The secure onchain bank inside your github
GitVault is now live on Base Mainnet.
We built GitVault because AI agent wallets today are one leaked private key away from being drained. GitVault fixes this with dual signatures: cryptographic ownership + verified social identity.
To prove it, we funded a vault with 504 gitUSDC and published the private key publicly at gitbank.io/openhack. Drain it if you can.
Private key: 0x1a40cabe6...
Vault: 0x639df7b0...
Attack surface:
- Break secp256k1: theoretically possible, practically no
- Replay a relayer sig: blocked by monotonic nonce & 5-min deadline
- Social engineer the owner's GitHub/X account
- Find a smart contract bug: verified & public on Basescan
The private key gives you only one of two required signatures. The second comes from the Gitbank relayer, which only signs after verifying a real command from the vault owner's GitHub or X account. Without it, the contract reverts: "GitVault: invalid relayer sig"
The key alone is not enough. Hack it if you can. gitbank.io/openhack
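
A toy model of the two-signature check the post above describes, added here as an illustration and not GitVault's contract code. HMAC-SHA256 stands in for secp256k1 signatures, and `VaultModel`, `relayer_approve`, the message layout and every rejection string are assumptions.

```python
import hashlib
import hmac

DEADLINE_WINDOW = 300  # the post's 5-minute deadline, in seconds


def sign(key: bytes, msg: bytes) -> bytes:
    """Assumption: HMAC-SHA256 stands in for a secp256k1 signature."""
    return hmac.new(key, msg, hashlib.sha256).digest()


class VaultModel:
    """Hypothetical vault that pays out only with owner AND relayer signatures."""

    def __init__(self, owner_key: bytes, relayer_key: bytes, balance: int):
        self.owner_key, self.relayer_key = owner_key, relayer_key
        self.balance = balance
        self.last_nonce = 0  # highest relayer nonce accepted so far

    @staticmethod
    def digest(to: str, amount: int, nonce: int, deadline: int) -> bytes:
        # Both signatures cover the same fields, so an approval cannot be retargeted.
        return f"{to}|{amount}|{nonce}|{deadline}".encode()

    def withdraw(self, to, amount, nonce, deadline, owner_sig, relayer_sig, now):
        """Return 'ok' or the reason the withdrawal was rejected."""
        msg = self.digest(to, amount, nonce, deadline)
        if not hmac.compare_digest(owner_sig, sign(self.owner_key, msg)):
            return "invalid owner sig"
        if not hmac.compare_digest(relayer_sig, sign(self.relayer_key, msg)):
            return "invalid relayer sig"  # a leaked owner key stops here
        if now > deadline:
            return "expired"              # approval outlived its window
        if nonce <= self.last_nonce:
            return "stale nonce"          # replay of an earlier approval
        if amount > self.balance:
            return "insufficient balance"
        self.last_nonce, self.balance = nonce, self.balance - amount
        return "ok"


def relayer_approve(relayer_key, to, amount, nonce, now):
    """Relayer side; verifying the owner's GitHub/X command is not modelled."""
    deadline = now + DEADLINE_WINDOW
    return deadline, sign(relayer_key, VaultModel.digest(to, amount, nonce, deadline))
```

In this model the scheme is only as strong as the relayer key and the account check that gates `relayer_approve`, which is the part the post lists as the social-engineering surface.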
this is exactly why audit-driven security matters. zcash caught it before a known exploit, which is the best case scenario. what we built with signito operates differently: non-custodial OTS protocol where vault access is enforced by the on-chain program itself, not application logic. the hash chain verification happens at the contract level, so even if the frontend or relayer is compromised, an attacker cannot authorize a withdrawal without the correct preimage. ZK layer (Groth16) adds a second axis: the commitment nullifier system means the relay has zero knowledge of who is withdrawing or to whom. no admin keys. no upgrade authority over user funds. no server-side vault code storage. the exploit surface is the cryptography itself, not the infrastructure around it
Gitbank will support x402. Here is why.
x402 is the payment layer the internet has been waiting for. HTTP 402 + USDC on Base. Machine-to-machine, instant, no accounts, no invoices.
Google, Visa, Stripe, AWS, Anthropic already in the Foundation. 165M transactions, $50M volume, 69K active agents.
This is not a trend. This is infrastructure.
But x402 has a problem nobody is talking about. If an AI agent can sign and send payments autonomously, a compromised agent can drain its own wallet. No brake. No verification. No recovery.
The payment rails are fast. The security is not.