Sharpay security update in Jul #1

Dear Sharpay Members!

Recently, we have added a new feature to reward users for completing bounty tasks within the system (filling out a profile, connecting social network accounts, and others). We understood that the new way of earning token bonuses can be used for cheating. Therefore, we have updated an algorithm for calculating bonuses for user tasks in our activity monitoring system.

More than a month after the release of bounty tasks, everything was fine and worked as it should. But on July 1, the monitoring system sent a notification that one of the users received bonuses more than the limit. We raised the system logs for this user and began to analyze them. The analysis helped us restore all user actions and find out how he could get an additional bonus.

We would like to clarify the technical feature that is embedded in the system. Users are able to create accounts in Sharpay using social networks. For example, a user can create a Sharpay account via Facebook using his laptop, and also create another account via Telegram using smartphone. Thus, the same user will have two different accounts. His will have two different token balances, and this is a very inconvenient for him to manage two different accounts.

To solve this situation in Sharpay there is a system of merging accounts. When linking a social network profile to a Sharpay account, it checks for the presence of this profile in other accounts. And if it finds an intersection, it merges them into one common account, where all social user accounts and total balance will be combined together. The algorithm for merging accounts turned out to be problematic for the bounty tasks.

Let us return to the user who found this loophole in our system.

He created a main account using email and password login. Then, he created a second account using a social network and completed several bounty tasks for earning tokens. After that, he logged into his main account and linked the same social network profile that he used for the second account. Our system detected it and merged both accounts and balances together. The second account which completed the social network task was deleted because of the merging. He removed social network bindings from his main account. As a result, he was able to complete the task again by registering a new account via social networks and earn 370 S tokens more before we could stop him. In this bug, he could keep creating accounts using social networks, merging them together and disconnecting the social networks in the main account to loop the bounty task.

At the moment, we have made changes to the algorithm for merging accounts and the bonus for completing tasks is rewarded once. If the task was performed in both accounts, then during the transfer the bonus received in the second account will be subtracted from the transferred balance.

We strive to improve our system and pay great attention to security issues and protection against abuse. We are grateful to this user for his inquisitive mind and time spent. We not only did not reset tokens “illegally” earned by him, but also in appreciation of his effort, we accrued to him an additional 1000 S tokens as a bug bounty reward.

We would like to ask all who are interested to help us in finding bugs and vulnerabilities in Sharpay. Any feedback helps us to become better and more convenient.

In Sharing We Trust! Team