Skip to content

Instantly share code, notes, and snippets.

@icook
Created July 14, 2018 02:57
Show Gist options
  • Save icook/ba82a8c616ba2f0872d9f5a479aaaaac to your computer and use it in GitHub Desktop.
Save icook/ba82a8c616ba2f0872d9f5a479aaaaac to your computer and use it in GitHub Desktop.

This is a brief account of my experience reporting a critical bug in Amoveo on 7/8/2018.

Background

My name is Isaac Cook and I've been a developer in the cryptocurrency space since 2014. I've been developing web applications since 2003. I co-authored the open source SimpleCoin mining pool software and ran an auto-exchanging multi-pool for a few years, and then more recently designed/built/operate https://qtrade.io, a new exchange platform. I have a degree in Computer Science from University of Kansas.

Discovery

The qTrade platform will be supporting VEO in the near future, and as such I've been working to integrate our exchange software with Amoveo. We have a security requirement that transaction signing happens in a separate cluster from the rest of the site, and to support this with Amoveo we've developed a custom signing solution that creates raw Amoveo transactions. In the process of testing our software we created a transaction with a negative amount, which then caused an integer underflow on the recipients account balance. This underflow could be exploited to create large amounts of VEO.

Disclosure & Bounty

Given the severity of the bug I contacted Zack and inquired about a bounty program and proper disclosure channels. After some back and forth with the details Zack was able to replicate the bug and promptly paid a bounty of 30 VEO, which was more generous than I requested. In under 24 hours after replication the bug was patched and all mining pools were notified and running the new code.

Future Bounties

In the future I intend to do further security testing of VEO. With it supported on our exchange, a security flaw in VEO exposes us to risk as well. I plan to work with Zack in the future to resolve any concerns that we find, and it is my hope that a clear bounty program be outlined similar to the Ethereum Foundation's program to help encourage and support responsible disclosure.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment