Delegate Call Exploit

Posted in #exploit, 7 years ago (edited)


DelegateCall is one of the first dApps to be built on its own dAppChain (Loom Network), and it functions similarly to Steemit.

It is essentially a decentralized version of StackOverflow: users earn Karma with every upvote they receive, and Karma pays dividends in DelegateCall Token, an ERC-20 token that is currently worthless.

However, there are a few major flaws in their implementation that make it easier to exploit than Steemit:

  1. No CAPTCHA or SMS verification
  2. Email aliases are accepted (appending +something to an email address yields a new "unique" email)
  3. No email verification (you can create accounts under emails that don't exist or that you don't own)

Basically, all this put together means it is ripe ground for bots and vote manipulation.

I wrote a quick Python script using Selenium that endlessly creates new accounts then uses them to upvote all of a user's questions and answers. My account has accumulated over 13,000 karma in an hour or two. I've never seen a user with more than 3,000, besides one other user who used my script. Here's a short video I made that shows an older version of it.

In its current state, the script can break the platform by filling the front page with spam.

By implementing multiprocessing and optimizing the time.sleep() calls, the script could grow even more wicked.

This is part PSA and part warning to developers building social networks on the blockchain about how easy it can be to break a platform that lacks sufficient safeguards against botting. For example, Steemit has a waiting period after account creation and also requires unique SMS verification for each account.
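To show what the three missing safeguards and the Steemit-style countermeasures look like in code, here is an added example that is not DelegateCall's or Loom Network's code. It models a signup and vote gate that canonicalizes "+" aliases so they map back to one mailbox, refuses to count votes until the email is confirmed, requires a phone number that no other account has verified, and enforces a minimum account age. The thresholds, the gmail dot-folding rule, and all sample inputs are constructed assumptions for illustration.

```python
"""Signup/vote gate closing the gaps listed above (illustrative example, not
DelegateCall's code). Thresholds, provider rules and sample data are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

MIN_ACCOUNT_AGE = timedelta(days=7)      # assumed waiting period before votes count
MAX_SIGNUPS_PER_IP_PER_HOUR = 3          # assumed signup velocity limit per source address
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}   # assumption: dots ignored here


def canonical_email(email: str) -> str:
    """Map alias variants of one mailbox onto a single key.
    'User+tag@Example.com' -> 'user@example.com'; dots in the local part are
    dropped only for the dot-insensitive providers assumed above."""
    email = email.strip().lower()
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        raise ValueError(f"malformed email: {email!r}")
    local = local.split("+", 1)[0]             # strip the '+something' alias
    if domain in DOT_INSENSITIVE_DOMAINS:
        local, domain = local.replace(".", ""), "gmail.com"
    return f"{local}@{domain}"


@dataclass
class Account:
    email: str                 # canonical form
    created: datetime
    email_verified: bool = False
    phone: Optional[str] = None
    phone_verified: bool = False


@dataclass
class Registry:
    accounts: Dict[str, Account] = field(default_factory=dict)      # keyed by canonical email
    phones: Set[str] = field(default_factory=set)                   # phones already bound to an account
    signups_by_ip: Dict[str, List[datetime]] = field(default_factory=dict)

    def signup(self, email: str, ip: str, now: datetime) -> str:
        key = canonical_email(email)
        if key in self.accounts:
            return "rejected: alias of existing mailbox"
        recent = [t for t in self.signups_by_ip.get(ip, []) if now - t < timedelta(hours=1)]
        if len(recent) >= MAX_SIGNUPS_PER_IP_PER_HOUR:
            return "rejected: signup velocity"
        recent.append(now)
        self.signups_by_ip[ip] = recent
        self.accounts[key] = Account(email=key, created=now)
        return "created (email verification pending)"

    def confirm_email(self, email: str) -> None:
        """Called only after the user clicks a link sent to that mailbox."""
        self.accounts[canonical_email(email)].email_verified = True

    def verify_phone(self, email: str, phone: str) -> bool:
        """Bind a phone to the account; one number can back only one account."""
        if phone in self.phones:
            return False
        acct = self.accounts[canonical_email(email)]
        acct.phone, acct.phone_verified = phone, True
        self.phones.add(phone)
        return True


def vote_counts(acct: Account, now: datetime) -> bool:
    """An upvote only changes Karma when the voter is verified and aged."""
    return acct.email_verified and acct.phone_verified and now - acct.created >= MIN_ACCOUNT_AGE


def demo() -> list:
    """Walk the gate through the post's scenario: one mailbox with '+' aliases,
    a burst of signups from one address, and a fresh account trying to vote."""
    reg = Registry()
    t0 = datetime(2018, 7, 1, 12, 0)               # constructed timestamp
    ip = "198.51.100.7"                            # constructed source address
    out = [reg.signup("Alice+a@example.com", ip, t0),
           reg.signup("alice+b@example.com", ip, t0)]           # same mailbox -> rejected
    for i in range(4):                                          # distinct mailboxes, same IP
        out.append(reg.signup(f"bot{i}@example.net", ip, t0 + timedelta(minutes=i)))
    reg.confirm_email("alice+a@example.com")
    out.append(reg.verify_phone("alice@example.com", "+15550100"))   # first use of number
    out.append(reg.verify_phone("bot0@example.net", "+15550100"))    # reuse -> rejected
    alice = reg.accounts["alice@example.com"]
    out.append(vote_counts(alice, t0 + timedelta(hours=1)))          # too young
    out.append(vote_counts(alice, t0 + timedelta(days=8)))           # aged and verified
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The registry keys on the canonical address, so `alice+a`, `alice+b` and `ALICE` all collide with one record, and the velocity limit is what stops a loop like the one described in the post from creating hundreds of accounts from a single machine; a script that switches addresses still has to wait out the account age before any of its votes move Karma.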

I already contacted Loom Network support, but they have been really unresponsive on my past issues with DelegateCall Tokens disappearing, so I hope someone from Loom can find this.

Update: It has been patched by Loom Network.
