You are viewing a single comment's thread from:

RE: Who is nijeah?

in #witness-update7 years ago (edited)

There's something weird about it though. @nijeah tried 4 operations, first a -1Vest withdrawal, then a -2Vest, then -10 Billion, and finally -1 Trillion, which is way over the Vesting Fund of 391,231,329,807 Vests.

Not to shamelessly plug my stuff but, I emphasize this very detail here: https://steemit.com/steem/@jerc33/steem-blockchain-down-here-s-what-happened

Also, and not less important. No one just tries stuff like this and at these disastrous amounts (albeit negative amounts, sure) on a production environment. This is a completely irresponsible conduct for someone "just testing the system".

7 days to prepare and probably correct the error, instead of having to push all-nighters just because of the incompetence of a, presumably self-entitled "pen-tester".EDIT: The right approach would be. trying this in a testing environment, of course. But still disregarding that one, at a -1Vest withdrawal @nijeah had already all the information he/she needed to report it to @steemit directly. And by doing so, the SteemitDevs would have

I have a hard time believing this had other intents than malicious ones. Incompetence doesn't look like this.

Sort:  

Yes, I did notice the absurd increasing quantities. I understand the view that this is irresponsible, but don't know enough about coding to be able to say whether there was a better way to test this than live on-chain. Besides, the operation was started 7 days before, there should have been plenty of time to detect this anomaly and implement a fix before the blockchain froze. I'm sorry, but I expect the STEEM blockchain to be extremely robust. After 2 years of being live it should be able to handle something as basic as negative withdrawals.

That's easy, We're all humans. Every code-base, be it Google's, Microsoft's, Facebook's or wtv, has flaws like this waiting to be discovered. And some of those that have been discovered already are even dumber, like the empty password flaw on macOS, recently.

Of course, if this happened to some software I created the first thing I'd want to do after fixing it would be hide under a rock out of shame. I'm sure SteemitDevs feel the same way already.

About detecting though, that's tricky. You can't implement unit tests on problems you don't foresee. But as someone involved in pen-testing projects I have to say, the lack of communication on nijeah's part raises all kinds of red flags to me.

But, I'm of the opinion that Steemit failed miserably at one very important thing, the fact that it never organized a proper bug-bounty program like, for example EOS did, on hackerone.com . Like @isnochys said, there's even no proper testing environment and that's clearly dumb on their part. (@ned you need a testing-evn and bug-bounties on hackerone or bugcrowd or whatever. utopian doesn't count, it's a joke.)

Correction: Maybe there is a testing environment after all, according to @therealwolf