dewi-alliance / grants

Details of the DeWi Alliance Grant Program

Anti-gaming research grant request: "Routing" #9

Closed pilotdeveloper closed 2 years ago

pilotdeveloper commented 2 years ago

Project:

Routing

Elevator Pitch:

Through running my virtualprivatepi.com service, I believe I've found a vulnerability that allows a person to circumvent the one hotspot per network measures. This project would design a way to prevent this from happening.

Total fiat/hnt ask:

$2000 to cover the time to research and investigate.

Name and Address: Will provide via email.

Please provide your legal name and a link to the submitted issue to grants@dewi.org. This will streamline the contract process and KYC. A lack of this information will delay the contract.

Team or Project website: (optional)

Team or projects social: (optional)

Code Repos of team or key applicants:

Myself - a senior software engineering manager who's working on his Master's in Computer Science in his free time.

Project Details: I will spend time to research a potential vulnerability in the project that would allow for a person to host an unlimited number of hotspots off of a single connection.

The deliverables from this will be a report that shows if the vulnerability is in fact an issue along with proposals as to how it can be fixed.

Roadmap:

| Milestone + Date | Deliverable | Summary | Cost |
|---|---|---|---|
| MS1, September 21st (or three weeks) | Report on vulnerability due | Full report as to the vulnerability, the methods, and the impact will be confirmed and delivered. Work with Helium team to release immediate patches if vulnerability does exist. Estimated 20 hours of development time. | 1000 USD |
| MS2, October 1st | HIP delivered | HIP to fix the vulnerability long term will be delivered. Estimated 10 hours of development time. | 1000 USD |

Due to the nature of this grant request, all specific information will be sent via email to the DeWi Alliance. It's critical to note that this is not a confirmed exploit and that at this time, I'm only 60% certain this exploit will work. The grant will fund the cost of the hardware, the time, and the effort it will take to validate the exploit and come up with solutions to resolve it.

PaulVMo commented 2 years ago

@pilotdeveloper Thank you for your application. Anti-gaming is definitely an area of interest to the DeWi grants program. The grant committee looks forward to receiving the details and severity of the potential vulnerability when you share it with grants@dewi.org.

A few points of feedback from my perspective to assist the committee in reviewing this application:

  1. At this time, the DeWi grants program is not funding the purchase of hotspots. Please look for alternatives such as partnering with someone with existing hardware or running the miner in dataonly/diy mode if possible.
  2. While you may be joking, grants are not intended for travel or vacations of any kind.
  3. The current PoC limits around multiple hotspots on the same public IP address are software-based in the blockchain code. I am curious how your research may damage or destroy a hotspot. You may want to elaborate.
  4. You may also want to share some additional background on yourself to demonstrate your ability to meet the objectives outlined. For example experience with Erlang or functional languages, blockchain development, etc.

pilotdeveloper commented 2 years ago

To answer some of your questions:

  1. I was simply explaining what the grant funds would be used for - I do have multiple hotspots available and if grant funds were approved, that would obviously compensate for lost revenue from the deployed units. (see # 3).

  2. I wasn't joking - I would be spending hours of my time to research and validate these initial suspicions. If things worked out, I would use my LLC to accept the grant money and subsequently pay myself (and any additional assignees) for the time spent researching and validating. What I do from there with the funds would likely be taking her on a vacation after delivery considering I'd be taking away hours of my time with her (I do have a day job!). Nonetheless - the next grant proposal (see # 5) will be 100% strictly business.

  3. The method I'm considering would involve editing configurations on the devices themselves which of course runs the risk of messing up the device temporarily. In retrospect, I do suppose a fresh install of the SD card would undo any changes, so effectively - you're correct. It would be unlikely that I'd permanently destroy or disable the device. The additional method to circumvent this would be to use fancy routing techniques with the help of Azure.

3b. Given that you're correct - this can be easily resolved with a quick dd to a new sd-card if things go south, I'll update the requested amount to $2000 to cover my time and efforts.

  4. I have absolutely no experience in blockchain development or Erlang. Despite that, I'm well versed in a variety of other languages such as PHP, Java, JavaScript, Golang, C++, C, Lua, and Python - all of which can be programmed using a functional style (which I do!). I also do a lot of SQL work as part of my day job (well, Kusto - a variation effectively). I am not Azure certified; however, I am AWS certified and work with Azure every single day. I have a relatively large reach of things I've done over the years. Here are a few examples of my previous projects:

https://gm.com https://chevrolet.com

-- Additional information can be found on my site: https://ajkelly.net

  5. (I know you didn't have a five). This was more of a bug bounty type of thing. I'm about 60% certain I have a workaround to allow people to run multiple hotspots on the same public IP; however, this isn't my strongest suit and I'd be happy to hand off my findings to someone in DeWi or the current Anti-gaming groups for them to validate (for free). I'm currently working on a significantly larger proposal (with a working proof of concept) that will accomplish the following: Improve Helium as a whole, Track hotspot coverage, Prove hotspot coverage, Demonstrate reliability, Help diagnose and solve antennas, and provide info on other impacting signals. If this one doesn't work out, that's totally fine with me - I think you guys would be significantly more interested in the one I'm currently building regardless (and also, the second proposal is significantly more aligned with my web based experiences, it's a win-win-win!)

pilotdeveloper commented 2 years ago

Also, to demonstrate that I do have knowledge of how this method could potentially work, I can share - https://virtualprivatepi.com. While I have not (and would never) use the method I'm discussing, I do believe it can be done and want to spend time to test it.

Additional note about virtualprivatepi.com - I am actively turning away customers who ask about gaming (because they are reaching out). I'm also tracking IPs to ensure they don't come back and buy despite being turned down.

I've also updated the initial proposal to make it much more business. :)

PaulVMo commented 2 years ago

Thanks for the updates and additional information. Unfortunately, using a VPN is already a known way to bypass the POC checks that limit beacon frequency. There is quite a bit of discussion on this in the Helium Discord poc channel. A solution to this would be well received. However, no funding is needed to confirm that it is an issue. If you have a specific solution to solving it, that might be supportable. That said, as you noted, your time might be better spent on your other ideas.

pilotdeveloper commented 2 years ago

It should be made clear that I'm not talking about using a VPN to bypass the POC checks. That's not the intent of the service at all, and that's not how it's being used. The part I'm specifically talking about is the invalid configurations that one can push to use unlimited hotspots off a single VPN connection potentially.

At least with using a VPN, a person is still having a significant amount of risk (paying for monthly services) and could backfire. The solution I'm discussing may potentially allow them to run multiple devices on the same VPN (or even home connection without a VPN) by using routing and configs.

PaulVMo commented 2 years ago

Interesting. I'd be happy to discuss more if you think there is something there. Feel free to find me on Discord if you don't want to share in public here. I still can't imagine how this would work. The POC limiting is based on the source IP that the hotspot is communicating on as observed by other hotspots on the network. Spoofing the source IP is non-trivial and would be more of a security hole in the access router, no?
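As an added illustration of the check PaulVMo describes above (hotspots grouped by the public source IP that other hotspots observe them on), and not code from Helium, DeWi or any thread participant: the script below takes constructed witness observations, counts distinct hotspots per observed source IP, and flags IPs carrying more than an assumed per-IP limit. The observation shape, the hotspot IDs, the IP addresses and the limit of one hotspot per IP are all assumptions for this example; the thread does not describe the real data format or the exact limit. It also flags hotspots seen from more than one source IP, which is the cheap tell that the VPN bypass mentioned earlier in the thread leaves behind, and it shows the limitation: a hotspot that moves between VPN exits looks like a separate network on each one.

```python
from collections import defaultdict
from ipaddress import ip_address

# Assumed limit for illustration; the thread only says "one hotspot per network".
MAX_HOTSPOTS_PER_IP = 1

# Constructed sample data: (witness_hotspot, observed_hotspot, observed_source_ip).
# Documentation-range addresses (RFC 5737); none of this is real network data.
OBSERVATIONS = [
    ("hs-w1", "hs-a", "203.0.113.10"),
    ("hs-w2", "hs-a", "203.0.113.10"),
    ("hs-w1", "hs-b", "203.0.113.10"),   # second hotspot behind the same public IP
    ("hs-w3", "hs-c", "198.51.100.7"),
    ("hs-w2", "hs-d", "198.51.100.7"),
    ("hs-w1", "hs-d", "198.51.100.9"),   # hs-d seen from two IPs, e.g. VPN exit churn
]


def hotspots_by_source_ip(observations):
    """Map each observed public source IP to the set of hotspot IDs seen using it.

    ip_address() normalises the string form (and rejects garbage) so two
    spellings of the same address cannot be counted as two networks.
    """
    seen = defaultdict(set)
    for _witness, hotspot, src in observations:
        seen[str(ip_address(src))].add(hotspot)
    return dict(seen)


def over_limit_ips(observations, limit=MAX_HOTSPOTS_PER_IP):
    """Return {ip: sorted hotspot IDs} for IPs carrying more than `limit` hotspots."""
    return {
        ip: sorted(hotspots)
        for ip, hotspots in hotspots_by_source_ip(observations).items()
        if len(hotspots) > limit
    }


def multi_ip_hotspots(observations):
    """Hotspots observed from more than one source IP.

    A single hotspot hopping between VPN exits is invisible to the per-IP
    count above (each exit looks like its own network); tracking the set of
    IPs per hotspot is the complementary view.
    """
    ips = defaultdict(set)
    for _witness, hotspot, src in observations:
        ips[hotspot].add(str(ip_address(src)))
    return {h: sorted(s) for h, s in ips.items() if len(s) > 1}


if __name__ == "__main__":
    for ip, hotspots in over_limit_ips(OBSERVATIONS).items():
        print(f"{ip}: {len(hotspots)} hotspots over limit -> {hotspots}")
    for hotspot, ips in multi_ip_hotspots(OBSERVATIONS).items():
        print(f"{hotspot}: seen from {len(ips)} source IPs -> {ips}")
```

Both views depend entirely on what witnesses report, which is PaulVMo's point: the check never sees the hotspot's own configuration, only the source address its traffic arrives from, so defeating it means changing that observed address rather than the device.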

PaulVMo commented 2 years ago

Thanks again for your interest in the DeWi Grant Program. As a follow-up to the previous comments about pursuing other potential ideas, I recommend closing this application until you are ready to submit a new application. If you wish to continue to pursue the potential POC issue, there may be other options available such as filing an issue in the Helium open source projects on GitHub or Helium's bug bounty program through HackerOne.