During a recent security audit, it was discovered by a member of the community that our identification method of pre-signed transactions was vulnerable to signature malleability, resulting in a malicious actor being able to commit a replay attack on past transactions. This bug gives malicious actors the ability to re-send (a single time) a transaction that you had sent in the past. While signature (transaction) malleability was fixed on the Ethereum network two years ago in the homestead hardfork, it was not fixed on their ecrecover pre-compiled contract that our token uses to verify signatures. The community member was awarded $3,500 for reporting this vulnerability which was not previously discovered by our team and external third-party security firm during the original audit of the COIN V2 token located here.
To that end, we’ve upgraded COIN to V3 and also included updates to:
- Resolve the replay attack vulnerability
- Provides additional upgrades such as allowing gas payment to be made in a token other than the one being transferred
- Other quality of life improvements
The details of the upgrade can be found here.
The COIN V3 token has once again been heavily audited internally and externally by Authio. As normal procedure and to reinforce security, Coinvest is launching a public bug bounty campaign with a reward system to compensate developers for their efforts and discovery of any potential issues.