📯 Clovers Network Updates 📯

Billy Rennekamp
9 min readOct 5, 2019

TLDR: Lots of big updates since launch including a grant from POA, 43% gas reduction in the latest network upgrade and a post-mortem on three Clovers Network hacks 🧟

It’s been just over 6 weeks since Clovers Network launched on Ethereum Homestead during Berlin Blockchain week. In that time there have been a number of developments including 🚨 hacks 🔥 token burns thousands of Clovers registered 🍀 and thousands of dollars spent on Gas ⛽️

Here’s what’s happened by the numbers:

  • 💰 +1 New Grant (more below)
  • 🛠️ +1 Hackathon (more below)
  • 🚧 +2 Network Upgrades (first, second)
  • 🔥 +2 Token Burns (link)
  • 🐢 +2 Artworks Exhibited (more below)
  • ✨ +3 New Features (Search, Leaderboard & Gas)
  • 🚨 +3 Hacks (more below)
  • 🎙️ +4 Podcasts (1, 2, 3, 4)
  • 📉 -0.0005 Eth (~$0.08) CloverCoin price stability (link)
  • 💬 +91 members on Telegram (link)
  • 🎮 +128 members on Discord (link)
  • 🐦 +377 followers on Twitter (link)
  • 🌎 +433 Clovers holders (link)
  • 🍀+25,316 registered Clovers (link)

💰 +1 New Grant

Since the very first prototype, it was clear that Clovers Network would struggle with gas costs. An early version used ~9MM gas for on-chain verification (too large for a single block on Homestead). That’s why experiments and techniques for reducing gas costs have been a central interest to the project. Much of the progress on gas reduction has been published in order to help other projects struggling in similar ways. Stuff like custom serialization of data (link) and clever utilization of oracles (link) were early solutions. When Clovers launched we used a verifiers game similar to TruBit Protocol. Our new network upgrade utilizes trusted third-party signatures to further reduce the gas required by users to register new Clovers (more on that later). However, all of these techniques need users to already own Ether. If you’ve ever tried to on-board a “no-coiner” to a crypto project you’ll know this is a non-starter.

Methods for allowing users with no Ether at all to play Clovers has been high on our priority list for a long time. It’s a big task and we decided to focus our launch on users who already have a basic understanding of wallets in order to keep moving. Now with the support of a grant from POA Network I’m excited to announce a process for zero-ether play on Clovers Network! We’ll utilize meta-transactions and the new Arbitrary Message Bridge to reduce gas costs to zero 🥚 Keep an eye out for updates on that front and a full write up of exactly how we’ll utilize POA while remaining an Ethereum application.

🛠️ +1 Hackathon

Clovers Network participated in the EthBerlin Hackathon by running the Crypto-Economic Lab along with Austin Thomas Griffith and LeapDAO. We brought in an old Chromebook to on-board new users and a 3D printer to make copper filament coins for Clovers holders. We also continued to give out individual Clovers stickers with redeemable QR codes.

Here are some highlights:

⛽ ️Clovers Gas Station

Somehow I also found time to do a hack! The first version of Clovers used a verifiers game and trusted third-party oracle to finalize the claiming process which meant each claim actually used two transactions. The second transaction was paid by the user who made the first but had to use a static gas price. Since the network is anything but static, users were often over-paying for this second transaction when the price should have been lower. The problem is that there’s no on-chain gas price oracle that could allow the user to pay the correct amount.

The problem with on-chain gas prices, is that they need to be constantly updated and that becomes very expensive very quickly. Since Clovers Network had over 20,000 transactions in the first 5 days we decided to become our own on-chain gas oracle. That meant the price of safe-slow, average and fast gas prices as reported by ethgasstation.info would be included with each transaction and therefor updated on-chain an average of every 20 seconds! I pushed a shoddy version of the code for the hackathon but came back and did an official network upgrade afterwards. The hack is outlined here: https://devpost.com/software/clovers-gas-station

🚧 +2 Network Upgrades

The Clovers Network Gas Station was the first Network Upgrade that allowed users gas costs to accurately fluctuate with the network’s gas price. However the last few weeks have been plagued with consistently high gas prices due to an unsafe ponzi scheme called FairWin. Luckily thanks to Philippe Castonguay and others the project was exposed and gas costs have died down again (link). Subsequently, thanks to suggestions from Martin Köppelmann and other community members, a new method for verifying Clovers cheaply has been developed. This new method has reduced gas costs by 43 percent!!! Previously to register a Clover, it cost between 651,172 and 707,728 gas (~$1.12 and ~$1.22 respectively @10 Gwei). With the new updates it costs between 375,925 and 402,870 gas (~$0.65 and ~$0.69 @10 Gwei).

Where previously a confirmation transaction was needed to finalize a Clover’s registration process this new technique only needs a signature from the trusted third-party. This signature is submitted with the original Clover claim and if proven to be valid, then the Clover is minted.

This new process does compromise decentralization in favor of cost and speed. However, Clovers Network continues to provide a fully on-chain method for registering Clovers that alternatively sacrifices cost (1.6MM gas) in favor of decentralization and speed. This secondary user-flow has been further enhanced with a three step commit reveal process that prevents front-running and griefing. For more details about the contract updates in this network upgrade, check out the repository here . I’d also like to give a shout-out and thank you to user nightman for reading over the contracts and suggesting improvements 🙏

This network upgrade was performed from Osaka, days before Devcon5. If you’re going to be in town for the event stop by my talk on preventing front-running with batched bonding curves on Thursday, October 10th.

🐢 +2 Artworks Exhibited

At the same time that the EthBerlin Hackathon was running there was an art exhibition in the culture room organized by Maria Paula Fernández and Stina Gustafsson. Clovers Network grew out of my studio practice that continues today. Most recently works have taken the shape of turtle shells with Clover patterns subtracted from the sculptures. Here are the two pieces that were exhibited:

These two shells were 3D printed using terracotta and bronze filament (respectively). Since the exhibition, a gold-plated shell has also been commissioned. If you are interested in having one of your Clovers produced in this format or another please get in touch and we can discuss some options. If you’re interested in reading the artist statement take a look here.

🚨 +3 Hacks

Now for the juicy stuff 🍑. Technically there have been 3 different hacks on Clovers Network since launch, thankfully none of them put any players funds at risk and were all quickly neutralized. Here’s a rundown of what happened:

Hack #1

Clovers launched at midnight on August 20th. The contracts had been deployed but paused and the site was ready but only available on a test domain. When it was time, the contracts were enabled and the main domain was pointed towards the live site. Clovers started pouring in but something was off… none of the Clovers were getting finalized.

Days earlier, completely sleep deprived and falling asleep at three in the morning I thought to myself: “Don’t forget to update the oracle on Mainnet before launch”. Of course I forgot and at launch I realized the oracle had no Ether to finalize Clovers. I should have also remembered that the testnet oracle should NOT have been used on mainnet. As a testnet account I played fast and loose with the private keys and had included them in a commit many months prior. Of course that not’s a huge deal since testnet ether doesn’t have any value (or does it?).

You may have guessed what happened next, but this perfect storm of sleep deprivation, pressure to launch and bad op-sec resulted in me feverishly sending 1 Eth to the oracle to get things rolling. This Eth was immediately swiped from my account using an astronomical gas price. After freaking out about the fact that within 10 minutes of launch I’d lost $200 to a hacker I jumped into action replacing the oracle, funding the new account and then manually confirming all the Clovers that were still pending from the initial rush.

Hack #2

This hack was discovered by Jan Kremser, someone hacking on Clovers Network during EthBerlin. He was getting excited about making a more efficient miner and asked about mirrored Clovers. Since Clovers are generated with valid moves in the board game Othello, and since Othello has four possible staring positions, each Clover can be generated with four mirrored sets of moves. In order to prevent someone registering a single Clover four times they’re all limited to the starting position of C4.

The C4 limitation is enforced in the on-chain verification process but Jan noticed that it was not being enforced in the off-chain verification process. This meant that users who were generating Clovers manually and submitting them directly to the oracle were able to register invalid Clovers. The patch was quick to make once this vulnerability was discovered but a number of invalid Clovers had already made it through .

Luckily the only user exploiting this (Alxocity.eth) wasn’t doing so to cash in more rewards. Instead they were registering and paying to keep all the mirror versions just in order to own them. Since the results were harmless (actually good for the Clover economy) the user was allowed to keep the “illegal” Clovers. You can see some of them in the album called Invert ⇄ ⇅ and below.

Hack #3

The third and final hack was also perpetrated by Alcocity.eth and similarly took advantage of a flaw in the off-chain verification process. The javascript library (clovers-reversi) contained a bug that mistook an invalid move for a player passing their turn. This allowed any number of invalid moves to be forced through the verification process and resulted in a number of bizarre looking and completely invalid Clovers. Similarly, this exploit was not used for monetary gain, but only to buy and own these strange looking Clovers. For that reason they too were allowed to remain on the network. A bundle of them are even for sale on OpenSea.

📅 Upcoming

That’s all of the updates for now. As mentioned earlier I’ll be at devcon5 this year giving a talk on October 10th about Batched Bonding Curves, so stop by if you’re around. I’ll also be carrying around a few Clovers QR stickers so hit me up if you want one. In the coming months we’ll be working on the 🌉 POA bridge and new features like bounty hunting 🎯 and a curation market for albums 📚. If that sounds interesting to you and you’d like to get involved with Clovers Network 📢 let me know or take a look at the Contributor’s Guidelines on our Github.

Otherwise find us on:

And sign up for our 💌 newsletter to make sure you don’t miss anything.

--

--

No responses yet