§ Case study · Reverse engineering · Web3 2024 · 2 weeks · Disclosed

Gaganode

128 XOR keys broke 217,000 Web3 nodes.

One Python rewrite. Four times the throughput.

Reverse-engineered Meson Network's proprietary Java client. Exposed single-byte XOR 'encryption,' unauthenticated remote command execution, and IP spoofing across 217k deployed nodes. Rewrote the client in Python with asyncio for 4× the original throughput.

  • Reverse engineering
  • Python
  • asyncio
  • Web3
  • Java
  • Security
Throughput
1.2 Gbps
↑ from 300 Mbps · 4×
Connections / thread
10,000+
↑ from ~2,000
CPU usage
−45%
thread-per-conn removed
Latency
~70 ms
↓ from ~120 ms

Gaganode — ducks on laptops cover

§ Background

In February 2024, Meson Network’s CoinList sale closed in 24 minutes, raising $8.75 million by selling 5 million MSN tokens at $1.75 each. The pitch: a decentralized CDN protocol for AI training and big-data distribution, “built almost entirely on open source code.” Over 200,000 nodes deployed worldwide.

The story is good. The reality is a compiled Java binary in a .tar.gz that hasn’t been updated in over two years.

I shared the full thesis on BidClub — an invite-only research platform for high-signal, short-biased investment posts — in “The Façade of Open Source: Meson Network.” The post earned me a seat at BidClub. The full version lives here in the writing section.

§ The shell game

What’s actually published as Meson “open source”:

  • gaga-app-hub — the “open-source” client repo. Contains precompiled binaries and minimal scripts. No actual source code for the daemon.
  • meson-electron — an Electron desktop UI (Vue + Node.js) that wraps and launches the binaries.
  • gaga_android_sdk — an Android SDK that allows developers to embed Meson’s mining functionality into any Android app, invisibly to the user, with no consent prompt.
  • gaga_android — a standalone Android app integrating the same .jar-based SDK. Permissions requested include RECEIVE_BOOT_COMPLETED, FOREGROUND_SERVICE, and REQUEST_IGNORE_BATTERY_OPTIMIZATIONS — persistent, battery-bypass capable.

The actual logic — node communication, encryption, remote command execution — lives in opaque Go and Java binaries that are not open source and have not been updated since 2022. Three years of “decentralized infrastructure” without security updates.

Many ducks — the operational footprint

§ Decompilation surfaced three flaws

Using JD-GUI and JADX, I decompiled the binary and recovered the protocol structure: 16-byte headers (message type, client ID, body length) followed by variable-length bodies. Sensitive payloads were “encrypted” with a single byte of XOR.

§ 1 — Single-byte XOR “encryption”

The connect_key and remote command payloads used a one-byte XOR cipher. 128 possible keys. Brute-forced in milliseconds.

# Meson's "encryption" was one byte of XOR.
# Try all 128. Validate JSON. Done in ms.

for k in range(128):
    candidate = xor(ciphertext, k)
    if is_valid_json(candidate):
        return k, json.loads(candidate)

# Known-plaintext shortcut: first byte is always 0x00.
# → K = C[0]. No brute force needed at all.

In every connect_key I observed, the first plaintext byte was consistently 0x00. Since C = P ⊕ K and P = 0x00, the XOR key reduces to K = C[0] — a trivial substitution. I built a class to parse, decrypt, modify, and re-encrypt these keys, including changing the reported IP address before re-XOR’ing. The forged keys passed validation by Meson’s load-balanced child servers without complaint.

§ 2 — Unauthenticated remote command execution

The remote_server_client.java class allowed the server to push arbitrary system commands to nodes, “secured” only by the XOR scheme above. The message type was defined in msg_req_remote_cmd.java.

Real-world consequences:

  • Remote Code Execution. Attackers could execute destructive commands or install malware, especially on nodes running with privilege.
  • No authentication. The client never validated the server’s identity. Anyone who could intercept or forge packets could impersonate Meson servers.
  • Massive scale. Over 200,000 nodes deployed. Botnet potential at the protocol layer.

In my Python rewrite I neutralized this attack vector by simulating remote commands with safe AI-generated outputs, proving the vulnerability without putting nodes at risk.

§ 3 — IP spoofing via plaintext HTTP verification

Meson’s IP verification process issued an unencrypted HTTP GET to a remote endpoint to determine each node’s public IP. This request was routed through the local node and transmitted over plaintext HTTP.

By intercepting this request mid-proxy and injecting a forged X-Forwarded-For header, I was able to completely override the perceived source IP — making Meson’s API register any IP I chose.

Combined with the connect_key spoofing above, it became trivial to impersonate nodes from any location in the world.

§ Why a rewrite?

The Java client used thread-per-connection with synchronous I/O. Every node connection spawned dedicated threads for socket operations, heartbeats, and messages. For a network with potentially tens of thousands of nodes, this was a resource nightmare:

  • Thread overhead — each thread consumed 1–2 MB of stack space. At 10,000 connections, that’s 10–20 GB just for stacks.
  • Context switching — thousands of threads contending for CPU, drowning performance in overhead.
  • Resource contention — memory exhaustion and unpredictable latencies at scale.

For an I/O-bound application like Meson, where most time is spent waiting for network responses, this was incredibly wasteful. I rewrote the client in Python with asyncio.

§ The Python rewrite

The rewrite replaced thread-per-connection Java with a single-threaded asyncio event loop:

  • Asynchronous I/O. All network operations on non-blocking sockets. The GagaProtocol class processes incoming data asynchronously, looping while there’s enough data to process full headers and bodies.
  • Asynchronous DNS via aiodns — no blocking lookups.
  • One coroutine for heartbeats across all nodes (Java spawned a thread per node).
  • Safe remote command simulation. Actual command execution replaced with AI-generated outputs to prove the vulnerability without putting nodes at risk. A cache stores command results to avoid redundant API calls.
  • ~1,400 LOC excluding tests.

§ Outcomes

  • ~1.2 Gbps aggregated throughput vs. ~300 Mbps for the Java client (4×)
  • 10,000+ concurrent connections in a single thread (Java struggled past ~2,000)
  • Average latency cut from ~120 ms to ~70 ms under load
  • CPU efficiency improved 40–50% by eliminating thread overhead

§ The wider economic point

The infrastructure observed during analysis appears linked to IPCola.com, a residential proxy reseller. The majority of observed traffic was directed at Instagram, Facebook, and YouTube — strongly suggesting the actual users are clients bypassing censorship from within China. The main authentication server is hosted in Hong Kong.

Meson is monetizing user IP addresses under the guise of decentralization. The “AI training” and “CDN” narratives are window dressing for a residential proxy business with a token attached.

§ Where it stands

As of April 2025, over 217,000 Meson nodes remain vulnerable to the same RCE vector. Three years without code updates. No public response from the team. Every active node still reachable by the same attack path.

The Gaganode client is available on request. All exploit demonstrations were conducted ethically — no destructive commands issued, no data exfiltrated, all RCE simulated via AI-generated output rather than live execution.

The CAPTCHA designers made one critical assumption: that visual complexity equals computational complexity. Meson’s designers made the same assumption about decentralization. Visual complexity in software is just code, and code has patterns.

Let's take the housing off something.

Reverse-engineering, Web3 infrastructure, firmware teardowns, consulting. I answer email inside 24 hours.

me@mostafa.dk → Book a call