• Breaking News

    Sunday, September 29, 2019

    Ethereum Week in Ethereum News for September 29, 2019

    Ethereum Week in Ethereum News for September 29, 2019


    Week in Ethereum News for September 29, 2019

    Posted: 29 Sep 2019 02:01 PM PDT

    Is there any way to block random airdrops to my wallet?

    Posted: 29 Sep 2019 06:57 PM PDT

    Explanation: I don't like receiving random junk tokens that I'm potentially having to pay tax on. Is there any way to let only 'whitelisted' addresses send me stuff? Or to squirrel my coins away to an address that can't be harvested by airdroppers? Any thoughts would be very welcome!

    submitted by /u/PetrosiliusVonZwacke
    [link] [comments]

    [Vulnerability Disclosure] [FairWin] Front-running in the currently most used Ethereum contract

    Posted: 28 Sep 2019 11:29 PM PDT

    Funds are at risk (well primarily funds are at risks because it's a Ponzi, but here, funds are triple at risk ^^).

    What is FairWin?

    FairWin is a Ponzi scheme using this contract. It is currently the most used contract of Ethereum (33% of TX, highest amount of daily active users and ETH volume).

    Users can make money in two ways:

    • "Invest" money in the scheme which will give a daily "dividend".
    • Give invitation codes to other people. People you invite and people invited by people you invite (and so on...) putting money give you a reward.

    Users lose money in one way (assuming the smart contract works as promised):

    • The contract runs out of funds. Since people are paid dividend and bonus, the amount of money which will be paid exceeds the user deposits. It currently only works because new people are putting more money in it. It is unsustainable and there will inevitably be a point where the contract won't be able to pay participants. People still in the scheme at this moment will lose all their money.

    It has a middle-low level of honesty (for the Ponzi world). If you read the fine prints:

    Players can withdraw eth as long as there is eth in the contract.

    If the contract balance is 0, the restart mechanism will be automatically started. When restart, all accounts will be returned to 0, but the node relationship remains unchanged, and a new round of games will be started.

    You can understand it will stop to work at some point reading those. However, most communication material is lauding the project (with a very bad English, see their website video) and does not mention that when it will stop, people will lose all their money. Communication materials even brag about "capital security" (video on the home page popup).

    The team also seems to be fake, using fake pictures and claiming their smart contract developer has 9 years of blockchain experience, that they have people from US (while their English level is terrible) and so on.

    Operator can steal the money

    Contrary to what Fairwin claims,

    FairWin will not use and can not use any player's eth.

    the operators can steal all the money from the contract. The execution of the reward, dividends and sending of awards can only be done by the operator. The operator can choose which users get rewarded. The operator can steal the funds from the contract by not executing the rewards of other users but executing the rewards of accounts they control. This way they can progressively drain the funds of the contract until the contract is empty. This would take some time and a lot of gas. Because users need to get 5 rewards before they can get their "investment" back, the operators can prevent people from withdrawing from the scheme.

    Is it made on purpose? I don't think so.

    This contract is the contract with the lowest code quality I've ever seen (and I've seen really bad contracts). There are no comments, variable names are full of typo, extra variables are used everywhere, there are entire code segments which can never be accessed, when the code encounter some some forbidden action, it does random stuff before reverting while a simple require would be needed.

    Due to Occam's razor, the simplest and most likely explanation is that it was just badly coded. However, this vulnerability could be handy to move the funds to a new contract.

    Anyone can frontrun "investments"

    When someone "invest" in the scheme, they provide an "invite code". This code can be given to other people to get rewards if they "invest" too. However, this "invite code" is also used as an way to identify the user (here and here).

    The link between the code and the user is only updated if the "invite code" has not been used before. This means if someone registered the "invite code" before you, the rewards and your money will be given to this user instead of you.

    How likely are you to use the same code has someone else? If no one attacks, not likely, but here is the catch: an attacker can see your "invite code" when your transaction is in the mempool before it gets executed and "invest" in the scheme with the same "invite code" as you. They can ensure they get included first by putting a higher gasprice. This way they will get your money and rewards. This is a frontrunning attack.

    Users (this include attackers) can withdraw their money 5 days after their "investment", provided that the contract is still solvent. For an attacker to successfully profit from the attack all those conditions must be fulfilled:

    1. The attacker transaction must be executed first. In case of multiple attackers, the attacker whose transaction get executed first will get the money of the victim and other attackers.
    2. The operator must continue to operate the scheme normally (not exit scam or censor the attacker payout).
    3. The Ponzi should still be solvent 5 days after the attack.

    Am I affected?

    Every "investor" can be affected by the team taking the money.

    Only new "investors" can be directly affected by the frontrunning issue. However, the vulnerability means that the amount of new "investors" is likely to decrease. Which increases the speed for the contract to become insolvent. Based on contribution rate, the Ponzi will become insolvent before new "investors" get their money back anyways.

    Can it be solved?

    The FairWin team can drain the contract. This would take time and gas. If they are "honest", they can then set up a new contract and continue the scheme or they can reimburse participants proportionally to what they put.

    Responsible Disclosure Rationale

    We (myself and other white hats), have disclosed the vulnerability to the FairWin team. Multiples attempts by mail and telegram (the contact mediums listed on their website) to contact them have remained without reply.

    Based on current contribution rate, the Ponzi will become insolvent in less than 5 days. Even if conditions 1. (not being front run by another attacker) and 2. (the operator should not interfere with the scheme) are likely to be fulfilled. The condition 3. (Ponzi still solvent after 5 days) is really unlikely to be fulfilled making the attack unlikely.

    Since an attacker is unlikely to benefit from the attack but people will still lose money "investing" in the scheme, disclosure of the attack is likely to decrease participation rate, thus the amount of people losing money. Disclosure of the attack can bring light on particular kind of attacks (in this case frontrunning) reducing the risks people make this mistake again. Thus, from both and harm reduction and transparency perspective, public disclosure seems appropriate.

    Clément Lesaege, Kleros CTO and auditor

    submitted by /u/clesaege
    [link] [comments]

    r/EthStaker's First AMA! Featuring Rocket Pool

    Posted: 29 Sep 2019 01:18 PM PDT

    Learning Cryptography, Part 4: Complexity Theory

    Posted: 29 Sep 2019 11:04 AM PDT

    Casper. The future.

    Posted: 29 Sep 2019 02:01 PM PDT

    How has the Ethereum 2 roadmap changed final supply estimations?

    Posted: 29 Sep 2019 02:51 PM PDT

    I've heard some speculation in various comments that elements of the Ethereum 2 roadmap have lead or could lead to a non trivial increase for the final supply of Eth (or even a permanent inflationary state with no final cap). I'm not saying that this is the case, I just want to understand what the reality of this situation is and what things will end up determining this.

    If the final quantity can be known with any degree of certainty I'd be interested to hear what those estimates are.

    submitted by /u/anm89
    [link] [comments]

    Spencer Dinwiddie Reacts to NBA Blocking his Blockchain Venture

    Posted: 29 Sep 2019 12:29 PM PDT

    Decentralization works best with free and open approach

    Posted: 29 Sep 2019 05:37 PM PDT

    People say that ProgPOW will minimize any future ASIC advantage to 1.6x max. Okay, what happens when AMAPs come into play? What then? It can do up to 8x than a GPU on ProgPOW and it is just as programmable/configurable as a GPU rig (possibly more as it can mine more than 2 coins at a time), hugely cheaper and power efficient. All that's happening here is the organic growth in POW. If people want real change, you would support the move to POS instead. Have you got your 32 ETH ready?

    submitted by /u/KoreanJesusFTW
    [link] [comments]

    What should I do with the r/eth subreddit?

    Posted: 29 Sep 2019 11:19 AM PDT

    nahmii and Liquid partner to scale on ETH and BTC with unlimited TPS

    Posted: 29 Sep 2019 04:30 PM PDT

    https://blog.liquid.com/liquid-joins-the-nahmii-foundationt

    Unlike other scaling projects, nahmii is live and ready to use today. In addition to solving the problem of throughput, nahmii also addresses issues of fee predictability, latency and finality.

    submitted by /u/wanderlustence
    [link] [comments]

    What should I do with the r/eth subreddit?

    Posted: 29 Sep 2019 02:19 PM PDT

    I'm the head moderator of r/eth and currently I'm wondering what I should do with it. What does the Ethereum community think is the best use of this sub? Should I just redirect to r/ethereum or is there a better purpose this sub could hold?

    I look at the relationship with r/btc and r/bitcoin, were they both have a very sizeable community but they are at odds with each other. I think it's cool how Ethereum doesn't really have those same problems and wide division in its community. Instead of infighting r/eth and r/ethereum could compliment eachother in some way showing how progressive we are. In the end though I'm looking for community suggestions on what I should do with r/eth so I'd love to hear what you guys think.

    submitted by /u/2BitKing
    [link] [comments]

    I need some help getting claymore

    Posted: 29 Sep 2019 11:58 AM PDT

    I was watching a video on YouTube of how to get claymore. It said to edit the start file but it said I didn't have permission, please help

    submitted by /u/GeekoSlime
    [link] [comments]

    Brownie Turns 1.0.0!

    Posted: 28 Sep 2019 09:48 PM PDT

    Recycling plastic

    Posted: 28 Sep 2019 11:46 PM PDT

    How come that there's no application offering to track the recycling of plastic? It's such a huge topic at the moment and would make a awesome adoption usecase. Do i miss something?

    submitted by /u/Miracolixe
    [link] [comments]

    When ETH fork?

    Posted: 28 Sep 2019 03:13 PM PDT

    I think i saw somewhere that ETH was supposed to be forking in October? But i can't seem to find any info now.... Is there any ETA on when the fork will happen? (the transition to POS if i am not mistaken?)

    submitted by /u/caco3boy
    [link] [comments]

    Omise Go and plasma scalability

    Posted: 28 Sep 2019 08:14 PM PDT

    Hello Ethereum community. I was on a seperate sub and got into a discussion about scalability in regards to Omise go's plasma. I'm looking for a more technical explaination to why plasma doesn't solve all scalability issues. From my understanding it's only purpose is a L2 child chain that facilitates P2P transactions with high TPS.

    submitted by /u/gibro94
    [link] [comments]

    No comments:

    Post a Comment