Under Attack - Development Log #530

In this week's devlog Michi reports on a technical attack on the commodity exchanges.


Michi (molp)

What a week! While investigating a potential multi-account issue with over 10 alt-accounts on Monday afternoon, I noticed that one of the alt accounts had managed to accumulate copious amounts of slower-than-light fuel in one of their ships' tanks. Since this should not be possible and I had confirmed the multi-account, I deleted all of these accounts. I then went on to find the root cause. After staring at the code for a while, I realized that it was possible to create almost infinite amounts of SF fuel using the mechanism that allows transferring multiple materials. I quickly patched the issue and called it a day, since it was already getting late.

Shortly after I left the office I got pinged on Discord about suspicious activity on the Antares SF market. A player was buying and selling enormous amounts of fuel. I suspected that this was another alt-account which created the SF fuel before I patched the issue, but the respective company was just a few minutes old, so there was no way they could have obtained that amount of fuel. So, back to the office, I quickly deleted the account to prevent further abuse. I also started looking into other potential exploits, but wasn't able to find anything.

On Tuesday I didn't have too much time, due to some private appointments. That didn't stop the attacker though and I deleted another account. In the evening I sat down again to find the second exploit. Unfortunately I wasn't able to find it in time. In the early morning hours, while I was not yet in the office, another attack occurred. The attacker not only attacked the SF market, but also used the money to empty other commodity exchange books as well. After deleting that account I kept a close eye on company creations to prevent further damage, while I went through the event stream in the database of the previous attack trying to figure out the exact attack vector. After a while I struck gold and managed to replicate the attack. I won't go into the technical details, but it involved ship flights, which is why it took me a while to find and also why new companies without any PRO status, contracts, LM ads or anything like that were able to use the exploit.

After patching the second exploit we haven't had a similar attack since.

So what is the damage? The biggest outcome is that the SF market maker created roughly 10 billion AIC during the attacks.

[Image: market maker balances]

Not all of that has been added to the economy though: since we deleted the accounts, their funds left the game with them. The increase in money supply is visible, but not as dramatic as we anticipated:

[Image: money supply]

As always, we'd love to hear what you think: join us on Discord or the forums!

Happy trading!