Pool stealing coins to address not mining in the pool



  • Hello everyone,

    Once again I see something strange in my pool.

    My pool just got a block. This time it is confirmed in the blockchain.

    The pool then displayed the following:

    Miners share payment sent to 17572168194578653714 amount = 22.83 (txID : 371837709586085266 )
    Miners share payment sent to 16532659085445669130 amount = 104.32 (txID : 14907019102782130478 )
    Miners share payment sent to 13906952252209182598 amount = 1559.04 (txID : 5008293498579813106 )
    Miners share payment sent to 13937467006800669796 amount = 203.05 (txID : 2060433338667922309 )
    Miners share payment sent to 10901473653708259037 amount = 31.87 (txID : 7512360765322532803 )
    Miners share payment sent to 5946038116820533174 amount = 288.80 (txID : 8137096549864403991 )
    Miners share payment sent to 10532192621865268440 amount = 23.25 (txID : 10088404798304521587 )

    However, the address with ID 17572168194578653714 (BURST-GAJL-VWKN-2XPB-H39R9) did not mine in my pool. As far as I can tell from his/her history, reward assignment was never done to my pool. So why is my pool sending coins to that account?

    I hope I did not miss anything here.



  • @Jumper

    I see this hardcoded in the burst-pool-payment.js file:

    Line 26: var devNumericID = '17572168194578653714';

    Looks like something is hardcoded with this ID.

    And then in a function called distributeShareToPayment we have some lines with that variable:

    if(!pendingPaymentList.hasOwnProperty(devNumericID)){
        pendingPaymentList[devNumericID] = 0;
    }

    pendingPaymentList[devNumericID] += parseFloat(parseFloat(Poolfee2).toFixed(2));
    

    So as far as I can see, this is stealing coins to this address with the following % value: var Poolfee2 = funddistribution*0.01;

    Anyone who is using the pool script from @Lexicon, please check your script and confirm the same.

    Can someone explain this to me?
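
A check a pool operator could run on the payout log from the first post, as an added example that is not part of the thread or of the pool's own code: it parses the "Miners share payment sent to" lines and flags any recipient that is not among the round's miners. The log lines are copied from the post; the `knownMiners` set and the function names are constructed for illustration.

```javascript
// Payout lines copied from the post above (first four only).
const payoutLog = `
Miners share payment sent to 17572168194578653714 amount = 22.83 (txID : 371837709586085266 )
Miners share payment sent to 16532659085445669130 amount = 104.32 (txID : 14907019102782130478 )
Miners share payment sent to 13906952252209182598 amount = 1559.04 (txID : 5008293498579813106 )
Miners share payment sent to 13937467006800669796 amount = 203.05 (txID : 2060433338667922309 )
`;

// Constructed: accounts with a reward assignment to the pool this round.
const knownMiners = new Set([
  '16532659085445669130',
  '13906952252209182598',
  '13937467006800669796',
]);

const LINE_RE =
  /^Miners share payment sent to (\d+) amount = (\d+(?:\.\d+)?) \(txID\s*:\s*(\d+)\s*\)$/;

// These IDs exceed Number.MAX_SAFE_INTEGER, so they are kept as strings;
// amounts are converted to integer cents to avoid floating-point drift.
function parsePayouts(logText) {
  const payouts = [];
  for (const line of logText.split('\n').map((l) => l.trim())) {
    const m = LINE_RE.exec(line);
    if (!m) continue; // not a payout line
    payouts.push({ account: m[1], cents: Math.round(Number(m[2]) * 100), txId: m[3] });
  }
  return payouts;
}

// Flag every payout whose recipient is not a known miner of the round.
function auditPayouts(payouts, miners) {
  const unexpected = payouts.filter((p) => !miners.has(p.account));
  const sum = (list) => list.reduce((acc, p) => acc + p.cents, 0);
  return { unexpected, totalCents: sum(payouts), unexpectedCents: sum(unexpected) };
}

const report = auditPayouts(parsePayouts(payoutLog), knownMiners);
for (const p of report.unexpected) {
  console.log(`unexpected recipient ${p.account}: ${(p.cents / 100).toFixed(2)} (txID ${p.txId})`);
}
const pct = ((100 * report.unexpectedCents) / report.totalCents).toFixed(2);
console.log(`unexpected share of payouts: ${pct}%`);
```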


  • admin

    In burst-pool-config.js there is a setting where you can disable these payments, if you do not want to donate to the dev.
    https://github.com/SOELexicon/burst-pool/blob/master/burst-pool-config.js#L16
    At least it looks like ... I do not want to judge here ... as I did not read all the docs and the thread, but something like this should be pointed out.



  • @luxe

    Well, I do not see a line-by-line explanation for these settings. And it was never mentioned that the pool script will send 1 % to that address.

    This is not asking to donate. It is taking it. That is a big difference.


  • admin

    @Jumper Why me? I'm not involved ... I just looked into the code.



  • @luxe oh sorry :)

    so my message was for the pool script creator,

    I have edited my post to reflect that, sorry again.

    I still feel that this discovery was a really big one and a nasty one.

    I hope that this will be explained.

    In the meantime I have commented these lines out and I have restarted my pool.


  • admin

    @Jumper Totally agree with you ...



  • @luxe

    However, I can confirm that this line (26) was not there before the last update. I mean I started about 3 months ago, and in that one, this line was not there.



  • @Jumper

    It was added 2 weeks ago.

    I am not good yet at the GitHub thingy, so I cannot tell who added the stealer code.


  • admin



  • @luxe

    Based on the name in the URL, it was the same person who did the last mod, and that is @Lexicon.

    I hope he can at least explain this code.



  • Yeah, it was mentioned in the post on the forums. Some users wanted to donate but asked if adding my address in the fee section would do the trick, but they also wanted to retrieve part of the fee, so I wrote in that option for them, with the option to switch it off.


  • admin

    @Jumper In the thread announcing the new code he publicly posted 12 days ago that there was an additional setting "devFee" that if enabled would send him 1% of the pool's earnings.

    https://forums.burst-team.us/topic/2643/lex-pool-a-rewritten-pool-based-on-uray-source/4

    He announced it publicly - if pool operators missed it and didn't realize, I'd call it operator mistake and not theft.



  • @haitch

    Well, this should have been posted on GitHub. Not everyone is reading this forum.


  • admin

    @Jumper I sort of agree; it should be added to the Readme - but pretty much the only way people would have known about the new code is from the thread here on the forums. To the best of my knowledge there have been no posts about it elsewhere.



  • @haitch

    I have a few friends that have downloaded the code from GitHub, and they have never visited this forum.

    Anyway. Due to the fact that on the source (github) this is not mentioned, I still feel that my post was correct.

    On the other hand, now I commented that code out so I am out of here. Feel free to delete this thread if you wish and if you feel that I was wrong.


  • admin

    @Jumper I don't think you're wrong, and I'm not going to delete the thread. The situation is ambiguous - Lexicon publicly posted in the only place the software was announced about what he was doing. People who learnt about the software here should have been aware of the devfee. Could others have learnt about it from people here - sure. But they should have been advised of the feature.

    I would recommend that Lexicon document the feature to avoid future misunderstandings - but having publicly documented the feature in the only public announcement of the pool code, I can't consider it theft.



  • @haitch Jumper has a point. There is no documentation for the pool config switches, and dev fees were not announced with the new code; it was mentioned AFTER someone discovered it.


  • admin

    @rnahlawi While I agree on the lack of documentation for the pool software config, that is also true of the original Uray source Lexicon was working from. However, the devFee feature was documented in a post in the thread by Lexicon 13 days ago that the new code had this feature. It's not something that was snuck in - it was publicly documented here.



  • @haitch

    Hello haitch, I suggest deleting this thread as I think it just creates some confusion. Sorry about that. I think everyone has a point there, so no one is right or wrong.