PSDT Standard Updated — Vulnerability is now Closed on drc-20.org

Doge Labs’ Research team uncovered an exploitable vulnerability in the Doginals protocol network. Here’s how we updated the standard and how you can make sure your collectibles are safe.

Chris DogeLabs
Doge Labs
Dec 13, 2023


TL;DR

  • An ecosystem-wide vulnerability allowed old partially signed transactions (PSDTs) to be completed by unauthorized third parties.
  • We’ve since upgraded the standard and now all NEW listings and delistings on drc-20.org are SAFE from this exploit.
  • We’ve released an easy-to-use tool to verify and make your old funds SAFE within the Doge Labs ecosystem. 🔒

What’s Going On?

We began to receive a small number of user reports claiming their delisted Shibescriptions were being purchased.

Obviously this alarmed us. As we do with any serious report, Doge Labs’ Research Team, DataBite, looked into the claims in order to verify what might be happening.

Thankfully, most reports turned out to be invalid. The Doginals ecosystem is very young, and the technology is tricky. In fact, roughly 91% of tickets submitted to us are the result of users misunderstanding Dogecoin the blockchain, the Doginals ecosystem, or simply not waiting long enough for transactions to be confirmed.

However, this wasn’t the case for all of the reports.

Indeed, some user assets appeared to have been purchased in the exact tick and amounts of previous network delistings. The fees paid for these transactions were being distributed to various Doginal marketplaces, which also really surprised us at first.

Important Background Information

To set the stage, you need to understand a few things about how Doginals work “behind the scenes”:

  1. When listing an inscription on an automated marketplace, the marketplace itself creates a PSDT hex for the user, which the user signs in order to list their assets.
  2. This PSDT hex is “publicly available” — broadcast to your wallet when making a listing. There is no way around this, and there’s nothing inherently bad about it. This is needed because both marketplace and wallet are separate entities, and can only execute any transaction after a wallet owner has approved a transaction first.
  3. This, however, also enables third parties to monitor ALL marketplaces and store this PSDT hex (should they so choose), which lets them re-list your listings elsewhere (even against your will).
  4. If a user delists, the listings disappear from the marketplace they delisted from.
  5. However, anyone who has stored this PSDT hex can still “complete” the purchase at a later date, UNLESS the PSDT hex has been completed by another entity first.

That brings us to the next important piece of information:

Some marketplaces in the Doginals ecosystem scrape listings from other marketplaces in order to fill their order books, or capture more trading volume.

However, it appears they failed to scrape delisting events as well.

Thus, when a user delists their assets on one marketplace, these listings remain available for sale on the scrapers’ marketplaces as well.

NOTE: Doge Labs does NOT scrape listings, and we have NOT given permission to have our listings scraped. All of this is done without our consent and there’s not much we can do about it.

While investigating these first reports, we realized that delistings weren’t being scraped by these other marketplaces, and thus sometimes delisted assets were being bought, confusing their (ex)-owners.

Until it wasn’t…

You see, the root cause of this interaction in the first place resides in the way Doginals as an ecosystem currently operates: That’s to say, delisting an asset doesn’t actually invalidate the original PSDT transaction.

This means two things:

  1. Good actors unwittingly find “legitimate” listings on scraper marketplaces and purchase assets successfully after a seller has already delisted their asset(s) on their intended marketplace.
  2. Bad actors who realize the root cause of this interaction are able to scrape data to find delisted assets from everywhere even if these listings hadn’t been scraped by another marketplace in the first place.

In fact, while most reported cases seemed to fall under category 1, as the reports kept coming in, we increasingly began to fear that there may be a purposeful effort to scoop old, cheap delistings underway.

Upgrading the Doginals Ecosystem’s PSDT Standard

As soon as we realized what was going on, we began to construct an upgrade to the PSDT standard for the Doge Labs ecosystem — because, as always, the safety of our users’ funds is our number one priority.

We’re happy to report that as of December 9th, ALL new Doge Labs listings (and subsequent delistings) will effectively “complete” your PSDT, making it impossible for your assets to be purchased via this vulnerability anymore.

Important: This also means that your drc-20 assets will move from transferable to available after each delisting event.
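To make the mechanism in the background list and the fix just described concrete, here is a small added simulation (not Doge Labs’ code, and not the real PSDT format). It models a listing as a seller signature that commits to one specific unspent output; the data model, the HMAC stand-in for the seller’s ECDSA signature, the inscription txid and the price are all constructed for the illustration. It shows that an order-book-only delisting leaves a stored copy of the PSDT completable, while a delisting that spends the inscription’s UTXO back to the seller invalidates every PSDT signed over the old outpoint.

```python
"""
Toy model of the delisting flaw: a listing is a partially signed transaction
whose signature commits to one specific unspent output (the inscription's
UTXO). Removing the listing from an order book does not touch the chain, so
anyone holding the PSDT hex can still complete it while that UTXO is unspent.
A delisting that spends the UTXO back to the seller invalidates every
previously signed PSDT over it.

Added illustration only. The signature stand-in (HMAC in place of ECDSA),
the txids and the sample inscription are constructed here.
"""
from dataclasses import dataclass, field
import hashlib
import hmac


@dataclass(frozen=True)
class OutPoint:
    txid: str
    vout: int


@dataclass
class UtxoSet:
    """Which outpoints are currently unspent, and who controls them."""
    unspent: dict = field(default_factory=dict)  # OutPoint -> owner name

    def spend(self, outpoint: OutPoint, new_txid: str, new_owner: str) -> OutPoint:
        if outpoint not in self.unspent:
            raise ValueError("outpoint already spent")
        del self.unspent[outpoint]
        fresh = OutPoint(new_txid, 0)
        self.unspent[fresh] = new_owner
        return fresh


@dataclass(frozen=True)
class Psdt:
    """Seller's half of a listing: which UTXO is for sale, at what price,
    plus a signature committing to exactly those fields."""
    outpoint: OutPoint
    price_koinu: int
    seller: str
    signature: str


def _message(outpoint: OutPoint, price_koinu: int) -> bytes:
    return f"{outpoint.txid}:{outpoint.vout}:{price_koinu}".encode()


def sign_listing(seller_key: bytes, seller: str, outpoint: OutPoint, price_koinu: int) -> Psdt:
    # Stand-in for the seller's signature over the listing's input and output.
    sig = hmac.new(seller_key, _message(outpoint, price_koinu), hashlib.sha256).hexdigest()
    return Psdt(outpoint, price_koinu, seller, sig)


def psdt_completable(psdt: Psdt, seller_key: bytes, utxos: UtxoSet) -> bool:
    """What the network checks when a buyer broadcasts the completed transaction:
    the seller's signature must verify AND the referenced input must be unspent."""
    expected = hmac.new(seller_key, _message(psdt.outpoint, psdt.price_koinu),
                        hashlib.sha256).hexdigest()
    sig_ok = hmac.compare_digest(expected, psdt.signature)
    return sig_ok and psdt.outpoint in utxos.unspent


def delist_orderbook_only(orderbook: list, psdt: Psdt) -> None:
    """Pre-fix delisting: only the marketplace's order book changes."""
    orderbook.remove(psdt)


def delist_by_spending(orderbook: list, psdt: Psdt, utxos: UtxoSet, new_txid: str) -> OutPoint:
    """Upgraded delisting: spend the inscription's UTXO back to the seller, so
    every PSDT signed over the old outpoint can no longer be completed."""
    orderbook.remove(psdt)
    return utxos.spend(psdt.outpoint, new_txid, psdt.seller)


def demo() -> dict:
    seller_key = b"constructed-seller-key"
    utxos = UtxoSet()
    inscription = OutPoint("aa" * 32, 0)  # constructed txid
    utxos.unspent[inscription] = "alice"

    listing = sign_listing(seller_key, "alice", inscription, 50_000_000)
    orderbook = [listing]
    stored_copy = listing  # a third party kept the hex when it was broadcast

    delist_orderbook_only(orderbook, listing)
    buyable_after_orderbook_delist = psdt_completable(stored_copy, seller_key, utxos)

    # Re-list, then delist the upgraded way.
    orderbook.append(listing)
    new_outpoint = delist_by_spending(orderbook, listing, utxos, "bb" * 32)
    buyable_after_spending_delist = psdt_completable(stored_copy, seller_key, utxos)

    return {
        "buyable_after_orderbook_delist": buyable_after_orderbook_delist,
        "buyable_after_spending_delist": buyable_after_spending_delist,
        "orderbook_empty": not orderbook,
        "inscription_back_with_seller": utxos.unspent.get(new_outpoint) == "alice",
    }


if __name__ == "__main__":
    print(demo())
```

The second result is why the note above says a delisting now moves drc-20 assets from transferable back to available: the inscription sits on a new outpoint that no old signature covers.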

What Now?

Now it’s time to make sure your funds are safe.

If you’ve only ever listed your assets on the Doge Labs Marketplace, the process is quite straightforward:

  1. Head over to drc-20.org.
  2. Connect your Doge Labs Wallet.
  3. Go to your Account page.
  4. Click on the orange “Clear PSDTs” button.
  5. Click the orange refresh button on this page.
  6. Click “CLEAR” next to each listing that appears.

NOTE: If you see an “Unlist” button instead, these show your current active listings on drc-20.org.

NOTE: While listings from all marketplaces will be displayed here, ONLY your Doge Labs listings will have a CLEAR button available next to them at this time.

Any PSDTs that don’t show a CLEAR button are potentially vulnerable.

If you’ve ever listed assets on another marketplace besides drc-20.org, we recommend that you transfer these assets to a fresh Doge Labs Wallet immediately (as described in the next step below). 👇

My PSDTs are from Somewhere Else, Help!

[Figure: listings from other marketplaces are shown here in red]

The process to protect the rest of your inscriptions is a tiny bit more work, but here’s what you can do.

  1. Load your wallet into the Doge Labs Wallet via seed phrase or private key.
  2. Head on over to the Doge Labs Account page.
  3. Click on the orange “Clear PSDTs” button (above the search bar).
  4. Click on the refresh button (left of the search bar) on this page.
  5. Create a fresh wallet inside the Doge Labs Wallet. Do this by clicking on the gray box in the top right.
  6. Click on the “+” button in the top right and create a new wallet via mnemonics.
  7. Transfer the inscriptions from your wallet imported via seed phrase to the fresh wallet you just created.

WARNING: Once you’ve done this, do NOT list your assets on a marketplace that hasn’t implemented a fix for this PSDT vulnerability yet (unless you want them to be made vulnerable again).

What’s Next?

As soon as we realized old listings were being bought up by what appeared to potentially be a bad actor (or actors), our first priority was to protect as many of the most vulnerable members of the community as possible.

The Doge Labs team developed a tool to scan for these exposed “delistings” and has saved as many discounted assets as we could with the following wallet:

  • DFMC4s3UFk3WGQgnNHsQ5XjMJPpPSgvStR

While we were limited in what we could save due to time, technical, and financial constraints (we had to literally cash each vulnerable listing…), we chose to prioritize listings we thought were the most vulnerable to attacks.

If you believe you have been included in this protection sweep, please submit the following form and we will reunite you with your now PSDT vulnerability-free assets ASAP:

NOTE: Please submit the claim form within the next 60 days. We of course wish to give ample amounts of time for the claiming process, but we also need to be mindful of people using an over-extended period here as a safe, free form of arbitrage for these assets. We are currently risking a non-insignificant sum of our team members’ funds for this, so please try not to abuse it ❤.

For all other remaining vulnerable listings, don’t forget to use our Clear PSDT tool to ensure your PSDTs have truly been cleared.

While Doginals is still undoubtedly brand new tech and a young, promising new protocol, it will always be our goal to safeguard our users’ assets to the best of our ability.

We appreciate everyone who has shown us patience recently as we investigated and subsequently upgraded the PSDT standard, as well as built these tools for the community.

Disclaimer: Nothing presented here should be construed as financial advice. This blog post is strictly educational and is not investment advice or a solicitation to buy or sell any assets or to make any financial decisions. There are always potential errors in these articles, and everyone should act with care — especially with tech as new as Doginals. Please be careful and always do your own research.

By engaging with drc-20.org and Doge Labs products, you agree to our Terms of Use: https://drc-20.org/legal/terms

About Doge Labs

Doge Labs is the leading infrastructure provider in the Dogecoin Ordinals (or ‘Doginals’) ecosystem. We are most well known for establishing the first Ordinals standard on Dogecoin, creating the first automated marketplace on Doge, and operating the number one Dogecoin wallet on Chrome.

With our marketplace, wallet, explorer, inscription tool, and launchpad, we offer the most advanced inscription ecosystem outside of the Bitcoin network. Our suite of products is designed to meet the needs of both consumers and developers, delivering a practical solution for Dogecoin Ordinal participants across various verticals.

Doge Labs also developed and operates the original Ordinals Theory-compliant Doginals indexer, solved the PSBT issue on Doge through our Partially Signed Dogecoin Transaction (PSDT) tech solution, and is the inventor and operator of Dogecoin’s primary Ord, Wonky-ord.dogeord.io.

Our goal is to make Ordinals accessible to the masses. We’ve ensured our ecosystem is turn-key ready, anticipating the moment when institutional-grade entities will decide to engage with inscriptions.

At Doge Labs, we are dedicated to shaping the future of Dogecoin Ordinals through user-friendly experiences, powerful tools, and innovation.
