Goomblegate: The full story (or: The infinite dramacoin exploit)

Yesterday morning, after a long night of goombling, I decided to have a glance at the source code for roulette, I figured maybe @McCoxmaul made a little mistake that would allow to gain an edge in my goombling. Little did I know, I was about to discover a way to get free, unlimited dramacoin.

:marseysleep: How it works

Your dramacoin is updated by checking how much dramacoin you had before, and then setting your current dramacoin to that number minus what you just spent. This would work fine, except that you can make multiple deductions at the same time using multiple threads (say your phone and pc, or two chrome tabs) . By spending twice simultaneously both threads update the value relative to the same starting balance, and since the second thread isn't aware that the balance has just been updated, it overwrites that update, meaning you just spent the same dramacoin twice.

The timing is relatively easy to pull off as python is notoriously slow so the gap between checking the balance and updating it was quite wide, so I was able to exploit this by just clicking "bet" at the same time from two devices.

@TwoLargeSnakesMating had this to say:

[It's] not a thread locking issue in particular; moreso just the way Carp got creative with using getattr/setattr on the User objects apparently doesn't create a database transaction, which should act like a mutex how you're suggesting.

Which is basically what I'm saying with some webshit lingo mixed in.

:marseysleep: end of nerd shit

As soon as I verified the bug by printing myself 30k dramacoin in roulette I told @Aevann, and then went back to the casino, Carp was gambling too and noticed something was strange. Here are some screenshots of him being r-slurred:

Jump in the discussion.

No email address required.

IlIIlIlIlIlIl they/them 2yr ago #2727964

Conclusion: next time let’s be more discreet and nobody tell the jannies

38 Context

birdenthusiast duck/ducks :marseyvampirecrusader:

Mavis Enthusiast :marseyvampirecrusader:

2yr ago #2727989

30 Context

L ong/Nose :marseylongpost:

Serial Serious Replyer :marseylongpost:

2yr ago #2727972

What will never be repaired, however, is my psyche after browsing this site's source.

The best form of security is of course, unintelligibility. Everyone knows this

29 Context

gamerchad psi/pi Psychic Omnikineticist L 2yr ago #2728022

Code obfuscation? Baby time. Verify user transactions manually using double-transaction checking chimps? Real shit.

14 Context

S sneed/sneed TOTAL SOREN ASSIMILATION 2yr ago #2728033

Minor Correction, carp fell asleep right before I discovered how to actually do it lol so he didn't actually profiteer from this

:#capysneedboat2: :#capyantischizo: :#space:

23 Context

gambling_QA get/set S 2yr ago #2728067

He didn't even know the simple phone + pc version I used?

11 Context

S sneed/sneed TOTAL SOREN ASSIMILATION gambling_QA 2yr ago #2728069

No what was ur version lol did u just click quickly?

gambling_QA get/set S 2yr ago #2728075 Edited 2yr ago

yea I made like 40k just clicking "ok" at the same time in the phone and laptop. Worked like 1 out of 3 times

12 Context

Certifiedcarpussyoperator Didnt/read :marseyindignant:

S 2yr ago #2728159

Schizocel not breaking rdrama code challenge (imposible)

8 Context

GabrielMartinelli rap/ist A little :rape:

never hurt anybody 2yr ago #2728028

Give me back my coins admin. I had 10,000 coins made from my sweat and blood before ~~the counter-revolutionary~~ GetoGeto gifted me an absurd amount of money. This is unfair and unjust taxation and as a staunch libertarian, I despise the heavy hand of the State interfering in my financial affairs.