Is Bits.farm a Bitshares Security Risk?

in #bitshares, 6 years ago (edited)

4-26-18 UPDATE: Security concerns about this app were heard. The app requires you to make a new account. This alleviates the main security concern. The game launched, Chinese-only version. It had several hundred players the first day. Fees of 0.1 BTS (about $0.02 USD) per move (planting a crop) remain the main concern. It is really cool to see some new innovation on the blockchain though.

It has come to my attention that in order to play the bits.farm game you need to put in your private key. While harvesting virtual crops could be fun, this could represent a security risk. The term security risk here means that a bad person could create a game with the sole purpose of stealing everyone’s login credentials and then transferring all the bitcoin into their personal account. Until some qualified security audit of the new game is done, you had better play with a new account. Never share your password. At this point I do not know the true intentions behind bits.farm, and, obviously, it will be difficult to know that until it is too late. That said, I would like to simply remind you to never share your password.

On April 26, Bits.farm is launching a new game on Bitshares that could represent a significant security risk. As a decentralized exchange Bitshares has no central control point or vetting system. There is no security audit. Things instead get done informally. This appears to have a downside of attracting a lot of scams.

I have done a significant amount of research on bits.farm. I am not affiliated in any way, although I did sign up for free tokens. I would love to go into deep detail on every one of my research points, but that would take more time than I have. However, I will elaborate just a little.


Bits.farm is a Farmville/Farm Town style game coming to BitShares. They have a Telegram group where people signed up to get free SEED tokens on the BitShares network. They have also airdropped tokens to all accounts with a balance of more than 1,000 BTS. The game was announced in February, if I recall, and is finally ready for release April 26. This game comes from China, and two of the beta users I talked to indicated most of the documentation is in Chinese.
Apparently, if you want to play this game you had better transfer the coins to a separate account, with a couple of BTS for fees, in order to play. The game transfers the game tokens into and out of your account depending on how the crop planting and harvesting cycle goes.

While I am excited for new games, and I applaud innovation, I hate deceit and lies.

So I was watching the signup process and quickly noticed that way too many people were signing up. Currently, the telegram group has 42,200 members. There are currently around 100,000 bitshares accounts holding BTS. This would mean a 42% signup rate.


Now anyone that has experience in business or marketing should not need to read this paragraph. Bottom line: that is way too many people. For an unlaunched trial game, a farm game at that, to have that type of penetration is unheard of. The biggest BitShares Telegram group has 10,000 members. This means it is four times larger than the biggest BitShares group? A realistic number in my mind is from 0 to 5%. One guess I would make is 4.2%.

So instead a bot was set up to create accounts and set them up. That is a bit deceitful, although I will admit I too was suckered in with the fake signups, until I realized what was going on. I also randomly looked at about 50 of the telegram profiles. To me 9 out of 10 flunked the smell test. (They looked recently created, were not members of other groups, did not have a profile picture and in other ways just made me think they were not real.)
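The two checks in the paragraphs above, the claimed-signups-to-total-accounts ratio and the profile "smell test", as an added Python example. This is not code from the post or from Bits.farm: the profile records are constructed (no real Telegram data), and the 5% ceiling, the red-flag threshold and the extra "no bio" flag are assumptions modelled on the post's own reasoning.

```python
"""Two sanity checks: is the claimed signup count plausible, and do the
member profiles look human?

Added example, not code from the post or from Bits.farm. The profile records
are constructed (no real Telegram data); the 5% ceiling and the red-flag
weights are assumptions taken from the post's reasoning.
"""
from dataclasses import dataclass
from datetime import date, timedelta

TODAY = date(2018, 4, 25)  # the post's date, used as the reference point


def signup_rate(claimed_members: int, total_accounts: int) -> float:
    """Claimed community size as a fraction of all accounts on the chain."""
    if total_accounts <= 0:
        raise ValueError("total_accounts must be positive")
    return claimed_members / total_accounts


def implausibility_reasons(claimed_members, total_accounts, largest_known_group,
                           max_realistic_rate=0.05):
    """Reasons the claim fails the sniff test; an empty list means it passes."""
    reasons = []
    rate = signup_rate(claimed_members, total_accounts)
    if rate > max_realistic_rate:
        reasons.append(f"signup rate {rate:.1%} is above the {max_realistic_rate:.0%} ceiling")
    if claimed_members > largest_known_group:
        reasons.append(f"claim is {claimed_members / largest_known_group:.1f}x the largest known group")
    return reasons


@dataclass(frozen=True)
class Profile:
    handle: str
    created: date       # when the chat account was created
    other_groups: int   # memberships outside the project's own group
    has_photo: bool
    has_bio: bool


def bot_score(p: Profile, today: date = TODAY, young_days: int = 30) -> int:
    """One point per red flag the post names (new account, no other groups,
    no picture); a missing bio is a fourth, assumed, flag."""
    score = 0
    if today - p.created <= timedelta(days=young_days):
        score += 1
    if p.other_groups == 0:
        score += 1
    if not p.has_photo:
        score += 1
    if not p.has_bio:
        score += 1
    return score


def suspicious_fraction(profiles, threshold: int = 3, today: date = TODAY) -> float:
    """Share of sampled profiles at or above the red-flag threshold."""
    flagged = sum(1 for p in profiles if bot_score(p, today) >= threshold)
    return flagged / len(profiles)


# Constructed sample of 10 profiles: one long-standing member and nine that
# look freshly minted, mirroring the "9 out of 10" the post reports.
SAMPLE_PROFILES = [Profile("longtime_trader", date(2016, 3, 1), 5, True, True)] + [
    Profile(f"user{i:06d}", date(2018, 4, 20), 0, False, False) for i in range(9)
]


if __name__ == "__main__":
    for r in implausibility_reasons(42_200, 100_000, 10_000):
        print("flag:", r)
    print(f"suspicious profiles: {suspicious_fraction(SAMPLE_PROFILES):.0%}")
```

The ratio check only needs public numbers (claimed members, total chain accounts, the largest comparable group), so it is the cheapest first filter; the profile scorer is a manual sampling aid and its threshold is a judgement call, not a measurement.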

So we know they lied about the number of people who signed up.

I looked at their airdrop and yeah, they just basically airdropped on everyone with more than 1,000 BTS. (This was disclosed in the forum, but also had the neat side effect of hiding the lie about the number of real people who signed up for the airdrop.)

So then there is the beta. There were some people involved in the beta, but from what I was able to see in the blockchain, they did not run much of a beta. The Beta was done with a coin called SHUMAN. Go read the description of that coin… It made me scratch my head.


And given that everything in the blockchain is open to see, I was wondering how and when transactions took place. How does the game work? If they were delivering what they said, how did it happen? Well, I saw some transactions. Go look for yourself. There were some transfers. I was left with more doubt than ever.

Well, it just didn’t look right. It would take me three pages to detail all of the reasons it did not look right to me. I just don’t have that type of time. Here are a couple of things I looked at, though: the number of transactions, over what period the transactions took place, the raw data in said transactions, and the ability of the system to handle a large number of transactions. (Remember they are claiming 42,000 users…)

And then there is the time when you are looking to document proof of something you saw yesterday and it is suddenly gone. I know this is not convincing to others, but it shows me that someone is reading what I say in public forums. What happened? I mentioned a screenshot in a public forum. The next day I can’t find the evidence. It could be user error, or, more likely, they removed the incriminating evidence. I don’t blame them, but it would not be reassuring.

So all this left me thinking, what was the goal?

And it hit me: this could all be an evil plan to hack the DEX.

If some people use their real accounts, and the game has access to those real accounts, a bad player could create the game, let it run for a few weeks, then make the game transfer all of the assets of these accounts into their own personal account. This could be, um, bad for BitShares users. It would be a way to “hack the DEX.” Now I don’t know that “hacking” is the right term to use, but those are minor points if you suddenly find your money gone.

Basically, a BitShares virtual farming game could turn BitShares into a Mt. Gox. This could be devastating to the BitShares community. I have investments in and love BitShares. It could devastate BitShares.

People need to know not to play this game in their primary BitShares account. Or in any account that has a balance of real coins.

Now I want you to see the position I am in. Do I spread a possible rumor? Do I spread FUD (fear, uncertainty and doubt)? I do not want to start malicious rumors, but I also want people to be aware of the dangers.

One of the easiest ways to figure out who is lying and who is telling the truth is to catch people in little lies. We have all seen the police detective on TV catch a murderer because he managed to catch the criminal in some little lie first and knew not to trust them. It is the same way in crypto, which is full of scams: you catch them in a little lie, then look for more damning evidence.

I have likely spent 20 plus hours researching this. I was fascinated by how they could have so many signups. Months ago I looked at it and saw the signup process was fake. I even want to admit I am pretty impressed at how slick the system was. And the lie is covered up by airdropping SEED to all the big accounts. Yes, this could be a fake-it-till-you-make-it strategy.

Knowing there is a very bad thing on the horizon, I feel like there is a moral imperative to try to warn people. I tried to warn people about Bitconnect. Of course, no one really listened. My articles got little attention and ultimately that Ponzi scheme continued for months longer. I did almost nail the time it collapsed due to extensive research. I am good at reverse engineering business models. But still, no one likes to hear doom and gloom.

So it is with sadness that I throw good work into writing up warnings that will go out into the wind, not be seen, and be ignored. So that is fine. There is not much I can do. I am throwing the warning out there.

That said if you really do want to see things for yourself, here are a few tools.

Look at
http://open-explorer.io/#/accounts/fram-distribution
http://open-explorer.io/#/accounts/1.2.830805
http://open-explorer.io/#/accounts/1.2.802838
http://open-explorer.io/#/accounts/1.2.733249
http://open-explorer.io/#/accounts/1.2.733268
These are links that will take you to test accounts, raw data transactions and open up a few rabbit holes. Follow the data stream.

http://open-explorer.io/#/accounts/1.2.830805


Sample of a test account. It has only had 93 operations. It is transferring SHUMAN. And let’s not forget that transfer fees have now risen. Current transfer fees are 0.1042 BTS, or 2.5 cents each transfer. Playing this game could get to be expensive!

The game transfers SHUMAN. What is to stop it from transferring other assets?

I really hope I am wrong, that there is no security risk. I hope someone will be able to audit the code and prove there is no risk. I think a bits.farm game could be a big lift to the BitShares ecosystem. I understand this project is being done in China, by Chinese people, so there is limited English discussion and interaction in the forums I was part of. However, I have learned to always be skeptical in crypto.

I did ask about these concerns in the forums. They told me to use a separate account. I fear most people will not.

While I am highly active and in discussions on English telegram and Bitshares groups, I know that language and culture can be big barriers to knowing more about their projects. In a decentralized world, it is not a realistic expectation that I know about every project. However, normally, people in the forums are more involved with the projects. If you know the people involved, you know whether to trust the project or not. This lack of interaction is not reassuring.

Estimating the Systematic Risk to BitShares
So here are a few more numbers. There are about 100,000 bitshares accounts with a total balance of 1,811,174,459 BTS. That is valued at 452 million dollars.

Each account is valued at $4,527 USD.

Excluding the top 50 big accounts (which include the exchanges and committee accounts), there are 746,656,262 total BTS at $0.25 each, for a value of $1,866 USD per account.

Now I know bits.farm airdropped to every account with more than 1,000 BTS.

Let’s just assume some of the big accounts are smart enough not to fall for the scam and assume a value of $1,500 per account.

How many people really signed up? I estimated this several ways; I do not want to publicly disclose them here. My results: Result A: 4.2%; Result B: 1.5%; Result C: 2.7%; Result D: 2.25%.

OK, let’s just go with 2%.

If we have 2,000 accounts, or people interested in playing the bits.farm game, and each account is worth $1,500, that is $3,000,000 USD at risk. If 1/3 of these people input their password in an insecure site and one day find all their BTS gone, the perpetrators could get away with $1 million. Now this does not include the balances of any of the other assets such as bitUSD and open.btc. Based on market capitalizations of the top 50 coins, and even distributions, for every $1 in BTS there should be about 66 cents of other assets in these accounts. To keep it simple, let’s just say it is another dollar.

Using my estimates, an evil hacker might get away with zero to $6,000,000. Using the claimed numbers of 42,000 users and $3,000 per account, there could be a hack of $252,000,000 USD.

Whatever the number is, if it comes from your account, it would be very bad.

In business, it is said every unhappy customer tells 10 other people. This is why customer service is important. In a case where there are 42,000 people signed up, if they were all hacked, 420,000 people would hear bad things about BitShares. It could sink the reputation of the entire blockchain. It is a systematic risk.

How does a decentralized community deal with systematic risk like this? I don’t fully know. It is an interesting question. It is something we need to consider.

In the real world it is done through independent audits. Companies on Wall Street get audited by the big four accounting agencies. On the web, certificates for secure (HTTPS) domains are issued by certain agencies. Could something similar start happening in ICOs and projects? Yes. For now, it is still the Wild Wild West. Bank robbers, Indians, and scams abound. Pioneer beware! You may have dreams of planting virtual crops across the vast block-chained prairies, only to see someone has stolen your credentials.

I hope my concerns are unwarranted. However, to me there also appears to be a moral imperative to warn people. Unfortunately, those who warn are not popular, and warnings normally fall on deaf ears. I hear that and I acknowledge that. I also do not want to slander or spread false rumors. To beat a thief you have to think like a thief. To beat a crook you have to think like a crook would think. Be vigilant.

Anyway, this got way longer than I ever intended, and it allowed you to see parts of my thinking.

Beware and be vigilant.

Never share your log-ons.


Well it looks like the game is active, from what I see in the blockchain. I have not tried it yet. It looks like they might guide you to set up a separate account. If this is the case, fantastic! However, it looks like the fees might be ridiculous. (IE 2 cents every time you plant.)

I was thinking of bitsfarm and thought an update was in order. So the Telegram room is now down to 24,000 people; at one point it was 48,000 or something. I was always in doubt of the numbers; someone set up bots to make it look popular. I see 149 addresses with "bf-" preceding them that have a BTS balance. This is a fair bet on the real number of players. There were 881 "bf-" accounts referred. Given that you can't play the game without BTS, the real number of players is somewhere in the neighborhood. Fortunately, nothing bad happened, no hack. I feel a little bad about raising the alarm, but with the things that have happened in the crypto community in the past you can't be too sure. I think the Bits.farm people are working on a new release. In their defense, transfer fees were significantly lower when the game was in planning stages. Yes, the crazy crypto volatility makes planning real projects difficult. Even though it was a game, it was cool and neat to see what can be done. Never know when one of them will be a hit.

Most welcome to sir

Thank you sir...

You are really so beautiful sir

Thank you so sweet comment

Most welcome sir..m

Thank you my dear sir..

Just make a new account and play the game.

Wise advice. I hope people do that.

Here are the current distributions of the SEED. I think different amounts were airdropped to different accounts. Screen Shot 2018-04-25 at 2.45.52 PM.png

tl;dr open a new account.

It is exciting to have a new game launch on Bitshares. It appears that my fears were unwarranted. It also appears my fears caused them to change the way the game went prelaunch. They required everyone to set up a new account. The game is only in Chinese; there are 200 to 400 people playing. It is still obvious the original bitsfarm telegram number of 42,000 was a bit high. Heard someone else say that they looked at the accounts and someone registered accounts to get over a million SEED from the airdrop. That is crazy. The BTS committee could drop the transfer fee to a lower level. Maybe it could also be paid in SEED. I have considered deleting this post, but for posterity's sake I think I will leave it up. It shows the uncertainty, how to research and look at things.

It is also interesting doing an analysis of how things work in a decentralized organization. Here, what was a potentially tragic outcome was avoided by the decentralized organization. In a real company, there would have been a risk department to do all this risk analysis. In my opinion, both BTS and bitsfarm were on trial. It came out OK. Unfortunately, this resulted in FUD, but in an open world, in an open organization, you are going to get that. And it makes the organization stronger. I am sure it also helped getting these concerns to the developers prelaunch. The openness in the forums allowed those of us to see, think about and consider things. With less openness, fewer forums, or different actors, things could have turned out differently.

So sometimes it is nice to follow up on the posts. Transfer fees made the game too expensive and it has died. Every time you plant, each of the 12 fields costs $0.02 in transfer fees. This means it would cost a quarter to plant the fields. It was amusing. It was fun. It was a neat concept. It didn't take off. So about 583 full fields (sets of 12) were planted so far. I was looking at the blockchain, which is open, and there was a person active, then an hour or more of no activity, and then another person planted. http://open-explorer.io/#/accounts/bitsfarm-recycle
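The on-chain checks from the follow-up comments above (counting "bf-" accounts that actually hold a BTS balance, and the per-field transfer-fee cost) together with the main post's advice to play only from a separate, minimally funded account, as an added Python example. This is not code from the post or from the Bits.farm project: the account records are constructed to mimic the fields an explorer shows, the registrar name "bf-registrar-example" is a placeholder, and the 5-decimal raw BTS representation is an assumption the conversion relies on.

```python
"""Estimating real players from on-chain evidence instead of a claimed
chat-room count, and sizing a throwaway game account.

Added example, not code from the post or from Bits.farm. The account records
are constructed (none are real accounts); "bf-registrar-example" is a
placeholder registrar; BTS is assumed to be stored as an integer with 5
implied decimal places.
"""
from dataclasses import dataclass

BTS_PRECISION = 10 ** 5  # raw integer amount -> BTS (assumed 5 decimals)


@dataclass(frozen=True)
class Account:
    name: str
    registrar: str
    bts_balance_raw: int  # integer amount with 5 implied decimals


def bts(raw: int) -> float:
    """Convert a raw chain amount to BTS."""
    return raw / BTS_PRECISION


# Constructed sample: game-created accounts carry the "bf-" prefix noted in
# the follow-up comment; only some of them were ever funded with BTS.
SAMPLE_ACCOUNTS = [
    Account("bf-farmer-a", "bf-registrar-example", 250_000),     # 2.5 BTS
    Account("bf-farmer-b", "bf-registrar-example", 0),           # created, never funded
    Account("bf-farmer-c", "bf-registrar-example", 12_000_000),  # 120 BTS
    Account("bf-farmer-d", "bf-registrar-example", 0),
    Account("bf-farmer-e", "bf-registrar-example", 10_420),      # 0.1042 BTS: one fee's worth
    Account("alice", "committee-account", 500_000_000_000),      # unrelated large holder
    Account("bfree", "committee-account", 100_000),              # "bf" without the dash: not a game account
]


def game_accounts(accounts, prefix="bf-"):
    """Accounts whose name starts with the game's registration prefix."""
    return [a for a in accounts if a.name.startswith(prefix)]


def funded(accounts):
    """Accounts holding any BTS at all (you cannot pay a fee without it)."""
    return [a for a in accounts if a.bts_balance_raw > 0]


def player_estimate(accounts, prefix="bf-"):
    """(registered game accounts, game accounts that could actually pay a fee)."""
    registered = game_accounts(accounts, prefix)
    return len(registered), len(funded(registered))


def claimed_vs_onchain(claimed_members, accounts, prefix="bf-"):
    """Funded game accounts as a fraction of the community size the project claims."""
    _, active = player_estimate(accounts, prefix)
    return active / claimed_members


def moves_affordable(account: Account, fee_bts: float) -> int:
    """Fee-paying moves (plantings) the balance covers; integer math avoids
    float floor-division surprises such as 2.5 // 0.1 == 24.0."""
    fee_raw = round(fee_bts * BTS_PRECISION)
    return account.bts_balance_raw // fee_raw


def full_planting_cost_usd(fee_bts: float, bts_usd: float, fields: int = 12) -> float:
    """Cost of planting every field once: one transfer fee per field."""
    return fields * fee_bts * bts_usd


def funding_for_moves(moves: int, fee_bts: float) -> float:
    """BTS to load into a throwaway game account for a planned session, so the
    account never holds more than that session's fees."""
    return round(moves * fee_bts, 5)


if __name__ == "__main__":
    registered, active = player_estimate(SAMPLE_ACCOUNTS)
    print(f"game accounts: {registered}, funded: {active}")
    print(f"one full planting at 0.1 BTS/fee and $0.20/BTS: ${full_planting_cost_usd(0.1, 0.20):.2f}")
    print(f"fund a throwaway account for 12 moves with {funding_for_moves(12, 0.1042)} BTS")
```

The point of `funded()` is the one the comment makes: an account that holds no BTS cannot pay a transfer fee, so it cannot have played; counting funded prefixed accounts gives a ceiling on real players that no Telegram member count can inflate. `funding_for_moves()` is the practical form of "play from a new account": load only what the session will spend, so a game that misuses the key it was given cannot drain more than that.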
