
PLEASE NOTE: This article has been edited as a result of discussions with the CEO of Charity Engine.
Gridcoin miner Pomegranate has been somewhat of an enigma lately, with lots of users questioning where, and how, they are gathering a magnitude to rival that of GRCPool. At the time of writing, Pomegranate has two active CPIDs, detailed here and here. The first has a magnitude of 15833, while the second sits at 670. This second CPID has only just been advertised with a beacon, so its magnitude is expected to skyrocket over the next few weeks, taking Pomegranate to an estimated total magnitude of near 30,000. This is a significant amount of compute power being brought to bear.
After noticing the odd magnitude growth pattern of the user, and noting they do not take part in the community, @deltik and I attempted to learn more about the network. We started digging and found that Pomegranate's compute power is generated through a custom BOINC client installed on computers all over the globe.
The software identifies itself as a modified BOINC version 7.0.80, which we believe is actually Charity Engine 7.0.80, a non-public release of Charity Engine that was likely bundled with other software. Note that the latest public release of Charity Engine available on their website is BOINC 7.0.76, which is hardly used by Pomegranate at all. Therefore, most of the clients being used to mine GRC were not downloaded off the Charity Engine website.
Collectively, the BOINC 7.0.80 network of computers Pomegranate controls is already yielding Pomegranate more than 4000 GRC per day. This converts to over $280/day or over $8400/month.
It does not appear that the people whose computers run the BOINC 7.0.80 software are getting any sort of Gridcoin-related credit, or even know that they are running BOINC tasks for Pomegranate. It's hard to prove the lack of something, but from our research we have found that there have been no announcements of connections to Gridcoin, notices of reward payouts, or community participation. There is one notable exception - Pomegranate claiming the GRC commemorative coin as if they were a legitimate miner.
Why would the user name themselves "Pomegranate" when their connections are to Charity Engine? It appears this is a side operation by Charity Engine to make more money from the network they control, after they were unable to sell off all their compute power to industry. To back this up, the software has previously been used to mine ETH on user machines running both the BOINC 7.0.80 (bundled software) and BOINC 7.0.76 (direct download) copies of their client, until a user questioned the mining on the Charity Engine forums.

Although inconclusive on their own, here are further findings relating to Pomegranate that concerned us:
BOINC 7.0.80 is an uncommon version, accounting for 0.58% of all BOINCstats BAM! client versions as of 11 December 2017, yet nearly 100% of Pomegranate's computers run that version.
The vast majority of clients are a hodge-podge of low-end to middle-of-the-road computers running older versions of Microsoft Windows. Here are the computers belonging to Pomegranate as seen on VGTU, where they forgot to hide their hosts. These hosts have since been hidden.
If Pomegranate were a real pool where users are aware that their computers are being used for BOINC, like GRCpool, there would be a lot more diversity expected. See CPID 7d0d73fe026d66fd4ab8d5d8da32a611 for an example of one of GRCpool's CPIDs.
Pomegranate runs yoyo@home, but yoyo@home does not allow weak authenticators. This means that open pools like GRCpool can't allow users on that project because any connected user would be allowed to take over the account. It's likely that the owners of the computers running Charity Engine have no idea about the yoyo@home strong authenticator stored on their machines.
SRBase discovered that some work units are being wasted because of a bug with BOINC 7.0.80 and publicly asked users to upgrade BOINC, but how can those who don't know about the software installed on their computers know to do this? Charity Engine, just like BOINC, cannot update itself.
Curiously, PrimeGrid seeded Pomegranate early on. PrimeGrid paid Pomegranate 5000 GRC on 13 August 2017 (worth $161.80 at the time). Transaction here. Notice that the funds came out of S6RimEgrEar84vQpsmVAVFbGkxfJ4i2sec, which is the same address as the PrimeGrid GRC donation address. We discovered that administrator Rytis of PrimeGrid is also an administrator of Charity Engine.
PrimeGrid sent funds to Pomegranate, even though it wasn't mentioned on the donation page. A Gridcoin ops member got in touch with the PrimeGrid team who explicitly stated that the donations were for new hardware.
Although PrimeGrid is the one project that funded Pomegranate, that project received the least work done by Pomegranate.
Pomegranate did refund PrimeGrid 3800 GRC (2100 GRC on 28 August 2017 and 1700 GRC on 30 August 2017). One would expect 1200 GRC more for a full refund, and 1200 GRC was indeed sent on 23 August 2017, but not back to PrimeGrid. Instead, those GRC were sent to an address where the GRC was subsequently split up, some of which went to the wallet of user Tholo, an investor in Gridcoin. Source.
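The client-version finding above (a version with a 0.58% share of BAM! clients running on nearly all of one account's hosts) can be checked mechanically. The following is an added example, not code from the original article or from any of the projects named; the host lists are constructed sample data, and the function names and thresholds are assumptions chosen for illustration.

```python
import math
from collections import Counter

# Constructed sample data: (client_version, os) per host. Not real host records.
SUSPECT_HOSTS = ([("7.0.80", "Windows 7")] * 46 + [("7.0.80", "Windows XP")] * 30
                 + [("7.0.80", "Windows 8.1")] * 22 + [("7.0.76", "Windows 7")] * 2)
OPEN_POOL_HOSTS = ([("7.8.3", "Windows 10")] * 30 + [("7.6.33", "Linux")] * 25
                   + [("7.6.22", "Windows 7")] * 20 + [("7.2.42", "macOS")] * 15
                   + [("7.4.36", "Android")] * 9 + [("7.0.80", "Windows 7")] * 1)

# Population-wide share per version. The single entry is the figure quoted in
# the article (0.58% of BOINCstats BAM! clients as of 11 December 2017).
BASELINE_SHARE = {"7.0.80": 0.0058}

def shannon_entropy(values):
    """Diversity of a categorical sample in bits; 0 means every host is identical."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())

def concentration_report(hosts, baseline):
    """Summarise how concentrated a fleet is on its most common client version."""
    counts = Counter(version for version, _ in hosts)
    top, n = counts.most_common(1)[0]
    share = n / len(hosts)
    base = baseline.get(top)  # None when no population figure is known
    return {
        "top_version": top,
        "share": share,
        "lift": share / base if base else None,  # over-representation factor
        "version_entropy_bits": shannon_entropy(v for v, _ in hosts),
    }

def is_homogeneous_fleet(report, min_share=0.9, min_lift=50):
    """Assumed thresholds: one version dominates AND is rare in the population."""
    return (report["share"] >= min_share
            and report["lift"] is not None
            and report["lift"] >= min_lift)

if __name__ == "__main__":
    for name, hosts in (("suspect", SUSPECT_HOSTS), ("open pool", OPEN_POOL_HOSTS)):
        report = concentration_report(hosts, BASELINE_SHARE)
        print(name, report, "flagged:", is_homogeneous_fleet(report))
```

A flag from this check is a reason to look closer, in the same way the article treats the finding as inconclusive on its own.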
We are concerned about what we have uncovered about the Pomegranate network. There has been a lot of debate behind the scenes on whether or not this information should be made public, but we feel the Gridcoin community has a right to know. Pomegranate's Slack account was given ample opportunity to comment and chose not to.