
Topic: HackerGold (HKG) has a SERIOUS bug (Read 904 times)

newbie
Activity: 31
Merit: 0
April 13, 2018, 04:48:38 AM
#8
"Ether.Camp’s HKG Token Has A Bug And Needs To Be Reissued
Ether.Camp’s Hacker Gold Token (HKG) was found to have a bug in it. The bug is serious enough that the contract will need to be rewritten, and the tokens reissued.

According to Ether.Camp’s white paper, their Hacker Gold token (HKG) isn’t primarily a store of value, it acts more as a reputation marker. HKG tokens were issued during the incubation period of the Ether.Camp Hackathon competition and they allowed interested parties to buy other tokens of individual startups. However, it was just discovered that the HKG token’s contract code happens to have a bug in it.

The bug was only recently discovered by Zack Coburn, a developer whose main projects are Etherboost, a decentralized trading hub, and FirstBlood, an Ethereum eSports rewards platform. After getting in contact with Ether.Camp’s CEO & Founder Roman Mandeleil, Coburn was asked to submit a vulnerability report on GitHub, which can be viewed here (https://github.com/ether-camp/virtual-accelerator/issues/8).

The bug was found in the transferFrom() function of the HKG token contract. Exploiting this vulnerability would allow a bad actor to reset an account balance. This bug is significant enough to warrant a reissuing of HKG tokens after a fix is made. The entire vulnerability was made possible because of a minuscule snippet of code that read “=+” instead of “+=.” Vitalik Buterin himself chimed in on a reddit discussion about the bug, writing:

Quote
IMO this is a matter of language unintuitiveness; =+ should not be legal. I'll be checking Serpent and Viper for this. One way an FV checker could have prevented this though if it was standard for currencies to include an invariant that the total supply never changes.

There is a need for a smart contract audit certification process to ensure audits really have been carried out, at least for all known bugs and vulnerabilities, and that the deployed code is actually the audited code. At present, it's difficult for non-devs to assess the quality of smart contracts.

In the vulnerability report, the recommended fix is to create a new HKG contract that corrects the bug, as well as restores all account balances to what they were before the bug reared its ugly head. Dapps that internally track the balances of HKG will need to be taken into account, while exchanges and token holders will also need to be notified about any new token contract. Because the flawed StandardToken code that initially created the HKG token was used to create all hack.ether.camp team tokens, those tokens are affected as well.

ETHNews reached out to Ether.Camp, but they declined to comment while work is underway to fix the flaw. We may expect to hear from them about this developing story in a few days.

Originally, Zeppelin had performed an audit of the HKG token code and found no severe security problems. This only serves to show how sneaky even the smallest bugs can be, even surviving a public code audit. Ultimately, this speaks to the importance of using proven code and performing rigorous tests when writing smart contracts.

The entire blockchain ecosystem suffers when situations like this reflect insecurities. Bugs are always going to plague computer code, but when found in such a fledgling field, they are scrutinized and can cause skepticism. To ensure the safety and reliability of any code written, it’s important to follow industry standard best practices. When Ethereum encounters a bug, investors may get nervous, but as developers continue learning from their mistakes and others’, the system as a whole becomes stronger and more resilient, leading to a more secure Ethernet ecosystem in the end.

Source: https://www.ethnews.com/ethercamps-hkg-token-has-a-bug-and-needs-to-be-reissued
sr. member
Activity: 826
Merit: 284
June 19, 2017, 06:08:52 AM
#7
When Roman comes back, HKG will rise to 100m

=)

But seriously?
Is the project alive?
Will the project live?

Where is Roman?
member
Activity: 206
Merit: 10
June 19, 2017, 05:19:52 AM
#6
When Roman comes back, HKG will rise to 100m
sr. member
Activity: 826
Merit: 284
June 19, 2017, 05:06:00 AM
#5
What's with hack.ether.camp now?

I can not enter it ...
hero member
Activity: 1876
Merit: 512
February 03, 2017, 04:37:52 AM
#4
A lot of flaws were detected in this project before the ICO and the developer seems to neglect them. I really don't understand what differentiates this project from other DAO-like projects. I just hope the bug is resolved soon.
legendary
Activity: 1540
Merit: 1011
FUD Philanthropist™
February 03, 2017, 01:17:42 AM
#3
I'd dip my penis into a fucking wood chipper before I test cocky "smart contract" code from kids.

..sounds like another "Scheme Coin" and not a good one.

Would be nice if these geniuses asked themselves.. does my coin project fill a "NEED" or solve a Problem etc.

..on Bittrex ? The buggy code or ?
hero member
Activity: 970
Merit: 500
February 02, 2017, 11:19:36 PM
#2
legendary
Activity: 1960
Merit: 1176
@FAILCommunity
January 08, 2017, 09:51:02 AM
#1
"Ether.Camp’s HKG Token Has A Bug And Needs To Be Reissued
Ether.Camp’s Hacker Gold Token (HKG) was found to have a bug in it. The bug is serious enough that the contract will need to be rewritten, and the tokens reissued.

According to Ether.Camp’s white paper, their Hacker Gold token (HKG) isn’t primarily a store of value, it acts more as a reputation marker. HKG tokens were issued during the incubation period of the Ether.Camp Hackathon competition and they allowed interested parties to buy other tokens of individual startups. However, it was just discovered that the HKG token’s contract code happens to have a bug in it.

The bug was only recently discovered by Zack Coburn, a developer whose main projects are Etherboost, a decentralized trading hub, and FirstBlood, an Ethereum eSports rewards platform. After getting in contact with Ether.Camp’s CEO & Founder Roman Mandeleil, Coburn was asked to submit a vulnerability report on GitHub, which can be viewed here (https://github.com/ether-camp/virtual-accelerator/issues/8).

The bug was found in the transferFrom() function of the HKG token contract. Exploiting this vulnerability would allow a bad actor to reset an account balance. This bug is significant enough to warrant a reissuing of HKG tokens after a fix is made. The entire vulnerability was made possible because of a minuscule snippet of code that read “=+” instead of “+=.” Vitalik Buterin himself chimed in on a reddit discussion about the bug, writing:

Quote
IMO this is a matter of language unintuitiveness; =+ should not be legal. I'll be checking Serpent and Viper for this. One way an FV checker could have prevented this though if it was standard for currencies to include an invariant that the total supply never changes.

In the vulnerability report, the recommended fix is to create a new HKG contract that corrects the bug, as well as restores all account balances to what they were before the bug reared its ugly head. Dapps that internally track the balances of HKG will need to be taken into account, while exchanges and token holders will also need to be notified about any new token contract. Because the flawed StandardToken code that initially created the HKG token was used to create all hack.ether.camp team tokens, those tokens are affected as well.

ETHNews reached out to Ether.Camp, but they declined to comment while work is underway to fix the flaw. We may expect to hear from them about this developing story in a few days.

Originally, Zeppelin had performed an audit of the HKG token code and found no severe security problems. This only serves to show how sneaky even the smallest bugs can be, even surviving a public code audit. Ultimately, this speaks to the importance of using proven code and performing rigorous tests when writing smart contracts.

The entire blockchain ecosystem suffers when situations like this reflect insecurities. Bugs are always going to plague computer code, but when found in such a fledgling field, they are scrutinized and can cause skepticism. To ensure the safety and reliability of any code written, it’s important to follow industry standard best practices. When Ethereum encounters a bug, investors may get nervous, but as developers continue learning from their mistakes and others’, the system as a whole becomes stronger and more resilient, leading to a more secure Ethernet ecosystem in the end.

Source: https://www.ethnews.com/ethercamps-hkg-token-has-a-bug-and-needs-to-be-reissued
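An added example, not part of the quoted article or of any post in this thread and not the HKG contract source: a small Python model of a token ledger showing how "=+" overwrites a balance where "+=" would add to it, and how the total-supply invariant mentioned in the Buterin quote flags the error. The class, account names, amounts and the choice of which statement carries the typo are assumptions made for illustration.

```python
# Constructed model of a token ledger; names and amounts are illustrative.
class Token:
    def __init__(self, balances, buggy):
        self.balances = dict(balances)
        self.allowed = {}  # (owner, spender) -> remaining allowance
        self.total_supply = sum(balances.values())
        self.buggy = buggy

    def approve(self, owner, spender, value):
        self.allowed[(owner, spender)] = value

    def transfer_from(self, spender, src, dst, value):
        key = (src, spender)
        if value <= 0 or self.balances.get(src, 0) < value:
            return False
        if self.allowed.get(key, 0) < value:
            return False
        if self.buggy:
            # The typo: "=+" parses as "= (+value)", so the recipient's
            # previous balance is overwritten instead of increased.
            self.balances[dst] =+ value
        else:
            self.balances[dst] = self.balances.get(dst, 0) + value
        self.balances[src] -= value
        self.allowed[key] -= value
        return True

    def supply_invariant_holds(self):
        # Invariant from the quote: transfers never change total supply.
        return sum(self.balances.values()) == self.total_supply


def run_scenario(buggy):
    """Run one approved transfer and report (ok, recipient balance, invariant)."""
    token = Token({"alice": 100, "bob": 500}, buggy)
    token.approve("alice", "carol", 10)
    ok = token.transfer_from("carol", "alice", "bob", 10)
    return ok, token.balances["bob"], token.supply_invariant_holds()


if __name__ == "__main__":
    print("with '=+':", run_scenario(buggy=True))
    print("with '+=':", run_scenario(buggy=False))
```

Asserting `supply_invariant_holds()` after every state-changing call in a test suite turns this class of typo into a failing test rather than something a reviewer has to spot by eye.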