Friday, June 29, 2012

The $175,000 Faction Warfare Exploit

A week ago word spread throughout the Internet that a group of Goons had figured out how to manipulate the new faction warfare loyalty point mechanics to the tune of $175,000 if the earned ISK and goods were converted to real currency. While the Goons manipulated the control levels in the Amarr-Minmatar war zone, I'm more interested in CCP's response to the incident. To that end, CCP Sreegs published a dev blog yesterday explaining the results of the investigation...

"Last week we manually adjusted some of the pricing as we stated in our news item. We then introduced some changes in order to prevent the disparity between actual cost and 'Average Price' in items. For the near future this should no longer be an issue but we are monitoring and we will make further changes to this system.

"The people who sought to benefit from this exploit will receive no gain from this system. Because this was essentially a system where you could print LP, even if ISK was provided as an input, it is classified as an exploit.

"Because the players made efforts to inform us about the issue their accounts will remain in good standing. We have temporarily seized all LP points and store items from them. Once we're done determining how much each person has benefitted we will remove the LP gained value in LP and items and return the ISK invested in the purchase of items to them. This essentially will set each of them back to the original point at which they began this activity. The person who reported the issue will receive the usual PLEX for Snitches reward.

"I wrote a blog on 'Responsible Disclosures' a year or so ago. In that blog I mention that telling us about something after you've used the heck out of it isn't what we consider to be responsible. We do our best to be lenient in cases such as this but we want this to serve as a notice to the community that the proper time to alert us to the issue was before actually using the system. I can understand a desire to test the limits but we don't believe two weeks of testing a bug or exploit should net a tremendous benefit in lieu of reporting it in the first place, and that is another reason why the LP activity will be reversed back to zero."

The response from Aryth, the Goon who originally posted the details of the exploit on the forums, showed he thought the decision fair.

"... I was already a trillionaire before this. It's not like I am crying all the way to the poor house if CCP just unwinds me. I will remain one of the richest players in EVE. Sure, I would more like trillions, but I got many news articles, a 160 page thread or whatever, multiple blogs/news announcements and the most hilarious graph to ever exist in the history of EVE play.

"Throw in the most ISK in kills/deaths records, and goddamn. I am pretty smug.

"But really. The true reward is to dunk on Stoffer [CCP Soundwave]. If there is one thing goons love, it's trolling goons. Even Ex-goons.

"CCP gets press, we get our capital back, EVE gets another hilarious footnote in history. Everyone won here. We just won less than we woulda liked."

As is his custom after publishing dev blogs, CCP Sreegs hung around and answered questions on the EVE Online forums. Since a lot of people refuse (for very good reasons) to visit the official forums, I have extracted the best of the questions and answers from the first few hours of the thread. Having put this together, I think it reads like a press conference. Hopefully this will give some greater insight into CCP's response. Enjoy!

Q:  What sort of metrics does CCP watch for to catch these kinds of exploits? And what sort of systems can be put in place to understand why LP is coming from nothing, similar to how tech was coming from nothing under the previous silo duplication exploit?

CCP Sreegs:  "Without getting into too much detail things as simple as watching top LP gains by player is a fairly simple one. If you look at the graph provided you really only had to look at the LP at all to see it spike. The other indicator is LP by faction. All the other factions are kinda even keep and Minmatar was like OH HI!"

Q:  Shouldn't the five players also retain LP equivalent to 2 weeks worth of 'normal' game play?  They were playing, they did let you know and they did participate in Faction Warfare.

CCP Sreegs:  "I really don't want to discuss actions against individual players any more than was detailed in the blog for informational purposes. Sorry duder."

Q:  If we do not manipulate prices but do research to take advantage of existing market values, is this still exploiting? Your blog seems to hint that it is.

CCP Sreegs:  "I'm going to pass this point around internally. I'm not really comfortable answering this Maverick-Style."

Q:  If manipulating market prices is exploiting, then there literally is no sandbox anymore.

CCP Sreegs:  "Nobody ever said anything about manipulating the market prices. What we said was that this could be done in such a way that led to an artificial disparity (albeit one created by our own systems) between the real value of an item and the number we were calculating value based upon to magically die over and over again to gain another currency.

"That's not 'Market Manipulation' that's blowing someone up over and over again to magically get more money out of the same item.

"Nowhere has anyone said Manipulating Market Prices is exploiting. Ever. At all."

Q:  So... This means that insurance fraud is actually an exploit?  If, somehow, mineral prices hit the ground tomorrow and we start building and blowing ships for the insurance ISK, we are exploiting?

CCP Sreegs:   "As I said I won't deal in hypotheticals. That could certainly be the case but it could also not be. Are you printing money from nowhere? Is that printing being done in a tremendous volume? If either or both of those is yes then I think it's pretty fair to say we'd be pretty displeased."

Q:  Insurance fraud was anything but hypothetical. Those exact circumstances happened and were abused on a very large scale. If it's an exploit, why no rollback?

CCP Sreegs:  "I'm discussing this exploit not any one of a number of hypothetical past or future exploits. (or non-exploits)"

Q:  The issue is the thing you've said directly applies to insurance fraud. Insurance fraud was directly a case where you blew something up and got more than the value of that item back - in isk not an alternative currency like LP.

CCP Sreegs:  "I don't disagree at all I'm just tired and really not prepared to compare one to the other. I'm still heads down in fixing this one."

Q:  Along those same lines, what about people who didn't actively manipulate the value of items, but benefited from these manipulations?

CCP Sreegs:  "As stated in the blog only the five people who actively did this repeatedly were touched."

Q:  The market creates these disparities on its own sometimes without player help. At least active help. Is it ok to use it then? Is it ok to use it as a matter converter? Essentially this system can function like reprocessing for any item in EVE. It has dramatic implications for EVE going forward.

CCP Sreegs:  "I think it certainly has an impact on EVE as you stated, but that impact is something new. To make a statement of USING THE MARKET TO GAIN MONEY IS OVER EVE IS DYING, is a bit silly. (Not you specifically but others in this thread) This isn't a legacy problem and has no impact on how you deal with existing systems. It only impacts your interaction with FW.

"What we need to do is take a good long hard look at how to deal with items that have disparate values in what are essentially two currencies. I'm pretty sure that is the pivot point in this scenario and from that perspective I'm just Winston Wolf. I don't design these systems.

"As it stands today our stance is that buying something and purposely blowing it up to generate value in another currency is exploiting. It was clearly not our intent in creating the system for that to occur. The system was meant to encourage PVP not wanton suicidal destruction to print money.

"I guess it would somewhat logically be the same to use an example as going to the lamp shop in America, buying a lamp and smashing it, and having the Chinese manufacturer send more money than you paid for it to your account over and over and over again. It's a bit of a stretch in my opinion at least to think this would ever be acceptable.

"There's certainly a design flaw here that needs to be worked out but we have never intentionally introduced a system in EVE where buying an item and killing yourself should be a legitimate way to manufacture income. Least of all on a massive scale."

Q:  How much PLEX will the individual who reported the exploit receive?

CCP Sreegs:  "PLEX reward scales with the severity of the exploitable condition so it'll be more than one."

Q:   Is the column in the database tasked with storing a player's LP a signed 32-bit integer? I was legitimately worried that if we breached 2.1 billion LP, it would wrap around to a negative value.

CCP Sreegs:   "I'll ask internally but I'm not sure I'd tell you either way. To my knowledge we don't really give out that level of detail about our DB structure."
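
The two indicators CCP Sreegs names earlier in the thread (top LP gains by player, and LP by faction) can be checked with a robust outlier test. The sketch below is an added example, not CCP's tooling or code from the original post; the record layout, pilot names, LP figures and threshold are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: (pilot, faction, lp_gained) rows for one reporting window.
# Every name and number here is invented for illustration.
LP_EVENTS = [
    ("pilot_a", "Amarr", 40_000),
    ("pilot_a", "Amarr", 20_000),
    ("pilot_b", "Amarr", 60_000),
    ("pilot_c", "Caldari", 55_000),
    ("pilot_d", "Caldari", 55_000),
    ("pilot_e", "Gallente", 70_000),
    ("pilot_f", "Gallente", 60_000),
    ("pilot_g", "Minmatar", 50_000),
    ("pilot_h", "Minmatar", 2_400_000),
    ("pilot_h", "Minmatar", 2_550_000),
]

def lp_totals(events):
    """Sum LP gained per pilot and per faction."""
    by_pilot, by_faction = defaultdict(int), defaultdict(int)
    for pilot, faction, lp in events:
        by_pilot[pilot] += lp
        by_faction[faction] += lp
    return dict(by_pilot), dict(by_faction)

def spikes(totals, threshold=5.0):
    """Return keys whose total sits more than `threshold` MADs above the median.

    Median and MAD are used instead of mean and standard deviation because a
    single huge value would otherwise inflate the baseline it is compared to.
    """
    values = list(totals.values())
    med = median(values)
    # MAD is 0 when most totals are identical; fall back to 1 LP to avoid
    # dividing by zero.
    mad = median(abs(v - med) for v in values) or 1
    return sorted(k for k, v in totals.items() if (v - med) / mad > threshold)

def flag_lp_spikes(events, threshold=5.0):
    """Apply the same test to both views: per pilot and per faction."""
    by_pilot, by_faction = lp_totals(events)
    return {"pilots": spikes(by_pilot, threshold),
            "factions": spikes(by_faction, threshold)}

if __name__ == "__main__":
    print(flag_lp_spikes(LP_EVENTS))
```

With only four factions the per-faction view is coarse, so it works best as a tripwire that prompts a look at the per-pilot view.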


  1. Yeah, and I'm also worried about rolling over the 64-bit counter for ISK....

    Because one day I might have 18,446,744,073,709,551,616 ISK, right?