10 sats \ 15 replies \ @random_ 31 Jan \ on: BOUNTY: HACK ME! Steal sats from the Bitcoin Mastermind Quiz (If You Can) bitdevs
deleted by author
You may also need to make sure that the admin cannot withdraw more sats than they own.
reply
Hey, I think you and @Scroogey got this! I wish you all had taken longer : \
trying to lock this thing down has been a really frustrating experience but ah well. I'm learning.
I'm not sure who got this first or better. If you all want to pass me a btc address or LN address I will for sure send you both sats.
Nice work you all. I will fix the ^%$# thing and then you can try again
reply
Scroogey@coinos.io
Thank you, it was fun! :)
reply
Done! Thanks again for testing I appreciate it. I'm going to fix this up and then you can try again in a couple of weeks : )
Got it mate! I'll send sats today. Didn't mean to worry you with the delay. I appreciate it!
reply
reply
@random_ that LN address isn't working for me. Do you have any others or want to send an on-chain address? Lmk. I appreciate your testing.
reply
reply
Sent! You are welcome. When I've revamped some of this I'll post another bounty : )
Thank you amigo! I appreciate it and will send you sats today : )
reply
deleted my previous comment because I linked to the wrong line
On the frontend, you have a function called handleUserPayout. This function works correctly, i.e. it will check the number of times a user has been paid out and return better luck next time if the number of remaining attempts is 0.
https://github.com/ealvar13/hd-quiz-bitcoin-rewards/blob/30817af5f53c4da9b7dce593f77e37762a0f5dbc/bitcoin-mastermind-rewards/includes/js/bitc_a_light_script.js#L261
However, the function sendPaymentRequest can be simulated by the user by making the same call directly to admin-ajax.php.
There is no check on the remaining number of attempts compared to the handleUserPayout.
reply
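The gap described in the comment above, as an added example that is not part of the original thread or the plugin's code: a constructed JavaScript model in which the payout handler either trusts the frontend's attempts check or enforces the attempt limit and the available balance itself. Every name except handleUserPayout and sendPaymentRequest is hypothetical, and the limit of two payouts and the request-supplied amount are assumptions.

```javascript
// Constructed model, not the plugin's code. MAX_ATTEMPTS is an assumed limit.
const MAX_ATTEMPTS = 2;

// enforce=false: handler trusts the caller (the behaviour reported in the thread).
// enforce=true:  handler re-checks everything before paying.
function makeServer(balanceSats, enforce) {
  const paidCount = new Map(); // server-side payout count per user
  return {
    balance: () => balanceSats,
    attemptsUsed: (userId) => paidCount.get(userId) || 0,
    // Stands in for the AJAX action that the frontend's sendPaymentRequest calls.
    sendPayment(userId, amountSats) {
      const used = paidCount.get(userId) || 0;
      if (enforce) {
        if (!Number.isInteger(amountSats) || amountSats <= 0) {
          return { ok: false, reason: 'bad amount' };
        }
        if (used >= MAX_ATTEMPTS) {
          return { ok: false, reason: 'no attempts left' };
        }
        if (amountSats > balanceSats) {
          return { ok: false, reason: 'insufficient funds' };
        }
      }
      paidCount.set(userId, used + 1);
      balanceSats -= amountSats;
      return { ok: true };
    },
  };
}

// Frontend path: the attempts check exists only in the browser code.
function handleUserPayoutModel(server, userId, amountSats) {
  if (server.attemptsUsed(userId) >= MAX_ATTEMPTS) {
    return { ok: false, reason: 'better luck next time' };
  }
  return server.sendPayment(userId, amountSats);
}

// Regression check: send n requests to the handler without the frontend
// check in front of it and count how many are paid.
function countPaidWithoutFrontend(server, userId, amountSats, n) {
  let paid = 0;
  for (let i = 0; i < n; i++) {
    if (server.sendPayment(userId, amountSats).ok) paid++;
  }
  return paid;
}
```

With enforcement on, the count of paid requests never exceeds the limit and the balance never goes negative, whichever path the request takes.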