Without further ado, here are some things that happened that may have seemed like hacks…

Visualization Hack

We’ll start with the hack from the title image. This one comes from our new friends at Splunk. They created this amazing visualization at the MakerDAO afterparty:

Turns out those boys hack as fast as I do. They whipped this thing together in the minutes leading up to the event. With quick hacking comes some missing edge cases. They were including some fields in the search that shouldn’t have been there and the donation numbers looked hyper-inflated. The token is fine and we will get the correct amount donated.

The Faucet Hack

As I mentioned before, we spent a lot of time working out the kinks of the UX leading up to ETHDenver. We had six events, one each week, that we called Cypherpunk Speakeasies to emulate the same user flow but at a smaller scale where we could observe and iterate.

One thing we noticed at these events is sometimes participants would send their tokens to a new wallet. From there, the tokens would be locked because you also need xDai to use as gas. The Burner intern, Eduardo, jumped to the rescue to build a gas dropper service. Any account that has the BUFF token but no gas would get $0.02 in xDai. Sneaky dropping gas money. We thought we could get away with it and we would have if it weren’t for the guys over at Whiteblock.

At the time my buddy Zak was actually really worried and he came and found me right away. From their perspective they were minting xDai by just transferring BUFF around. After chatting with him for a while, we realized what was going on but by then, my five dollars in the faucet went to zero. 🤣
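The drain described above, as an added example that is not part of the original post or the Burner Wallet's code: a toy JavaScript model of the dropper rule ("has BUFF but no gas gets $0.02") run against one token hopping through fresh addresses, next to the same rule with a cap on drops per token lineage. The cap (`maxDropsPerLineage`) is an assumed mitigation, and every name in the block is hypothetical.

```javascript
// Toy model of the gas dropper (added illustration, not the project's code).
// Amounts are in cents of xDai; transaction fees are ignored for simplicity.
const DROP = 2;            // $0.02 per drop, from the post
const FAUCET_START = 500;  // $5.00 in the faucet, from the post

function makeDropper({ maxDropsPerLineage = Infinity } = {}) {
  const state = { faucet: FAUCET_START, drops: 0 };
  const buff = new Map();    // address -> BUFF balance
  const gas = new Map();     // address -> xDai balance in cents
  const lineage = new Map(); // address -> account its tokens first came from
  const used = new Map();    // lineage root -> drops already paid out

  // Rule from the post: an account holding BUFF but no gas gets a drop.
  function maybeDrop(addr) {
    if ((buff.get(addr) || 0) === 0 || (gas.get(addr) || 0) > 0) return false;
    const root = lineage.get(addr);
    if ((used.get(root) || 0) >= maxDropsPerLineage) return false; // assumed cap
    if (state.faucet < DROP) return false;                         // faucet empty
    state.faucet -= DROP;
    state.drops += 1;
    used.set(root, (used.get(root) || 0) + 1);
    gas.set(addr, DROP);
    return true;
  }

  function mint(addr, amount) {   // participant onboarded with BUFF and gas (assumed)
    buff.set(addr, amount);
    gas.set(addr, DROP);
    lineage.set(addr, addr);
  }

  function transfer(from, to, amount) {
    buff.set(from, buff.get(from) - amount);
    buff.set(to, (buff.get(to) || 0) + amount);
    if (!lineage.has(to)) lineage.set(to, lineage.get(from)); // inherit origin
    return maybeDrop(to);
  }
  return { state, mint, transfer };
}

// Constructed scenario: one BUFF token hops through `hops` fresh addresses.
function simulate(hops, options) {
  const d = makeDropper(options);
  d.mint('addr0', 1);
  for (let i = 0; i < hops; i++) d.transfer(`addr${i}`, `addr${i + 1}`, 1);
  return { drops: d.state.drops, faucetLeft: d.state.faucet };
}
```

With the uncapped rule, 250 hops are enough to empty the $5 faucet; with a cap of 2 per lineage, a participant moving tokens to a new wallet still gets gas while repeated hops stop paying out.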

Zak and I got to talking about DNS and this is a real concern for me. They were able to enumerate the entire event network and find the switch that was handling the network for the entire conference. According to him, “it was left unattended and was lying on the ground.” 😬

I reached out to the organizers of the event and we talked through the security. They said they had the network gear in the steward area and that was as secure as it could be. But, in the essence of getting sh!t done it might not have been watched at all times. Trust me, we were all running around like crazy. I walked the food truck line more times than I can count and things went pretty great.

Next conference we will know to take better care of those things if we are going to operate on a web wallet… I’m the guy that puts private keys in local storage so I certainly can’t point fingers! 😅

We are really excited to have Whiteblock helping us determine if this wallet is truly safe to be used at a conference where the network might be manipulated. More to come from those rad dudes in the form of a detailed report! (I really hope we don’t have to go through a rebuild for this to work well at conferences but we need to know for sure! 🤞)

The Smash n’ Grab

This one came to me from my dude Steven McKie where a friend of his, we’ll call “Robinhood”, decided to steal from the rich to give to the poor. Here’s how it went down: A bartender left the POS system lying on the bar and Robinhood just picked it up. Thanks to the fast block times, low transaction fees, and smooth UX, Rob was able to move $250 in buffiDai over to his phone without detection.

From there the hilarity ensued as the large sum of cash, enough to purchase 100 beers at the event, was passed from phone to phone. All I could do was giggle at how much fun they were having and how well the wallet was working to move funds. Eventually the money made it to the UNICEF account, where it was meant to go originally. A $2866.39 Dai donation was split between UNICEF and GRACEaid!!

Conclusion

I’d like to send out a huge thanks to everyone that participated in this great experiment in crypto onboarding and user experience. The wallet worked, the buffiDai contracts were secure, and the event was fantastic. We need to be vigilant about vulnerabilities. At this moment Zak is crunching away at our stack in his controlled environment to help us harden the app before the next event!

Remember, the 🔥Burner Wallet is only for moving around small amounts of money. Just like cash in your pocket, it is fast and easy, but you wouldn’t go out with thousands of dollars rolled up with your car keys. The same goes for the xDai network itself; bridge in to enjoy fast and cheap transactions, but bridge out for cold storage.