EssentialsX

Feature to prevent a money dupe

Ibesh opened this issue · 5 comments

commented

Information

Full output of /ess version:
image

Server log: https://gist.github.com/Ibesh/670ac0882bca605c0d97da1b941345aa
The latest log itself was too big to upload, so I put the important part instead.

EssentialsX config: https://gist.github.com/Ibesh/d724ac2bc7c27ac5b4db552c9063be04

Details

I have just been informed of a money exploit concerning ChestShop. I'll try to describe it in as much detail as possible.

Step 1 - Required Plugins:

  • EssentialsX
  • Vault
  • ChestShop

Step 2 - Step-by-step dupe reconstruction:

  1. You need 2 accounts, let's call these accounts Alex and Steve.

  2. You need Alex to make a ChestShop: E.g.
    image

  3. Place Stone in the ChestShop and make sure Steve has a balance of exactly $0.

  4. Now Alex needs to pay Steve: 99999.999999999999 so "/pay Steve 99999.999999999999"

  5. Now the system thinks Steve has $100k to buy a Stone. But Steve does not have that.

  6. When Steve buys the stone, $100k gets sent to Alex. But since Alex does not have $100k, no money gets withdrawn. Now Steve can infinitely sell Stone without spending a single dollar. This makes Alex a billionaire in no time.

I hope this was clear enough :)

Video: https://youtu.be/3eqmwjxnjHc

Note: I have already messaged the owner of ChestShop, but he said it was on EssentialsX's side to fix it.

commented

Response of the ChestShop plugin owner:
image

commented

We pushed a fix for this months ago (#2135), and ChestShop updated at the same time to properly respect Vault responses.

Please fill out the template properly. Start up your server then as soon as you reach "Done", post the entire latest.log file.

commented

@Ibesh The version of EssentialsX you are using is severely out of date. Try updating first, and see if the issue persists.

commented

I am unable to reproduce this bug following your steps and using the latest versions of EssentialsX and ChestShop.

[01:29:14 INFO]: Server version: 1.12.2-R0.1-SNAPSHOT git-Paper-1594 (MC: 1.12.2)
[01:29:14 INFO]: EssentialsX version: 2.17.1.13
[01:29:14 INFO]: LuckPerms version: 4.4.1
[01:29:14 INFO]: Vault version: 1.7.2-b107
[01:29:14 INFO]: ChestShop version: 3.9.3-1.12 (build 14)

Like @pop4959 said above, please update your EssentialsX version and see if the issue persists, as this bug has very likely already been fixed.

commented

Yes it was fixed :) I am sorry for the late response! I totally forgot.