Caught an exploit quickly


Our next update is going to be much more fun, with a wonderful new tool available to our loyal PeakMonsters users. However, we do need to go over this small but unfortunate event that happened this weekend.


BACKGROUND
A few weeks ago the Splinterlands team changed the underlying protocol for market purchases. It impacted the timing of when you could make an attempt to buy a card. Our team believes it had no benefit to the common player, so probably not many noticed. The race to get newly listed cards is a hotly contested one, with usually a half dozen accounts (bots) attempting to get nicely priced cards, and PeakMonsters is the ONE and ONLY avenue that tries to grab those cards for the everyday human user. We feel like we do very well at standing up for our users: you indicate which cards you'd like and at what price, and then we work aggressively to get those cards for you.

With that said, we purchase thousands if not tens of thousands of cards for our users each day via bids.

AN EXPLOIT CAUGHT QUICKLY
Over the weekend, a bad actor figured out a way to exploit bids, ours and those of other bots that run similar bidding systems. Because of the Splinterlands protocol timing change, they could list cards at a price, then quickly reprice them and remove some of them from the market before the purchase attempt was made. The buyer would get just one of the cards, and that card would have been repriced to equal the total value of the full bid.

It looks something like this (screenshot):

He would have gotten away with it for longer, but he did it to one of our own team members, who reported it quickly. Within an hour there was a temporary fix that prevented the thief from using this exploit on any PeakMonsters BID users. After a few more hours another fix was required to close a slightly different potential attack vector. Those changes took away our ability to quick-bid for multiple cards in a single transaction. (At that time we could only safely buy 1 card at a time, or buy multi-BCX later on.)

TODAY'S UPDATE
As of today's Splinterlands update there is a new backend tool provided by the protocol that allows us to do "all or nothing bids". This makes it so the exploit can't happen to PeakMonsters bidders even with multi-BCX bids turned back on. However, it is not the ideal fix to the exploit, because it can still happen to other bot operators if they're not careful. Also, all or nothing means some perfectly good bids may be lost if part of the cards are legitimately purchased by someone quicker.
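To make the two failure modes concrete, here is a small Python model of a multi-card bid executed two ways: the fill-what-is-left behaviour that the exploit above abuses, and the all-or-nothing behaviour the new tool provides, including the honest race that all-or-nothing turns into a lost bid. This is an added example, not PeakMonsters or Splinterlands code; the market book, the `Bid` and `Market` classes, the card names and the prices are all constructed for illustration, and the real protocol's data structures are assumed to differ.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Listing:
    card_id: str
    price: float  # current asking price (constructed units)


class Market:
    """Minimal listing book, card_id -> Listing. Constructed for this example."""

    def __init__(self, listings: List[Listing]):
        self.book: Dict[str, Listing] = {l.card_id: l for l in listings}

    def delist(self, card_id: str) -> None:
        self.book.pop(card_id, None)

    def reprice(self, card_id: str, price: float) -> None:
        self.book[card_id].price = price


@dataclass
class Bid:
    """What the bidding bot saw when it decided to buy: card_id -> price."""
    expected: Dict[str, float]

    @property
    def total(self) -> float:
        return sum(self.expected.values())


class PurchaseRejected(Exception):
    pass


def execute_partial(market: Market, bid: Bid) -> Tuple[List[str], float]:
    """Vulnerable model: fill whichever bid cards are still listed, at their
    CURRENT price, as long as the running cost fits the total the buyer
    authorised. Nothing checks that the current price matches the bid price."""
    bought, cost = [], 0.0
    for card_id in bid.expected:
        listing = market.book.get(card_id)
        if listing is None or cost + listing.price > bid.total:
            continue
        bought.append(card_id)
        cost += listing.price
    if not bought:
        raise PurchaseRejected("no card in the bid is still purchasable")
    for card_id in bought:
        market.delist(card_id)
    return bought, cost


def execute_all_or_nothing(market: Market, bid: Bid) -> Tuple[List[str], float]:
    """Hardened model: every card must still be listed at no more than the
    price the buyer saw, otherwise the whole purchase is rejected and no
    card changes hands."""
    for card_id, seen_price in bid.expected.items():
        listing = market.book.get(card_id)
        if listing is None:
            raise PurchaseRejected(f"{card_id} is no longer listed")
        if listing.price > seen_price:
            raise PurchaseRejected(
                f"{card_id} repriced from {seen_price} to {listing.price}")
    cost = sum(market.book[c].price for c in bid.expected)
    for card_id in bid.expected:
        market.delist(card_id)
    return list(bid.expected), cost


def fresh_market() -> Market:
    # Constructed sample: three copies of a card listed at 1.0 each.
    return Market([Listing("card-A", 1.0), Listing("card-B", 1.0), Listing("card-C", 1.0)])


def run(executor: Callable, tamper: Callable[[Market], None]) -> str:
    """Place a 3-card bid, let the book change before execution, report the outcome."""
    market = fresh_market()
    bid = Bid({c: market.book[c].price for c in ("card-A", "card-B", "card-C")})
    tamper(market)
    try:
        bought, cost = executor(market, bid)
    except PurchaseRejected as why:
        return f"rejected: {why}"
    return f"bought {bought} for {cost:.1f}"


def seller_reprice(market: Market) -> None:
    # The book change the post describes: two cards pulled and the remaining
    # one repriced to the whole bid total before the purchase lands.
    market.delist("card-B")
    market.delist("card-C")
    market.reprice("card-A", 3.0)


def honest_race(market: Market) -> None:
    # Someone else legitimately bought card-B first.
    market.delist("card-B")


if __name__ == "__main__":
    for name, executor in (("partial", execute_partial), ("all-or-nothing", execute_all_or_nothing)):
        print(f"{name:15} vs reprice: {run(executor, seller_reprice)}")
        print(f"{name:15} vs race:    {run(executor, honest_race)}")
```

The partial executor pays the full 3.0 for a single card, which is the loss described above; the all-or-nothing executor refuses that purchase but also refuses the honest race, where a second buyer took one copy first, which is the trade-off the post points out. A per-card price check against what the bot saw at bid time is what actually stops the reprice; the all-or-nothing rule is the coarser guarantee that the protocol tool provides.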

We are happy that our users can't be exploited, but we are not sure whether the timing change made a few weeks ago is worth living with this exploit as a possibility. We have not noticed the timing change having any noticeable benefit to any normal user, since no normal user can beat the bots, and it would be a rare feat to misprice your card, figure it out, and then remove or reprice it within the allotted 3 blocks. But we acknowledge that perhaps it has a backend API benefit for the Splinterlands team and that they will continue with the timing delay.

ONLY A COUPLE PEOPLE IMPACTED

The reality is that we have only identified 3 users impacted, all for relatively small amounts, but some other bot operators that compete for cards seem to be much more impacted, with some bots losing thousands of dollars. Though there is always the possibility that a bot owner would run the exploit on themselves first, to test it and also to throw people off their trail. So if anyone is feeling like a detective, go for it.

If you were using PeakMonsters Bids and were impacted, please reach out to us on our Discord channel. We will make sure you are refunded the impacted amount, because you trusted in our service.

SHINE THE LIGHT
Here is the list of accounts that performed this exploit:

https://peakmonsters.com/@narutohinata69/history
https://peakmonsters.com/@jiraiyatsunade69/history
https://peakmonsters.com/@bulletracer/history
It was over the weekend, so you'd have to look back far in the history.

We of course petition them to behave better and RETURN the money to the impacted users; it should not be our job to refund the money THEY stole. There's no room in our community for such immoral and purposefully aggressive behavior.

PeakMonsters and Splinterlands links:

4 comments

That is great that you caught it so quickly and worked to fix it and make things right!


Congrats on shutting them down. 👍


It has a great vivid future just lo and behold.😍