Bitcoin Forum
February 18, 2018, 09:07:08 PM *
News: Latest stable version of Bitcoin Core: 0.15.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1] 2 »  All
  Print  
Author Topic: Bad Code Has Lost $500M of Cryptocurrency in Under a Year  (Read 346 times)
AGD
Legendary
*
Offline Offline

Activity: 1484
Merit: 1007


HODLER SINCE 2013


View Profile
February 13, 2018, 01:05:18 PM
 #1

https://topbitcoin.lv/bad-code-lost-500-million-cryptocurrency-year/

Quote
Cryptocurrency can be lost in a variety of ways, from hacking to forgotten passwords and failed flash drives. But in dollar terms, one of the biggest causes of crypto losses is bad code, and it’s not usually the fault of the coin’s developers. Instead, third parties, including shoddy smart contract developers and shady exchanges, are to blame for losses that have reached half a billion dollars in the last seven months.

Last week, news.Bitcoin.com reported on the demise of Bitgrail, which contrived to lose $170 million of nano cryptocurrency. While the precise sequence of events that caused the catastrophic collapse of the exchange with the assets of thousands of customers is still being confirmed, poor code is being blamed. As reported at the time:

There are rumors that Bitgrail became insolvent following a withdrawal bug that was discovered by some users and then shared in Discord and other chat groups, causing the wallet balance to gradually diminish. One user explained: “There was a bug on Bitgrail where if you placed two orders you got double balance added to your account. You could then withdraw while the orders were up and steal the coins. You had negative balance in the end but you could just make a new account.”

Bad Code Has Lost $500 Million of Cryptocurrency in Under a Year

In the aftermath of the incident, this theory has been bolstered by allegations that a bug was indeed responsible, and not in nano’s code, but in Bitgrail’s. One source asserted: “There was a bug, on the withdraw page. But this check was only on java-script client side, you find the js which is sending the request, then you inspect element – console, and run the java-script manually, to send a request for withdrawal of a higher amount than in your balance. Bitgrail delivered this withdrawal. How many people did this? Who knows.”

There was another bug, you could request a withdrawal to your address – from another user-id, from another user-account. That would cause the other users balance to have “missing funds” or “negative balance”. Bitgrail bomber solved this bug by manually entering the “correct” numbers in his database. This is what you get for using a PHP website coded by same skill-level as CfB of IDIOTA.

Even the Best Cryptocurrencies Aren’t Immune to Poor Code

The cryptocurrency most commonly associated with catastrophic bugs is ethereum. That’s not due to its underlying code, but on account of the smart contracts that can be built on top of the ethereum framework. First there was the DAO, which led to ethereum being forked right out the gate, and then there was the Parity bug that caused 150,000 ETH to be stolen, followed by the other Parity bug that caused $168 million of ETH to be locked up.

In the past couple of weeks, ethereum bugs have surfaced once more, albeit on a smaller scale. Proof of Weak Hands (PoWH) was a joke scamcoin which turned into an actual scamcoin after a bug led to the loss of 900 ether worth $1 million that had been sent to the contract address. The developer then disappeared after receiving death threats from investors aggrieved to discover that the joke Ponzi they were buying into was even less legitimate than it had seemed.

PoWH has since spawned a new scamcoin called ethpyramid which is for “strong hands only”. To the question “Is Ethpyramid secure?” the site responds “Yes. Our dev team put a lot of time into refining and testing this contract to make sure your tokens are safe. Internal functions of the contract are not accessible to the end user.” There’s also PoWH420, “the world’s dank autonomous and self-sustaining 420 pyramid scheme”.


Even if joke coins and their joke developers are taken out of the equation, it’s evident that cryptocurrencies are only as strong as their weakest link. While altcoins such as ethereum and nano have undoubted potential, like every other crypto they’re hostage to bugs lurking in wallets, smart contracts, and exchanges. One bad line of code is all it takes.

Bitcoin is not a bubble, it's the pin!
My ignore list here: https://bitcointalk.org/index.php?topic=1652334.0 +++ GPG Public key FFBD756C24B54962E6A772EA1C680D74DB714D40 +++ http://pgp.mit.edu/pks/lookup?op=get&search=0x1C680D74DB714D40
1518988029
Hero Member
*
Offline Offline

Posts: 1518988029

View Profile Personal Message (Offline)

Ignore
1518988029
Reply with quote  #2

1518988029
Report to moderator
1518988029
Hero Member
*
Offline Offline

Posts: 1518988029

View Profile Personal Message (Offline)

Ignore
1518988029
Reply with quote  #2

1518988029
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1518988029
Hero Member
*
Offline Offline

Posts: 1518988029

View Profile Personal Message (Offline)

Ignore
1518988029
Reply with quote  #2

1518988029
Report to moderator
1518988029
Hero Member
*
Offline Offline

Posts: 1518988029

View Profile Personal Message (Offline)

Ignore
1518988029
Reply with quote  #2

1518988029
Report to moderator
Nrcewker
Copper Member
Hero Member
*****
Offline Offline

Activity: 639
Merit: 500


Geek UAV Pilot


View Profile WWW
February 13, 2018, 02:57:42 PM
 #2

i think investors should learn from this . i see mostly peoples are looking for cheap development companies but they forget they will get what they paid for ..

when you starting a exchange company for God Sake hire a professional company where educated peoples worked but they will charge you more money then a individual or freelancer developer but they can give you good work

███████████████████████████████████████████████████████
███████████████████████████████████████████████████████
███████████████████████████████████████████████
█████████████████████████████████████████████
██████████████████████████████████████████████
██████████████████████████████████████████████████████[color=
ETFbitcoin
Legendary
*
Offline Offline

Activity: 1232
Merit: 1007


TV-TWO - Connect Your TV to the ETH Blockchain


View Profile
February 13, 2018, 06:40:03 PM
 #3

And that's reason why some cryptocurrency technology development looks very slow, testing huge technology takes time and there are many bugs which unseen at development stage. Also, it's another reason not to keep your cryptocurrency in exchange and not to participate in ICO/project which looks shady or don't have much experience.

█▀▀▀▀▀
█               ▄       ▄
█          ▄     ▄     ▄     ▄
█            ▄    ▄   ▄    ▄
█              ▀▄ ▐▌ ▐▌ ▄▀
█         ▄ ▄ ▄▄▄▀     ▀▄▄▄ ▄ ▄
█               ▄▀     ▀▄
█            ▄ ▀  ▐▌ ▐▌  ▀ ▄
█          ▄      ▀   ▀      ▀
█                ▀     ▀                █
█               ▀       ▀               █
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
     ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄█▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
    ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
HeRetiK
Hero Member
*****
Offline Offline

Activity: 658
Merit: 540


the forkings will continue until morale improves


View Profile
February 13, 2018, 07:05:34 PM
Merited by suchmoon (1), AGD (1), ETFbitcoin (1), LoyceV (1), nullius (1)
 #4

Seeing how security and actual software engineering often comes as an afterthought, instead of serving as a fundamental requirement, it comes to very little surprise to be honest. I guess that's the downside of the comparably low entry level when it comes to developing crypto related software (as opposed to, say, traditional finance, military and aircraft applications).

Properly handling immutable, decentralized transactions is hard and mistakes are costly without recourse. Even moreso when it comes to smart contracts. It seems like a lot of companies and developers haven't yet fully fathomed the implications of what processing irreversible scripts and transactions really means.


I mean...

Quote
“There was a bug on Bitgrail where if you placed two orders you got double balance added to your account. You could then withdraw while the orders were up and steal the coins. You had negative balance in the end but you could just make a new account.”

What the. Actual. Fuck. That would be bad enough in traditional finance or actually any online application that handles money. But in crypto such a bug becomes fatal.



Quote
The cryptocurrency most commonly associated with catastrophic bugs is ethereum. That’s not due to its underlying code, but on account of the smart contracts that can be built on top of the ethereum framework.

Here's the next thing. Granted, if Solidity where more strict and rigorous its developer base would likely be much much smaller. Nonetheless I'd argue that such strictness would be required to allow somewhat reliable smart contracts. With Solidity it may not be a code issue, but it's definitely a design issue. I don't follow Ethereum all that much, so I might be missing parts of the big picture, but what I always ask myself is: If blockchain veterans such as the Ethereum development team is unable to design a sound smart contract platform, how can we expect blockchain rookies -- which is what most of us are, given how young crypto is -- to implement reliable smart contracts on that very same platform?

Sorry if this post comes off as ranty, I guess irresponsible code just kind of grinds my gears.

AGD
Legendary
*
Offline Offline

Activity: 1484
Merit: 1007


HODLER SINCE 2013


View Profile
February 13, 2018, 08:20:57 PM
Merited by nullius (1)
 #5

Seeing how security and actual software engineering often comes as an afterthought, instead of serving as a fundamental requirement, it comes to very little surprise to be honest. I guess that's the downside of the comparably low entry level when it comes to developing crypto related software (as opposed to, say, traditional finance, military and aircraft applications).

Properly handling immutable, decentralized transactions is hard and mistakes are costly without recourse. Even moreso when it comes to smart contracts. It seems like a lot of companies and developers haven't yet fully fathomed the implications of what processing irreversible scripts and transactions really means.


I mean...

Quote
“There was a bug on Bitgrail where if you placed two orders you got double balance added to your account. You could then withdraw while the orders were up and steal the coins. You had negative balance in the end but you could just make a new account.”

What the. Actual. Fuck. That would be bad enough in traditional finance or actually any online application that handles money. But in crypto such a bug becomes fatal.



Quote
The cryptocurrency most commonly associated with catastrophic bugs is ethereum. That’s not due to its underlying code, but on account of the smart contracts that can be built on top of the ethereum framework.

Here's the next thing. Granted, if Solidity where more strict and rigorous its developer base would likely be much much smaller. Nonetheless I'd argue that such strictness would be required to allow somewhat reliable smart contracts. With Solidity it may not be a code issue, but it's definitely a design issue. I don't follow Ethereum all that much, so I might be missing parts of the big picture, but what I always ask myself is: If blockchain veterans such as the Ethereum development team is unable to design a sound smart contract platform, how can we expect blockchain rookies -- which is what most of us are, given how young crypto is -- to implement reliable smart contracts on that very same platform?

Sorry if this post comes off as ranty, I guess irresponsible code just kind of grinds my gears.

A lot of good reasons to stick with Bitcoin, esp. Core and keep running full nodes and I also would trust smart contracts a lot more, if they would be based on the the Bitcoin blockchain than on any other shitchain.  In my opinion ALL of the > 1000 Alts are rather the result of missed financial/fame opportunities than a real technological progress.

Bitcoin is not a bubble, it's the pin!
My ignore list here: https://bitcointalk.org/index.php?topic=1652334.0 +++ GPG Public key FFBD756C24B54962E6A772EA1C680D74DB714D40 +++ http://pgp.mit.edu/pks/lookup?op=get&search=0x1C680D74DB714D40
jshark
Jr. Member
*
Offline Offline

Activity: 40
Merit: 0


View Profile
February 13, 2018, 08:48:51 PM
 #6

  In my opinion ALL of the > 1000 Alts are rather the result of missed financial/fame opportunities than a real technological progress.

Couldn't agree with this more. I get some people have had great ideas, I believe ETH is one of them, but SO many alts are just guys/teams with a get rich quick plan.
HeRetiK
Hero Member
*****
Offline Offline

Activity: 658
Merit: 540


the forkings will continue until morale improves


View Profile
February 13, 2018, 11:03:47 PM
 #7

A lot of good reasons to stick with Bitcoin, esp. Core and keep running full nodes and I also would trust smart contracts a lot more, if they would be based on the the Bitcoin blockchain than on any other shitchain.  In my opinion ALL of the > 1000 Alts are rather the result of missed financial/fame opportunities than a real technological progress.

Yeah, a lot of the stuff that I've seen happening with the alts (eg. IOTA and its self rolled crypto or that whole Parity debacle... twice) and some of the hardforks (eg. B2X's insta-death and the BCH difficulty fluctuations) during the last year made me really appreciate the way Core handles things. Sure, progress may seem slow, but it's slow for a reason. Stuff's done when it's done. You can't just move fast and hardfork things. I mean you can, obviously, but its not necessarily a development and design philosophy that I personally could get behind.

Same with turing complete smart contracts. It just seems like such. A bad. Idea. Regardless of the underlying blockchain.

Maybe with some improved tooling, rigorous testing and a solid development approach this could work, alas who has time for that when there's a marketing campaign for your upcoming ICO to be run?

I love watching the altcoin and token space, but for every good idea there's a metric shitton of wtfs going on. And those whitepapers. So much fluff, oh so much fluff. Jesus.

BenOnceAgain
Member
**
Offline Offline

Activity: 131
Merit: 14

Executive Director, BTRIC


View Profile WWW
February 13, 2018, 11:35:23 PM
Merited by Foxpup (1), AGD (1), HeRetiK (1)
 #8

Seeing how security and actual software engineering often comes as an afterthought, instead of serving as a fundamental requirement, it comes to very little surprise to be honest. I guess that's the downside of the comparably low entry level when it comes to developing crypto related software (as opposed to, say, traditional finance, military and aircraft applications).

Properly handling immutable, decentralized transactions is hard and mistakes are costly without recourse. Even moreso when it comes to smart contracts. It seems like a lot of companies and developers haven't yet fully fathomed the implications of what processing irreversible scripts and transactions really means.


I mean...

Quote
“There was a bug on Bitgrail where if you placed two orders you got double balance added to your account. You could then withdraw while the orders were up and steal the coins. You had negative balance in the end but you could just make a new account.”

What the. Actual. Fuck. That would be bad enough in traditional finance or actually any online application that handles money. But in crypto such a bug becomes fatal.



Quote
The cryptocurrency most commonly associated with catastrophic bugs is ethereum. That’s not due to its underlying code, but on account of the smart contracts that can be built on top of the ethereum framework.

Here's the next thing. Granted, if Solidity where more strict and rigorous its developer base would likely be much much smaller. Nonetheless I'd argue that such strictness would be required to allow somewhat reliable smart contracts. With Solidity it may not be a code issue, but it's definitely a design issue. I don't follow Ethereum all that much, so I might be missing parts of the big picture, but what I always ask myself is: If blockchain veterans such as the Ethereum development team is unable to design a sound smart contract platform, how can we expect blockchain rookies -- which is what most of us are, given how young crypto is -- to implement reliable smart contracts on that very same platform?

Sorry if this post comes off as ranty, I guess irresponsible code just kind of grinds my gears.

I wholeheartedly agree with you.  I couldn't believe that there was apparently a client-side JavaScript exploit on that Bitgrail exchange, where that was the only check it had to verifying an accounts balance!?!  Seriously, code that runs in someone's web browser, wtf?  That type of foolishness wouldn't make the cut for a web game, to say nothing of financial transactions of real value.

In my view, best-practices standards are needed for security and code audits.  There are many attempts at this out there, it needs to be pulled together, structured and maintained like RFC or BIP standards are, and proliferated through the field.  Especially considering we are dealing with a rapidly evolving technology, these standards need to be maintained on an ongoing basis.  I know the steps I take to lock down a server today in 2018 are different in quite a few ways than they were in 2014, for example.

My organization is going to be looking at this issue because it's a real problem that needs some coordinated focus.  We're conducting our launch fundraiser right now with an Ethereum ERC20 token, but I have real concerns with the stability of that platform moving forward.  A deep dive is in order with some consultations with the gurus before I make any long-term decision I'll live to regret on platforms.  In some ways it's a shame, the Ethereum platform does seem good "on paper", but has some real flaws that need to be met before I would place the kind of trust in it that you do to a financial institution.

If a bank lost $500M in a year, people would be in jail!  (Well, maybe not here in the U.S., but only because the banks own our government [for now]).  But who would bank with a company that was so careless with funds it has custodial control over?

I might sound ranty back, but it's only because it's so outrageous.

Best regards,
Ben

Wind_FURY
Hero Member
*****
Offline Offline

Activity: 644
Merit: 530


Crypto-Games.net: Multiple coins, multiple games


View Profile
February 14, 2018, 06:38:46 AM
 #9

Some services with less than competent developers should not be working in something that holds millions of dollars.

But other projects with supposedly "competent" developers and still have caused coins to be stolen or lacked deserves to be hanged. They have no excuse.


▄▄▄████████▄▄▄
▄██████████████████▄
▄██████████████████████▄
██████████████████████████
████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
██████████████████████████████
████████████████████████████
██████████████████████████
▀██████████████████████▀
▀██████████████████▀
▀▀▀████████▀▀▀
   ███████
██████████
██████████
██████████
██████████
██████████
██████████
██████████
██████████
██████████
██████████
██████████
███████
BTC  ◉PLAY  ◉XMR  ◉DOGE  ◉STRAT  ◉ETH  ◉GRC  ◉LTC  ◉DASH  ◉PPC
     ▄▄██████████████▄▄
  ▄██████████████████████▄        █████
▄██████████████████████████▄      █████
████ ▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄▄ ████     ▄██▀
████ █████ ██████ █████ ████    ▄██▀
████ █████ ██████ █████ ████    ██▀
████ █████ ██████ █████ ████    ██
████ ▀▀▀▀▀ ▀▀▀▀▀▀ ▀▀▀▀▀ ████ ▄██████▄
████████████████████████████ ████████
███████▀            ▀███████ ▀██████▀
█████▀                ▀█████
▀██████████████████████████▀
  ▀▀████████████████████▀▀ 
DICE           
BLACKJACK
PLINKO       
VIDEO POKER
ROULETTE     
LOTTO             
ciro1
Sr. Member
****
Offline Offline

Activity: 415
Merit: 251


Bitcore (BTX) - Your Payment Coin


View Profile
February 14, 2018, 06:54:09 AM
 #10

Majority of the cases were properly calculated and scam. Investors would never be able to know and even if they do, not much can be done. I believe all these issues would be things of the old in crypto.

     ╔═╗ ╦ ═╦═╔══╔══╗╔══╗╔══          OFFICIAL WEBSITE | TWITTER  | FACEBOOK
==== ╠═╝╗║  ║ ║  ║  ║╠═╔╝╠══ ====    OFFICIAL F.A.Q.  | TELEGRAM | TECHCHART     
     ╚══╝╩  ╩ ╚══╚══╝╚ ╚═╚══          10 MB, segwit, BTC -> BTX, airdrops +++
HeRetiK
Hero Member
*****
Offline Offline

Activity: 658
Merit: 540


the forkings will continue until morale improves


View Profile
February 14, 2018, 11:02:35 AM
Merited by nullius (1)
 #11

I wholeheartedly agree with you.  I couldn't believe that there was apparently a client-side JavaScript exploit on that Bitgrail exchange, where that was the only check it had to verifying an accounts balance!?!  Seriously, code that runs in someone's web browser, wtf?  That type of foolishness wouldn't make the cut for a web game, to say nothing of financial transactions of real value.

It seems like both developers and investors tend to forget that they are handling real, actual money. Would you leave a suitcase full of cash in the middle of the street? Would you give your credit card data to some random stranger on the internet? That's what basically happens in crypto all the time.


In my view, best-practices standards are needed for security and code audits.  There are many attempts at this out there, it needs to be pulled together, structured and maintained like RFC or BIP standards are, and proliferated through the field.  Especially considering we are dealing with a rapidly evolving technology, these standards need to be maintained on an ongoing basis.  I know the steps I take to lock down a server today in 2018 are different in quite a few ways than they were in 2014, for example.

I absolutely agree with you. As much as I love that whole wild west, new frontier vibe that crypto is swinging, I so very much appreciate the formal approach that Bitcoin and some of the alts have taken.

To be fair, handling crypto is especially tricky. Holding what equates to actual cash on a computer system is unprecedented prior to cryptocurrencies. Even if you were handling payments there was usually some form of rollback available, should things go awry. Not so with crypto, yet it seems to be partially held to lower standards than finance which is insane.

Nonetheless we've come a long way since MtGox. It's almost as if the market has begun to realize that crypto is a billion dollar business now.


My organization is going to be looking at this issue because it's a real problem that needs some coordinated focus.  We're conducting our launch fundraiser right now with an Ethereum ERC20 token, but I have real concerns with the stability of that platform moving forward.  A deep dive is in order with some consultations with the gurus before I make any long-term decision I'll live to regret on platforms.  In some ways it's a shame, the Ethereum platform does seem good "on paper", but has some real flaws that need to be met before I would place the kind of trust in it that you do to a financial institution.

Hats off to you for critically evaluating technologies. I know this approach should be the standard, however it unfortunately isn't, which makes me all the more glad to hear that there are still organizations and companies out there that take a sane and prudent approach at blockchain techologies.


If a bank lost $500M in a year, people would be in jail!  (Well, maybe not here in the U.S., but only because the banks own our government [for now]).  But who would bank with a company that was so careless with funds it has custodial control over?

I don't think that European banks are much better in that regard.

Referring to "But who would bank with a company that was so careless with funds".... I honestly think that consumers are at least partially to blame on that matter. If people would avoid shoddy exchanges in the first place, a lot of these dramas could be avoided.


habibx
Newbie
*
Offline Offline

Activity: 9
Merit: 0


View Profile
February 14, 2018, 11:25:23 AM
 #12


Like your statement "Bitcoin is not a bubbles it's a pin", also I would like to comment about the "Bitgrail" do they develop using Development Environment x Production... and another wired thing is how is their process of Software Testing works..?
NITCoinOfficial
Newbie
*
Offline Offline

Activity: 14
Merit: 1


View Profile
February 14, 2018, 01:10:03 PM
 #13

This industry is very fresh. You should always have double-check code reviews with your team, if not quad-check it. This is why hackathons and bug-bounty programs exist. It should never be the responsibility of one, team work is very important. Everyone is trying to quickly get into the industry and try to make money, however ethical issues should also be kept in mind. The stronger your code is, the better your reputation is, the better your product will be.
cellard
Legendary
*
Offline Offline

Activity: 924
Merit: 1027


View Profile
February 14, 2018, 03:07:22 PM
Merited by AGD (1)
 #14


I wholeheartedly agree with you.  I couldn't believe that there was apparently a client-side JavaScript exploit on that Bitgrail exchange, where that was the only check it had to verifying an accounts balance!?!  Seriously, code that runs in someone's web browser, wtf?  That type of foolishness wouldn't make the cut for a web game, to say nothing of financial transactions of real value.


This is why I have always taken extra measures when accessing anything that had to do with bitcoin, namely using a VPN or Tor so in order there is a leak, they couldn't get your IP, and also disabling javascript. I have never trusted exchanges, and I still don't to this day, specially now that they ask for a god damn selfie while holding your ID. It's a matter of time some day we are going to have a HUGE leak on a big exchange database, and everyone that gave a picture of them holding an ID will have this picture attached to their bitcoin addresses and then sold on the darkweb for extortion or some sick shit. I was never looking forward to that.. no thanks, which is why I always used fake names on Poloniex for example, and just left any exchange that forced me to give them my data (Bittrex doesn't even let you trade between altcoins anymore without full verification... fuck them!!)

Never trust anything, it's all compromised, everyone just wants to steal your bitcoin. I can't wait for atomic swap decentralized exchanges so I don't need to trust exchangers and the scammers running these while having javascript on.. ridiculous.

       ▀
   ▄▄▄   ▄▀
   ███ ▄▄▄▄  ██
       ████
    ▄  ▀▀▀▀
▄▄
      ██    ▀▀
██▄█▄▄▄████████
▄▄▄▄▄▄▄▄▀▀███▀▀▀
██████████████████
████▄▀▄▀▄▀███▀▀▀▀▀
████▄▀▄▀▄▀███ ▀
████▄▀▄▀▄▀████████
▀█████████████████
]
,CoinPayments,
█████
█████ ██
█████ ██
█████ ██
█████ ██
█████ ██
█████ ██
█████ ██
█████ ██
█████ ██
█████ ██
█████ ██
█████
█████
█████ ██
█████ ██
█████ ██
█████ ██
█████ ██
█████ ██
█████ ██
█████ ██
█████ ██
█████ ██
█████ ██
█████
█████
█████ ██
█████ ██
█████ ██
█████ ██
█████ ██
█████ ██
█████ ██
█████ ██
█████ ██
█████ ██
█████ ██
█████
nullius
Copper Member
Member
**
Offline Offline

Activity: 98
Merit: 432

@nym.zone


View Profile WWW
February 14, 2018, 06:54:58 PM
Merited by AGD (1), LoyceV (1), HeRetiK (1)
 #15

A lot of good reasons to stick with Bitcoin, esp. Core and keep running full nodes and I also would trust smart contracts a lot more, if they would be based on the the Bitcoin blockchain than on any other shitchain.

Yeah, a lot of the stuff that I've seen happening with the alts (eg. IOTA and its self rolled crypto or that whole Parity debacle... twice) and some of the hardforks (eg. B2X's insta-death and the BCH difficulty fluctuations) during the last year made me really appreciate the way Core handles things. Sure, progress may seem slow, but it's slow for a reason. Stuff's done when it's done.

On reading OP, my own first thought was of the whining in certain quarters about Core’s relatively slow pace and “it’s done when it’s done” policy.  Also directly related is persistent calumny over their cautious desire to avoid hardforking the chain, and do so only if necessary—following research of what could happen, and how to prevent “oopsies”.  I even once saw somewhere an explicit suggestion that Core should follow the amateurish wannabe cool kid Silicon Valley 2.0 motto of “move fast and break things” (!).

Whereas to the best of my knowledge, Core is the first and thus far, only open-source project wherein a tiny little bug could directly destroy liquid value equivalent to a hundred billion dollars in a microsecond.  I appreciate the “it’s done when it’s done” approach.


It seems like both developers and investors tend to forget that they are handling real, actual money. Would you leave a suitcase full of cash in the middle of the street? Would you give your credit card data to some random stranger on the internet? That's what basically happens in crypto all the time.

There is pertinent idiom, “Other People’s Money”.  I’ve mostly seen it applied by people who are critical of Bitcoin altogether, on grounds of the amount of ridiculously stupid code which idiots deploy to (mis)handle Bitcoin.  Of course, that’s like criticizing computers because most software of all kinds is trash (and so are all popular CPUs!).  Solution:  Don’t entrust your bitcoins to ridiculously stupid code, and don’t use services which do.


Quote
The cryptocurrency most commonly associated with catastrophic bugs is ethereum. That’s not due to its underlying code, but on account of the smart contracts that can be built on top of the ethereum framework.

Here's the next thing. Granted, if Solidity where more strict and rigorous its developer base would likely be much much smaller.

It’s not only a matter of Solidity.  IIUC, the exploitation of loopholes in the DAO contract (not a “hack”) applied some interesting “features” of the Ethereum VM itself.  Anyway, the whole concept of bolting a Turing-complete VM onto a blockchain is sheer lunacy.

This is why I am drooling over the concept of Simplicity (PDF) for Bitcoin.  A powerful smart-contracts DSL with formally verified properties, which is designed to support writing of formally verifiable contracts, is exactly what we need.

bob123
Sr. Member
****
Offline Offline

Activity: 476
Merit: 296



View Profile
February 14, 2018, 07:48:46 PM
Merited by DarkStar_ (2)
 #16

Quote
“There was a bug on Bitgrail where if you placed two orders you got double balance added to your account. You could then withdraw while the orders were up and steal the coins. You had negative balance in the end but you could just make a new account.”

What the. Actual. Fuck. That would be bad enough in traditional finance or actually any online application that handles money. But in crypto such a bug becomes fatal.

Not just that.
Bitgrail Shitgrail had 2 more bugs:

1) You were able to withdraw twice the amount when following this procedure:
  • Request withdrawals
  • Wait for email confirmation; Don't confirm.
  • Request a second withdrawal (same amount)
  • Wait for email confirmation; Click on the link and confirm
  • Success. You just received 2 withdrawals

2) You were able to withdraw an amount you didn't have as balance:
  • Request a withdrawal
  • Realize the check for the maximum amount happens client-side instead of server-side
  • Manipulate the javascript (yes, javascript.. WTF)
  • Profit. You just withdrew a way bigger amount, leaving your balance on Bitgrail Shitgrail at a negative amount

Those bugs don't happen by accident.
Such bugs appear when the coder has zero (really: ZERO) knowledge.

But its not like hes only unable to code properly, no.

Francesco - Shitesco - Firano claimed 17 million nano got 'hacked' and 'stolen' from his cold wallet.



To sum it up: Shitgrails owner is not just a bad coder, he seems to have zero knowledge on how to perform an exit scam properly.
The FBI already has been informed and investigations are starting. He will get what he deserves.


HeRetiK
Hero Member
*****
Offline Offline

Activity: 658
Merit: 540


the forkings will continue until morale improves


View Profile
February 14, 2018, 08:21:35 PM
 #17

This is why I am drooling over the concept of Simplicity (PDF) for Bitcoin.  A powerful smart-contracts DSL with formally verified properties, which is designed to support writing of formally verifiable contracts, is exactly what we need.

Oh yes. Solutions such as Simplicity are exactly why I give Bitcoin a better chance of survival than most of the alts. The academic work being done around Bitcoin is amazing. It might not be as flashy as the snakeoil that some of the alts are selling, but at least it has substance.


Not just that.
Bitgrail Shitgrail had 2 more bugs:

1) You were able to withdraw twice the amount when following this procedure:
  • Request withdrawals
  • Wait for email confirmation; Don't confirm.
  • Request a second withdrawal (same amount)
  • Wait for email confirmation; Click on the link and confirm
  • Success. You just received 2 withdrawals

2) You were able to withdraw an amount you didn't have as balance:
  • Request a withdrawal
  • Realize the check for the maximum amount happens client-side instead of server-side
  • Manipulate the javascript (yes, javascript.. WTF)
  • Profit. You just withdrew a way bigger amount, leaving your balance on Bitgrail Shitgrail at a negative amount

Those bugs don't happen by accident.
Such bugs appear when the coder has zero (really: ZERO) knowledge.

[...]

That reads less like bug descriptions and more like a checklist of what not to do. The second point -- not entrusting critical verification to client-side code -- is literally one of the first things that gets drummed into your head when learning web development.

nullius
Copper Member
Member
**
Offline Offline

Activity: 98
Merit: 432

@nym.zone


View Profile WWW
February 14, 2018, 08:45:00 PM
 #18

[...discussion of Bitgrail bugs...]

Those bugs don't happen by accident.
Such bugs appear when the coder has zero (really: ZERO) knowledge.

Sorry, I can’t resist—that sounds funny to me, much time as I’ve spent thinking about a different type of zero-knowledge.

I presume that if the Bitgrail devs manufactured a vacuum cleaner, it wouldn’t suck.


This is why I am drooling over the concept of Simplicity (PDF) for Bitcoin.  A powerful smart-contracts DSL with formally verified properties, which is designed to support writing of formally verifiable contracts, is exactly what we need.

Oh yes. Solutions such as Simplicity are exactly why I give Bitcoin a better chance of survival than most of the alts. The academic work being done around Bitcoin is amazing. It might not be as flashy as the snakeoil that some of the alts are selling, but at least it has substance.

“Snakeoil” is a good word for many most the numeric vast majority of the alts.  As for “flashy”, I’d say that plenty of the current and potential future features in Bitcoin (and Lightning!) are exactly that.  However, unlike snakeoil, they take longer to develop than the fifteen-minute attention span of the average social media reader; also, they’re not being hyped promoted by armies of social media sockpuppet shills and, in this forum, signature-spammers.

Developing good ideas takes time.  Developing them into reliable implementations takes more time.  Patience is a forgotten virtue, and was never known at all to the peculiar brand of technical incompetents who enjoy tossing about Other People’s Money.

LoyceV
Legendary
*
Offline Offline

Activity: 1036
Merit: 1193


Howdy


View Profile
February 16, 2018, 03:33:48 PM
Merited by Foxpup (1), AGD (1), nullius (1)
 #19

Just my 2 Satoshis: I've disliked Ethereum ever since their one Unique Selling Point ("code is law" for smart contracts) got thrown out of the window after The DAO failed so hard they had to abandon their core principles and hardfork to get their money back. It proved that smart contracts are worthless if you don't understand them, which makes them worthless for almost everybody. In the case of The DAO, even the developers didn't understand the code, the only person who understood it was called "the attacker". Ironic!

I never expected Ethereum to go up in value this much after this fiasco. In my opinion, it would have been only logical to abandon the failed project. Many people didn't seem to care, and losing $500M within a year proves that once again.
Ethereum is now mainly used for ICO Token sales, which are almost exclusively very shady money grabbers. But greed wins from common sense over and over again.

Seeing how security and actual software engineering often comes as an afterthought, instead of serving as a fundamental requirement
Well said! PR is everything, create a token, a website, and a story, and people throw tens of millions of dollars at you!
Only a very small share of all cryptocurrencies put development first. Then again, it makes sense for the majority to only join crypto for quick cash. I'm really curious what will be the next phase in money grabbing, now that we've seen shitcoins, Token sales and hard forks.

nullius
Copper Member
Member
**
Offline Offline

Activity: 98
Merit: 432

@nym.zone


View Profile WWW
February 16, 2018, 04:10:08 PM
Merited by pebwindkraft (3)
 #20

This needs to be in a stickied FAQ somewhere:

Just my 2 Satoshis: I've disliked Ethereum ever since their one Unique Selling Point ("code is law" for smart contracts) got thrown out of the window after The DAO failed so hard they had to abandon their core principles and hardfork to get their money back. It proved that smart contracts are worthless if you don't understand them, which makes them worthless for almost everybody. In the case of The DAO, even the developers didn't understand the code, the only person who understood it was called "the attacker". Ironic!

In the abstract, what the so-called “attacker” did was no different than a smart lawyer finding a gaping loophole in a contract.  It was fully authorized use of a computer network in the exact manner which the network was declared to be intended.  Per the legally binding terms of the DAO:  “The terms of The DAO Creation are set forth in the smart contract code existing on the Ethereum blockchain at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413.  Nothing in this explanation of terms or in any other document or communication may modify or add any additional obligations or guarantees beyond those set forth in The DAO’s code.”

Following those terms was not an “attack”.  It most certainly was not a “theft”!  It was only the fully foreseeable result of declaring that “code is law”, and then writing low-quality code-law with unknown, unverifiable properties.  If you dare do that because you want a flashy media event with bucketloads of investor money suddenly pouring in, then prepare yourself for your doom by meditating on the cosmic (and comic) inevitable consequences:


This is why I am so enamoured with the Bitcoin Simplicity concept, which I linked to above.  It is serious research with the goal of producing mathematically provable contracts.  We need advanced smart contracts which have no code-loopholes, just as verifiably as “2+2=4” has no loopholes.  For in Bitcoin, code truly is law.  In Bitcoin, there shall never be the disgusting sham of a so-called “irregular state change”.  In Bitcoin, there is no central authority with the ability to mandate such a thing!

(I do think that centrally managed pretenders with mathematically unverifiable “smart” contracts are fully suitable for use as toys, such as CryptoKitties.)

I'm really curious what will be the next phase in money grabbing, now that we've seen shitcoins, Token sales and hard forks.

More of the same, probably for awhile.  The people who do such things are not very creative.

Pages: [1] 2 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!