RubyGems Navigation menu


Back to blog posts

The Implications of Crypto Rewards on

Recently, at, we’ve encountered an unusual surge of empty packages, triggering an investigation by our team. This influx of pointless gems, referencing one of the reasonably popular packages, hinted at an attempt to manipulate the protocol. As with any potentially risky incident, we delved deeper into the motives and mechanics behind these submissions. This short article contains our investigation, the conclusions we’ve reached, and how, theoretically, individuals looking to abuse the system can distort the idea of rewarding OSS contributions. Trigger

The cryptocurrency creators claim that it came to life to enhance the sustainability of open-source software by rewarding projects based on their influence in the software ecosystem. It claims to utilize a ‘Proof of Contribution’ system, inspired by Google’s PageRank, to measure the impact of various OSS packages.

The Unintended Consequences

However, good intentions often come with challenges. At, we began noticing a strange trend: the proliferation of empty gems. These gems weren’t harmful per se but were peculiar in their consistent reference to a mildly popular OSS package.

Investigating the Anomalies

As with any deviation in the ecosystem, we began an investigation. We considered multiple scenarios:

  • A spam attack to overwhelm our system.
  • A cover for malicious activities.
  • A scheme to manipulate ranking system.

What struck us was that many of these gems were published under account with otherwise legitimate packages.

Digging deeper, we discovered that these accounts linked to a gem with over 100,000 downloads, which had its GitHub source changed after six years to include a tea.yaml file. This was a moment in our investigation that suggested the activities were aimed at exploiting the protocol rather than harming our ecosystem.

Addressing the Issue

This realization led us to tighten our gem publishing limitations and increase monitoring for non-malicious but unexpected user behaviors. During the cleanup, we had minor, temporary delays in gem index updates. We also took strict action against accounts solely created for spamming, ensuring they didn’t disrupt the community further.

Conclusion and Appeal

While rewarding open-source contributions may seem noble, it can lead to unintended consequences, affecting and other platforms, as detailed by this article. At, we’ve encountered exploitation attempts that divert our resources and undermine trust and collaboration within our community. We remain committed to maintaining the integrity of and supporting the broader open-source community, urging others to refrain from exploitative practices like the one described in this incident report. The team takes these incidents seriously and accounts found violating terms or abusing the service will be blocked and ownership access revoked.

Maciej Mensfeld