Will there be a major security incident reported at Manifold in 2023?
resolved May 20
Resolved
YES

This market resolves yes if someone reports or uses a vulnerability they found in Manifold that could wreak havoc, i.e., place bets for other people, dump the user database, access emails of users, etc. by the end of 2023.

predicted YES

GGs, I had privately reported this one https://github.com/manifoldmarkets/manifold/commit/f86e7fcf0866e6b14532f4b5de91d7c85e8f8ec1 and was hoping to get more cheap YES shares before disclosing it to eclair4151, but I guess I was too conservative

predicted NO

@NiciusB Interesting, can you clarify what that code was used for?

predicted YES

@eclair4151 I don't think it's an endpoint that's called anywhere in the current app, but essentially you could call an API with a user and amount to give them mana. And since there was no check for negative values, you could steal mana from anyone (without any notifications on the interface too)
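The flaw described in this comment, as an added example that is not Manifold's code: a hypothetical mana-transfer handler with the sign and authorization checks the endpoint lacked, shown beside the unchecked arithmetic so the reversal of direction is visible. All names and the in-memory balance map are assumptions.

```typescript
// Added example, not Manifold's own code. Balances live in a plain Map here
// instead of Firestore; user ids and function names are hypothetical.
type Balances = Map<string, number>;
type TransferResult = { ok: true } | { ok: false; reason: string };

// Reject anything that is not a finite, positive whole number. Without the
// sign check, a negative amount silently reverses the transfer direction.
function validateAmount(amount: unknown): string | null {
  if (typeof amount !== 'number' || !Number.isFinite(amount)) return 'amount must be a finite number';
  if (!Number.isInteger(amount)) return 'amount must be a whole number';
  if (amount <= 0) return 'amount must be positive';
  return null;
}

// callerId is the authenticated identity; a caller may only move their own mana.
function transferMana(balances: Balances, callerId: string, fromId: string, toId: string, amount: unknown): TransferResult {
  if (callerId !== fromId) return { ok: false, reason: 'caller may only send their own mana' };
  const err = validateAmount(amount);
  if (err) return { ok: false, reason: err };
  const n = amount as number;
  if (fromId === toId) return { ok: false, reason: 'cannot transfer to self' };
  const from = balances.get(fromId);
  const to = balances.get(toId);
  if (from === undefined || to === undefined) return { ok: false, reason: 'unknown user' };
  if (from < n) return { ok: false, reason: 'insufficient balance' };
  balances.set(fromId, from - n);
  balances.set(toId, to + n);
  return { ok: true };
}

// The unchecked arithmetic the thread describes, kept only to show how a
// negative amount pulls mana out of `toId` instead of paying them.
function transferManaUnchecked(balances: Balances, fromId: string, toId: string, amount: number): void {
  balances.set(fromId, (balances.get(fromId) ?? 0) - amount);
  balances.set(toId, (balances.get(toId) ?? 0) + amount);
}
```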

predicted NO

Based on the comment from @ian this market resolves yes. As clarified in a previous comment the security incident did not need to be actively exploited for this to resolve yes.

Thanks for playing!

predicted YES

@eclair4151 strange that you didn't buy YES before resolving!

@42irrationalist it's commendable.

predicted YES

@MartinRandall please elaborate!

bought Ṁ50 of NO

This is publicly reported or exploited, right?

predicted NO

@Stralor Assuming yes, I don't think Manifold (yet?) has the prestige, population, or revenue to draw that kind of attention and risk

predicted NO

@Stralor I don’t think that’s super relevant IMO, tons of sites smaller than Manifold have been hacked, plus this platform is open source which makes it way easier to audit the code and find bugs.

predicted NO

@eclair4151 There's a bit of conflict between the title and the description here, since the title says "major security incident", which would mean it has caused significant damage, which would be publicly known. But the description says it could resolve YES with only a report, which is why I'm curious about public disclosure, otherwise how would we know?

predicted NO

@Stralor amend: "... significant damage, which would HOPEFULLY* be publicly known"

predicted NO

@Stralor Yes if someone reports a bug that could be used but not actually used, this market will resolve yes. It basically requires some sort of public disclosure either by manifold or the party responsible.

Whether it would be disclosed publicly would depend on whether other people are paying attention to the GIT commits, or if the person wanted to collect a bounty from this market.

bought Ṁ30 of YES

@eclair4151 A few days ago Google Cloud emailed us that our Firebase adminsdk had been leaked in a previous commit and I spent a couple hours cycling our admin keys. Would’ve granted access to the entire db and probably other cloud services

bought Ṁ60 of YES

@ian that's scary stuff right there, damn. But also, should be sufficient to resolve YES for this market, imo

predicted YES

@ian How long did it take after the commit until Google's email?

bought Ṁ200 of YES

@firstuserhere It had been leaked 2 months ago

sold Ṁ266 of YES
bought Ṁ100 of YES
bought Ṁ0 of NO

@firstuserhere That's an automated scanning report.
I don't think that falls under the intent of the market.

sold Ṁ154 of YES

@Fedor Whatever this resolves, I already made Ṁ38 in profit by selling at 83%

sold Ṁ427 of YES

@Fedor "if someone reports a bug that could be used but not actually used, this market will resolve yes. It basically requires some sort of public disclosure either by manifold or the party responsible.

Whether it would be disclosed publicly would depend on whether other people are paying attention to the GIT commits, or if the person wanted to collect a bounty from this market."

from above. Idk, I think that falls under "vulnerability they found in Manifold that could wreak havoc. IE, place bets for other people, dump the user database, access emails of users, etc by the end of 2023."

predicted YES

@firstuserhere Given that manifold is disclosing, I think it counts

predicted YES

@Fedor It was an automated report but the commit contained the currently valid admin keys that anyone could’ve used for full db access.

predicted NO

@ian Totally, it was out there. It's embarrassing how many secrets end up in git repos.
But I think the spirit of the market by eclair4151 means that a person has to report it, or use it.

Not an automated scanning tool basically part of the cloud environment, and the vulnerability (exposed secrets) gets fixed before anyone else reported or used it.

predicted YES

@Fedor Manifold is reporting it. That's exactly what @eclair4151 put as a condition.
