Skip to content

Shakedex Locktime Bug

Rithvik Vibhu edited this page Jul 6, 2022 · 1 revision

A flaw was discovered in Shakedex's implementation that allowed the purchase of names at a lower price than what should be possible. This was only possible for active auctions that had not released all bids. The bug was never exploited and is now fixed.

Bob Wallet users should update to v1.0.0 as soon as possible to see if their listed auctions are affected.
Shakedex-cli users should update to v0.0.18.

Details

Shakedex auctions start at a high price and gradually reduce over a period of time. This is achieved with locktimes that restrict when transactions can be included in blocks. Lower prices have larger locktimes to unlock at later points in time.

In December 2021, a bug was discovered by @pinheadmz where these locktimes were not being set correctly. This meant that even the lowest price bid could be used any time, even at the start of the auction.

The auctions “at risk” were the ones that met (all) these criteria:

  • Created with Bob Wallet v0.9.0 (or earlier) or shakedex-cli v0.0.17 (or earlier)
  • Are active (not yet canceled or sold)
  • Have not yet released all bids (not at the lowest price yet)

While it was not possible to exploit this bug in Bob Wallet or with shakedex-cli directly (there were other checks in place), they could be modified to do so. With this in mind, the shakedex.com website was taken offline and all auctions wiped from its database.

The blockchain was scanned with this script to make sure it has not been exploited. It looks for transactions that have an unenforced locktime and have been mined before that locktime. Fortunately, there have been no cases as of 127540.

Shakedex was updated to fix this bug as well as a few others. New auctions have a different file format and old files are no longer accepted. Bob Wallet users are alerted if any of their auctions are at risk and are suggested to either cancel the auction or regenerate and submit again to shakedex.com.

Once all auction bids were “released”, new versions of Bob Wallet / shakedex-cli were released, along with an updated shakedex.com that only accepts new auctions.

Huge thanks to @pinheadmz for reporting this and also contributing a fix for shakedex!

Clone this wiki locally