One of the things that I like to do before moving my money to a new bank account or wallet is to transfer small amounts of money in and out of the service that I am testing, which is almost a rule of thumb in my case. Before moving any significant amount, I should test the Chivo wallet if the government is looking for ways to trap my money within their custodian service. I know that Chivo wallet is a government-sponsored bank account. As such, I don't trust it at all because I know the possibility exists that my money may never be available to me in the way of actual bitcoin. Still, just their custodian Bitocin, because of that risk I was testing.
I noticed that my withdrawal was sent in one of those tests I was doing, but the Chivo wallet didn't report it and returned my money. That's when I exactly discover the bug. To make sure it was not a one thing mistake, I decided to test a couple of times more. After a few tests, I decided that this was indeed a bug and went to social media and published my findings. To my surprise, no one seems to be interested, and I think that up to this day, not even Chivo wallet administrators are aware of the issue as far as I know.
I made the video public hoping that customer service at Chivo wallet rectifies the error and fixes whatever is going on with the application. The bug is straightforward you withdraw your funds, and the application, instead of deducting your funds it gives back your credit like if you haven't sent any money, but in the other application, you already got your funds. I tested it using android devices on both circumstances, and if you watch the video, you will notice that you need two accounts, two phones, one to send and one to receive.
The application marks the money as not sent, but in reality, the LN transaction reaches the other side, and as such, your credit within Chivo doesn't get deducted. It is pretty much like having an unlimited bank account where you can withdraw, and your available money doesn't decrease. Now, this is not fraud or hack of the application. Pretty much, you are using your own money and your account that has your name and personal data, so the government will know how exploited the bug. Still, the government didn't beta test for these easy issues before launching the application.
The bug that I discovered doesn't require any technical know-how, just a balance and a few transactions that the system will detect as not processed, but in reality, they were sent. I am not reverse-engineering the application or modifying the application in any way or form, which means more sophisticated attacks may be possible using the Chivo wallet systems. If the government didn't bother to introduce some beta testers before launching, that means there are more complicated bugs waiting to be discovered and exploited.
Not to mention that after reaching support, my account got ban or canceled because now I can't access my Chivo account, so if you have a bug and you want to report it, the people who work for the El Salvador government would instead ban you than to address the issue. I presume they will not be interested in any bug hunter program. I don't know if I will get access to my Chivo account in the future, but I know they are not interested in people discovering bugs. They want to say that the Chivo wallet works and works without any issue. After all, that is the official report from the government.
The Chivo wallet has been pledge with bugs from the get-go, and many users reported issues from the start, and now even identity fraud as well. I know that Chivo wallet has identity fraud issues, It is possible that the bug I discovered has not been fixed just yet, so I would say that it is not safe to invest any amount of money and leave it in the wallet for the time being not at least we know all bugs have been fixed. Knowing that funds could be drained is enough reason to say to others that they should not trust Chivo wallet with their money at this point and that people should look to move their satoshis out of the application or into actual dollar bills.
I don't know what will happen with my Chivo account or what the operators will do next. I don't even know if they will report the issue of satoshis that I took from the exploit, and I don't even know if they have noticed the problem, but I left them an email with my information to contact me about it. I will update this article or create another one once I have news. I think those in charge of the application would not like to admit they lost money via a bug that will look bad in the local channel news and probably mean they have some questionable employees who didn't d their job that well.
Note the video is in Spanish and I am sorry I won't be able to upload a dub version at this time.