Questions for Golem: How to Find $10M Just by Reading the Blockchain
Golem published this article and after some consideration it leaves a lot of unanswered questions. What struck me initially was that Poloniex limits the withdraw of funds based on verification levels with the highest verification level allowing a withdraw of $25,000 per day for verified accounts. On their blog they wrote “this bug could be used to empty the whole GNT account on the exchange!” but this would seem to violate the exchanges security protocols thus invalidating the transaction. This was the most obvious question I had but here are some others:
- We were told that a “Golem enthusiast and GNT holder” found this bug but to many readers of the article it doesn’t make sense why anyone would spend their time analyzing every single transaction to and from the Golem contract. Some additional context is helpful for framing the story:
What was the user looking for when the bug was found?
How was the user able to identify this as a bug?
- The article provides this link to the transaction on Etherscan but the link itself doesn’t allow the reader to retrace the same analysis and come to the same conclusions. Specifically it doesn’t appear possible to know how much GNT the transaction is for by looking at it on the Etherscan webpage. How can we know the value of GNT that this transaction was attempting to send?
- If the malformation was unintentional then one would assume it was merely a typo inputted by a Poloniex user that caused this issue. If it was a typo why would the user click on the link provided in their email to complete the withdraw since users are not merely required to input an amount and an address but also required to confirm withdraws by email?
- The article never informed readers if the Poloniex claimed to have other safeguards in place to protect users or if Poloniex stated that this bug allowed an account to circumvent withdraw limits placed on all users. Readers need to know if the exchange ever confirm that this bug would circumvent their withdraw limits.
The article by the Golem team leaves many unresolved details that call into question what caused this issue. Based on what was written the issue is not merely caused by a faulty operation on the exchange but also a malformed transaction. The article never explains the origin of this transaction which creates some confusion for those trying to understand what happened. Any further clarification would be appreciated.