Posts

Why was LeoFinance Down For So Long? + miner attack vector

avatar of @edicted
25
edicted
@edicted
·
·
0 views
·
4 min read

Scotbot crashed!

Dafuk is Scotbot?

Scotbot is the technology/server that was invented to run SteemEngine. When Steem was attacked and we were forced to create Hive, HiveEngine was born. Scotbot now runs both these services.

Rumor has it Scotbot ate shit yesterday because no one renewed the domain name "steem-engine.com". Hilarious right? Don't even care enough about Steem to renew the domain. Har har.

Yeah well, Scotbot crashing not only wrecks SteemEngine but HiveEngine as well. It's a classic case of centralization. It's cheaper for the Scotbot server to run both networks, but that gain comes at the loss of the obvious vulnerability vector we witnessed yesterday.

It also shouldn't have taken that long to fix, but apparently they refused to work on Sunday? Day of rest and all that. Not very professional if you ask me but that's what you get when dealing wish such small-scale operations.

So why does this affect LeoFinance.io?

Unfortunately, LEO is also a fully centralized tiny community, so building everything from scratch is somewhat out of the question at the moment. LEO servers connect to the Scotbot server and rely on it for a lot of information. A failure of Scotbot to communicate with LEO means leofinance.io will not operate correctly.

Math.random()

Even more concerning than all these dependences are the way that HiveEngine coins are "mined" using the mining tokens. I recently found out that this process actually is "random". Up until now I just assumed that miners generated a known set of pre-determined inflation. In reality, miners have a chance to "mine" coins just like real POW mining.

Why is this bad?

Because real mining actually is random and these fake miners are not. Scotbot is generating random numbers (probably in some super basic-bitch way like JavaScript's Math.random() function) to determine who wins which rewards.

The reason I assumed it did not work this way is because this is the stupidest fucking idea ever ever. Scotbot is closed-source, so we already don't know how things happen behind the scenes. Absolutely nothing stops admins from accessing that server, modifying the random number generator, and gifting themselves free tokens. Worst of all, this kind of cheating would go completely undetected and unchecked.

Theoretically, Scotbot admins could create any HiveEngine token out of thin air and gift it to themselves, but this kind of cheating is blatant and detectible. Meanwhile, virtual mining needlessly adds an absolutely devastating attack vector to the protocol that has no reason to exist. The only reason why it should exist this way is to make it possible to cheat, and perhaps to make it look a tiny bit more similar to actual POW mining (pointless).

If HiveEngine miners simply generated a pre-determined amount of inflation, this attack vector would not exist.

With actual POW mining, the networks know for a fact that no one can cheat. The only way to win is for mining equipment to find the winning lotto ticket hash that has the correct number of leading zeros. Imagine trying to roll a die twenty times in a row and have it roll the same number every time. It's exactly like that, except provable on a worldwide scale.

Meanwhile, Scotbot generates all these random numbers locally, and no one knows how they are generated. Super shady shit that should not exist and has no reason to exist.

Breakaway

Not to worry. The chance that this kind of cheating is actually going on is low. I wish I wasn't such a scrub and I had some nodes of my own running to see who owns which miners and the distribution of inflation... because in all likelihood the statics are probably well within acceptable limits. Maybe someone more important can attest to that.

Regardless, it's happenstances like this that slowly force LEOfinance to break away from the system in which it was created and forge its own path. Scotbot is simply a bootstrap solution until we come up with something better. That was the whole point, after all... get something up and running until we can swap over to SMTs and get these tokens validated by actual witnesses.

Until then we just have to continue the grind and hope for the best. This Scotbot crash is a pretty big setback, as it rudely points out how dependent we are on centralized services. As far as development is concerned, there are always important priority decisions to be made.

Priorities!

Do we continue pushing forward with outward facing development, trying to attract new users and investors, or do we take a step back and clean up the mess we've made behind us? There are arguments to be made on both sides, but when Scotbot crashes and everyone realizes LeoFinance.IO can crash for 24 hours with zero recourse... obviously that is not acceptable and pushes up the timetables to become more independent, away from Scotbot.

Apparently last night @themarkymark figured out some kind of solution to get his STEM token back up and running and was looking to get LEO up and running as well. Perhaps he'll be sharing with the class in the near future.

Posted Using LeoFinance Beta