo project.
In the statement from ZenGo X, it was added that the vulnerability doesn’t put the user funds at risk or even the whole DeSo Blockchain.
In September, the creator of BitClout, Nader Al-Naji launched the Decentralized Social Blockchain Network after landing a $200 million funding from his investors which includes Coinbase Ventures, TQ Ventures, Andreessen Horovitz (a16z), Polychain Capital among others on the list. The platform was created to support decentralized social platforms in their varieties, including BitClout.
Breaking into Gringotts Bank
Users on DeSo who need to fund their accounts will need to swap BTC using the BTC-DeSo bridge. The bridge was designed to release the token immediately and automatically for the users even though there is a 10-minute confirmation requirement for every transaction on the BTC blockchain.
The very setup made the platform susceptible to double-spending attacks. After spending BTC on the platform to receive DeSo, users can bribe miners to do an entirely different transaction instead, which leaves the BTC as though it is unspent in the first place. As a way of preventing the attack, the blockchain is using Blockcypher, a tool on blockchain explorer to scan for possible double-spending.
However, the report from ZenGo X reveals that the defense setup of DeSo against double-spending is not quite robust. They noted that an attacker could use a rare type of transaction called ancestor transactions. This means that an attacker initiates the bridge protocol by swapping BTC to Deso tokens without sending BTC across the bridge.
The vulnerability got its name, “Griphook” from the nod to the Goblin character in the Harry Potter plot that was sued to break into Gringotts. Multiple setups from attackers can see them empty the DeSo vault in minutes because of its automatic refill protocol.
The Fix to the Problem
In the report, ZenGo X gave a suggestion to DeSo which has been implemented already. The solution is to set up a manual confirmation for all transactions coming into the bridge which will have its attention on ancestor transactions and will detect all double-spending possibilities.
Other fixes suggested were the deployment of multiple explorer APIs and the reduction of deso tokens kept in the Gringotts per time.
Speaking with The Block, a crypto blog, in an interview, Hamilis said they have a strong assurance that the solutions suggested will prevent every similar attack. With the checks that are underway, the probability of an attacker’s success has reduced.