Skip to content
This repository has been archived by the owner on Jan 22, 2023. It is now read-only.

Can be robbed empty easily DO NOT RUN THIS LIVE #17

Closed
buzztiaan opened this issue Dec 24, 2014 · 20 comments
Closed

Can be robbed empty easily DO NOT RUN THIS LIVE #17

buzztiaan opened this issue Dec 24, 2014 · 20 comments

Comments

@buzztiaan
Copy link

:(

sucks big time ...

Seems the check for 'enough balance' doesnt happen early enough or well enough.
Users can tip 'all their coins' to another user a couple times before it comes back with 'but you only have -128976319827'
Then they do it back and forth and back until they have -all- the coins from the wallet.

VERY UNSECURE, DONT RUN THIS BOT LIVE!!!! VERY UNSECURE, DONT RUN THIS BOT LIVE!!!! VERY UNSECURE, DONT RUN THIS BOT LIVE!!!! VERY UNSECURE, DONT RUN THIS BOT LIVE!!!! VERY UNSECURE, DONT RUN THIS BOT LIVE!!!! VERY UNSECURE, DONT RUN THIS BOT LIVE!!!! VERY UNSECURE, DONT RUN THIS BOT LIVE!!!! VERY UNSECURE, DONT RUN THIS BOT LIVE!!!! VERY UNSECURE, DONT RUN THIS BOT LIVE!!!!
@buzztiaan buzztiaan changed the title Can be robbed empty easily Can be robbed empty easily DO NOT RUN THIS LIVE Dec 24, 2014
@buzztiaan
Copy link
Author

FYI, most bots running with this code (and its forks) have already been robbed

@dobbscoin
Copy link

Although I run a npattern fork, this exploit was valid.

[04:09] <+s17> .balance
[04:09] s17 has 561.48111106 BOB (unconfirmed: 0 BOB)
[04:09] <+s17> .tip btcbob 561
[04:09] <+s17> .tip btcbob 561
[04:09] <+s17> .tip btcbob 561
[04:10] s17 tipped btcbob 561 BOB!
[04:10] s17 tipped btcbob 561 BOB!
[04:10] s17 tipped btcbob 561 BOB!
[04:10] <+s17> lol
[04:10] <+s17> .balance
[04:10] s17 has -1121.51888894 BOB (unconfirmed: 0 BOB)
[04:10] <+s17> .tip btcbob 561
[04:10] Sorry s17, you dont have enough funds (you are 1682.51888894 BOB short)

@dobbscoin
Copy link

Haven't put it to the test myself with dummy users, but am about to play around and see what happens to confirm it for myself. Will post experiences.

@dobbscoin
Copy link

[11:14] <+BtcBob> .balance
[11:14] btcbob has 4278.92795528 BOB
[11:17] .balance
[11:17] endciv has 143.66666668 BOB
[11:17] .tip BtcBob 143.66666668
[11:17] .tip BtcBob 143.66666668
[11:17] .tip BtcBob 143.66666668
[11:17] endciv tipped BtcBob 143.66666668 BOB!
[11:17] endciv tipped BtcBob 143.66666668 BOB!
[11:17] endciv tipped BtcBob 143.66666668 BOB!
[11:17] .tip BtcBob 143.66666668
[11:17] .tip BtcBob 143.66666668
[11:17] .tip BtcBob 143.66666668
[11:17] .tip BtcBob 143.66666668
[11:17] Sorry endciv, you dont have enough funds (you are 431.00000004 BOB short)
** REPEATED A FEW TIMES
[11:18] <+BtcBob> .balance
[11:18] btcbob has 4709.92795532 BOB

So endciv had 143.66666668 BOBz, and was able to spend it two more times than he had before the balance checker kicked in and denied him. Yeap, I got two extra tips before it caught on.. from a user who tipped his full balance the first time and two that he didn't have available the other two tips.

@DarthJahus
Copy link

Reproduced:

unek-cointip-flaw

@justinvforvendetta
Copy link

at least the dogecoindark bot went offline before it was robbed.

lets think about delaying the rpc send or something. a delay somewhere should do the trick. ill be playing around.

unek added a commit that referenced this issue Dec 25, 2014
@unek
untested fix to #17
9f0d64e
@unek
Copy link
Owner

unek commented Dec 25, 2014

I have pushed an untested fix. Could someone see if it works correctly?

It should lock user's ability to tip/rain until a response from the RPC move is received.

@justinvforvendetta
Copy link

/tipbot/bin/tipbot.js:222
(locks.hasOwnProperty(from.toLowerCase() && locks[from.toLowerCase()]) return;
------------------------------------------------------------------------------------------------^^^^^^
SyntaxError: Unexpected token return
at Module._compile (module.js:439:25)
at Object.Module._extensions..js (module.js:474:10)
at Module.load (module.js:356:32)
at Function.Module._load (module.js:312:12)
at Function.Module.runMain (module.js:497:10)
at startup (node.js:119:16)
at node.js:902:3

it had a problem with return.

@mudjello
Copy link

[61004a4] works for me

<upgradeadvice> !balance
<MUETipBot> upgradeadvice has 280 MUE (unconfirmed: 0 MUE)
<upgradeadvice> !tip wtf0909 280
<upgradeadvice> !tip wtf0909 280
<upgradeadvice> !tip wtf0909 280
<upgradeadvice> !tip wtf0909 280
<MUETipBot> upgradeadvice tipped wtf0909 280 MUE! "/msg MUETipBot commands" to claim.
<upgradeadvice> !tip wtf0909 280
<MUETipBot> Sorry upgradeadvice, you dont have enough funds (you are 280 MUE short)
<MUETipBot> Sorry upgradeadvice, you dont have enough funds (you are 280 MUE short)
<upgradeadvice> !tip wtf0909 280
<MUETipBot> Sorry upgradeadvice, you dont have enough funds (you are 280 MUE short)
<upgradeadvice> !balance
<MUETipBot> upgradeadvice has 0 MUE (unconfirmed: 0 MUE)

@justinvforvendetta
Copy link

not sure why, but now the balances arent showing up for users, but the wallet still has all the coins. any ideas?

@mudjello
Copy link

Possibly add/edit prefix under rpc in your config.

@DarthJahus
Copy link

@justinvforvendetta, did you solve the problem? I see the bot is active again on #dogecoindark.

@justinvforvendetta
Copy link

yep. like @upgradeadvice mentioned, i forgot to add the prefix. thanks @unek for gettin on top of this so quickly =]

@dobbscoin
Copy link

Installed a default TipBob yesterday before bed and tried the recent exploits without issue. Tipped my full balance three times in a flurry, and it cashed me out and stopped on queue.

[21:41] <+BtcBob> !balance
[21:41] btcbob has 1690.86478909BOB
[21:41] <+BtcBob> !tip endciv 1690.86478909
[21:41] <+BtcBob> !tip endciv 1690.86478909
[21:41] <+BtcBob> !tip endciv 1690.86478909
[21:41] BtcBob tipped endciv 1690.86478909BOB!
[21:41] Sorry BtcBob, you don't have enough funds
[21:41] <+BtcBob> !balance
[21:41] btcbob has 0BOB (unconfirmed: 0BOB)

No negative balance. Seems good to go for now. Thz unek
If you'd like to try and loot TipBob - /join #dobbscoin and have at it.
Open Invite.

@unek
Copy link
Owner

unek commented Dec 31, 2014

closed with 9f0d64e & 61004a4

@unek unek closed this as completed Dec 31, 2014
@justinvforvendetta
Copy link

thanks again @unek

@justinvforvendetta
Copy link

hey @unek im coming across the strangest problem.. suddenly, for no reason, the bot is ignoring me when i try to rain.. it shows me my balance, and lets other users rain/balance as well.. any ideas?

ok it let me tip from one of my other registered names that i have in my group. but my balance is on a name it wont let me tip or rain from, just give me balance. so odd.

@gigageek
Copy link

I too have the strangest problem where I am ignored when issuing rain/tip commands, other commands work fine and other users have no problems at all.

It is so weird.

@greenbigfrog
Copy link

I also had the issue you are explaining... Just ask the Owner of the Bot to restart the bot. It worked for me...

@gigageek
Copy link

It seems to be related to when the bot is started. If I rain (with active filter enabled:3600sec) without any users active since bot come alive then bot will ignore my requests until it is reboot. Presumable cause is active tip/rain command went zombie; should have error message and cleanup.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@mudjello @buzztiaan @unek @gigageek @greenbigfrog @dobbscoin @DarthJahus @justinvforvendetta