Sort:  

Not unforeseen. These types of vulnerabilities are well-known for years, and I've personally advised people building games about them.

The developers of this game are either incompetent or knew about the vulnerability but built the game that way anyway so they themselves could "hack" it using a sock puppet. I'm making no claim as to which.

@raycoms and I talked a lot about theoretical ways to crack such randomness and how to design it in a way that is not deterministic for the witness that signs the block.

But I didn't think someone would actually do it.

But I didn't think someone would actually do it.

Upon investigation it seems that it was super easy to hack, you didn't even have to collude with a witness. Basically if you craft the right transaction it just works.

And that is really easy, so I can actually imagine a lot of people doing that. Would probably take someone 30 minutes to code it up.

I really don't pity the devs here, if they use the tx in isolation as the randgen seed then they are as incompetent as can be 🤷‍♂️ that is like hiding passwords in the client application 😂

I didn't think that someone would modify steemd to make their witness produce specially crafted blocks that alter the randgen. But seriously, transactions?

I didn't think that someone would modify steemd to make their witness produce specially crafted blocks that alter the randgen

They will if there is enough money at stake (or even if it isn't and just feel like it is worth doing for the lulz anyway) and on a global network making assumptions about what someone somewhere will be willing to do nearly always ends badly.

But I didn't think someone would actually do it.

Thanks. Now I'm speechless for the rest of the week.

I like it more like this:

The developers of this game are either incompetent or knew about the vulnerability but built the game that way anyway so they themselves could "hack" it using a sock puppet. I'm making no claim as to which.

... When provably fair isn't enough.

So a witness exploited a bug and didn't tell. What a great witness to have on the steem blockchain.
Thankfully I havn't voted for him/her as a witness otherwise it would have been revoked immediately.

He is #212, would hardly call that a witness, but a witness none the same.

Ye okay.
Still a shame tho.

Where would you draw the line? :)

Literally everyone can be a witness. All you need to do is download the and run the steemd code and vote for yourself. Your ranking will be low but you'll be a witness.

It actually turns out it had nothing to do with any witness, but doesn't really change much.

That changes nothing for me. He still exploited a bug in my opinion :D

@mys good job finding this exploit! I hope you informed the team about this so they can fix it :)

He stole 2.5k without saying anything and another user told them...
Mark even wrote that under the pics x)

He didn't "steal" anything.

So exploiting a bug isn't stealing or cheating? Oo
And he has a witness account. How is that acceptable?

Everyone has a witness account. As soon as you get a single vote (even from yourself) and wait long enough you will get to produce a block.

I dont and if I do, I have no idea how to use it :p

But I guess what you are saying is that its not hard to become a witness x)

Marky also told me he is witness nr. 212, so hardly a witness.

Bug or feature?
He did just that, what could be done.
Where is it written, that he couldn't bet in that way?

A software bug is an error, flaw, failure or fault in a computer program or system that causes it to produce an incorrect or unexpected result, or to behave in unintended ways.

Copied from wiki :)

Thats how I see it.
You might see it a different way :D

Busted! Get that hammer.

Love this movie

I've watched it hundreds of times.

Checkout Cooler and 21.

the best :D

So you could give it all back and tell them to fix their code, yes? :)

Back in the day ... Steemit fork 1,2,or 3, a similar "random" number algorythm was exploited such that an individual with 20-30 alt accounts managed to maintain 18-19 some of the top 20 witness rankings for weeks.

When @dan and @ned found it, they provided the individual with even more steem (than already amassed) to provide them with the explanation of the exploit. Congratulated the individual. They then forked to fix the hole.


@mys took advantage of a weakness in the code, but in this realm that is not a crime ... (it is being a dick though) however, I'll be curious to see what he does with the "winnings". This could quickly end his bid to ever be a top ranking witness.

If @mys returned all the winnings with a memo stating "fix the code - look at how smart I was to do what I did", he would win some respect in the eyes of many steemians.


Here's the link to one of the better explanations on that "hack"

https://steemit.com/steem/@arhag/how-supercomputing-was-able-to-dominate-the-mining-queue-and-how-the-bug-was-fixed

EDIT: I used strike through to correct what I remembered happening versus what really happened as explained in @arhag's post.

maintain 18-19 of the top 20 witness rankings for weeks

He only maintained ONE of the top 21 slots, the mining slot. The backup voted witness slot and the top 19 voted witness slots all functioned normally.

I also don't know if it is accurate that he was paid to disclose the exploit. As far as I know @arhag (one of the top witnesses at the time) figured it out on his own.

You are correct. I remembered the urban myth. I found @arhag's post after I'd replied. :-(

I have struck out my errors in memory.

Hey @mys, the cake taste guud?

Thank you for doing a service to the community.

Ouch! The house always wins but when it doesn’t man does it crash and burn epic for sure

In meat space, the house will "break" after loses are too high. They also have other fail safes to limit house losses JIC the game has some flaw or there's cheating.

Posted using Partiko Android

Busted, I hope it gets fixed soon

Posted using Partiko Android