A catchy title is important, but even more important is the wealth of Steem-based applications. To make progress they need Steem Power. There are several ways to gain it, but the most efficient is to use a property provided by the Steem blockchain itself - beneficiaries. I found a way to break this system at Utopian.io. Don't worry, I reported it and it has been fixed.
In case you don't know what the beneficiaries property is about, it enables developers to specify an account which receives a percentage of author rewards set by them.
When you publish a contribution on Utopian.io it automatically sets the beneficiaries account to utopian.pay and the beneficiaries weight to 25%.
However, Utopian uses the Steem blockchain, so you can publish a post from a number of different interfaces or even publish it yourself.
That's what I was trying to do and I found a bug in the system which enabled me to be rewarded by the Utopian bot without needing to share the rewards with utopian.pay. If you are interested in how I managed to do so, read the rest of the post ;)
Expected behavior
The Utopian API shouldn't let me add a post to the Utopian database if it doesn't have beneficiaries for utopian.pay specified.
Actual behavior
I was able to cheat the Utopian API and add a post without beneficiaries.
How to reproduce
Well, it isn't possible to do so at the moment (unless you set up an old version of the Utopian API on your local machine).
But let me tell you how I did it:
- I broadcast a post to the Steem blockchain using SteemConnect. The crucial step was to fake the Utopian behavior, so I added Utopian-related information to the json_metadata (community: utopian etc.):
{
"operations": [
[
"comment", {
"parent_author": "",
"parent_permlink": "utopian-io",
"author": "jakipatryk-dev",
"permlink": "wawrdfd-fsdffdsfds",
"body": "### Component \n Very important component! \n \n ### Proposal \n Also really important. \n \nI'm testing Utopian security against abuse so don't worry about this post.",
"title": "There should be a very important feature!",
"json_metadata": "{\"community\":\"utopian\",\"app\":\"utopian\/1.0.0\",\"format\":\"markdown\",\"repository\":{\"id\":76603770,\"name\":\"steemconnect\",\"full_name\":\"steemit\/steemconnect\",\"html_url\":\"https:\/\/github.com\/steemit\/steemconnect\",\"fork\":false,\"owner\":{\"login\":\"steemit\"}},\"pullRequests\":[],\"platform\":\"github\",\"type\":\"ideas\",\"tags\":[\"utopian-io\",\"test\",\"test2\",\"test3\",\"test4\"],\"users\":[\"jakipatryk-dev\"],\"image\":[\"https:\/\/images.unsplash.com\/photo-1515683359900-6922e4964be1?ixlib=rb-0.3.5&ixid=eyJhcHBfaWQiOjEyMDd9&s=87dd134f90a2487ec9f0d8ea633357cc&auto=format&fit=crop&w=1950&q=80\"]}"
}
]
]
}
- I used the PostFix3000 service made by Utopian to add this post to the Utopian database (I could have hit the Utopian API endpoint directly; it doesn't matter, though).
- I had a contribution which could possibly get a high upvote but wouldn't share this reward with Utopian!
Solution
I want to thank @jestemkioskiem for the ability to test this without getting a permaban on Utopian and for all the essential information. I would also like to mention @wehmoen, who solved this issue immediately after I reported it!
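The expected behavior above amounts to a server-side admission check on the post's on-chain beneficiaries rather than on its author-written json_metadata. The sketch below is an added example, not Utopian's code or the actual fix; it assumes the post object has the shape of a Steem `get_content` result with a `beneficiaries` array whose weights are in basis points, and the function names and sample posts are constructed for illustration.

```javascript
// Added example. Assumption: `post` is shaped like a Steem get_content result,
// where `beneficiaries` is [{ account, weight }] and weight is in basis points.
const REQUIRED_ACCOUNT = 'utopian.pay';
const REQUIRED_WEIGHT = 2500; // 25% (10000 = 100%)

function checkBeneficiaries(post) {
  const list = Array.isArray(post.beneficiaries) ? post.beneficiaries : [];
  const entry = list.find((b) => b && b.account === REQUIRED_ACCOUNT);
  if (!entry) {
    return { ok: false, reason: 'missing beneficiary ' + REQUIRED_ACCOUNT };
  }
  if (!Number.isInteger(entry.weight) || entry.weight < REQUIRED_WEIGHT) {
    return { ok: false, reason: 'beneficiary weight below ' + REQUIRED_WEIGHT };
  }
  return { ok: true, reason: 'ok' };
}

function admitPost(post) {
  // json_metadata is written by the author, so it only shows what the post
  // claims to be. It is never evidence that rewards are shared.
  let meta;
  try {
    meta = JSON.parse(post.json_metadata || '{}');
  } catch (e) {
    return { ok: false, reason: 'invalid json_metadata' };
  }
  if (!meta || typeof meta !== 'object' || meta.community !== 'utopian') {
    return { ok: false, reason: 'not a utopian post' };
  }
  return checkBeneficiaries(post);
}

// Constructed sample posts (not real chain data).
const utopianMeta = JSON.stringify({ community: 'utopian', app: 'utopian/1.0.0' });
const spoofedPost = { author: 'alice', json_metadata: utopianMeta, beneficiaries: [] };
const legitPost = {
  author: 'bob',
  json_metadata: utopianMeta,
  beneficiaries: [{ account: 'utopian.pay', weight: 2500 }],
};
const lowWeightPost = {
  author: 'carol',
  json_metadata: utopianMeta,
  beneficiaries: [{ account: 'utopian.pay', weight: 100 }],
};

for (const p of [spoofedPost, legitPost, lowWeightPost]) {
  console.log(p.author, admitPost(p));
}
```

The check has to run on data read back from the chain at submission time, since anything the client sends alongside the submission request can be forged in the same way as the metadata.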