10 sats \ 5 replies \ @random_ 31 Jan \ parent \ on: BOUNTY: HACK ME! Steal sats from the Bitcoin Mastermind Quiz (If You Can) bitdevs
You may also need to make sure that the admin cannot withdraw more sats than they own.
hey i think you and @Scroogey got this! I wish you all had taken longer : \
trying to lock this thing down has been a really frustrating experience but ah well. I'm learning.
I'm not sure who got this first or better. If you all want to pass me a btc address or LN address I will for sure send you both sats.
Nice work you all. I will fix the ^%$# thing and then you can try again
reply
I'm not sure who got this first or better.
@Scroogey definitely did a better job of explaining. He also identified some other critical bugs.
I was mostly gunning for the draining reward.
Thanks for issuing the challenge. I had a lot of fun.
Scroogey@coinos.io
Thank you, it was fun! :)
reply
deleted my previous comment because I linked to the wrong line
On the frontend, you have a function called handleUserPayout. This function works correctly, i.e. it will check the number of times a user has been paid out and return "better luck next time" if the number of remaining attempts is 0.
https://github.com/ealvar13/hd-quiz-bitcoin-rewards/blob/30817af5f53c4da9b7dce593f77e37762a0f5dbc/bitcoin-mastermind-rewards/includes/js/bitc_a_light_script.js#L261
However, the function sendPaymentRequest can be simulated by the user by making the same call directly to admin-ajax.php.
There is no check on the remaining number of attempts, unlike in handleUserPayout.
reply