Delegate Call Exploit

DelegateCall is one of the first dApps to be built on its own dAppChain (Loom Network), and it functions similarly to Steemit.

It is essentially a decentralized version of StackOverflow, and users get Karma will every upvote they receive, which pays dividends in a currently worthless DelegateCall Token, an ERC-20 token.

However, there are a few major flaws with their implementation that makes it easier to exploit than Steemit.

1. No Captcha, SMS Verification
2. Allows email aliases (adding a +something to the end of an email to generate a new "unique" email)
3. No email verification (you can create accounts under emails that don't exist or you don't own)

Basically, all this put together means it is ripe ground for bots and vote manipulation.

I wrote a quick Python script using Selenium that endlessly creates new accounts then uses them to upvote all of a user's questions and answers. My account has accumulated over 13,000 karma in an hour or two. I've never seen a user with more than 3,000, besides one other user who used my script. Here's a short video I made that shows an older version of it.

In its current state, the script can break the platform by filling the front page with spam.

By implementing multiprocessing and optimizing the time.sleep() calls, the script could grow even more wicked.

This is a part PSA, and also part warning to developers who develop social networks on the blockchain about how easy it can be to break a platform if it doesn't have sufficient safeguards against botting. For example, Steemit has a waiting period after creating an account and also required unique SMS verification for each account.

I already contacted Loom Network support, but they have been really unresponsive on my past issues with DelegateCalls Tokens disappearing, so I hope someone from Loom can find this.

Update: It has been patched by Loom Network.