Prevent abuse of the dispenser

[fabrice102]

Summary

Recently, the following addresses:

• 7N5FSWXLIOZQ47PRN7SACV3Q3QF7I44VPMGUUZ3XY2B7OTDX64VCK344IE
• ERQDZN3EVBZU56YVRL7VRCDELI6FVXEWR2TY43YLNA5UWWX5YULWTSBMLA

have been abusing the dispenser on TestNet and have withdrawn more than 1M (TestNet/fake) Algos from the official dispenser and another dispenser.

Scope/Requirements

Scope for this issue:

• Increase the security/difficult level of the CAPTCHA (this is a parameter of ReCaptcha - https://developers.google.com/recaptcha/docs/settings)
  • Pro: Should make it significantly harder to abuse
  • Pro: Very easy to change
  • Con: Make it harder for honest users to get funds
• Appeal to kindness by adding a text in the page such as:

  The dispensed Algos have no monetary value and should only be used to test applications. This service is gracefully provided to enable development on the Algorand TestNet blockchain. Please do not abuse it by requesting millions of Algos.

  If you need significant TestNet stake for a legit purpose, please contact us at ...

  • Pro: Absolutely no negative impact to honest developers
  • Con: Does not prevent malicious behaviour

Out of scope (for now) To prevent such abuse, we may consider the following counter-measures:

• Decrease the amount dispensed to 50 Algos, 25 Algos, or 10 Algos.
  • Pro: Easy to change
  • Con: Some examples/tutorials may rely on using 100 Algos.
  • Con: Because of minimum balances, for complex applications on Algorand, 10 Algos might be too low.
• Limit the number of dispensed Algos per hour / per min / per day, per IP.
  • Pro: Should make it harder to abuse
  • Con: Can be relatively easily bypassed
  • Con: Can really block honest developers, especially in events where dispenser may be used a lot such as Hackathon
• Monitoring and alerting in case of increase of number of dispensing per day. And number of dispensing to the same address
• Reduce the amount of Algos on the dispensing address
  • Just a mitigation against catastrophic event. Does not prevent complete abuse.

Urgency/Relative Priority

Quite urgent to implement one countermeasure to prevent all funds of the dispenser to be leaked.

[onetechnical]

We could also add internal tracking of dispenser addresses, such that if you get transferred more than, say, 10,000 algos, you have to contact us. You would be able to just spin up multiple accounts.

Blacklisting addresses who abuse the system automatically might be a good idea too; perhaps > 1,000 algos in a single day puts you on an automatic 7 day wait / contact us list.

Probably a combination of harder captcha, reduced algo dispensed, and appeal to kindness are easy. Adding per-account or IP limits is trickier and will result in false positives and add infrastructure.

[mxmauro]

Hi guys, we are trying to solve the same issue. Despite headers can be fake, because the periodicity of the data logged in our servers, seems the abuser was using, in our case, Firefox and controlling it programmatically with an external tool like AutoIt.

reCaptcha seems too weak. No way to enforce the 3x3 grid popup and the checkbox too easy to click.

@onetechnical , we were also thinking in limiting per-ip / per-address but, in my opinion, I don't think a honest user would need too much funds that might trigger the limit or 100/1000 algos.

[egieseke]

Added appeal for kindness message. Verified that captcha is set to highest security.