Demystifying Burner Wallet Hacks

ETHDenver was totally 🔥🔥🔥

Austin Thomas Griffith
6 min read · Feb 21, 2019

TL;DR: There really wasn't a hack, just a couple of misunderstandings and frontend wizardry. Contracts are fine. Wallet is fine. Vendors got paid. Hackers were fed. We'll need to learn more about DNS within local events and not leave the POS system lying around on the bar!

Overall, ETHDenver was totally rad.

For the past few months, we have been working to make the Burner Wallet a fun and easy way to drive adoption of this exciting technology. From Prague, where it started, to the weekly events where we user-tested the localcoin and pop-up POS system, we wanted to find a very low-friction way for people to be onboarded into crypto and make payments with it.

Fast forward to this past weekend: ETHDenver was a huge success and the Burner Wallet (xdai.io in the form of buffiDai.io) enabled participants to purchase 4405 meals at food trucks using crypto with very little friction: no app download and no seed phrases! Hungry developers were fed and trucks were paid!

I'll cover all this in a later post but first I wanted to do a post mortem on some misconceptions about Burner hacks… 🍿

We want to continue doing more experiments like buffiDai because it helps us improve our code and security in real-world settings. Please reach out to me on Twitter/Telegram at @austingriffith if there is anything we can make better. We have a long list already! 😅

With that in mind, we worked really hard to try to make the Burner Wallet as awesome and as secure as possible. We even had auditors improve the security of our smart contracts and check that the xDai/BuffiDai code did what it was intended to do. At the time of writing this article, there is over $700 xDai in the smart contract that can be withdrawn only by those who deposit. If you can figure out how to drain that, please do. It'll come out of my pocket to replace it and it will be well worth it if you can tell me how you did it. 😆

Without further ado, here are some things that happened that may have seemed like hacks…

Visualization Hack

We'll start with the hack from the title image. This one comes from our new friends at Splunk. They created this amazing visualization at the MakerDAO afterparty:

Turns out those boys hack as fast as I do. They whipped this thing together in the minutes leading up to the event. With quick hacking comes some missing edge cases. They were including some fields in the search that shouldn't have been there and the donation numbers looked hyper-inflated. The token is fine and we will get the correct amount donated.

The Faucet Hack

As I mentioned before, we spent a lot of time working out the kinks of the UX leading up to ETHDenver. We had six events, one each week, that we called Cypherpunk Speakeasies to emulate the same user flow but at a smaller scale where we could observe and iterate.

One thing we noticed at these events is that sometimes participants would send their tokens to a new wallet. From there, the tokens would be stuck because you also need xDai to use as gas. The Burner intern, Eduardo, jumped to the rescue to build a gas dropper service: any account that holds the BUFF token but has no gas would get $0.02 in xDai. Sneaky dropping gas money. We thought we could get away with it and we would have if it weren't for the guys over at Whiteblock.

At the time my buddy Zak was actually really worried and he came and found me right away. From their perspective they were minting xDai by just transferring BUFF around. After chatting with him for a while, we realized what was going on but by then, my five dollars in the faucet had gone to zero. 🤣
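To make the faucet problem concrete, here is a small in-memory JavaScript model, added here as an illustration and not code from the Burner Wallet project. It encodes the rule described above (any address that holds BUFF but has zero xDai gets a $0.02 drop, tracked in cents to avoid float error) and hops one BUFF balance through fresh addresses the way the Whiteblock folks did; the faucet drains one drop per hop. It also shows one way to bound the damage, which is an assumption of mine rather than how the real dropper was built: only drop to addresses within a fixed number of hops from the official distributor, and let any one sender trigger only a fixed number of drops. The `SEED` address, the `0xfresh…` addresses and the $5.00 faucet balance are constructed values.

```javascript
// Added example (not Burner Wallet code): model of a gas dropper for a token
// whose holders need a little native gas, and why "has BUFF, no xDai => drop"
// is unbounded. Amounts are in cents (integers) so there is no float drift.

const DROP_CENTS = 2;        // $0.02 per drop, as in the post
const SEED = "0xseed";       // constructed: the event's official BUFF distributor

// Minimal ledger: BUFF and xDai balances per address plus the faucet's own xDai.
class Ledger {
  constructor(faucetCents) {
    this.buff = new Map();
    this.xdai = new Map();
    this.faucetCents = faucetCents;
  }
  bal(map, addr) { return map.get(addr) || 0; }
  mintBuff(addr, n) { this.buff.set(addr, this.bal(this.buff, addr) + n); }
  transferBuff(from, to, n) {
    if (this.bal(this.buff, from) < n) throw new Error("insufficient BUFF");
    this.buff.set(from, this.bal(this.buff, from) - n);
    this.buff.set(to, this.bal(this.buff, to) + n);
  }
  // The faucet pays one drop to `to`; returns false once it is empty.
  dropGas(to) {
    if (this.faucetCents < DROP_CENTS) return false;
    this.faucetCents -= DROP_CENTS;
    this.xdai.set(to, this.bal(this.xdai, to) + DROP_CENTS);
    return true;
  }
}

// Policy 1: the rule from the post. Who sent the BUFF is never considered.
function naivePolicy() {
  return (ledger, _from, to) =>
    ledger.bal(ledger.buff, to) > 0 && ledger.bal(ledger.xdai, to) === 0;
}

// Policy 2 (assumed hardening, not the project's design): bound drops by how far
// the BUFF has travelled from SEED and by how many drops one sender may trigger.
// A single seeded deposit can then cause at most maxPerSender ** maxDepth drops.
function boundedPolicy(maxDepth, maxPerSender) {
  const depth = new Map([[SEED, 0]]); // hops from SEED when an address first got BUFF
  const funded = new Map();           // drops each sender has already triggered
  return (ledger, from, to) => {
    if (!depth.has(to)) depth.set(to, depth.has(from) ? depth.get(from) + 1 : Infinity);
    const eligible =
      ledger.bal(ledger.buff, to) > 0 &&
      ledger.bal(ledger.xdai, to) === 0 &&
      depth.get(to) <= maxDepth &&
      (funded.get(from) || 0) < maxPerSender;
    if (eligible) funded.set(from, (funded.get(from) || 0) + 1);
    return eligible;
  };
}

// Hop one BUFF balance through `hops` fresh addresses, running the dropper on
// every transfer (as a chain-watching service would). Returns drops paid and
// what is left in the faucet.
function simulateShuffle(policy, hops, faucetCents = 500) {
  const ledger = new Ledger(faucetCents);
  ledger.mintBuff(SEED, 100);
  let current = SEED;
  let drops = 0;
  for (let i = 0; i < hops; i++) {
    const fresh = `0xfresh${i}`;
    ledger.transferBuff(current, fresh, 100);
    if (policy(ledger, current, fresh) && ledger.dropGas(fresh)) drops++;
    current = fresh;
  }
  return { drops, faucetLeft: ledger.faucetCents };
}

const naiveRun = simulateShuffle(naivePolicy(), 300);     // { drops: 250, faucetLeft: 0 }
const boundedRun = simulateShuffle(boundedPolicy(2, 2), 300); // { drops: 2, faucetLeft: 496 }
console.log("naive:", naiveRun, "bounded:", boundedRun);
```

With the naive rule, 300 hops of the same 100 BUFF empty a $5.00 faucet after 250 drops, which is the behaviour the post describes. The bounded policy pays for the first two hops only, so a legitimate "I moved my tokens to a new wallet" still gets gas while a shuffle loop stops paying out; the two knobs are the trade-off between covering real users and capping what one deposit can extract.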

Zak and I got to talking about DNS and this is a real concern for me. They were able to enumerate the entire event network and find the switch that was handling the network for the entire conference. According to him, "it was left unattended and was lying on the ground." 😬

I reached out to the organizers of the event and we talked through the security. They said they had the network gear in the steward area and that it was as secure as it could be. But, in the interest of getting sh!t done, it might not have been watched at all times. Trust me, we were all running around like crazy. I walked the food truck line more times than I can count and things went pretty great.

Next conference we will know to take better care of those things if we are going to operate on a web wallet… I'm the guy that puts private keys in local storage so I certainly can't point fingers! 😅

We are really excited to have Whiteblock helping us determine if this wallet is truly safe to be used at a conference where the network might be manipulated. More to come from those rad dudes in the form of a detailed report! (I really hope we don't have to go through a rebuild for this to work well at conferences but we need to know for sure! 🤞)

The Smash n' Grab

This one came to me from my dude Steven McKie, where a friend of his, we'll call "Robinhood", decided to steal from the rich to give to the poor. Here's how it went down: a bartender left the POS system lying on the bar and Robinhood just picked it up. Thanks to the fast block times, low transaction fees, and smooth UX, Rob was able to move $250 in buffiDai over to his phone without detection.

From there the hilarity ensued as the large sum of cash, enough to purchase 100 beers at the event, was passed from phone to phone. All I could do was giggle at how much fun they were having and how well the wallet was working to move funds. Eventually the money made it to the UNICEF account, where it was meant to go originally. A $2866.39 Dai donation was split between UNICEF and GRACEaid!!

Conclusion

I'd like to send out a huge thanks to everyone that participated in this great experiment in crypto onboarding and user experience. The wallet worked, the buffiDai contracts were secure, and the event was fantastic. We need to be vigilant about vulnerabilities. At this moment Zak is crunching away at our stack in his controlled environment to help us harden the app before the next event!

Remember, the 🔥Burner Wallet is only for moving around small amounts of money. Just like cash in your pocket, it is fast and easy, but you wouldn't go out with thousands of dollars rolled up with your car keys. The same goes for the xDai network itself; bridge in to enjoy fast and cheap transactions, but bridge out for cold storage.

Read more about the event and wallet: Burner Wallet at ETHDenver was 🔥

Thanks for help with editing and accuracy: Steven McKie & Zak Cole
