Ethereum Week in Ethereum News for September 29, 2019
- Week in Ethereum News for September 29, 2019
- Is there any way to block random airdrops to my wallet?
- [Vulnerability Disclosure] [FairWin] Front-running in the currently most used Ethereum contract
- r/EthStaker's First AMA! Featuring Rocket Pool
- Learning Cryptography, Part 4: Complexity Theory
- Casper. The future.
- How has the Ethereum 2 roadmap changed final supply estimations?
- Spencer Dinwiddie Reacts to NBA Blocking his Blockchain Venture
- Decentralization works best with free and open approach
- What should I do with the r/eth subreddit?
- nahmii and Liquid partner to scale on ETH and BTC with unlimited TPS
- What should I do with the r/eth subreddit?
- I need some help getting claymore
- Brownie Turns 1.0.0!
- Recycling plastic
- When ETH fork?
- Omise Go and plasma scalability
Week in Ethereum News for September 29, 2019 Posted: 29 Sep 2019 02:01 PM PDT
Is there any way to block random airdrops to my wallet? Posted: 29 Sep 2019 06:57 PM PDT Explanation: I don't like receiving random junk tokens that I'm potentially having to pay tax on. Is there any way to let only 'whitelisted' addresses send me stuff? Or to squirrel my coins away to an address that can't be harvested by airdroppers? Any thoughts would be very welcome! [link] [comments]
[Vulnerability Disclosure] [FairWin] Front-running in the currently most used Ethereum contract Posted: 28 Sep 2019 11:29 PM PDT Funds are at risk (well, primarily funds are at risk because it's a Ponzi, but here, funds are triple at risk ^^).

What is FairWin? FairWin is a Ponzi scheme using this contract. It is currently the most used contract on Ethereum (33% of TX, highest amount of daily active users and ETH volume). Users can make money in two ways:

Users lose money in one way (assuming the smart contract works as promised):

It has a middle-low level of honesty (for the Ponzi world). If you read the fine print:

Reading those, you can understand it will stop working at some point. However, most communication material is lauding the project (in very bad English, see their website video) and does not mention that when it stops, people will lose all their money. Communication materials even brag about "capital security" (video on the home page popup). The team also seems to be fake, using fake pictures and claiming their smart contract developer has 9 years of blockchain experience, that they have people from the US (while their English level is terrible) and so on.

Operator can steal the money. Contrary to what FairWin claims, the operators can steal all the money from the contract. The execution of the reward, dividends and sending of awards can only be done by the operator. The operator can choose which users get rewarded. The operator can steal the funds from the contract by not executing the rewards of other users but executing the rewards of accounts they control. This way they can progressively drain the funds of the contract until the contract is empty. This would take some time and a lot of gas. Because users need to get 5 rewards before they can get their "investment" back, the operators can prevent people from withdrawing from the scheme.

Is it made on purpose? I don't think so. This contract has the lowest code quality I've ever seen (and I've seen really bad contracts). There are no comments, variable names are full of typos, extra variables are used everywhere, there are entire code segments which can never be accessed, and when the code encounters some forbidden action, it does random stuff before reverting where a simple require would be all that's needed. Due to Occam's razor, the simplest and most likely explanation is that it was just badly coded. However, this vulnerability could be handy to move the funds to a new contract.

Anyone can frontrun "investments". When someone "invests" in the scheme, they provide an "invite code". This code can be given to other people to get rewards if they "invest" too. However, this "invite code" is also used as a way to identify the user (here and here). The link between the code and the user is only updated if the "invite code" has not been used before. This means that if someone registered the "invite code" before you, the rewards and your money will be given to this user instead of you. How likely are you to use the same code as someone else? If no one attacks, not likely, but here is the catch: an attacker can see your "invite code" when your transaction is in the mempool before it gets executed and "invest" in the scheme with the same "invite code" as you. They can ensure they get included first by putting a higher gas price. This way they will get your money and rewards. This is a frontrunning attack. Users (this includes attackers) can withdraw their money 5 days after their "investment", provided that the contract is still solvent. For an attacker to successfully profit from the attack, all these conditions must be fulfilled:

Am I affected? Every "investor" can be affected by the team taking the money. Only new "investors" can be directly affected by the frontrunning issue. However, the vulnerability means that the number of new "investors" is likely to decrease, which increases the speed at which the contract becomes insolvent. Based on the contribution rate, the Ponzi will become insolvent before new "investors" get their money back anyway.

Can it be solved? The FairWin team can drain the contract. This would take time and gas. If they are "honest", they can then set up a new contract and continue the scheme, or they can reimburse participants proportionally to what they put in.

Responsible Disclosure Rationale. We (myself and other white hats) have disclosed the vulnerability to the FairWin team. Multiple attempts by mail and Telegram (the contact mediums listed on their website) to contact them have remained without reply. Based on the current contribution rate, the Ponzi will become insolvent in less than 5 days. Even if conditions 1 (not being front run by another attacker) and 2 (the operator should not interfere with the scheme) are likely to be fulfilled, condition 3 (Ponzi still solvent after 5 days) is really unlikely to be fulfilled, making the attack unlikely. Since an attacker is unlikely to benefit from the attack but people will still lose money "investing" in the scheme, disclosure of the attack is likely to decrease the participation rate, and thus the number of people losing money. Disclosure of the attack can also shed light on a particular kind of attack (in this case frontrunning), reducing the risk that people make this mistake again. Thus, from both a harm reduction and a transparency perspective, public disclosure seems appropriate. Clément Lesaege, Kleros CTO and auditor [link] [comments]
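A constructed Python model of the invite-code race the post above describes, added here as an example and not the author's or FairWin's code: the vulnerable "first registrant owns the code" rule beside a hardened variant where deposits always credit the sender and the referral code is a pure function of the referrer's address. All class and function names are hypothetical; the mempool and gas prices are constructed.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed, simplified model of the invite-code race described in the
# disclosure. It is not FairWin's Solidity code; all names are hypothetical.

@dataclass
class VulnerableScheme:
    """Code -> first registrant; deposits carrying that code credit the registrant."""
    code_owner: dict = field(default_factory=dict)
    balances: dict = field(default_factory=dict)

    def invest(self, sender: str, code: str, value: int) -> str:
        # The code->user link is only written if the code is unused, so an
        # earlier claimant keeps it and is credited with later deposits.
        owner = self.code_owner.setdefault(code, sender)
        self.balances[owner] = self.balances.get(owner, 0) + value
        return owner  # account credited, which may not be the sender

@dataclass
class HardenedScheme:
    """Deposits always credit the sender; the code only names a referrer."""
    balances: dict = field(default_factory=dict)
    referrer_of: dict = field(default_factory=dict)

    @staticmethod
    def invite_code(address: str) -> str:
        # Nothing to register first: the code is derived from the referrer's address.
        return hashlib.sha256(address.encode()).hexdigest()[:8]

    def invest(self, sender: str, code: str, value: int) -> str:
        self.balances[sender] = self.balances.get(sender, 0) + value
        if code:
            self.referrer_of[sender] = code
        return sender

def replay(scheme, pending):
    """Execute (sender, code, value, gas_price) txs in descending gas-price order,
    the usual miner ordering. Returns {sender: account credited}."""
    credited = {}
    for sender, code, value, _gas in sorted(pending, key=lambda t: t[3], reverse=True):
        credited[sender] = scheme.invest(sender, code, value)
    return credited

def race_scenario(scheme):
    # Constructed mempool: the victim broadcasts a deposit with a fresh code at
    # gas price 20; a mempool observer copies the code into its own tx at 50.
    pending = [("victim", "abc123", 10, 20), ("observer", "abc123", 1, 50)]
    return replay(scheme, pending)
```

Running `race_scenario` against each class shows the victim's 10 units credited to the observer in the vulnerable model and to the victim in the hardened one.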
r/EthStaker's First AMA! Featuring Rocket Pool Posted: 29 Sep 2019 01:18 PM PDT
Learning Cryptography, Part 4: Complexity Theory Posted: 29 Sep 2019 11:04 AM PDT
Casper. The future. Posted: 29 Sep 2019 02:01 PM PDT
How has the Ethereum 2 roadmap changed final supply estimations? Posted: 29 Sep 2019 02:51 PM PDT I've heard some speculation in various comments that elements of the Ethereum 2 roadmap have led or could lead to a non-trivial increase in the final supply of Eth (or even a permanent inflationary state with no final cap). I'm not saying that this is the case, I just want to understand what the reality of this situation is and what things will end up determining this. If the final quantity can be known with any degree of certainty I'd be interested to hear what those estimates are. [link] [comments]
Spencer Dinwiddie Reacts to NBA Blocking his Blockchain Venture Posted: 29 Sep 2019 12:29 PM PDT
Decentralization works best with free and open approach Posted: 29 Sep 2019 05:37 PM PDT People say that ProgPOW will minimize any future ASIC advantage to 1.6x max. Okay, what happens when AMAPs come into play? What then? It can do up to 8x more than a GPU on ProgPOW and it is just as programmable/configurable as a GPU rig (possibly more, as it can mine more than 2 coins at a time), and is hugely cheaper and more power efficient. All that's happening here is the organic growth in POW. If people want real change, they would support the move to POS instead. Have you got your 32 ETH ready? [link] [comments]
What should I do with the r/eth subreddit? Posted: 29 Sep 2019 11:19 AM PDT
nahmii and Liquid partner to scale on ETH and BTC with unlimited TPS Posted: 29 Sep 2019 04:30 PM PDT https://blog.liquid.com/liquid-joins-the-nahmii-foundationt Unlike other scaling projects, nahmii is live and ready to use today. In addition to solving the problem of throughput, nahmii also addresses issues of fee predictability, latency and finality. [link] [comments]
What should I do with the r/eth subreddit? Posted: 29 Sep 2019 02:19 PM PDT I'm the head moderator of r/eth and currently I'm wondering what I should do with it. What does the Ethereum community think is the best use of this sub? Should I just redirect to r/ethereum or is there a better purpose this sub could hold? I look at the relationship with r/btc and r/bitcoin, where they both have a very sizeable community but they are at odds with each other. I think it's cool how Ethereum doesn't really have those same problems and wide division in its community. Instead of infighting, r/eth and r/ethereum could complement each other in some way, showing how progressive we are. In the end though I'm looking for community suggestions on what I should do with r/eth, so I'd love to hear what you guys think. [link] [comments]
I need some help getting claymore Posted: 29 Sep 2019 11:58 AM PDT I was watching a video on YouTube on how to get claymore. It said to edit the start file, but it said I didn't have permission. Please help. [link] [comments]
Brownie Turns 1.0.0! Posted: 28 Sep 2019 09:48 PM PDT
Recycling plastic Posted: 28 Sep 2019 11:46 PM PDT How come there's no application offering to track the recycling of plastic? It's such a huge topic at the moment and would make an awesome adoption use case. Am I missing something? [link] [comments]
When ETH fork? Posted: 28 Sep 2019 03:13 PM PDT I think I saw somewhere that ETH was supposed to be forking in October? But I can't seem to find any info now.... Is there any ETA on when the fork will happen? (the transition to POS, if I am not mistaken?) [link] [comments]
Omise Go and plasma scalability Posted: 28 Sep 2019 08:14 PM PDT Hello Ethereum community. I was on a separate sub and got into a discussion about scalability in regards to Omise Go's plasma. I'm looking for a more technical explanation of why plasma doesn't solve all scalability issues. From my understanding its only purpose is a L2 child chain that facilitates P2P transactions with high TPS. [link] [comments]