We are excited to announce that we’ve upgraded Glo Dollar's smart contracts to V3, which comes after a previously unannounced upgrade from V1 to V2. 

We completed these upgrades for two main reasons: 

1. Addressing a critical security issue identified by our team on April 3rd;
2. Introducing much requested permit features.

Here, we delve into the details of the upgrade, including the security issue, the audit process, and the permit feature.

Resolving the Critical Security Issue

On April 3rd, the Glo team identified a critical security vulnerability. This vulnerability allowed any holder of Glo Dollar to increase their balance by sending any amount of Glo Dollar to themselves, after which their total balance would be increased by the sent amount. A malicious actor could have exploited this issue to steal funds.

Once we identified the issue, we took immediate action to confirm that it had not been taken advantage of, and then fixed the issue by upgrading from V1 to V2 on April 4th. 

How did this happen?

Our audit process for V1 of the smart contracts involved three phases: an internal audit, an audit by an independent researcher, and an institutional audit by a reputable audit firm. 

As part of the second audit, an independent researcher identified a gas optimization which we chose to incorporate. While doing this, we inadvertently introduced a vulnerability by initializing the toBalance variable before we deducted the amount to be sent from it. Unfortunately, this bug was not caught in the next round of reviews. 

We’re glad we caught it ourselves as part of expanding our testing suite, and that we identified it before Glo Dollar was made widely available to the public. We consider this a humbling learning experience.

Improving Our Audit Process for V3

To ensure that we do not introduce new issues in future upgrades, we revised our audit process to require two distinct auditing parties to review the same code before releasing it. This guarantees that any accepted recommendation made during the audit process is afterwards reviewed by at least two new auditors. This added layer of scrutiny reduces the likelihood of undetected vulnerabilities, and incentivizes us to only incorporate critical security fixes.

We applied this new audit process for our upgrade to V3, going through the following steps:

1. Our internal audit took place in the week of May 8th
2. Next, 0xmacro audited V3 in the week of May 15th. Their report includes a number of non-critical recommendations, which we chose to postpone to a future upgrade of the smart contracts to keep the smart contract stable for the next audit.
3. Finally, AfterDark’s https://twitter.com/sjkelleyjr and @securerodd audited V3 in the week of May 29th. Their report includes a number of non-critical recommendations, which we chose to postpone to a future upgrade of the smart contracts so that we could proceed with the upgrade without restarting the audit process. 

After we got these positive audit results back, we upgraded the smart contracts from V2 to V3 on June 6th.

Adding Permit Capability With V3

Beyond addressing the security issue with V2, we leveraged this audit cycle to expand the Glo Dollar smart contracts with the permit feature. This function allows web3 apps to request approval to spend users’ tokens without them needing to pay gas. This feature has been requested by both the community as well as our (soon to be announced!) issuance partner because it empowers builders to create more user-friendly applications. We anticipate this permit feature will play a pivotal role in the Glo ecosystem as more and more people start to build businesses on top of Glo Dollar.

Bug Bounty Program

As part of our commitment to maintaining the utmost security, we have an ongoing bug bounty of $50,000 on  Immunefi. This bounty encourages security researchers to identify potential vulnerabilities and report them, ensuring continuous improvement and strengthening the overall security of the Glo ecosystem. Please consider participating!

‍