Forgot your password?
typodupeerror
The Almighty Buck Games

Integer Overflow Bug Leads To Diablo III Gold Duping 160

Posted by Soulskill
from the many-foreheads-were-slapped dept.
Nerval's Lobster writes "Online economies come with their own issues. Case in point is the Auction House for Diablo III, a massively multiplayer game in which players can pay for items in either in-game gold or real-world dollars. Thanks to a bug in the game's latest patch, players could generate massive amounts of virtual gold with little effort, which threatened to throw the in-game economy seriously out of whack. Diablo series publisher Blizzard took corrective steps, but the bug has already attracted a fair share of buzz on gaming and tech-news forums. 'We're still in the process of auditing Auction House and gold trade transactions,' read Blizzard's note on the Battle.net forums. 'We realize this is an inconvenience for many of our players, and we sincerely apologize for the interruption of the service. We hope to have everything back up as soon as possible.' Blizzard was unable to offer an ETA for when the Auction House would come back. 'We'll continue to provide updates in this thread as they become available.' Diablo's gold issue brings up (however tangentially) some broader issues with virtual currencies, namely the bugs and workarounds that can throw an entire micro-economy out of whack. But then again, 'real world' markets have their own software-related problems: witness Wall Street's periodic 'flash crashes' (caused, many believe, by the rise of ultra-high-speed computer trading)." It seems likely the gold duping was due to a simple integer overflow bug. A late change added to the patch allowed users to sell gold on the Real Money Auction House in stacks of 10 million rather than stacks of 1 million. On the RMAH, there exists both a cap ($250) and a floor ($0.25) for the value of auctions. With stacks of 1 million and a floor of $0.25, a seller could only enter 1 billion gold (1,000 stacks) while staying under the $250 cap. When the gold stack size increased, the value of gold dropped significantly. At $0.39 per 10 million, a user could enter values of up to 6.4 billion gold at a time. Unfortunately, the RMAH wasn't designed to handle gold numbers above 2^31, or 2,147,483,648 gold. Creating the auction wouldn't remove enough gold, but canceling it would return the full amount.
This discussion has been archived. No new comments can be posted.

Integer Overflow Bug Leads To Diablo III Gold Duping

Comments Filter:
  • Limit checking (Score:5, Insightful)

    by girlintraining (1395911) on Wednesday May 08, 2013 @06:05PM (#43669547)

    And this class, is why we use explicit type casting and do sanity checks (checking limits) prior to processing. Now, if you'll look on your screens, you'll see another example of this. Here is a failed mission to Mars, caused because the wrong unit of measurement was put into the computer, a problem caused by the lack of the human brain's compiler to make use of any data type except 'variant' and 'object'... So, what have we learned?

  • Re:Limit checking (Score:2, Insightful)

    by solidraven (1633185) on Wednesday May 08, 2013 @06:25PM (#43669781)
    Yep, Ada and the closely related VHDL are both a success story for a very good reason. Yet a lot of people seem to hate both due to how strictly they enforce their rules. But Ada always wins when reliability is a must.
  • by Anonymous Coward on Wednesday May 08, 2013 @06:34PM (#43669899)

    It's simple really...

    They elected to buy 2 newbie programmers for the price of 1 experienced one! And the new guys will work all night! It's win-win!

  • Confused (Score:4, Insightful)

    by Murdoch5 (1563847) on Wednesday May 08, 2013 @07:03PM (#43670163)
    Why are they using a signed int for the gold amount? If the lowest gold amount is 0 then you should use an unsigned int which would double the possible value. Although in either case a simple if statement could of prevented this entire issue.
  • by fuzzyfuzzyfungus (1223518) on Wednesday May 08, 2013 @07:04PM (#43670175) Journal

    And several arrests - this is computer hacking of exploiting a known bug to your advantage.

    It will actually be interesting to see. Historically, people who come up with glitch exploits, even in multiplayer and MMORPG contexts, just get banned for some ToS reason. Blizzard's precious little 'Auction House', of course, might change that. However, I suspect that Blizzard really doesn't want to push the idea that 'in-game items are legally real value' too seriously, both because that could complicate things if players end up 'owning' them, rather than the current "Everything in this game is just intellectual property of blizzard...yadda yadda, licensed not sold,etc.", and because it would be a real blow, to the US customer base, if it were decided that Blizzard was running something closer to a very complex flavor of video poker, rather than a mere video game that you can buy some DLC for.

    Obviously Blizzard won't be happy, and the banhammer will see some use; but they might want to tread lightly.

  • Re:Bad PR? (Score:5, Insightful)

    by gl4ss (559668) on Wednesday May 08, 2013 @07:05PM (#43670183) Homepage Journal

    What could Blizzard do? Performing a roll-back would wipe all progress obtained by players for the patch day, which would result in a lot of bad PR. But leaving the economy as-is will devalue all items in the game (and Diablo III is all about getting items).

    In the end, Blizzard has not done a roll-back, but instead banned anyone who duped, and refunded anyone who spent real money. The bug was temporarily fixed by reverting the patch note which caused the entire mess.

    Why would rolling back 1 day of gameplay be such a disastrous event?

    why? because people spent actual money and made actual money?

  • Re:Limit checking (Score:5, Insightful)

    by Austerity Empowers (669817) on Wednesday May 08, 2013 @07:07PM (#43670205)

    So, what have we learned?

    Gamers gonna game, and real money auction houses are a bad idea...

  • Re:Perspective... (Score:2, Insightful)

    by Anonymous Coward on Wednesday May 08, 2013 @07:52PM (#43670605)

    because the wall street would be really out of business if someone managed to dupe shares.

    Sorry. What you call "duping shares" they call "naked short selling", and they are still very much in business.

  • Re:Confused (Score:5, Insightful)

    by c++0xFF (1758032) on Wednesday May 08, 2013 @07:52PM (#43670611)

    Integer underflow. Imagine a situation where a player has 100 gold and a bug in the code subtracts 101 gold for whatever reason. If you use a 32-bit unsigned integer, that player now has 4,294,967,295 gold. A 64-bit unsigned is even worse, of course.

    A simple if statement would catch this as well, right? But think of how often you do addition and subtraction (and everything else) throughout your code! Do you put an if around each one? Can you handle the error situation in each case? How do you ensure that you found every addition and subtraction, including future changes?

    A better solution is to make a Money class with well-defined operations, and throw an exception if you try to exceed the boundaries. Sounds easy ... but it has to be flexible enough to handle all situations (the class has to be used for all intermediate values -- it's no good to resort to an int, where problems might come back) while still being robust. ("I know, I'll use a class!" ... now you have two problems. "I know, I'll use exceptions!" ... now you have three.)

    This is not an easy problem to solve for non-trivial software, which is why bugs like this come up periodically.

  • by The_Revelation (688580) on Wednesday May 08, 2013 @08:40PM (#43670955) Homepage
    ... is that Blizzard have often touted the very reason the game carries an always connected requirement is so that they can ensure the economy works correctly and to limit exploits through 3rd party applications. It seems rather clear, however, that the 1st party application is the only one you need to exploit the system. And, as usual, the question must be asked "does this make the game more fun?".

    As I see it, this has been Blizzard's only metric for success with Diablo 3, not profitability, as we will see later. They claimed that by breaking the existing mould, they were providing a 'more fun' experience. So, the question then becomes, does the AH or RMAH make the game more fun? Interestingly, Blizzard don't appear to be packaging these components with the Playstation 3 edition. Is that because it turns out all of the changes to Diablo 3 were 'not fun', or is it because Playstation 3 users don't deserve 'as much fun', or is playing with a controller rather than a mouse and keyboard 'so much more fun' that their combination with the AH/RMAH turned into a 'fun overload' that had to be dialled back in order not to blow our puny little minds?

    It also asks another important question about the business model. Is always-on net requirements 'more fun', particularly when they don't add anything to play beyond what a direct/lan connection might provide. When you try to enumerate the pros/cons, you see something like:
    Pros: Everyone uses the latest version all the time if they want to play
    Everyone playing has to have a working key

    Cons: Internet Connection must be working to play
    Need a server farm in every retail country so that paying customers can play (well, they don't even now, and charge people in those countries more money per copy so that they can have a game that they don't have local server access play)
    Servers have to be working in order to play
    User account has to be working in order to play
    If we rolled out a dodgy patch, everyone will be broken at once
    We have to know the product life-cycle prior to release in order to cost all of our servers' TCO correctly.
    We have to keep talking to everyone to make sure the game is working to their expectations and forever hear about shortcomings

    Economically, I don't understand how game companies are able to turn a profit on a title with those kinds of restrictions and ongoing costs. As a small example, lets say one of your servers can host 200 users at a time, but the server cost $20k, thats $100 per concurrent user before you turn the thing on. Maybe it can host 2000 users at a time, sure but thats still $10 per concurrent user before you turn it on or pay any support personnel, or for space on the floor. Surely, over the life of your product, you would be operating a negative margin without some sort of subscription service. I have read other places that, while you can't place a cost on piracy, you can place a cost and a metric on product returns. Diablo 3 is one of the few games I've ever returned, it was unusable for the first week, and is still, in most parts of the world (outside the US/EU/ASIA) mostly unplayable. Despite that, the parts of the game that were modified to provide 'more fun' actually provided, for me, a fan of the Diablo franchise, 'a lot less fun'.

    So, to say that another way, by insisting on Always-Connected, Blizzard not only have to pay a bunch of additional ongoing expenses to run (apparently) necessary infrastructure, its also alienating their core user-base which must be very costly to their bottom line. I don't understand how this course of action renders any kind of net commercial advantage.
  • by Eightbitgnosis (1571875) on Wednesday May 08, 2013 @08:58PM (#43671069) Homepage
    Diablo 3 was a bad game that had a garbage economy before this event, and it's still a bad game that has a garbage economy after
  • by Anonymous Coward on Wednesday May 08, 2013 @09:39PM (#43671319)

    You couldn't handle Inferno huh?

  • by Joe_Dragon (2206452) on Thursday May 09, 2013 @09:59AM (#43674317)

    and then when the IRS drops in and says it's income then all kinds of other laws drop in.

  • Re:Limit checking (Score:4, Insightful)

    by Samantha Wright (1324923) on Thursday May 09, 2013 @12:10PM (#43675871) Homepage Journal
    If you have a coding floor, your codebase should generally not have any room for "the work of genius." It should be straight-forward, accessible, and maintainable. Sophisticated optimizations are rarely necessary, except perhaps in kernel mode (scheduling, drivers...) or graphics.

In every non-trivial program there is at least one bug.

Working...