Thanks to Discord user Hendrik for pointing me to this bug report on the chia-blockchain repository. It describes a possible bug, that the author Wallentx is calling “#dripgate” where the xch contract address for his plot nft was sent a mojo from an anonymous faucet and caused a wallet corruption bug where he is no longer able to claim “Self Pooling” block rewards.
Basically there is a potential situation where a malicious actor can monitor addresses that win blocks, send them to a faucet and have the faucet corrupt their wallets before they can claim their rewards.
I do not yet know if this is a real issue, I am currently syncing a new wallet to test. But if real this could be a very serious security issue with the on-chain pooling protocol.
Thanks for this interesting bug report. This doesn’t create any permanent corruption of the pool wallet. Chia sent directly to the P2 address are not claimable and ideally shouldn’t be shown in the wallet at all. In testing with testnet, the current wallet code will return an error if you have “real” claimable rewards in your pool wallet in this case where you have a mix of claimable and non-claimable (T)XCH. However, this will be fixed in a future release of the wallet such that all truly claimable rewards are claimable while ignoring any other chia in the pooling wallet. Note we plan to make some further fixes to make it harder to get into this state (eg, we will prevent you from sending chia to your own P2 address).
I think this response downplays the potentially serious nature of this bug, based on this response it sounds like any rewards assigned to a singleton address will be unclaimable until some future update. It is good to hear it is likely fixable and not permanent, but it would be good to have an eta for this fix, but it would be good to hear that from a core developer too.