DUO Guest Author @bulliontools with A loophole
Welcome to a DUO guest author post by @bulliontools
If you are interested in being a guest author be sure to let us know, 50% profit share on the post and 5 DUO tokens are up for grabs! Since bulliontools is a founder of DUO, all of the payout for this post will be paid to the DUO curators account. Ten percent will be powered up and the rest will be paid to DUO stakers as dividends.
More info and rules about the guest author spot here
This post is written by a guest author. The views and opinions expressed in this article are those of the author and do not necessarily reflect the views or opinions of the DUO team. The DUO team check the guest author posts with ai and plagiarism detection tools
Imagine you get a knock at the door, but like most people you don't answer. You assume it's a solicitor, so you stay quiet and wait for them to give up and leave. Out of curiosity, you check the door and nobody is there, but there's a package on your doorstep. You open the door and pick it up. You weren't expecting a package, so you look at the label. It has someone else's name on it. The address is similar to yours, but it's slightly off.
In this scenario, most would return the package since it doesn't belong to them. A small percentage of people, however, would steal the package and keep it for themselves. What if I told you something very similar to this was happening on Hive-Engine because of a loophole that needs to be fixed?
It's true! @hivedash4l ran a tattoo contest on Hive. @fonestreet won, and was asked to make some modifications to their entries after the fact. They were to be compensated in SWAP.HBD for the work. The funds were being sent to @hivedash4l by another user, who accidentally spelled the username as "hivedash4" which didn't exist until recently.
There is at least one immoral Hive user stealing people's Hive-Engine tokens: xnitro. How is this happening? I'll explain.
Normally, when you send Hive-Engine tokens from one user to another, they go through without issue unless the servers are experiencing an issue. If you slightly misspel a username when sending Hive-Engine tokens, then they don't make it where they should go. If the username you misspelled exists, that person gets them instead.
If the username you misspelled doesn't exist, then you can create that username on Hive, log into Hive-Engine and claim the tokens. Unless the person who sends them to this wrong address realizes it and creates the account, they remain in "limbo" until claimed. What xnitro does is scan for these transactions where usernames don't exist, creates the account and steals the tokens.
What many of us wouldn't exploit because it's immoral and illegal, xnitro (and likely others as well) don't hesitate to abuse. This really shouldn't be something I'm having to write about, because on any other platform a loophole like this wouldn't exist. Hive-Engine should instead return an error that a misspelled username does not exist and reject the transaction.
As you can see from xnitro's list of transactions, he does this fairly often.
It's theft because of a design flaw in Hive-Engine that shouldn't exist.
It's been brought to our attention here, so we're looking into starting a petition to have Hive-Engine fix this issue. We're also open to other ideas. We can't right every wrong, but we can certainly push to make it harder for immoral people to cheat others on Hive!
You can trade DUO with the links bellow
https://tribaldex.com/trade/DUO
https://hive-engine.com/trade/DUO
Link to the DUO white paper here
If you no longer want to be tagged in the guest author posts please just let us know and we will remove you. Thanks!
@itharagaian @wearelegion @oahb132 @borniet @servelle @juanvegetarian @sudeon @thebighigg @bulliontools @bitcoinman @crazyphantombr @dbooster @freecompliments @caspermoeller89 @trumpman @tokenpimp @enginewitty @bradleyarrow @daveks @trautenberk @melinda010100 @shiftrox @tengolotodo @ironshield @esmeesmith @davedickeyyall @youloseagain @gwajnberg @adamada @cwow2 @flemingfarm @elevator09 @imagenius.dac @thewobs94 @misterc @postapopgamer @justclickindiva @godfish @eolianpariah2 @rainbowdash4l @sylmarill @scoutroc @costanza @hiveph
!hiqvote
@dookbank, the HiQ Smart Bot has recognized your request (1/4) and will start the voting trail.
In addition, @duo-curator gets !PIZZA from @hiq.redaktion.
For further questions, check out https://hiq-hive.com or join our Discord. And don't forget to vote HiQs fucking Witness! 😻
$PIZZA slices delivered:
@hiq.smartbot(1/5) tipped @duo-curator
!BBH !hiqvote
Congratulations @duo-curator! You have completed the following achievement on the Hive blockchain And have been rewarded with New badge(s)
You can view your badges on your board and compare yourself to others in the Ranking
If you no longer want to receive notifications, reply to this comment with the word
STOP
Check out our last posts:
Man at the start of this post i was thinking "If they know the address i can't keep the package, that won't end good" then BOOM THE TRUE! This couldnt be more explícit and clean man, i was really angry about all this because even in the most simple transfer on ANY BANK OR WEBSITE if u miss a number, code or letter on the address the transaction just don't go out...
...but here on the secure of @key-defender & @hive-keychain if the user don't exist it go out to the limbo untill acc exist.
Thanks to @bulliontools for making this post!!
I'm sorry this happened to you and others.
I would hope it's an easy fix and the developers at Hive-Engine are willing to implement it.
!BBH
!DUO
!ALIVE
!PIMP
You just got DUO from @bulliontools.
They have 1/1 DUO calls left.
Learn all about DUO here.
Hi,
It is one of the known hackers.
The group was blacklisted 3 years ago.
You can browse the blacklist here:
https://hivewatchers.io/blacklist-search
Oh! Well is good to know u guys already know about, thanks for the reply. 💪🏻⚡
!DOOK !LUV !ALIVE
If you need the whole list in txt file, please let me know. 97 accounts.
You just got DOOKed!
@fonestreet thinks your content is the shit.
They have 4/200 DOOK left to drop today.
Learn all about this shit in the toilet paper! 💩
@fonestreet! @bulliontools likes your content! so I just sent 1 BBH to your account on behalf of @bulliontools. (1/20)
(html comment removed: )
Yeah this loophole sucks and is sowhat the worse possible design on this subject and I would support any petition change it.
The alternatives I would support for chances to the blockchain
A: true blockchain => funds are gone/ lost for ever. Meaning if they are transferred to non existing account, creating the account after the account received funds would burn any tokens.
B: transaction is rejected and bounces back.
Ideally option B, but I would understand A aswell.
Next to changes in the chain, I feel hive-engine and any other dapp could help users that are about transfer to a non existing account with:
A: warning message
B: refuse to accept it.
Again, I would prefer B but would understand A.
!DUO
You just got DUO from @rainbowdash4l.
They have 1/2 DUO calls left.
Learn all about DUO here.
The most logic ones, now is time to apply this.
!DOOK
You just got DOOKed!
@fonestreet thinks your content is the shit.
They have 3/200 DOOK left to drop today.
Learn all about this shit in the toilet paper! 💩
Thank you for bringing this to my attention, I didn't realize this is how it worked. Seems strange that the tokens would just "float" there until an account was created to complete the transaction, the tokens really should be returned. Seems more like a design flaw than a loop-hole, although this design flaw is being EXPLOITED to collect ill-earned (stolen) gains.
I would support any petition to fix this. !DUO
You just got DUO from @ironshield.
They have 1/1 DUO calls left.
Learn all about DUO here.
sad people!
@duo-curator! @chaosmagic23 likes your content! so I just sent 1 BBH to your account on behalf of @chaosmagic23. (3/50)
(html comment removed: )