I was following the Fantom Gitcoin Grant progress very closely because PaintSwap/Estfor Kingdom was a part of it: the better we did, the more funding we got and hence the more development we could continue to do. I noticed some irregularities in the progression of some projects which did not fit expectations based on the project and community activity. There were a few that stood out, so I decided to investigate. This post is about the most obvious case of exploitation, the one done by WigoSwap.

I will define a few terms now which I'll use throughout so that we are on the same page:

- **Fanout**: an account which sends to many accounts.
- **Daisy chain**: an account which sends to one account, which then passes the rest of the resources (GCV and FTM) to the next account, and so on in a chain-like fashion.

The WigoSwap multisig is 0x17d0f39f93acc2762bfe013c1b3fab0ccb56e335, which is defined on their documentation page: https://docs.wigoswap.io/extras/wigoswap-contracts#multisig-wallets

![](https://hackmd.io/_uploads/S1rYTfwlp.png)

Their multisig receives 1 million GCV tokens, as expected, from the Fantom Foundation: https://ftmscan.com/tx/0xfa2754e3567f891a40067ccd1bd1ca915724372c0abe20da1628c3c860706bd5

All projects received GCV tokens this way; it was the initial distribution mechanism from which the projects would then re-distribute 100 tokens to each of their users for matched voting.

![](https://hackmd.io/_uploads/S1chTGve6.png)

The first transfer they ever did of these GCV tokens was 50k tokens to 0x7dfb6db89e46e8decf6fe10e500a409ea2af2244: https://ftmscan.com/tx/0x23a6703117bc35bf0f01154d410658b2b53449b7a6147b4bf53df80578b6a7d1

![](https://hackmd.io/_uploads/rkBl0Gvla.png)

Why send 50k to this account in particular? It's just a normal EOA, so it's probably just for easier distribution. What about the other 950k tokens?
This was a brand new account as well, and it becomes very interesting 11 days later when it receives 39 FTM from 0xbd8b5b5e87db8a6b979fc8b2c4ab39b32916e857: https://ftmscan.com/tx/0x0d1e48296914df4d8d0661e241df66b7b542e8c4fe80eb66580258bef0fa82ad

![](https://hackmd.io/_uploads/SyiW8QDx6.png)

A couple of hours later that account also sent 39 FTM to 0xef81922bac3b14e6130ef7f58a76be213c498ec3: https://ftmscan.com/tx/0x482d09875e468e5d83f196b79c75feee4a32de91736ce980edcd829550b80ade

![](https://hackmd.io/_uploads/Sk_XIXDgT.png)

3 days later it sends 49 FTM to 0x804b5a6c7a13bd744948d4f86287be1fcfa756a1: https://ftmscan.com/tx/0x0bd4bf60ee2924dcf5cbd708d21e1e620aa8d354d9e4b018ccc770cf15f3b045

![](https://hackmd.io/_uploads/H17rIXPxT.png)

Checking that account, you see it also received 7.9 FTM from 0x2574c5fdca3d90d52eee2d210ffb2972aed911ff: https://ftmscan.com/tx/0x06f39faa4caa093b4b8e3d3f1e8678bdb0e642cfa6b009129c384e98c7a8a1d7

These accounts become interesting, hold on…

![](https://hackmd.io/_uploads/ByrDUXwl6.png)

Let's take the second account, 0x804b5a6c7a13bd744948d4f86287be1fcfa756a1, for instance.

![](https://hackmd.io/_uploads/r1h5CfDga.png)

It got transferred some FTM, claimed an NFT, voted in Gitcoin, and transferred the GCV tokens and the rest of the FTM to 0x00f0e21f84e7578cde19a466e952ec05940f0ead. What does that account look like? Oh, it's exactly the same! New account, mint, vote, transfer, and this goes on for another 5 times: a **daisy chain**.

Now let's retrace back to 0x804b5a6c7a13bd744948d4f86287be1fcfa756a1 and follow where that 7.9 FTM came from. Oh look, it turns out this was also part of a daisy chain; 3 transactions back you get to 0x21b2bc7b324c38f77ce5b04394cae17118dee6d4.

![](https://hackmd.io/_uploads/Hkqgk7wx6.png)

Remember the account from earlier that received 39 FTM from 0xbd8b5b5e87? Well, it also was sent 19 FTM here. Let's continue following the daisy chain of the first account back to whoever sent it FTM.
Following **38 daisy chained** accounts (all doing the same thing) later… you end up at 0x9d56947907158890cef8f9f3182b00b06269cfff, an account with another split.

![](https://hackmd.io/_uploads/SJ7vJmDg6.png)

Another interesting account it sends to is 0x0899829b37e9f3cca67fadff63700eae58c2694d. It was sent 15 FTM, and sends 1 FTM to many accounts...

![](https://hackmd.io/_uploads/BkmtwmDlp.png)

What do those accounts which receive FTM look like? Well, I'm sure you can guess; no surprise there. One example is 0xf9ad6d92f216d3eb391c92712b538f34ca9d59d6:

![](https://hackmd.io/_uploads/rJZqkXPxa.png)

So that was a fanout voting strategy, and they all send the FTM back to this account: 0x919a121c326b117b617dee801b85c008bdd8fa26

You'll notice on this account there are a lot of 0.5 FTM transfers to accounts. Let's take one of them for instance, sending to 0x6733daa5a2bd57b6795c6e8da41192f02a316dcc. Oh look, it's another fanout, voting and sending the remaining FTM back to 0x919a121c326b117b617dee801b85c008bdd8fa26.

![](https://hackmd.io/_uploads/BJyyxmvxp.png)

Great, but I wasn't even done with the previous daisy chain that this split off from a while ago... So let's go back to 0x9d56947907158890cef8f9f3182b00b06269cfff. That was part of a 50 account daisy chain; going a few more back, you end up at 0x8Be31F7Bc584f1F68D07Df645115F56c9616f925. Oh, it received 1 FTM from the previously connected account 0xbd8b5b5, but also received 1.5 FTM from 0x745440152efe8770036cfb96891274ee99f9a6b9: https://ftmscan.com/tx/0xd38a9c515a8e85b49893a79a351653d7fd59c6effbae46f1eef4245e448ef6d0

![](https://hackmd.io/_uploads/Byb4l7vxa.png)

What happens if we follow that?
You guessed it: following that a couple more times, you end up at an actual account with real transactions on it: https://ftmscan.com/address/0x26303a8e493e98df9daea37e5b70c0d5a651680e

Now further investigation could lead that somewhere else connected to some other WigoSwap accounts, but I didn't have the energy to continue looking at this one, because there are still other accounts to look at!

Remember the other account which received 39 FTM? https://ftmscan.com/address/0xef81922bac3b14e6130ef7f58a76be213c498ec3

![](https://hackmd.io/_uploads/H12cxmPea.png)

This is also mid daisy chain; you can go forward and back through that chain too, and it's all the same stuff.

So ok, there's definitely some shenanigans going on, but how do we know who is behind it? Following the FTM of the other accounts may lead somewhere, but may also go to a CEX (I haven't had time to check). There's something easier we can do, though: follow the GCV tokens! Each user should only be sent 100 GCV tokens, because that is the maximum that can be counted for a vote, so if an account which is part of the exploit receives many more, what other explanation is there?

Remember all the way back to account 0xbd8b5b5e87db8a6b979fc8b2c4ab39b32916e857, which sent 39 FTM to some of the daisy chain addresses? Well, this is where things get interesting: it got sent 200k GCV tokens straight from the Wigo multisig!! https://ftmscan.com/tx/0xcc67bfcc39b27955622f1e83654957f07be1a1a615e4832bf2f601666da03320

![](https://hackmd.io/_uploads/SJ1Nb7DxT.png)

It then sends 110 tokens to various accounts

![](https://hackmd.io/_uploads/ryqRt7wxp.png)

and in the middle sends 5k GCV to 0x0bACB2cDd5a85D4a307E40624CA553466048B074: https://ftmscan.com/tx/0xc8067234ec46da467b7220999477d3ca2245fbdaeb6d70105d394ac1a4c5e906

![](https://hackmd.io/_uploads/Hy_IW7vep.png)

which, as you guessed, is part of the daisy chaining accounts mentioned before! So there are very close links between the WigoSwap multisig and these exploiting accounts.
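As an added example (not part of the original post), here is a small Python script that applies the three heuristics used in the walkthrough above to a list of transfers: accounts receiving more than the 100 GCV a single vote can use, fanouts (one sender pushing FTM to many distinct recipients) and daisy chains (each account forwarding its FTM to exactly one next account). The transfers, account names and thresholds are constructed placeholders, not the real on-chain data.

```python
from collections import defaultdict
# Constructed sample transfers, not real chain data: (sender, receiver, token, amount).
TRANSFERS = [
    ("multisig", "hub", "GCV", 200_000), ("multisig", "user", "GCV", 100),
    ("hub", "fan", "FTM", 15), ("hub", "d1", "FTM", 39), ("hub", "d1", "GCV", 110),
    ("fan", "f1", "FTM", 1), ("fan", "f2", "FTM", 1), ("fan", "f3", "FTM", 1),
    ("fan", "f4", "FTM", 1), ("fan", "f5", "FTM", 1),
    ("d1", "d2", "FTM", 38), ("d1", "d2", "GCV", 100), ("d2", "d3", "FTM", 37),
    ("d2", "d3", "GCV", 100), ("d3", "d4", "FTM", 36), ("d3", "d4", "GCV", 100),
]
GCV_CAP = 100  # only 100 GCV per account counts for one vote, so more is a red flag

def build_graph(transfers):
    """Outgoing edges per sender, and per-token totals received per account."""
    out, received = defaultdict(list), defaultdict(lambda: defaultdict(float))
    for sender, receiver, token, amount in transfers:
        out[sender].append((receiver, token, amount))
        received[receiver][token] += amount
    return out, received

def over_gcv_cap(transfers, cap=GCV_CAP):
    """Accounts that received more GCV than a single vote can ever use."""
    _, received = build_graph(transfers)
    return sorted(a for a, tot in received.items() if tot["GCV"] > cap)

def ftm_targets(edges):
    return {receiver for receiver, token, _ in edges if token == "FTM"}

def fanouts(transfers, min_children=5):
    """Senders that push FTM to at least min_children distinct recipients."""
    out, _ = build_graph(transfers)
    return {s: len(ftm_targets(e)) for s, e in out.items() if len(ftm_targets(e)) >= min_children}

def daisy_chains(transfers, min_len=3):
    """Chains where each account forwards its FTM to exactly one next account."""
    out, _ = build_graph(transfers)
    next_hop = {s: ftm_targets(e).pop() for s, e in out.items() if len(ftm_targets(e)) == 1}
    chains = []
    for head in [a for a in next_hop if a not in next_hop.values()]:  # chain starts
        chain = [head]
        while chain[-1] in next_hop and next_hop[chain[-1]] not in chain:
            chain.append(next_hop[chain[-1]])
        if len(chain) >= min_len:
            chains.append(chain)
    return chains

if __name__ == "__main__":
    print(over_gcv_cap(TRANSFERS), fanouts(TRANSFERS), daisy_chains(TRANSFERS))
```

On real data the transfer list would come from an explorer export or RPC logs, and the thresholds would be tuned to the round's rules.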
It was not until the Gitcoin Passport requirement dropped from 17 to 10 that WigoSwap took an almost 2x lead over the next participant, when they were almost last before that, and most of these transactions happened after that. As per their Medium article, the GCV was distributed through a TG bot: https://wigoswap.medium.com/get-your-gitcoin-passport-and-support-wigo-your-chance-to-make-a-difference-f4ace222d5a2

![](https://hackmd.io/_uploads/ry45W7wla.png)

So there are large GCV token transfers to these malicious accounts directly. Even with this blockchain evidence maybe you are still not convinced, but there is something the team did out in the open which is against the rules: bribing.

## Bribing

As per https://support.gitcoin.co/gitcoin-knowledge-base/about-gitcoin/policy/understanding-potential-attack-vectors/bribery-quid-pro-quo

![](https://hackmd.io/_uploads/r1UrfQPla.png)

So bribing is against the rules and should result in expulsion. Did WigoSwap do any of that? Let's see.

https://x.com/WigoSwap/status/1704065833943621697?s=20

![](https://hackmd.io/_uploads/rktjGXPxT.png)

https://wigoswap.io

![](https://hackmd.io/_uploads/BJLxBmwl6.png)

Old claim form still active: https://docs.google.com/forms/d/e/1FAIpQLSfiBl-Eh4rQEew7SD5qHY29pM7cVAuwNkY3eOx4aC26YU67dA/viewform

![](https://hackmd.io/_uploads/SycEBXDeT.png)

The sites are now defunct, but luckily I took screenshots before:

![](https://hackmd.io/_uploads/HJiQBmPxa.png)

https://gitcoin.gowigo.xyz/#tiers

![](https://hackmd.io/_uploads/BJWNSmvl6.png)

![](https://hackmd.io/_uploads/r1INBmwl6.png)

https://gitcoin.gowigo.xyz/#claim

![](https://hackmd.io/_uploads/SkthEXwea.png)

TL;DR: the bribing alone should probably be enough reason for disqualification, as it is clearly against Gitcoin rules to offer direct incentives for voting. Any users who don't even care about any of the Fantom projects could have a reason to vote because there is no penalty or cost in doing so, but it dilutes the other projects who are playing by the rules.
There were a number of suspicious accounts (60+ that I found) doing fan-out and daisy chain voting, which are all connected to each other and received large GCV token allowances directly or indirectly from the WigoSwap multisig address.

Regards,
0xSamWitch (PaintSwap & Estfor Kingdom)