Hey Steemit, it's been a while hasn't it? So I was recently checking out a cryptocurrency called Electroneum, which I had actually been hyped for for quite a while. So as I was mining some Electroneum when I realized something. So the Electroneum wallet (for android anyways) has a "Simulated Miner" which takes a benchmark of your CPU and pays you Electroneum based on what you would have made if you were actually mining.
Now think about this, if you are getting paid depending on how much work you could be doing, couldn't you also do the work and be paid double? This is what I call the Phantom Hash Vulnerability in Electroneum.
I actually tested this out. As I write this I am running the Electroneum Simulated Miner (or ESM for short) and the Neo Neon Miner on Android, for a pool. I am making double the Electroneum I would normally be making (besides pool luck anyways).
There is a second vulnerability I've noticed in Electroneum. Essentially, you could create a PC with a very powerful CPU, and use an Android Virtual Machine to make a ton of Electroneum, while using the Phantom Hashing Vulnerability to make double.
My solution: remove the simulated miner all together. I understand that it is going to be used to get people into Electroneum but I just don't think it's a good idea. Paying people for not working (cryptocurrency wise, I'm not getting into politics) is just not a good idea, since it's so easily exploitable. If you would still like to keep the ESM, than you should perform checks, make it so that those running the ESM are contributing to Electroneum somehow, etc.
This is what I've just noticed. If anything I've written here is wrong please feel free to correct me. If you have a way of reporting this to the Electroneum Devs please forward this article to them (with appropriate credit)