The cause and result of the unlimited coin bug

The standard is actually 60 days, with it being responsible to give up to 90 days for remediation prior to disclosure, and it being supportable to disclose after 45 days if the developer is unresponsive. There is no universe in which 7 days is enough time to develop a patch and deploy it responsibly, or in which 7 days is a standard disclosure timeline.

https://www.cisa.gov/coordinated-vulnerability-disclosure-process

Typically if disclosing early a responsible party discloses the details of the vulnerability along with a mitigation strategy - how users can protect themselves from those exploiting it (in this case that would be something like removing your listings and not engaging in purchases or sales until the exploit is fixed) rather than a how-to of how you too can exploit the vulnerability.

The person “disclosing” this exploit with a tutorial was in no way shape or form performing a responsible public disclosure. The timeline involved is not in any way reasonable to expect remediation. And taking a week to fix a serious vulnerability like that is well within normal standards, and not in any way indicative of negligence. Furthermore the official team has indeed taken action, showing they do not have indifference towards the issue. The OP is wrong on all counts, the person “disclosing” was wrong on all counts, and everyone who engaged in the exploit should indeed be permabanned, including especially the person who posted the tutorial on how to use it.

4 Likes

I know, that’s why I said I didn’t think he was; it’s just that the first thing I thought of when I read the description was someone who just wanted to burn everything down when they didn’t get a response. Plus EHG’s description of the timeframe is quite different. :person_shrugging:t3:

Yeah, that’s fair enough.

And yet, plenty of games release day-of hotfixes for bugs where “Boss is dropping 10000 pieces of loot, instead of 1”. It’s not unheard of for game-breaking bugs to get fixed the day they are discovered… or at least the offending mechanism deactivated until the bug can be fixed.

1 Like

Which is apparently kinda what they did?

It’s interesting to see the difference in timescales.

1 Like

Yes, but we also have to take into consideration how many reports were actually being submitted and how many actually had reliable and helpful information that could help them. It’s the same as people making assumptions that only one or a few people knew.

There will always be bugs/cheats/hacks/etc. remaining on the low, and that absolutely does not make anything okay, but you can only do so much… Mitigating is better than going in blindly and possibly causing more/bigger problems.

Is there proof somewhere that the actual whole procedure was tipped off and sent to them a week ago, or whenever it started, rather than just “there is a gold dupe going on”? Even if it was an obvious one and they could go by that, how many reports were actually going in for them to see that are regarding this issue and be able to immediately put out a patch? There are so many reports daily that it’s like finding a paper clip in the factory.

If the reports were coming in with the method sent to them, then yes, it should’ve been handled a long time ago. If it’s just a small number of reports coming in with a lack of information, it’s hard to go by that, whereas if there is an extremely large amount of reports coming in with a lack of information, then you would need to go detective mode until you find something that is causing all these reports.

Like you said, once the bug exploit was released publicly, you can’t even turn a blind eye if you wanted to. It’s literally the topic everywhere, outside of the reports. Sure, there have been reports a week ago, but to what extent? It clearly became obvious to everyone, and not just a few, on the 30th or whatever.

- You can’t go digging aimlessly for every report of someone claiming there is this or that.
- You can’t patch something asap when you don’t know many details and/or where to begin.
- You have to take into consideration how many reports are being sent daily, so it would take time before it reaches that. There isn’t something that pulls out which one sent is going to be seen vs others besides the order it gets submitted in. Even if there was a way to filter out and alert for keyword reports, I can only imagine a lot of reports that are wrongful and assumed.

And to end it, I think it is extremely bad to keep all that gold still on the server, so I’d be more on their case on how they took care of it, rather than not handling it sooner. Just my take.

1 Like

What is the actual timeframe? I’ve read anywhere from ~1 month to 1 week between initial report and ‘fix’.

Not a clue but the post above yours is a good read & EHG said they got a fix out in ~24 hours. :person_shrugging:

1 Like

Yes, as it turns out some bugs take longer to fix than others.

That’s what the press release said. But that’s not what was said by those who claimed they reported it, and then released it to the world.

Derp de derp.

The big thing to keep in mind here too is that there is a huge difference between developing and deploying a patch responsibly, and shoving out a hotfix to emergency resolve a situation. When you shove out some code to fix an emergent situation, you are typically doing so while accepting that you’re incurring “technical debt”. You moved too fast, deployed “whatever worked” instead of taking the adequate amount of time to plan, build, test, iterate, and only then roll out.

In exchange for getting it out right now, in the long run, it will actually cost you more development resources, because you’re going to have to go back and clean up the mess you’ve made. It’s not a question of if, just a question of when you’re going to discover the new problems you’ve introduced and how long it’ll take to fix them. I’ve personally made that tradeoff (sometimes it’s worth it or you have no real choice, like if some douche made a public tutorial of a major exploit or if your whole infrastructure is already fubar’d). And I was still finding things which needed cleanup from the work done during that period, no joke, 18 months later.

So yeah, you can shove out a fix to a bug in less than 24 hours. That doesn’t mean that you should, or that we should celebrate them doing so. It always comes at a cost, and there is so much for them to do in this game right now, and so many things we all would love to see them working on. Cleaning up their tech debt from an emergency hotfix isn’t one of them.

It would’ve been a lot cooler if they had all the time they needed to fix it right the first time on their own schedule, rather than having their hand forced. Kudos to them for shoving out a fix quickly when they had to. But anyone who has worked in IT and / or software development knows the cost incurred by doing so.

3 Likes

Exactly, I imagine who one believes says more about oneself than what actually happened. :person_shrugging:t3:

While I don’t work in IT/software development, fudging something into a spreadsheet ’cause it’s quicker to do that than make a more reasoned/thoughtful change can have a similar impact, as it can then make subsequent changes harder/more time consuming & make it harder to do stuff down the road.

I enjoyed your thoughts.

The only reason I did NOT choose MG when LE launched 1.0 was because I figured there would be duping/whatever issues. I have just come to expect that in any online game, this is the new norm and people get more and more creative in exploiting whatever systems there are. I have yet to play a new online game where people don’t find exploits, etc.

-I wish I felt differently. I wish I didn’t feel, even in a brand new game: “STEER CLEAR OF ANY AUCTION HOUSE/ETC” but I do. Because all this stuff keeps proving me right over and over again. I would like to be wrong about this at some point.

Yeah, true, but it doesn’t matter now. What matters is the economy is indeed borked now. It is basically impossible to afford the best items unless:

- You took part in this gold generating bug
- You buy gold via RMT

I’d like to hear what the devs plan to do to address the issue. Since gold persists over Cycles, the economy will not fix itself going forward, and the vast majority of gold is currently in the hands of players who broke the rules.

I fear it’ll be some horrible scheme that punishes all us legit players, such as gold tax in MG transactions.

1 Like

Apologies, I meant what they will do further to that statement since I expect a huge amount of that gold has moved on to other players, many of whom are innocent in all of this.

The claim was that it was reported a week before. We have no way to verify that, but we also don’t have a way to verify how many reports EHG received since launch (which I expect was in the high thousands), so we also don’t know when EHG actually became aware of the bug.
Even if the week they claimed isn’t exaggerated, it’s quite possible that this report was buried among a bunch of other ones and EHG didn’t have time to acknowledge it.

Either way, the one that released it doesn’t really have an excuse, since it was obvious what would happen when he did. He just wanted attention and simply decided to start a clusterf*** when he didn’t get a pat on the back from EHG.

I work in IT and what usually happens in these emergency situations is that you make a quick and dirty fix to stop the issue and immediately start working on the “proper” fix.

It’s not just trade that gets affected by things like this, though. For example, previous currency exploits in PoE also affected SSF players. As well as other exploits not directly related to currency. The difference is that when these exploits affect trade, they affect a bunch of people at once, even ones that weren’t aware of it in the first place.

They did say they’re monitoring the situation and working on stuff to fix the inflation. We’ll have to see what happens moving forward.

1 Like

What mess? What you said applies to implementing a new feature. It doesn’t really apply to fixing a bug. The feature is already implemented. You write a test that reproduces the bug. And then you modify the code to make the test pass. You shouldn’t be writing all that much code to fix a bug.

That depends on the bug. If a bug has an impact in different systems, then you may need to fix/redo multiple systems. We saw this happen with the server issues at launch.

Okay well the fix for a gold dupe exploit is literally just putting an if statement at the top of a method. There’s not much code to be written, no need to rewrite anything. The bug exists because someone forgot a guard statement, maybe used the wrong method, or the wrong data type somewhere. Either way, this is almost certainly a one line fix. There’s no need to have a SCRUM cycle over it.

1 Like
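The bug-fix loop the two posts above describe (write a test that reproduces the bug, then add the missing guard at the top of the method) as an added illustration in Python. This is not code from the thread, from EHG or from the game: the ledger, player names and amounts are constructed here, and the "before" version only shows the generic missing-guard class of defect the post is talking about, not anything about the actual bug. The regression check asserts two invariants any currency ledger should hold after every call: total gold is conserved, and no balance goes negative.

```python
"""Toy gold ledger: an unguarded transfer, its guarded form, and the regression
check that distinguishes them. All data below is constructed for illustration."""
import threading


class InvalidAmount(ValueError):
    """Client supplied an amount that is not a positive integer."""


class InsufficientGold(ValueError):
    """Sender does not hold enough gold to cover the transfer."""


class Ledger:
    """In-memory balances (hypothetical stand-in for a game's server-side store)."""

    def __init__(self, balances):
        self._balances = dict(balances)
        # Lock makes the check-then-debit sequence atomic under concurrent requests.
        self._lock = threading.Lock()

    def balance(self, player):
        return self._balances.get(player, 0)

    def all_balances(self):
        return dict(self._balances)


def transfer_unguarded(ledger, sender, receiver, amount):
    """'Before' version: trusts whatever amount the caller passes and never
    checks the sender's balance. Kept deliberately defective to show what the
    regression check catches."""
    ledger._balances[sender] = ledger.balance(sender) - amount
    ledger._balances[receiver] = ledger.balance(receiver) + amount


def transfer_guarded(ledger, sender, receiver, amount):
    """'After' version: the guard statement at the top of the method."""
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(amount, bool) or not isinstance(amount, int) or amount <= 0:
        raise InvalidAmount(f"amount must be a positive integer, got {amount!r}")
    if sender == receiver:
        raise InvalidAmount("sender and receiver must differ")
    with ledger._lock:
        if ledger.balance(sender) < amount:
            raise InsufficientGold(f"{sender} holds {ledger.balance(sender)}, needs {amount}")
        ledger._balances[sender] = ledger.balance(sender) - amount
        ledger._balances[receiver] = ledger.balance(receiver) + amount


def total_supply(ledger):
    return sum(ledger.all_balances().values())


def regression_check(transfer):
    """The 'test that reproduces the bug': drive one transfer implementation
    with ordinary and malformed amounts and return the list of invariants it
    violates (empty list means the implementation passes)."""
    ledger = Ledger({"alice": 100, "bob": 0})  # constructed starting balances
    supply_before = total_supply(ledger)
    # 50 is a legitimate transfer; the rest are inputs a guard should reject.
    for amount in (50, 0, -25, 10**9, 2.5):
        try:
            transfer(ledger, "alice", "bob", amount)
        except (InvalidAmount, InsufficientGold):
            continue  # rejection is the expected outcome for bad input
    violations = []
    if total_supply(ledger) != supply_before:
        violations.append("gold not conserved")
    if any(v < 0 for v in ledger.all_balances().values()):
        violations.append("negative balance")
    if not all(isinstance(v, int) for v in ledger.all_balances().values()):
        violations.append("non-integer balance")
    return violations


if __name__ == "__main__":
    print("unguarded:", regression_check(transfer_unguarded))
    print("guarded:  ", regression_check(transfer_guarded))
```

Running the check against `transfer_unguarded` reports violations, which is the failing test; once the guard is in place the same check passes, and it stays in the suite so the defect cannot silently return. The lock is there because a balance check followed by a separate debit is a check-then-act sequence, and a guard that is correct for one request can still be raced by two; whether a real server needs it depends on how its persistence layer serialises writes.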

In a system as complex as a game like this, nothing gets changed without multiple tests. Not even fixing typos. Because it’s all too easy to make a mistake while programming that inadvertently breaks something else.
If this was simply putting an if statement, the fix wouldn’t have taken most of a day and would have just taken 5 minutes.

However, nothing in programming actually works like that when you have a complex system with lots of parts that interact with each other.

1 Like