Upcoming CLOAD SNS decentralization Sale

Hello @cload! Glad you decided to try participating in the SNS! Don’t take attacks from 0.75h/week to heart - I believe you expect and deserve adequate feedback.


Superficial analysis of cload.one project

1. Team History (Brief)

  • In the IC ecosystem since 2023
  • Dfinity Grant: $25,000
  • cload.one Public Launch: November 6, 2023
  • CANISTER-20 (ICC) Launch: Experimental inscriptions
  • Funded: Raised 6040 ICP (Fundraising Page)
    • Stats on Funded (01/22/2024): 1,192 users, 997 MiB data
    • Current Stats: 1,535 users, 16.3 GiB data

Key Questions:

  • Were promises fulfilled regarding 100T/10T Cycles for Funded investors?
  • What was the platform’s profit over 2 years for the 5% revenue dividend?
  • Is the 50M token distribution for Early Supporters for Funded investors? Or does the list include other early backers?

2. Authentication System: Critical Vulnerabilities

2.1 Wallet Functionality

Wallet     | Status        | Issue Details
-----------|---------------|---------------------------------------------------------------------------------------------
OISY       | ❌ Failure    | Multiple auth errors, profile fails to initialize (no Name/User ID/Principal assigned)
Bitfinity  | ❌ Failure    | Redirects to https://wallet.infinityswap.one/ (404 Not Found) with extension installed
Stoic      | ⚠️ Poor UX    | Every action (even navigation) requires Stoic confirmation
AstroX ME  | ⚠️ Poor UX    | Manual confirmation required for each canister (>30 manual confirmations, process incomplete)
NFID       | ⚠️ Functional | After logout/disconnect: background requests trigger NFID re-login
Plug       | ✅ Functional |
II         | ✅ Functional |
Metamask   | ✅ Functional | Via MSQ

2.2 Backend Vulnerability: Profile Cloning

Exploitation Steps:

  1. Fetch all principals via getUserListPrincipal()
  2. Collect user data via getUserInfo(principal)
  3. Select target (e.g., hypothetical popular creator “John”)
  4. Clone profile:
    createUser(
      principal=attacker_principal,
      name="John",
      sha256id=target_user['sha256id']  # Copy known creator's ID
    )
    
  5. Publish phishing project with low price/exaggerated promises

Architectural Flaws:

  1. No uniqueness in users.name
  2. createUser() accepts arbitrary sha256id (no uniqueness)
  3. Visiting fake “John’s” profile redirects to real popular “John” (/#/userProfile?ID={sha256id})

Impact: Phishing, content impersonation of any author, reputational damage to platform/creator.


3. File Storage: Architectural Issues

3.1 Opaque Bytescale Dependency

  • Hosting: All media (JPG/PNG/GIF) uploaded to https://upcdn.io/ (Bytescale, WEB2 API storage).
  • Questions:
    • Who pays for the service? What’s the pricing plan?
    • What happens if limits are exceeded?
  • Vulnerabilities:
    • No file content/size checks. Easy frontend upload of arbitrary files. Proof: 250MB .txt file.

3.2 CryptoDisk Upload Process: Common WEB3 Storage Issue

Technical Flow:

  1. User pays upfront (e.g., $25 for 5GB)
  2. Client splits file into 2MB chunks
  3. Chunks uploaded via canister calls
  4. Post-upload verification

Failure Scenario:

  • Partial network failure during upload → funds deducted but file unrecoverable (Status: Error)
  • No resume mechanism

Observed During Testing:

  • Source file size inflation (parallel uploads/network issues)
  • Frontend bugs (e.g., broken validation for >10 files)

4. Payment System

4.1 Invalid Wallet Address Format

Provided address:
yffxi-vqaaa-aaaak-qcrnq-cai-4cb2pwa.1dfeeddd8bf79e51b6c78d9d57c6392d42c24ab2c5b68e36fd7b1344c402

Breakdown:

  • yffxi-vqaaa-aaaak-qcrnq-cai: Canister ID
  • 4cb2pwa: Unknown prefix (user ID?)
  • 1dfeed...c402: ?Subaccount?

Deposit Attempts Failed:

  1. Transfer to user Principal → Not reflected in UI
  2. Transfer to provided address → Invalid Wallet address format

4.2 Role System

Discovered Admin Users:

{"name": "Cloaddddd"}, {"name": "James"}, {"name": "CLOAD"}
  • RedeemCode: Generated by admins
  • Admin role assignable only by existing admins
  • Concern: Undocumented system.

5. Content Publishing: Security Gaps

5.1 Publication Flow

  1. Fill metadata → 2. Create project → 3. Upload files (no scanning) → 4. GoLive! → 5. Auto-post to /#/explore

5.2 Vulnerabilities

  1. No File Scanning
    • Uploaded .bat with joke-malicious content
    • No ClamAV/equivalent integration
  2. Manipulation Mechanisms:
    • Infinite Favorite clicks per project
    • Empty/untrimmed comment spam
    • Follow race conditions
  3. Multiple Frontend Visual Bugs
  4. Zero Moderation:
    • Instant publishing
    • No report/flag system

Conclusion

Current State: Project contains critical security vulnerabilities, fundamental architectural flaws, and numerous frontend bugs. Not recommended for production use.

Recommendations:

  1. Fix core functionality to acceptable quality + security audit
  2. Implement antivirus scanning for uploads
  3. Rigorous testing: user scenarios, load testing
  4. Follow best practices (e.g., idgeek)

Personal Note: Prioritize perfecting the storage/upload system - WEB3 storage must be flawless since users pay upfront. Develop a clear business model to avoid becoming a “zombie SNS project”.

Personal Note 2, for TAGGR enthusiasts:

Vote ongoing to remove Post Reporting. Recently added custom domains & federated login.

In the next episode: TAGGR DAO considering gradual governance migration on ETH.

5 Likes
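Added illustration for section 2.2 of the post above; this is example code written for this discussion, not cload.one's own backend. It models the registry the post describes (createUser() stores a caller-supplied name and sha256id with no uniqueness) next to a hardened registry that derives the id from the caller's principal server-side, allows one profile per principal and rejects duplicate names. All class and function names and the principal strings are assumptions made for the demo.

```python
"""Profile-cloning flaw (section 2.2) and a hardened registry, as an added
example. LegacyRegistry mirrors the behaviour described in the post;
UserRegistry is the assumed fix. Principals below are constructed strings."""
import hashlib


class ProfileError(Exception):
    pass


class LegacyRegistry:
    """As described in the post: createUser stores whatever the caller sends."""

    def __init__(self):
        self.users = []  # nothing here is unique

    def createUser(self, principal, name, sha256id):
        self.users.append({"principal": principal, "name": name, "sha256id": sha256id})

    def user_by_id(self, sha256id):
        # First match wins, so a cloned id resolves to the original creator,
        # which is exactly the redirect the post observed.
        return next((u for u in self.users if u["sha256id"] == sha256id), None)


class UserRegistry:
    """Assumed hardened model: one profile per principal, server-derived id,
    names unique after whitespace/case normalisation."""

    def __init__(self):
        self.by_principal = {}   # principal -> profile
        self.by_sha256id = {}    # sha256id -> principal
        self.taken_names = set()  # normalised names

    @staticmethod
    def derive_id(principal):
        # Never accepted from the client; purely a function of the caller.
        return hashlib.sha256(principal.encode("utf-8")).hexdigest()

    @staticmethod
    def normalise(name):
        # Collapse whitespace and case so "John" and " john " collide.
        return " ".join(name.split()).casefold()

    def create_user(self, caller, name):
        if caller in self.by_principal:
            raise ProfileError("this principal already has a profile")
        key = self.normalise(name)
        if not key:
            raise ProfileError("name must not be empty")
        if key in self.taken_names:
            raise ProfileError("name already taken")
        profile = {"principal": caller, "name": name.strip(),
                   "sha256id": self.derive_id(caller)}
        self.by_principal[caller] = profile
        self.by_sha256id[profile["sha256id"]] = caller
        self.taken_names.add(key)
        return profile

    def user_by_id(self, sha256id):
        principal = self.by_sha256id.get(sha256id)
        return None if principal is None else self.by_principal[principal]


if __name__ == "__main__":
    # Constructed scenario: a creator registers, then a second principal tries
    # to register under the same name / id.
    legacy = LegacyRegistry()
    legacy.createUser("creator-principal-demo", "John", "id-of-john")
    legacy.createUser("other-principal-demo", "John", "id-of-john")
    print("legacy lookup resolves to:", legacy.user_by_id("id-of-john")["principal"])

    hardened = UserRegistry()
    john = hardened.create_user("creator-principal-demo", "John")
    try:
        hardened.create_user("other-principal-demo", " john ")
    except ProfileError as e:
        print("hardened registry rejected clone:", e)
    print("id is derived, not chosen:", john["sha256id"][:16], "...")
```

The lookup-by-sha256id path is the one that matters: once the id is a function of the principal and a principal can register only once, no second profile can ever resolve to a creator's page.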
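Added illustration for section 3.1 (no file content/size checks on media uploads); example code for this discussion, not cload.one's or Bytescale's. It shows the server-side checks a frontend-only uploader cannot be trusted with: the upload is consumed as a stream, the content type is sniffed from the JPEG/PNG/GIF magic bytes rather than the declared type, and reading stops at the first chunk that proves the file is wrong, so a large text file is rejected without being read through. The size limit and function names are assumptions.

```python
"""Streaming media-upload validation, as an added example (section 3.1).
Limits and names are assumptions; the signatures are the standard
JPEG, PNG and GIF magic bytes."""

MAX_IMAGE_BYTES = 8 * 1024 * 1024  # assumed platform limit for images

IMAGE_SIGNATURES = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
SNIFF_LEN = 8  # length of the longest signature above


def sniff_image_type(head):
    """Return the MIME type whose signature the leading bytes match, else None."""
    for mime, sigs in IMAGE_SIGNATURES.items():
        if any(head.startswith(s) for s in sigs):
            return mime
    return None


def validate_image_upload(chunks, declared_mime, max_bytes=MAX_IMAGE_BYTES):
    """Consume an iterable of byte chunks the way a streaming upload arrives.

    Returns (ok, reason_or_type, bytes_consumed). Stops as soon as the
    upload is known to be bad, so the 250 MB .txt from the post is rejected
    after its first chunk instead of after being stored.
    """
    head = b""
    total = 0
    sniffed = None
    for chunk in chunks:
        total += len(chunk)
        if total > max_bytes:
            return False, f"exceeds {max_bytes} bytes", total
        if sniffed is None:
            head += chunk
            if len(head) >= SNIFF_LEN:
                sniffed = sniff_image_type(head)
                if sniffed is None:
                    return False, "not a JPEG/PNG/GIF", total
                if sniffed != declared_mime:
                    return False, f"declared {declared_mime} but content is {sniffed}", total
    if sniffed is None:
        return False, "too short to be an image", total
    return True, sniffed, total


if __name__ == "__main__":
    # Constructed inputs: a minimal PNG header with padding, and a text file
    # delivered as 1 KiB chunks (only the first is ever read).
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 100
    print(validate_image_upload([png[:10], png[10:]], "image/png"))
    print(validate_image_upload([b"A" * 1024] * 1000, "image/jpeg"))
```

Magic-byte sniffing only establishes the container type; a full decode (or an image library re-encode) is still the way to make sure the bytes are a well-formed image before they are served to other users.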
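Added illustration for section 3.2 (CryptoDisk upload: funds deducted, no resume); example code for this discussion, not cload.one's own canister. It models the flow the post describes (pay up front, 2 MiB chunks, post-upload verification) with two changes: the payment is reserved when the session opens and only becomes a charge when the assembled file verifies against the hash the client declared, and the client can ask which chunk indices are missing and send only those, so a partial network failure leaves a resumable session instead of an unrecoverable "Error" status. Class and method names, the ledger and the principal string are assumptions; the 2 MiB chunk size comes from the post.

```python
"""Resumable chunked upload with pay-on-commit, as an added example
(section 3.2). Names are assumptions; the balances dict stands in for the
ledger and is constructed for the demo."""
import hashlib

DEFAULT_CHUNK = 2 * 1024 * 1024  # 2 MiB chunks, as in the post


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class UploadError(Exception):
    pass


class StorageCanister:
    def __init__(self, chunk_size=DEFAULT_CHUNK):
        self.chunk_size = chunk_size
        self.balances = {}   # owner -> spendable balance (constructed ledger)
        self.sessions = {}   # session id -> session state
        self.files = {}      # file id -> bytes
        self._next = 0

    def deposit(self, owner, amount):
        self.balances[owner] = self.balances.get(owner, 0) + amount

    def begin_upload(self, owner, total_size, file_sha256, price):
        """Open a session. The price is reserved, not charged."""
        if self.balances.get(owner, 0) < price:
            raise UploadError("insufficient balance")
        self.balances[owner] -= price
        sid, self._next = self._next, self._next + 1
        n = (total_size + self.chunk_size - 1) // self.chunk_size
        self.sessions[sid] = {"owner": owner, "size": total_size, "sha256": file_sha256,
                              "reserved": price, "chunks": {}, "n": n, "status": "open"}
        return sid

    def missing_chunks(self, sid):
        """What the client asks after a network failure, to resume."""
        s = self._open(sid)
        return [i for i in range(s["n"]) if i not in s["chunks"]]

    def put_chunk(self, sid, index, data):
        s = self._open(sid)
        if not 0 <= index < s["n"]:
            raise UploadError("chunk index out of range")
        last = index == s["n"] - 1
        expected = s["size"] - index * self.chunk_size if last else self.chunk_size
        if len(data) != expected:
            raise UploadError(f"chunk {index} must be {expected} bytes")
        # Idempotent: a retried chunk is fine, a different one is not.
        if index in s["chunks"] and s["chunks"][index] != data:
            raise UploadError(f"chunk {index} already stored with different content")
        s["chunks"][index] = data

    def commit(self, sid):
        """Verify the assembled file; only then does the reservation become a charge."""
        s = self._open(sid)
        missing = self.missing_chunks(sid)
        if missing:
            raise UploadError(f"missing chunks: {missing}")
        blob = b"".join(s["chunks"][i] for i in range(s["n"]))
        if sha256_hex(blob) != s["sha256"]:
            self._refund(s)
            s["status"] = "failed"
            raise UploadError("hash mismatch; reservation refunded")
        fid = f"file-{sid}"
        self.files[fid] = blob
        s["status"] = "done"  # reserved amount is now the final charge
        return fid

    def abandon(self, sid):
        s = self._open(sid)
        self._refund(s)
        s["status"] = "aborted"

    def _open(self, sid):
        s = self.sessions.get(sid)
        if s is None or s["status"] != "open":
            raise UploadError("no open session")
        return s

    def _refund(self, s):
        self.balances[s["owner"]] += s["reserved"]
        s["reserved"] = 0


if __name__ == "__main__":
    # Constructed run with a 4-byte chunk size so the demo stays small.
    c = StorageCanister(chunk_size=4)
    c.deposit("alice-principal-demo", 25)
    data = b"hello world!x"
    sid = c.begin_upload("alice-principal-demo", len(data), sha256_hex(data), 25)
    c.put_chunk(sid, 0, data[0:4])
    c.put_chunk(sid, 2, data[8:12])          # chunks 1 and 3 lost "in transit"
    print("missing after failure:", c.missing_chunks(sid))
    for i in c.missing_chunks(sid):
        c.put_chunk(sid, i, data[i * 4:(i + 1) * 4])
    print("stored as", c.commit(sid), "balance", c.balances["alice-principal-demo"])
```

Because every chunk has a fixed position and size, the server never needs to trust the client's ordering, and the whole-file hash declared up front is what decides whether the user is charged.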