Web: Quest System Exploit

Created on 1 May 2020 · 35 comments · Source: gitcoinco/web

Hello Gitcoiner!

Exploit:

_1) When you submit a wrong response, it returns the next question._

```
can_continue: false // wrong response
did_win: false
prize_url: false
question: { // it sends the next question
    question: "when Stellar network launched?"
    responses: [{answer: "2015"}, {answer: "2016"}]
    seconds_to_respond: 15
}
```

_2) When you fail the quest, you can replay it without waiting._
The Quest system doesn't check the skimming time, and you can replay a frozen quest.
So you can apply a brute-force attack to test all the responses and find the path to validate the quest. 3 minutes is enough to break a quest.

_3) Sybil attack with the referral system._
If you do exploit 2, you can save all the answers for all quests and apply a Sybil attack with a referral link to earn a lot of points.

Improvement:

  • Add a countdown timer for the end of the round.
  • Refresh the leaderboard more frequently, maybe a realtime leaderboard.

All 35 comments

this is awesome. thanks for the report!

⚡️ A tip worth 0.30000 ETH (64.37 USD @ $214.55/ETH) has been granted to @aneopsy for this issue from @owocki. ⚡️

Nice work @aneopsy! Your tip has automatically been deposited in the ETH address we have on file.

Thank you, happy to contribute to this wonderful community

bountying this now. acceptance criteria:

  1. disable referral rewards on quests
  2. fix 1) When you submit a wrong response, it returns the next question.
  3. fix 2) When you fail the quest, you can replay it without waiting.

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


__This issue now has a funding of 0.4 ETH (81.78 USD @ $204.44/ETH) attached to it.__

https://github.com/gitcoinco/web/issues/6576

here's how exactly to recreate the exploit

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


__Work has been started__.

These users each claimed they can complete the work by 4 weeks from now.
Please review their action plans below:

1) vporton has been approved to start work.

I can do it. Seems not hard. Please accept me.

Learn more on the Gitcoin Issue Details page.

I don't understand what of the following two is considered as a solution to Sybil attack:

  • Refresh the leaderboard more frequently, maybe a realtime leaderboard.
  • Disable referrals for quests.

Also:

  • "for the end of the round" - for the end of a quest, you mean?

Could you direct me where to read how to create a new Kudo for my local GitCoin installation?

Who can explain to me how I can recreate @aneopsy 's exploit from his first bullet point? What tools do you need? How can you reverse engineer the data like this? I would like to know more about this.

@sizzthehedgehog
Using the Gitcoin public API is enough (yep, not really public, but you can find it by inspecting the network tab in Chrome dev tools).
Something like this:
https://gitcoin.co/quests/74/learn-about-keycard
Get your csrftoken and sessionid, prepare your answer as @aneopsy posted above, and make a POST request.

Is there a good tutorial available? I am not familiar with how to get all this stuff and how to use the dev tool.

I got this bounty. Excuse me, again: Explain please:

  • What is a "round"?

@sizzthehedgehog

There is no tutorial for that; just using the internal API and Chrome dev tools is enough.
Like @dotrungkien said, create a POST request with the _csrftoken_ and _sessionid_ as cookies and you are good to go.

@vporton

Refresh the leaderboard more frequently, maybe a realtime leaderboard.
Disable referrals for quests.

These are not the solution for the Sybil attack; they are suggestions to improve the Quests System.

What is a "round"?

A round is a tournament of 4 months on the Quest system.

What to fix:

1) When you submit a wrong response, it returns the next question.
Just a condition to check: if the response is false, don't send the next question in the reply to the request.

2) When you fail the quest, you can replay it without waiting.
You can see here a simple method to recreate this bug: #6576
The main problem is that only the "front-end" checks if the quest is frozen; the "back-end" should check too, so just add a condition to check if the quest is frozen and don't accept a response while the quest is frozen.

3) Disable referral rewards on quests.
aka comment the code
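One way to apply the three fixes listed above on the server side, as an added example in Python that is not Gitcoin's code: the quest data, cooldown, point values, state store and function names are constructed placeholders, and progress is tracked per user on the server so the client cannot skip ahead.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Constructed sample quest (placeholder questions, not Gitcoin's data).
QUEST = {
    "id": 74,
    "cooldown": timedelta(minutes=10),  # replay lock after a failed attempt
    "questions": [
        {"question": "Q1 (constructed)", "responses": ["a", "b"], "correct": "b"},
        {"question": "Q2 (constructed)", "responses": ["c", "d"], "correct": "c"},
    ],
}
REFERRAL_REWARDS_ENABLED = False  # feature flag instead of deleting the referral code

@dataclass
class Attempt:
    index: int = 0                           # server-side progress through the quest
    frozen_until: Optional[datetime] = None  # set after a wrong answer

attempts: Dict[Tuple[str, int], Attempt] = {}  # stand-in for a DB table keyed by (user, quest)
points: Dict[str, int] = {}

def public_question(q: dict) -> dict:
    # Only the prompt and the choices leave the server, never the correct answer.
    return {"question": q["question"], "responses": [{"answer": r} for r in q["responses"]]}

def submit_answer(user: str, answer: str, now: datetime, referrer: Optional[str] = None) -> dict:
    state = attempts.setdefault((user, QUEST["id"]), Attempt())
    # Fix 2: the back end, not only the front end, enforces the freeze window.
    if state.frozen_until and now < state.frozen_until:
        return {"can_continue": False, "did_win": False, "error": "quest_frozen",
                "retry_after_seconds": int((state.frozen_until - now).total_seconds())}
    if answer != QUEST["questions"][state.index]["correct"]:
        # Fix 1: a wrong answer fails the attempt and reveals nothing about the next question.
        state.frozen_until = now + QUEST["cooldown"]
        state.index = 0
        return {"can_continue": False, "did_win": False, "question": None}
    state.index += 1
    if state.index < len(QUEST["questions"]):
        return {"can_continue": True, "did_win": False,
                "question": public_question(QUEST["questions"][state.index])}
    # Quest won: reset progress and award the player; referral payout only behind the flag (fix 3).
    state.index = 0
    points[user] = points.get(user, 0) + 10
    if referrer and REFERRAL_REWARDS_ENABLED:
        points[referrer] = points.get(referrer, 0) + 5
    return {"can_continue": False, "did_win": True, "question": None}
```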

So awesome! Great find!

Should the "pause" be between any two tests or only between two invocations of _the same_ test?

How big should this pause be?

What should be done with referrals for quests?

  1. Just don't award the referrals.

  2. Also don't display the referral link.

@vporton

Only between two invocations of the same quest.
This pause depends on the frozen time/skimming time of each quest; I don't know where you can find it, but the front end shows it on every quest, so it should be available on the quest object.

_What should be done with referrals for quests?_
The goal is to not reward a user if someone else wins a quest through a referral link.
Actually, if a user registered with your referral link wins a quest, you win some points, so you have to temporarily disable this.

Actually, if a user registered with your referral link wins a quest, you win some points, so you have to temporarily disable this.

@aneopsy Why "temporary"?

@vporton

Because actually it's possible to make a Sybil attack, but it should be resolved in a few months and maybe we will reactivate the referral system for the quests.
So it would be more useful to have the possibility to turn the referral system on/off instead of deleting it.
Also, the mission proposed by @owocki is to

disable referral rewards on quests

not delete it.

I solved this issue fully in https://github.com/gitcoinco/web/pull/6591

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


__Work for 0.4 ETH (85.1 USD @ $212.74/ETH) has been submitted by__:

  1. @vporton

@owocki please take a look at the submitted work:

  • PR by @vporton

@sebastiantf Hello from Gitcoin Core - are you still working on this issue? Please submit a WIP PR or comment back within the next 3 days or you will be removed from this ticket and it will be returned to an ‘Open’ status. Please let us know if you have questions!

  • [x] reminder (3 days)
  • [ ] escalation to mods (6 days)

Funders only: Snooze warnings for 1 day | 3 days | 5 days | 10 days | 100 days

Not sure @gitcoinbot

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


@sebastiantf due to inactivity, we have escalated this issue to Gitcoin's moderation team. Let us know if you believe this has been done in error!

  • [x] reminder (3 days)
  • [x] escalation to mods (6 days)

Funders only: Snooze warnings for 1 day | 3 days | 5 days | 10 days | 100 days

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


__Workers have applied to start work__.

These users each claimed they can complete the work by 2 months, 1 week ago.
Please review their action plans below:

1) jorropo has applied to start work _(Funders only: approve worker | reject worker)_.

Solving the part 1 is really easy, the part 2 might be harder (since it would probably be needed to store the time somewhere in the DB). For the part 3 I don't know how it would be possible to fix this without an identity verification system.

I'm up to solve part 1 (only send the next question if the answer was right).
And part 2 (store the last try end time in a database and wait for X amount of time to allows restart).

Learn more on the Gitcoin Issue Details page.

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


__Work has been started__.

These users each claimed they can complete the work by 2 months, 1 week ago.
Please review their action plans below:

1) jorropo has been approved to start work.

@jorropo Hello from Gitcoin Core - are you still working on this issue? Please submit a WIP PR or comment back within the next 3 days or you will be removed from this ticket and it will be returned to an ‘Open’ status. Please let us know if you have questions!

  • [x] reminder (3 days)
  • [ ] escalation to mods (6 days)

Funders only: Snooze warnings for 1 day | 3 days | 5 days | 10 days | 100 days

I'm not at home right now and I have a very bad intermittent connection; it takes about 7h just to download the repo (with depth 1) (but I don't have 7h of internet time available). Sorry, you will have to find someone else.

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


__This Bounty has been completed.__

Additional Tips for this Bounty:

  • owocki tipped 0.3000 ETH worth 119.49 USD to aneopsy.
