GameCredits Transparency Report

GAME Credits
Apr 20, 2018

The following report is quite long. So we wanted to summarize the situation for those of you who don’t want to read in so much detail.

Summary: On April 5th we updated our QT client software, which provides and enforces the consensus rules for the GameCredits blockchain, from version 0.9.6 to 0.15.1.1. The update patches a vulnerability that allowed an attacker to steal GameCredits. To be clear, GameCredits products (GWallet and GShare) are secure and were unaffected by this attack. We quickly noticed the network abuse and successfully deployed the update which resolved the bug upon consensus of the miners on our network. Approximately 520 thousand GameCredits, about 0.65% of the total supply, were stolen in the attack. Since the majority of miners have upgraded to the new software to enforce the new consensus rules, your GameCredits are safe. Our team is now committed to reimbursing all users who were affected. If you haven’t updated to version 0.15.1.1 we ask that you do as soon as possible. We have learned a lot from this situation and are doing everything in our power to ensure our community members and ecosystem are secure going forward. We will continue to do everything in our power to uphold high security standards and prevent future security threats.

As a convenience, we have provided links to the binaries here for anyone that has not yet upgraded:

Source

Windows QT

Linux QT

Mac QT

For those that are interested, a detailed report can be found below.

In early April, we announced that the GameCredits network had updated from 0.9.6 to 0.15.1.1. The release not only added numerous features, but also patched a vulnerability in the GameCredits network that was inherited from a past update dating back to March 2015. The vulnerability allowed an abuser to add invalid transactions into the blockchain, but it was not abused until recently.

The 0.15.x release software was brought to our team by an open source contributor/community member (Samad Sajanlal) in February 2018. The GameCredits team immediately began internal code reviews and testing to ensure compatibility with the existing network and services that our company provides. By mid March 2018, we had made enough progress to put a release date on this software, April 30, 2018, which provided time for GameCredits to update internal software systems to be compatible with the public release.

Unfortunately, that date had to be expedited to April 5th due to some abuse that was observed on the GameCredits network. GameCredits tokens were stolen from various wallets. The detailed timeline of this abuse follows.

Timeline of Abuse and Theft

On March 22, 2018 we noticed the first invalid transaction added to a block that was accepted into the GameCredits blockchain. Immediately, we began investigating the cause and how to mitigate further network abuse. Since this was the first abuse ever observed, we had to determine if it was accidental or intentional.

Additional abuse was noticed March 27, 28, and 29th. The total of this theft was still quite small — around 4 GameCredits. In hindsight, it appears as if someone was testing to see if the vulnerability could be used for larger thefts.

During this time, a blockchain security researcher contacted us and let us know his findings which confirmed our suspicions of intentional abuse. The security researcher gave us one additional pointer: a direct link to the line of code in the 0.9.x release branch that was allowing this abuse to happen. At this point, we were convinced that the 0.15.x timeline needed to be expedited and we began to wrap up internal testing and get the software deployed in the network. We first wanted miners to get the release to secure the chain and stop relaying invalid blocks. Stopping the relay of invalid blocks would stop the attack from continuing, and non-mining users could continue using the blockchain without upgrading for some time.

Starting March 30th and lasting until April 2nd, we noticed an additional string of invalid transactions on the GameCredits network where the abuse was of much greater magnitude. Bittrex contacted us letting us know that they placed the GAME market into maintenance and disabled trading until a resolution was deployed. We value our relationship with all exchanges: big and small. Please reach out to us if you ever need help deploying our software.

On April 2nd, we contacted all miners that we have contact information for to provide them with the update. We had new QT clients ready in the morning and released an email to all known miners. The source code was not yet published on our Github. This first deployment failed to gain acceptance by miners within a reasonable amount of time. Only a few smaller pools such as NordicP2Pool accepted the software load and mined on it. Naturally, instead of giving up we decided to try again — this time giving our team and known miners more time to get updated.

On April 3rd, a few smaller invalid transactions occurred on the network. At the same time, we received a pull request from the open source contributor that brought us 0.15.1 back in February with the same source code we were already reviewing — we did a file compare to be sure nothing had changed. We knew that we had to provide enough time for miners to update and allow the network to operate until a good consensus of miners were running the software. We set a checkpoint block at 2005926, 24 hours after we had the client software ready. Up until this block, the network would allow invalid transactions to occur — the same behavior that was already present in the network. As soon as the block height was reached, enforcement of transaction signatures would begin. This block was expected to occur in the afternoon of April 4th, CET.

With this plan of action, we contacted miners again. Our goal was to get a good majority of miners on the software within the 24 hour timespan we programmed into the software — at which point signature verification would start and the thefts would stop. This time, we were successful. Mining pools including Suprnova, MiningPoolHub, Hash-to-Coins, Mining-Dutch, AcidPool, ProHashing, Poolto.be, NordicP2Pool, P2Mining, and E-Pool were among the pools that deployed our software within the given timeframe. Our developers worked closely with some of them to ensure a successful deployment. We want to give a special thank you to the admins of these pools for their prompt response to the situation. These pools helped save the GameCredits network from total destruction.

We are happy to announce that the vulnerability was resolved due to the consensus of the mining pools above. For those mining pools that have not updated, we ask you to please update your software or deal with the consequences of possible orphan blocks. Additionally, if you are a mining pool that did not receive any communication from us — reach out to us and let us know which pool you operate and the best way to reach you. We will add you to our list of mining pool contacts so that we can stay in touch.
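The activation-height rule and the orphan-block warning described above can be modelled as follows. This is an added example, not GameCredits code: the `sig_ok` flag stands in for real signature verification (the report does not describe the actual defect), the block contents are constructed, and treating enforcement as starting at exactly height 2005926 is an assumption.

```python
from dataclasses import dataclass

ENFORCE_HEIGHT = 2005926  # checkpoint height from the report; ">=" semantics assumed


@dataclass(frozen=True)
class Tx:
    txid: str
    sig_ok: bool  # stand-in for the outcome of real signature verification


@dataclass(frozen=True)
class Block:
    height: int
    txs: tuple


def block_valid(block, upgraded):
    """Legacy nodes never reject on signatures; upgraded nodes do from ENFORCE_HEIGHT."""
    if not upgraded or block.height < ENFORCE_HEIGHT:
        # Pre-activation history, including earlier invalid spends, must stay
        # valid or upgraded nodes would reject the existing chain.
        return True
    return all(tx.sig_ok for tx in block.txs)


def accepted_tip(chain, upgraded):
    """Height of the last block a node accepts before the first rejected one."""
    tip = None
    for block in chain:
        if not block_valid(block, upgraded):
            break
        tip = block.height
    return tip


def orphan_risk(chain):
    """Heights a legacy miner would build on but upgraded miners reject."""
    return [b.height for b in chain
            if block_valid(b, upgraded=False) and not block_valid(b, upgraded=True)]


# Constructed sample chain around the activation height.
CHAIN = [
    Block(ENFORCE_HEIGHT - 2, (Tx("a1", True),)),
    Block(ENFORCE_HEIGHT - 1, (Tx("b1", False),)),  # invalid spend, pre-activation
    Block(ENFORCE_HEIGHT, (Tx("c1", True),)),
    Block(ENFORCE_HEIGHT + 1, (Tx("d1", True), Tx("d2", False))),  # invalid, post-activation
    Block(ENFORCE_HEIGHT + 2, (Tx("e1", True),)),
]

if __name__ == "__main__":
    print("legacy tip:  ", accepted_tip(CHAIN, upgraded=False))
    print("upgraded tip:", accepted_tip(CHAIN, upgraded=True))
    print("orphan risk: ", orphan_risk(CHAIN))
```

Every block an upgraded node accepts is also accepted by a legacy node, which is why non-mining users can keep following the chain without upgrading, while a legacy miner that builds on a block listed by `orphan_risk` is extending a branch the upgraded majority will not follow.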

On April 5th, after we confirmed that the blockchain was intact, the bug was resolved, and both older clients as well as newer clients were able to mine onto the chain, we released the 0.15.1.1 software to all users and exchanges. This is a required update, but users and services have until approximately June 1st to upgrade. Miners should upgrade ASAP (if they haven’t already) to protect their revenues, and exchanges should make it a priority to upgrade as well. Soft forks begin activating around June 1st, so if you’re not upgraded by then you might not be able to interact with the rest of the network. That applies to everyone!

For anyone that needs assistance upgrading, whether you are a pool operator, a user, or an exchange — reach out to us on Discord. We have core developers and community members ready to lend you a hand.

Total Damages and a Path to Recovery

During this 12 day ordeal, ~520K GAME was stolen from various wallets on the GameCredits network. The theft totals less than 0.65% of all GameCredits that will ever exist. If you were affected, GameCredits will reimburse you for the stolen coins. Send us a note with a signed message from your wallet. We will only provide a reimbursement if you can provide proof of ownership of an affected address via a cryptographically signed message. The QT client is capable of creating this message (File -> Sign Message -> Pick the affected address and write a short note including your new address). This is not a giveaway, it is a reimbursement of stolen coins back to community members and ecosystem participants that were affected by these thefts.

To bring this report to a close, we at GameCredits learned many lessons during this chaos and want to relay to our users that we are committed to never forgetting these lessons. From frequent code reviews and updates to more proactive communication with miners and exchanges, we will make sure the GameCredits blockchain remains secure and operational. We know this announcement was not entirely “good news” — but we also understand that our community desires transparency. We hope that we have delivered that transparency in a satisfactory manner with this informative announcement.

Thank You,

GameCredits Team
