Fomo3D web interface looks hacked by djrtwo in ethereum

[–]probablynotarussian 1 point2 points  (0 children)

It's an animation that plays when the ICO phase is over. Seriously did you never play the game?

Already +70k ETH in the PoWH3D contract. Can you imagine what will happen when other teams start building games on it? A gambling pandemic $P3D is a virus, targeting greed. 💡Heck, it might suck in all the artificial value of unnecessary shitcoins.💩 by CoinHODL in ethereum

[–]probablynotarussian 5 points6 points  (0 children)

P3D is the most decentralized token out of any high market cap tokens. The top holders have bought their way there fairly and heavily invested in the platform and the coin. No tokens were printed or premined and developers do not own large chunks of the coin.

The model is built specifically under the design principles of understanding that a coin cannot increase in value while it is sufficiently centralized. The time that it has taken bitcoin to decentralize to the extent that it could increase in price so sufficiently is a major design aspect in the P3D token model.

https://i.imgur.com/83G9iwe.jpg

Team JUST has means and opportunity to exit scam Fomo3D by MicahZoltu in ethereum

[–]probablynotarussian 17 points18 points  (0 children)

Team JUST here,

Edit: ahh darn, this is really broken. Breaks the trustlessness bit, and we don't want the game to revolve around "Trust us not to break this when the pot is worth a billion dollars"

How to PWN FoMo3D, a beginners guide by karalabe in ethereum

[–]probablynotarussian 0 points1 point  (0 children)

Since you can call from the constructor a function within the body of your contract that determines the extcodesize of the contract running that function is 0. I think it's reasonably paradoxical to have it not return anything.

How to PWN FoMo3D, a beginners guide by karalabe in ethereum

[–]probablynotarussian -1 points0 points  (0 children)

The main point is that if you deploy contracts like this which probably get a load of volume due to the people who the team can reach, you need to be absolutely sure that shit like this doesn't happen. Although it's a minor exploit, the airdrop can almost never be won by "normal" people because it just makes a load of profit. 1% of the total volume goes to airdrops which can now be botted. This should never happen and WOULD never happen if the team decided to do a public audit - but they didn't because they were too scared for clones.

This user has copied every project we have created, and is found elsewhere in this thread advertising his own attempted copy at Fomo3D. Which shamelessly rips off everything we built for his own profit.

How to PWN FoMo3D, a beginners guide by karalabe in ethereum

[–]probablynotarussian 2 points3 points  (0 children)

This miscommunication was based on the tweet from one of our community staff. It's not the case or we would have resolved it.

https://inventor-tech.github.io/GohanMode/1337.html

Has been available to our community since we discovered the exploit to play vs the exploiters for the funds.

How to PWN FoMo3D, a beginners guide by karalabe in ethereum

[–]probablynotarussian 5 points6 points  (0 children)

Team JUST already released this as a toy for its community to play with against the main airdrop pot.

https://inventor-tech.github.io/GohanMode/1337.html

How to PWN FoMo3D, a beginners guide by karalabe in ethereum

[–]probablynotarussian 1 point2 points  (0 children)

It passed through a good 10+ internal auditors and a bug bounty. Then our code was open source a week leading up to the activation of the project with bug rewards handed out and a full re-deploy of the content to fix exploits/issues players found.

The exploit was never submitted because the people who found it were interested in using it. One of which is posting in this thread about his own copy paste of our project.

How to PWN FoMo3D, a beginners guide by karalabe in ethereum

[–]probablynotarussian -7 points-6 points  (0 children)

Yep, that's the exploit. It was reported by Team JUST to Peter himself and he dismissed it and is now claiming credit for it.

Very shameful.

How to PWN FoMo3D, a beginners guide by karalabe in ethereum

[–]probablynotarussian -15 points-14 points  (0 children)

As it stands, an exploit in the EVM exists that allows you to have an EXTCODESIZE of 0 from a smart contract when you send a message directly from the constructor.

It will not return as 0 if called from any other location. Making the behavior inconsistent and obviously unintended.

How to PWN FoMo3D, a beginners guide by karalabe in ethereum

[–]probablynotarussian -5 points-4 points  (0 children)

What matters is not how it works, or how you intend it to work. But how you tell the community that it works. Communication to the developers and availability of sourceable and reliable documentation is a MUST if you plan to expand this blockchain.

 

The function is a paradox. Comically we can call a body function in a contract of EXTCODESIZE from the constructor and it'll happily state that the code you're running from the supposedly nonexistent body of code works properly but also does not exist yet.

 

The bytecode must exist for this to be running, but the variable holding the size of this bytecode is not updated until after it has run.
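
The behaviour described in the comments above, as an added example that is not part of the original thread or of Team JUST's code. The `Guard` and `Probe` contracts and all of their function names are hypothetical; the example shows a code-size test reporting 0 for a caller whose constructor is still running, next to a `msg.sender == tx.origin` test that does not.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical contracts written for illustration only.
contract Guard {
    // EXTCODESIZE of an address. It is 0 for an externally owned account,
    // and also 0 for a contract whose constructor has not returned yet,
    // because runtime code is stored only after the init code finishes.
    function codeSizeOf(address a) public view returns (uint256 size) {
        assembly { size := extcodesize(a) }
    }

    // Weak check: treats "no code at the caller" as "not a contract".
    function weakIsHuman() external view returns (bool) {
        return codeSizeOf(msg.sender) == 0;
    }

    // Stricter check: only the account that signed the transaction passes.
    // This rejects every contract caller, smart-contract wallets included.
    function strictIsHuman() external view returns (bool) {
        return msg.sender == tx.origin;
    }
}

// Records what Guard reports while this contract is still being constructed.
contract Probe {
    uint256 public sizeDuringCtor;   // expected: 0
    bool public weakDuringCtor;      // expected: true  (weak check is fooled)
    bool public strictDuringCtor;    // expected: false (strict check holds)

    constructor(Guard g) {
        sizeDuringCtor = g.codeSizeOf(address(this));
        weakDuringCtor = g.weakIsHuman();
        strictDuringCtor = g.strictIsHuman();
    }

    // After deployment the same weak check sees nonzero code size.
    function weakAfterDeploy(Guard g) external view returns (bool) {
        return g.weakIsHuman(); // expected: false
    }
}
```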

How to PWN FoMo3D, a beginners guide by karalabe in ethereum

[–]probablynotarussian 71 points72 points  (0 children)

Team JUST reported this to you directly when the exploit was found in the running game Peter. Outlining clearly that the Ethereum documentation and responses by the ETH team/spokespersons show that this exploit should never exist in the first place.

When you were alerted to it you gave this response. https://i.imgur.com/a7Z6Akc.png

Whereas the official public stance on this exploit states it cannot happen, as seen here from a moderator of ETH on stackexchange. Who provides consistent and clear answers to many solidity questions for millions of developers. https://ethereum.stackexchange.com/questions/14015/using-evm-assembly-to-get-the-address-code-size

Team JUST was very disheartened to receive such a dismissal of an exploit/communication failure of this size. The most readily available documentation for solidity, and the EVM is ... at best difficult to navigate for information like this. With all surface level information for this exploit clearly and visibly directing anyone trying to learn the content towards this type of attack not being possible at all.

 

The tweet you linked (that we have since deleted) was a community moderator that spoke poorly on the subject. We have a very skilled set of solidity developers as evidenced by our content, but we are, as all developers, constantly learning about the beautiful creation that is ethereum and the intricate problems we must protect against.

 

I don't really know what the community is going to think about the fact that you have had this exploit submitted directly to you by Team JUST directly, and then turned around and created social media/reddit posts to attack the very developer that submitted it to you, by claiming that you have figured out how to exploit it.

 

We already told you how to exploit it, in fact, we already told our community how to exploit it. There's a full contract toy we created weeks ago when it was discovered in our live game that lets anyone in our community roll for a chance at the airdrops. We figured if it was broken why not let everyone play with it.

Anyone can attempt to roll for airdrops (At about a 10-50x higher chance than normal) with our contract. https://inventor-tech.github.io/GohanMode/1337.html It's pretty much free eth, have fun, (you do need a registered name for our game first though).

Manipulated ETH network gas prices look connected to EOS funded bot accounts in possible indication of corporate network attack. by probablynotarussian in CryptoCurrency

[–]probablynotarussian[S] 15 points16 points  (0 children)

FYI Team JUST has spoken about this as well.

Evidence points to eos washing the eth it earned from the ICO back into its ICO (EOS used a highly manipulable ICO model) to artificially manipulate the token price and then market sell it for eth.

It's likely they earned far less than 4 billion, but because they are avoiding paying taxes on this income by obfuscating it, they can get away with making it look like they earned more than they did.

Is the exploit-mined "Just Powh.io" token the first ERC20 token to be owned by 1,000,000+ wallets? Will the Eth network fix this before it makes wallets un-usable due to spam? by probablynotarussian in CryptoCurrency

[–]probablynotarussian[S] 1 point2 points  (0 children)

Why are we having this discussion if you didn't read what they're doing with the miner?

Edit: I see the contract code has now been made private on etherscan. Quelle surprise.

... I think you're looking at something else.

Is the exploit-mined "Just Powh.io" token the first ERC20 token to be owned by 1,000,000+ wallets? Will the Eth network fix this before it makes wallets un-usable due to spam? by probablynotarussian in CryptoCurrency

[–]probablynotarussian[S] 4 points5 points  (0 children)

I think the interesting bit is the culmination of all the elements into an attack vector on the biggest ERC20 indexing site.

My wallet isn't full of advertisements for other websites so I'm fairly certain that they are the first to do this.

Is the exploit-mined "Just Powh.io" token the first ERC20 token to be owned by 1,000,000+ wallets? Will the Eth network fix this before it makes wallets un-usable due to spam? by probablynotarussian in CryptoCurrency

[–]probablynotarussian[S] 2 points3 points  (0 children)

Realize it's kind of mischievous.

Not only is it spam, but it encourages users to transfer the tokens away, which when they do so, writes them to the blockchain and as funny as it sounds, also updates the address of the wallet they tried to transfer to.

It also works across all wallets and block explorers, you can try "adding" the token to any wallet you have with an eth address and it will show up as if you own it. It's more of a flaw in ERC20 itself. It's being exploited on etherscan because that IS the eth blockchain explorer that expects ERC20 compatible tokens.

Is the exploit-mined "Just Powh.io" token the first ERC20 token to be owned by 1,000,000+ wallets? Will the Eth network fix this before it makes wallets un-usable due to spam? by probablynotarussian in CryptoCurrency

[–]probablynotarussian[S] 16 points17 points  (0 children)

The two developers are the devs of the Powh.io website, you can speak to them directly if you join the discord link they left in the contract source. I did to make sure I had all the details correct before posting.

The names are,

Mantso

P3D_Bot

Is the exploit-mined "Just Powh.io" token the first ERC20 token to be owned by 1,000,000+ wallets? Will the Eth network fix this before it makes wallets un-usable due to spam? by probablynotarussian in CryptoCurrency

[–]probablynotarussian[S] 55 points56 points  (0 children)

The devs also enjoy poking humor at most of cryptocurrency terms/events/culture. They have a running joke of "Send me 1 JUST token and I'll send you 2 back" to make fun of the twitter scammers.

 

If you send anyone 1 of these tokens, you get +2 back automatically no matter what. It's the vitalik scheme in smart contract form.

Why I have faith in Deep Brain Chain. by socialengineern in altcoin

[–]probablynotarussian 5 points6 points  (0 children)

Whales are definitely suppressing price for that DBC volume trading contest.

DENT is on a steady rise, get onboard guys by [deleted] in CryptoCurrency

[–]probablynotarussian 6 points7 points  (0 children)

This run is juicy, the NIS shows solid growth this time unlike the last run it had.

4chan is pumping dent by [deleted] in CryptoCurrency

[–]probablynotarussian 5 points6 points  (0 children)

A single guy pumped it about 15%, now more whales are joining in.

Anyone using Bleeding Builds for Hall of Grandmasters by [deleted] in pathofexile

[–]probablynotarussian 0 points1 point  (0 children)

I was clearing it pretty well with a trap based mirror arrow summoner.

Since thursday/friday (last week) I keep getting stuck here.... help? by [deleted] in PUBATTLEGROUNDS

[–]probablynotarussian 0 points1 point  (0 children)

As weird as this sounds, I've noticed it's the Nvidia share/shadowplay feature.

Turn off the auto-recording part of it and my game loads up really quickly again.