I could regularly STEAL 25% of the rewards from Utopian, but I did NOT do that
A catchy title is important, but even more important is the health of Steem-based applications. To keep growing they need Steem Power. There are several ways to gain it, but the most efficient is to use a feature provided by the Steem blockchain itself: beneficiaries. I found a way to break this system at Utopian.io. Don't worry, I reported it and it has been fixed.
Photo by Martin Dörsch on Unsplash
In case you don't know what the beneficiaries property is about: when a post is published, the author (or the app posting on their behalf) can specify one or more accounts that receive a chosen percentage of the post's author rewards.
When you publish a contribution through Utopian.io, it automatically adds utopian.pay as a beneficiary with a weight of 25%.
However, Utopian runs on the Steem blockchain, so a post can be published from any number of interfaces, or even broadcast by hand.
That's what I tried, and I found a bug which let me be rewarded by the Utopian bot without sharing the rewards with utopian.pay. If you are interested in how I managed to do so, read on ;)
Expected behavior
The Utopian API shouldn't let me add a post to the Utopian database which doesn't have a beneficiary for utopian.pay set.
Actual behavior
I was able to fool the Utopian API into adding a post without beneficiaries.
How to reproduce
Well, it isn't possible to do so at the moment (unless you set up an old version of the Utopian API on your local machine).
But let me tell you how I did it:
- I broadcast a post to the Steem blockchain using SteemConnect. The crucial step was to mimic Utopian's own behaviour, so I added Utopian-related information to the json_metadata (community: utopian, app: utopian/1.0.0, etc.):
{
    "operations": [
        [
            "comment", {
                "parent_author": "",
                "parent_permlink": "utopian-io",
                "author": "jakipatryk-dev",
                "permlink": "wawrdfd-fsdffdsfds",
                "body": "### Component \n Very important component! \n \n ### Proposal \n Also really important. \n \nI'm testing Utopian security against abuse so don't worry about this post.",
                "title": "There should be a very important feature!",
                "json_metadata": "{\"community\":\"utopian\",\"app\":\"utopian\/1.0.0\",\"format\":\"markdown\",\"repository\":{\"id\":76603770,\"name\":\"steemconnect\",\"full_name\":\"steemit\/steemconnect\",\"html_url\":\"https:\/\/github.com\/steemit\/steemconnect\",\"fork\":false,\"owner\":{\"login\":\"steemit\"}},\"pullRequests\":[],\"platform\":\"github\",\"type\":\"ideas\",\"tags\":[\"utopian-io\",\"test\",\"test2\",\"test3\",\"test4\"],\"users\":[\"jakipatryk-dev\"],\"image\":[\"https:\/\/images.unsplash.com\/photo-1515683359900-6922e4964be1?ixlib=rb-0.3.5&ixid=eyJhcHBfaWQiOjEyMDd9&s=87dd134f90a2487ec9f0d8ea633357cc&auto=format&fit=crop&w=1950&q=80\"]}"
            }
        ]
    ]
}
- I used the PostFix3000 service made by Utopian to add this post to the Utopian database (I could have hit the Utopian API endpoint directly; it doesn't matter though).
- I now had a contribution which could get a high upvote but wouldn't share that reward with Utopian!
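To show what the server-side check has to do, here is an added example in Python. It is my own illustration, not Utopian's API code and not the patch @wehmoen wrote. It assumes the API reads the post's transaction back from a Steem node rather than trusting whatever the client submits; the two transactions below are constructed for the example, modelled on the payload above. The point it demonstrates: on Steem, beneficiaries are not part of the comment operation at all but of a separate comment_options operation, so a json_metadata saying community: utopian proves nothing, and a transaction that carries only a comment operation has no beneficiaries whatsoever.

```python
"""Added example: verify on-chain beneficiaries instead of trusting json_metadata.

Not Utopian's code. The operation lists are constructed samples in the shape
of a Steem transaction's "operations" array; a real API would read the post's
operations (or get_content's "beneficiaries" field) back from a Steem node.
"""
import json

UTOPIAN_BENEFICIARY = "utopian.pay"
REQUIRED_WEIGHT = 2500          # Steem weights are basis points: 2500 == 25%
STEEM_100_PERCENT = 10000


def beneficiaries_from_operations(operations):
    """Extract the beneficiary list from a transaction's operations.

    Beneficiaries live in a 'comment_options' operation, inside its
    extensions as the static_variant [0, {"beneficiaries": [...]}].
    A transaction that only contains 'comment' therefore has none.
    """
    for op_name, op in operations:
        if op_name != "comment_options":
            continue
        for ext in op.get("extensions", []):
            if isinstance(ext, list) and len(ext) == 2 and isinstance(ext[1], dict):
                if "beneficiaries" in ext[1]:
                    return list(ext[1]["beneficiaries"])
    return []


def claims_utopian(json_metadata):
    """What the client *says* (untrusted): json_metadata.community == 'utopian'."""
    try:
        meta = json.loads(json_metadata) if isinstance(json_metadata, str) else (json_metadata or {})
    except ValueError:
        return False
    return isinstance(meta, dict) and meta.get("community") == "utopian"


def utopian_beneficiary_ok(beneficiaries, account=UTOPIAN_BENEFICIARY, min_weight=REQUIRED_WEIGHT):
    """True only if `account` receives at least `min_weight` basis points."""
    total = 0
    for b in beneficiaries:
        weight = int(b.get("weight", 0))
        if weight < 0 or weight > STEEM_100_PERCENT:
            return False
        total += weight
    if total > STEEM_100_PERCENT:      # the chain rejects this too; never trust it
        return False
    return any(b.get("account") == account and int(b.get("weight", 0)) >= min_weight
               for b in beneficiaries)


def accept_contribution(operations):
    """Decision the API should make before inserting a post into its database."""
    comment = next((op for name, op in operations if name == "comment"), None)
    if comment is None:
        return False, "no comment operation"
    if not claims_utopian(comment.get("json_metadata", "")):
        return False, "not a Utopian post"
    if not utopian_beneficiary_ok(beneficiaries_from_operations(operations)):
        return False, "missing or insufficient utopian.pay beneficiary"
    return True, "ok"


# Constructed sample 1: looks like Utopian in json_metadata, but no comment_options.
_COMMENT = {
    "parent_author": "", "parent_permlink": "utopian-io",
    "author": "jakipatryk-dev", "permlink": "wawrdfd-fsdffdsfds",
    "title": "There should be a very important feature!",
    "body": "### Component\nVery important component!",
    "json_metadata": json.dumps({"community": "utopian", "app": "utopian/1.0.0",
                                 "type": "ideas", "tags": ["utopian-io"]}),
}
FORGED_OPERATIONS = [["comment", _COMMENT]]

# Constructed sample 2: the same comment plus the comment_options Utopian would add.
LEGIT_OPERATIONS = [
    ["comment", dict(_COMMENT)],
    ["comment_options", {
        "author": "jakipatryk-dev", "permlink": "wawrdfd-fsdffdsfds",
        "max_accepted_payout": "1000000.000 SBD", "percent_steem_dollars": 10000,
        "allow_votes": True, "allow_curation_rewards": True,
        "extensions": [[0, {"beneficiaries": [{"account": "utopian.pay", "weight": 2500}]}]],
    }],
]

if __name__ == "__main__":
    print("forged:", accept_contribution(FORGED_OPERATIONS))
    print("legit: ", accept_contribution(LEGIT_OPERATIONS))
```

The decisive line is the beneficiary check being fed from the chain's operations, not from anything in the submitted post body; community, app and the rest of json_metadata are free-form text that any client can set, exactly as the SteemConnect broadcast above did.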
Solution
I want to thank @jestemkioskiem for letting me test this without getting a permaban on Utopian and for all the essential information. I'd also like to mention @wehmoen, who fixed this issue immediately after I reported it!
Posted on Utopian.io - Rewarding Open Source Contributors
Thank you for the contribution. It has been approved.
Thanks for finding this exploit! This is quite a big deal so I'm happy this got solved immediately.
You can contact us on Discord.
[utopian-moderator]
Hey @jestemkioskiem, I just gave you a tip for your hard work on moderation. Upvote this comment to support the utopian moderators and increase your future rewards!
This post has been upvoted and picked by Daily Picked #25! Thank you for the cool and quality content. Keep going!
Don’t forget I’m not a robot. I explore, read, upvote and share manually ☺️
Great post/fix. I figured this might be possible, but didn't get around to asking permission to try and break it. It would be great if Utopian posted bug bounties or had a category specifically for white hat disclosures.
It might be worth creating a script to see if this has been exploited in the past?
Linked commit changes seem to be commented on master branch. Is it ok?
Great job btw!
Yeah, this is generally considered a bad practice ;D
Thanks!
Lol, whoops!
Hello @jakipatryk and guests of this blog! Please read my message only if you have an opportunity to help me out.
Last month my mother was diagnosed with lung cancer and now we are doing all we can to gather the funds needed for treatment and a surgical operation. Unfortunately a major part of my cryptocurrency is stuck on the HitBTC exchange and I don't know when I will be able to withdraw it. I want to ask you to help me financially; even $20 will help my family a lot! Sorry for begging, but sadly I have no choice at the moment.
Please donate to me in Steem, SBD, or Ethereum. ETH address:
0xeb2eaef6c5be069751185f325939fcdcc47d6f2f
Hey @jakipatryk I am @utopian-io. I have just upvoted you!
Achievements
Suggestions
Get Noticed!
Community-Driven Witness!
I am the first and only Steem Community-Driven Witness. Participate on Discord. Let's GROW TOGETHER!
Up-vote this comment to grow my power and help Open Source contributions like this one. Want to chat? Join me on Discord https://discord.gg/Pc8HG9x
Insane skills, man! A very complicated one!
More bugs to hunt!