I'm not arguing whether the pay-to-post mechanism would work, I'm questioning how you prove a post was paid for?
Like, this comment could have been free for me to make because I have special privileges. How can you prove otherwise?
Who's to say the bots will be subject to the same rules as humans? (how do you prove the post was paid for?)
And even if bots are subject to the same rules, they may still get preferential treatment by the algorithm. Or simply game the algorithm better than a human can.
There is no escape.
Life is good!
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
But it could be better.
(made you scroll)
I'm not sure who got this first or better.
@Scroogey definitely did a better job of explaining. He also identified some other critical bugs.
I was mostly gunning for the draining reward.
Thanks for issuing the challenge. I had a lot of fun.
Courtesy of @ealvar39
deleted my previous comment because I linked to the wrong line
On the frontend, you have a function called handleUserPayout. This function works correctly, i.e. it will check the number of times a user has been paid out and return better luck next time if the number of remaining attempts is 0.
https://github.com/ealvar13/hd-quiz-bitcoin-rewards/blob/30817af5f53c4da9b7dce593f77e37762a0f5dbc/bitcoin-mastermind-rewards/includes/js/bitc_a_light_script.js#L261
However, the function sendPaymentRequest can be simulated by the user by making the same call directly to admin-ajax.php.
There is no check on the remaining number of attempts compared to the handleUserPayout.
(for some reason the script gets cut off, replacing with a pastebin)
- open the networks tab, study the ajax commands
These two were interesting: #871344
- right click, 'copy as curl'
- paste into https://sqqihao.github.io/trillworks.html
- copy into python script
- edit as necessary
- run
The nonce was the same for me as #871344
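
The missing server-side check reported in this thread, as an added example that is not the plugin's code: an in-memory model of the payout endpoint with the unchecked handler beside one that enforces the attempt limit itself. `makeServer`, `MAX_PAYOUTS`, `payoutCounts`, `payInvoice`, `replay` and the `Unchecked`/`Checked` suffixes are hypothetical names, and the limit of 2 is a constructed value.

```javascript
// Illustrative model only; names and the limit are assumptions, not the plugin's.
const MAX_PAYOUTS = 2;

function makeServer() {
  const payoutCounts = new Map(); // userId -> payouts already granted
  const paid = [];                // record of payments the server "sent"
  const payInvoice = (userId, sats) => { paid.push({ userId, sats }); };

  return {
    paid,
    // Before: assumes the browser only calls this when attempts remain,
    // so any direct request to the endpoint is paid.
    sendPaymentRequestUnchecked(userId, sats) {
      payInvoice(userId, sats);
      payoutCounts.set(userId, (payoutCounts.get(userId) || 0) + 1);
      return { ok: true };
    },
    // After: the limit is enforced in the handler that moves the money.
    sendPaymentRequestChecked(userId, sats) {
      const used = payoutCounts.get(userId) || 0;
      if (used >= MAX_PAYOUTS) {
        return { ok: false, error: "no payout attempts remaining" };
      }
      // Reserve the attempt before paying so a repeated or failed
      // request cannot reuse it.
      payoutCounts.set(userId, used + 1);
      payInvoice(userId, sats);
      return { ok: true };
    },
  };
}

// Sends the same request n times, the way a caller that skips the
// frontend check would, and counts how many the server accepted.
function replay(handler, userId, n) {
  let accepted = 0;
  for (let i = 0; i < n; i++) {
    if (handler(userId, 10).ok) accepted++;
  }
  return accepted;
}
```

In a real deployment the count lives in persistent storage and the check-and-increment has to be atomic, otherwise concurrent requests can pass the check together.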