Cyvocate uncovered a critical flaw in a Web3-integrated payment system that allowed attackers to spoof blockchain payments without executing any real on-chain transaction. By forging the blockchain API response that the platform used as proof of payment, a malicious actor could have generated unlimited credits at no cost, a direct path to six-figure financial losses and lasting reputational harm.
Our timely discovery and remediation guidance helped the client secure their verification pipeline, safeguarding user trust and protecting revenue.
Blockchain-based platforms rely on payment verification to maintain trust and integrity. In this case, the client’s system trusted a blockchain API response relayed by the client instead of looking the transaction up itself, server-side, from a node or API it controls.
This oversight left the door open for attackers to fake successful payments: a fundamental breakdown in the payment logic that undermined the platform’s business model, since anything the client can send, the attacker can forge.
Through controlled testing, Cyvocate demonstrated the full attack chain:
Illustration: Spoofed client response → Platform credits attacker account → No real blockchain transaction occurred
This loophole effectively allowed free money creation on the platform: no funds ever left the attacker's wallet, yet the platform's ledger recorded a completed payment.
First, we intercepted the blockchain verification request between the client and the platform. The platform accepted the following API response, as supplied by the client, as proof of payment without checking it against the chain:
{
  "status": "1",
  "message": "OK",
  "result": [
    {
      "blockNumber": "18954321",
      "timeStamp": "1716720788",
      "hash": "0xdecafbadbeef1234567890abcdef1234567890abcdef1234567890abcdef1234",
      "from": "0x[attacker_wallet]",
      "to": "0x[platform_wallet]",
      "value": "38912322754369850",
      "txreceipt_status": "1",
      "confirmations": "12"
    }
  ]
}
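To make the flaw and its fix concrete, the following is an added example written for this write-up; it is not the client's code or Cyvocate's tooling. It contrasts a verifier that credits an account from the client-supplied JSON above with one that resolves the transaction hash on a node the server trusts and checks recipient, sender, amount, receipt status, confirmation depth and replay. The wallet addresses, the `FakeNode` stand-in for a JSON-RPC node, and the Python implementation are all assumptions so the file runs offline; the hash, value and block number are taken from the captured response.

```python
import json

# Assumed values: the case study redacts both addresses.
PLATFORM_WALLET = "0x00000000000000000000000000000000000000aa"
ATTACKER_WALLET = "0x00000000000000000000000000000000000000bb"
TX_HASH = "0xdecafbadbeef1234567890abcdef1234567890abcdef1234567890abcdef1234"
VALUE_WEI = 38912322754369850
MIN_CONFIRMATIONS = 12

# The captured response, as the attacker would POST it to the platform
# (placeholders replaced with the assumed addresses above).
FORGED_PAYLOAD = json.dumps({
    "status": "1", "message": "OK",
    "result": [{
        "blockNumber": "18954321", "timeStamp": "1716720788", "hash": TX_HASH,
        "from": ATTACKER_WALLET, "to": PLATFORM_WALLET, "value": str(VALUE_WEI),
        "txreceipt_status": "1", "confirmations": "12",
    }],
})


def verify_payment_insecure(client_json: str, platform_wallet: str) -> int:
    """Vulnerable pattern: credits whatever the client claims (returns wei).

    Nothing here touches the chain, so a forged payload is indistinguishable
    from a real payment; every field below is attacker-controlled.
    """
    data = json.loads(client_json)
    if data.get("status") != "1":
        return 0
    tx = data["result"][0]
    if tx["to"].lower() != platform_wallet.lower() or tx["txreceipt_status"] != "1":
        return 0
    return int(tx["value"])


class FakeNode:
    """Constructed stand-in for the server's own JSON-RPC node.

    Only transactions present in `txs` exist on this chain.
    """

    def __init__(self, txs: dict, head: int):
        self._txs = {h.lower(): t for h, t in txs.items()}
        self._head = head

    def get_transaction(self, tx_hash: str):
        return self._txs.get(tx_hash.lower())  # None if never mined

    def block_number(self) -> int:
        return self._head


class PaymentVerifier:
    """Hardened pattern: the client sends only a tx hash; everything else
    is read from the node and compared against what the server expects."""

    def __init__(self, node, platform_wallet: str, min_confirmations: int):
        self.node = node
        self.platform_wallet = platform_wallet.lower()
        self.min_confirmations = min_confirmations
        self.credited = set()  # hashes already credited: blocks replay

    def verify(self, tx_hash: str, expected_from: str, min_value_wei: int) -> int:
        tx_hash = tx_hash.lower()
        if tx_hash in self.credited:
            return 0  # same receipt submitted twice
        tx = self.node.get_transaction(tx_hash)
        if tx is None:
            return 0  # forged hash, not on chain
        if tx["status"] != 1:
            return 0  # mined but reverted
        if tx["to"].lower() != self.platform_wallet:
            return 0  # paid someone else
        if tx["from"].lower() != expected_from.lower():
            return 0  # someone else's payment claimed for this account
        if tx["value"] < min_value_wei:
            return 0  # underpaid
        confirmations = self.node.block_number() - tx["blockNumber"] + 1
        if confirmations < self.min_confirmations:
            return 0  # could still be reorged out
        self.credited.add(tx_hash)
        return tx["value"]


def demo_forged():
    """Empty chain: the hash in FORGED_PAYLOAD was never mined."""
    node = FakeNode(txs={}, head=18954340)
    insecure = verify_payment_insecure(FORGED_PAYLOAD, PLATFORM_WALLET)
    secure = PaymentVerifier(node, PLATFORM_WALLET, MIN_CONFIRMATIONS).verify(
        TX_HASH, ATTACKER_WALLET, VALUE_WEI)
    return insecure, secure


def demo_genuine(head: int = 18954332):
    """Chain holds the real transaction; a second submission is a replay."""
    node = FakeNode(txs={TX_HASH: {"from": ATTACKER_WALLET, "to": PLATFORM_WALLET,
                                   "value": VALUE_WEI, "status": 1,
                                   "blockNumber": 18954321}}, head=head)
    verifier = PaymentVerifier(node, PLATFORM_WALLET, MIN_CONFIRMATIONS)
    first = verifier.verify(TX_HASH, ATTACKER_WALLET, VALUE_WEI)
    second = verifier.verify(TX_HASH, ATTACKER_WALLET, VALUE_WEI)
    return first, second


if __name__ == "__main__":
    print("forged payload:", demo_forged())    # insecure credits, secure rejects
    print("genuine tx:", demo_genuine())       # credited once, replay rejected
```

The design point is that the client contributes exactly one untrusted value, the transaction hash, and the server derives every fact it acts on from its own node. The `credited` set is as important as the chain lookup: without it a single real payment can be redeemed repeatedly, which is the same free-credit outcome by a different route.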