DUO Guest Author @bulliontools with A loophole

duo-curator in #hive-177682 • 16 days ago

Welcome to a DUO guest author post by @bulliontools

If you are interested in being a guest author be sure to let us know, 50% profit share on the post and 5 DUO tokens are up for grabs! Since bulliontools is a founder of DUO, all of the payout for this post will be paid to the DUO curators account. Ten percent will be powered up and the rest will be paid to DUO stakers as dividends.

More info and rules about the guest author spot here

_{This post is written by a guest author. The views and opinions expressed in this article are those of the author and do not necessarily reflect the views or opinions of the DUO team. The DUO team check the guest author posts with ai and plagiarism detection tools}

Imagine you get a knock at the door, but like most people you don't answer. You assume it's a solicitor, so you stay quiet and wait for them to give up and leave. Out of curiosity, you check the door and nobody is there, but there's a package on your doorstep. You open the door and pick it up. You weren't expecting a package, so you look at the label. It has someone else's name on it. The address is similar to yours, but it's slightly off.

In this scenario, most would return the package since it doesn't belong to them. A small percentage of people, however, would steal the package and keep it for themselves. What if I told you something very similar to this was happening on Hive-Engine because of a loophole that needs to be fixed?

It's true! @hivedash4l ran a tattoo contest on Hive. @fonestreet won, and was asked to make some modifications to their entries after the fact. They were to be compensated in SWAP.HBD for the work. The funds were being sent to @hivedash4l by another user, who accidentally spelled the username as "hivedash4" which didn't exist until recently.

There is at least one immoral Hive user stealing people's Hive-Engine tokens: xnitro. How is this happening? I'll explain.

Normally, when you send Hive-Engine tokens from one user to another, they go through without issue unless the servers are experiencing an issue. If you slightly misspel a username when sending Hive-Engine tokens, then they don't make it where they should go. If the username you misspelled exists, that person gets them instead.

If the username you misspelled doesn't exist, then you can create that username on Hive, log into Hive-Engine and claim the tokens. Unless the person who sends them to this wrong address realizes it and creates the account, they remain in "limbo" until claimed. What xnitro does is scan for these transactions where usernames don't exist, creates the account and steals the tokens.

What many of us wouldn't exploit because it's immoral and illegal, xnitro (and likely others as well) don't hesitate to abuse. This really shouldn't be something I'm having to write about, because on any other platform a loophole like this wouldn't exist. Hive-Engine should instead return an error that a misspelled username does not exist and reject the transaction.

As you can see from xnitro's list of transactions, he does this fairly often.

It's theft because of a design flaw in Hive-Engine that shouldn't exist.

It's been brought to our attention here, so we're looking into starting a petition to have Hive-Engine fix this issue. We're also open to other ideas. We can't right every wrong, but we can certainly push to make it harder for immoral people to cheat others on Hive!

You can trade DUO with the links bellow
https://tribaldex.com/trade/DUO
https://hive-engine.com/trade/DUO

HOC/DUO discord link

Link to the DUO white paper here

If you no longer want to be tagged in the guest author posts please just let us know and we will remove you. Thanks!

@itharagaian @wearelegion @oahb132 @borniet @servelle @juanvegetarian @sudeon @thebighigg @bulliontools @bitcoinman @crazyphantombr @dbooster @freecompliments @caspermoeller89 @trumpman @tokenpimp @enginewitty @bradleyarrow @daveks @trautenberk @melinda010100 @shiftrox @tengolotodo @ironshield @esmeesmith @davedickeyyall @youloseagain @gwajnberg @adamada @cwow2 @flemingfarm @elevator09 @imagenius.dac @thewobs94 @misterc @postapopgamer @justclickindiva @godfish @eolianpariah2 @rainbowdash4l @sylmarill @scoutroc @costanza @hiveph

#ecency #pimp #hoc #duo #pob #hive-engine #waiv #slothbuzz #cent

16 days ago in #hive-177682 by duo-curator

4.17 VYB

Sort:

Trending

[-]

dookbank 16 days ago

!hiqvote

0.00 VYB

2 votes

[-]

chaosmagic23 16 days ago

!BBH !hiqvote

0.04 VYB

4 votes

[-]

bbhbot 15 days ago

@duo-curator! @chaosmagic23 likes your content! so I just sent 1 BBH to your account on behalf of @chaosmagic23. _(3/50)

(html comment removed: )

0.00 VYB

[-]

amiegeoffrey 16 days ago

0.05 VYB

2 votes

[-]

hiq.smartbot 16 days ago

@dookbank, the HiQ Smart Bot has recognized your request (1/4) and will start the voting trail.

In addition, @duo-curator gets !PIZZA from @hiq.redaktion.

_{For further questions, check out https://hiq-hive.com or join our Discord. And don't forget to vote HiQs fucking Witness! 😻}

0.00 VYB

[-]

pizzabot 16 days ago

PIZZA!

$PIZZA slices delivered:
@hiq.smartbot_(1/5) tipped @duo-curator

0.00 VYB

[-]

hivebuzz 16 days ago

Congratulations @duo-curator! You have completed the following achievement on the Hive blockchain And have been rewarded with New badge(s)

You have been a buzzy bee and published a post every day of the week.

_{You can view your badges on your board and compare yourself to others in the Ranking}
_{If you no longer want to receive notifications, reply to this comment with the word STOP}

Check out our last posts:

	Hive Power Up Month Challenge - November 2024 Winners List
	Hive Power Up Day - December 1st 2024

0.00 VYB

[-]

rainbowdash4l 16 days ago

Yeah this loophole sucks and is sowhat the worse possible design on this subject and I would support any petition change it.

The alternatives I would support for chances to the blockchain

A: true blockchain => funds are gone/ lost for ever. Meaning if they are transferred to non existing account, creating the account after the account received funds would burn any tokens.
B: transaction is rejected and bounces back.

Ideally option B, but I would understand A aswell.

Next to changes in the chain, I feel hive-engine and any other dapp could help users that are about transfer to a non existing account with:

A: warning message
B: refuse to accept it.

Again, I would prefer B but would understand A.

!DUO

0.15 VYB

3 votes

[-]

fonestreet 15 days ago

The most logic ones, now is time to apply this.

!DOOK

0.06 VYB

1 vote

[-]

dookbot 10 days ago

^{You just got DOOKed!}
^{@fonestreet thinks your content is the shit.}
^{They have 3/200 DOOK left to drop today.}

^{Learn all about this shit in the toilet paper! 💩}

0.00 VYB

[-]

duo-tip 16 days ago

^{You just got DUO from @rainbowdash4l.}
^{They have 1/2 DUO calls left.}

^{Learn all about DUO here.}

0.00 VYB

[-]

fonestreet 16 days ago

Man at the start of this post i was thinking "If they know the address i can't keep the package, that won't end good" then BOOM THE TRUE! This couldnt be more explícit and clean man, i was really angry about all this because even in the most simple transfer on ANY BANK OR WEBSITE if u miss a number, code or letter on the address the transaction just don't go out...

...but here on the secure of @key-defender & @hive-keychain if the user don't exist it go out to the limbo untill acc exist.

The people on the @hivewatchers @ecency @threespeak @neoxian and the whole dev team should know and maybe do something about this limbo transfers.

Thanks to @bulliontools for making this post!!

0.07 VYB

2 votes

[-]

bbhbot 15 days ago

@fonestreet! @bulliontools likes your content! so I just sent 1 BBH to your account on behalf of @bulliontools. _(1/20)

(html comment removed: )

0.00 VYB

[-]

bulliontools 16 days ago

I'm sorry this happened to you and others.

I would hope it's an easy fix and the developers at Hive-Engine are willing to implement it.

!BBH
!DUO
!ALIVE
!PIMP

0.05 VYB

1 vote

[-]

duo-tip 16 days ago

^{You just got DUO from @bulliontools.}
^{They have 1/1 DUO calls left.}

^{Learn all about DUO here.}

0.00 VYB

[-]

hivewatchers 15 days ago

Hi,
It is one of the known hackers.
The group was blacklisted 3 years ago.

You can browse the blacklist here:
https://hivewatchers.io/blacklist-search

0.00 VYB

13 votes

[-]

fonestreet 15 days ago

Oh! Well is good to know u guys already know about, thanks for the reply. 💪🏻⚡

!DOOK !LUV !ALIVE

0.06 VYB

2 votes

[-]

hivewatchers 15 days ago

If you need the whole list in txt file, please let me know. 97 accounts.

0.00 VYB

16 votes

[-]

dookbot 9 days ago

^{You just got DOOKed!}
^{@fonestreet thinks your content is the shit.}
^{They have 4/200 DOOK left to drop today.}

^{Learn all about this shit in the toilet paper! 💩}

0.00 VYB

[-]

ironshield 15 days ago

Unless the person who sends them to this wrong address realizes it and creates the account, they remain in "limbo" until claimed.

Thank you for bringing this to my attention, I didn't realize this is how it worked. Seems strange that the tokens would just "float" there until an account was created to complete the transaction, the tokens really should be returned. Seems more like a design flaw than a loop-hole, although this design flaw is being EXPLOITED to collect ill-earned (stolen) gains.

I would support any petition to fix this. !DUO

0.07 VYB

2 votes

[-]

duo-tip 15 days ago

^{You just got DUO from @ironshield.}
^{They have 1/1 DUO calls left.}

^{Learn all about DUO here.}

0.00 VYB

[-]

crazyphantombr 15 days ago

sad people!

0.05 VYB

2 votes