DUO Guest Author @bulliontools with A loophole

Welcome to a DUO guest author post by @bulliontools

If you are interested in being a guest author be sure to let us know, 50% profit share on the post and 5 DUO tokens are up for grabs! Since bulliontools is a founder of DUO, all of the payout for this post will be paid to the DUO curators account. Ten percent will be powered up and the rest will be paid to DUO stakers as dividends.

More info and rules about the guest author spot here

This post is written by a guest author. The views and opinions expressed in this article are those of the author and do not necessarily reflect the views or opinions of the DUO team. The DUO team checks guest author posts with AI and plagiarism detection tools.


Imagine you get a knock at the door, but like most people you don't answer. You assume it's a solicitor, so you stay quiet and wait for them to give up and leave. Out of curiosity, you check the door and nobody is there, but there's a package on your doorstep. You open the door and pick it up. You weren't expecting a package, so you look at the label. It has someone else's name on it. The address is similar to yours, but it's slightly off.

In this scenario, most would return the package since it doesn't belong to them. A small percentage of people, however, would steal the package and keep it for themselves. What if I told you something very similar to this was happening on Hive-Engine because of a loophole that needs to be fixed?

It's true! @hivedash4l ran a tattoo contest on Hive. @fonestreet won, and was asked to make some modifications to their entries after the fact. They were to be compensated in SWAP.HBD for the work. The funds were being sent to @hivedash4l by another user, who accidentally spelled the username as "hivedash4", which didn't exist until recently.

There is at least one immoral Hive user stealing people's Hive-Engine tokens: xnitro. How is this happening? I'll explain.

Normally, when you send Hive-Engine tokens from one user to another, they go through without issue unless the servers are experiencing a problem. If you slightly misspell a username when sending Hive-Engine tokens, they don't arrive where they should. If the username you misspelled exists, that person gets them instead.

If the username you misspelled doesn't exist, then you can create that username on Hive, log into Hive-Engine and claim the tokens. Unless the person who sent them to the wrong address realizes it and creates the account, they remain in "limbo" until claimed. What xnitro does is scan for these transactions where the username doesn't exist, create the account and steal the tokens.

What many of us wouldn't exploit because it's immoral and illegal, xnitro (and likely others as well) don't hesitate to abuse. This really shouldn't be something I'm having to write about, because on any other platform a loophole like this wouldn't exist. Hive-Engine should instead return an error that a misspelled username does not exist and reject the transaction.
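The fix proposed above (reject a transfer whose recipient does not exist), sketched as a client-side guard a wallet could run before signing. This is an added example, not Hive-Engine or DUO code: `prepareTransfer`, `knownRecipients` and the sample values are assumptions, the name-format check is a simplified rendering of Hive's account-name rules, and `accountsReply` stands for the array a Hive node returns from `condenser_api.get_accounts`.

```javascript
// accountsReply: result of condenser_api.get_accounts([[to]]); empty if the account does not exist.
// knownRecipients: hypothetical local address book of names the sender has paid before.
// All sample names and amounts used with this code are constructed for illustration.
function isValidHiveName(name) {
  if (typeof name !== "string" || name.length < 3 || name.length > 16) return false;
  // Each dot-separated segment starts with a letter, ends with a letter or digit,
  // is at least 3 characters long and has no consecutive hyphens.
  return name.split(".").every(
    (seg) => /^[a-z][a-z0-9-]+[a-z0-9]$/.test(seg) && !seg.includes("--")
  );
}

// Levenshtein distance, used to spot one-character slips such as a dropped letter.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      cur[j] = Math.min(
        prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1)
      );
    }
    prev = cur;
  }
  return prev[b.length];
}

function prepareTransfer({ to, symbol, quantity, memo = "" }, accountsReply, knownRecipients = []) {
  if (!isValidHiveName(to)) throw new Error(`"${to}" is not a valid Hive account name`);
  // Refuse instead of letting the tokens wait for whoever registers the name first.
  if (!accountsReply.some((acct) => acct.name === to)) {
    throw new Error(`account "${to}" does not exist; transfer refused`);
  }
  // The account exists, but it is new to the sender and one edit away from a known name.
  if (!knownRecipients.includes(to)) {
    const lookalikes = knownRecipients.filter((k) => editDistance(k, to) === 1);
    if (lookalikes.length) throw new Error(`"${to}" looks like ${lookalikes.join(", ")}; confirm first`);
  }
  // Hive-Engine token transfers are broadcast as a custom_json operation on Hive.
  return {
    id: "ssc-mainnet-hive",
    json: JSON.stringify({
      contractName: "tokens",
      contractAction: "transfer",
      contractPayload: { symbol, to, quantity, memo },
    }),
  };
}
```

The second check covers the other case the post describes, where the misspelled name does exist and its owner would receive the tokens.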

As you can see from xnitro's list of transactions, he does this fairly often.

It's theft because of a design flaw in Hive-Engine that shouldn't exist.

It's been brought to our attention here, so we're looking into starting a petition to have Hive-Engine fix this issue. We're also open to other ideas. We can't right every wrong, but we can certainly push to make it harder for immoral people to cheat others on Hive!


You can trade DUO with the links below:
https://tribaldex.com/trade/DUO
https://hive-engine.com/trade/DUO

HOC/DUO discord link

Link to the DUO white paper here

If you no longer want to be tagged in the guest author posts please just let us know and we will remove you. Thanks!

@itharagaian @wearelegion @oahb132 @borniet @servelle @juanvegetarian @sudeon @thebighigg @bulliontools @bitcoinman @crazyphantombr @dbooster @freecompliments @caspermoeller89 @trumpman @tokenpimp @enginewitty @bradleyarrow @daveks @trautenberk @melinda010100 @shiftrox @tengolotodo @ironshield @esmeesmith @davedickeyyall @youloseagain @gwajnberg @adamada @cwow2 @flemingfarm @elevator09 @imagenius.dac @thewobs94 @misterc @postapopgamer @justclickindiva @godfish @eolianpariah2 @rainbowdash4l @sylmarill @scoutroc @costanza @hiveph



avatar

Man, at the start of this post I was thinking "If they know the address I can't keep the package, that won't end good" then BOOM, THE TRUTH! This couldn't be more explicit and clean, man. I was really angry about all this because even in the most simple transfer on ANY BANK OR WEBSITE, if you miss a number, code or letter in the address, the transaction just doesn't go out...

...but here, on the secure of @key-defender & @hive-keychain, if the user doesn't exist it goes out to limbo until the account exists.


Thanks to @bulliontools for making this post!!

avatar

I'm sorry this happened to you and others.

I would hope it's an easy fix and the developers at Hive-Engine are willing to implement it.

!BBH
!DUO
!ALIVE
!PIMP

avatar

Hi,
It is one of the known hackers.
The group was blacklisted 3 years ago.

You can browse the blacklist here:
https://hivewatchers.io/blacklist-search

avatar

Oh! Well, it's good to know you guys already know about it, thanks for the reply. 💪🏻⚡

!DOOK !LUV !ALIVE

avatar

If you need the whole list in txt file, please let me know. 97 accounts.

avatar

Yeah, this loophole sucks and is somewhat the worst possible design on this subject, and I would support any petition to change it.

The alternatives I would support for changes to the blockchain:

A: true blockchain => funds are gone/lost forever. Meaning if they are transferred to a non-existing account, creating the account after the account received funds would burn any tokens.
B: transaction is rejected and bounces back.

Ideally option B, but I would understand A as well.

Next to changes in the chain, I feel hive-engine and any other dapp could help users that are about to transfer to a non-existing account with:

A: warning message
B: refuse to accept it.

Again, I would prefer B but would understand A.

!DUO

avatar

Unless the person who sends them to this wrong address realizes it and creates the account, they remain in "limbo" until claimed.

Thank you for bringing this to my attention, I didn't realize this is how it worked. Seems strange that the tokens would just "float" there until an account was created to complete the transaction, the tokens really should be returned. Seems more like a design flaw than a loop-hole, although this design flaw is being EXPLOITED to collect ill-earned (stolen) gains.

I would support any petition to fix this. !DUO
