As you probably know, most exchanges recently took offline all CryptoNote wallets (including Monero) due to
Double Counting Bug. We tried to reproduce an exploit of the double counting bug with GRAFT master (current GRAFT version) to prove that GRAFT is not affected. In order to do that, we have prepared a special testing branch with the exploit:
https://github.com/graft-project/GraftNetwork/tree/double-accounting-exploit, where we duplicated the “add_tx_pub_key_to_extra” call inside “construct_tx_and_get_tx_key(…)” method in cryptonote_core/cryptonote_tx_utils.cpp. The destination wallet with the bug was supposed to show the wrong (doubled) balance after the transfer from the exploited source wallet.
The destination wallet (GRAFT master, private testnet) before the test transfer shows 20 GRFT balance:
Now, we are transferring 10 GRFT from the exploited source wallet (private testnet), trying to “trick” the destination wallet:
The destination wallet after the transfer shows the correct amount (30 GRFT):
Here is the destination wallet log:
So this case is already handled in current Graft version (1.2.1), which is based on Monero v11, and the bug seems to be introduced in Monero v12, where subaddress functionality was implemented.
Therefore, current GRAFT wallets are safe for all users including exchanges.