
UBEX ICO: review, audit, security [rate: very bad]


Despite the good business rating and rave reviews, from a technical point of view the UBEX project looks like a technical scam: the development plan is not disclosed and is replaced by filler; the token release is on the verge of foul play; the softcap is a deception; the technical level of the first product (the smart contract) is extremely poor; and the claimed $7 million in collected funds cannot be verified.

UBEX is perhaps the most popular ICO of July 2018. It has gathered a very large number of interested people, and many reviews, videos, laudatory speeches and positive forecasts have been commissioned online. But…


This article presents an audit of the following parts of the ICO campaign at www.ubex.com, conducted by CryptoB2B on July 12, 2018 and commissioned by a private investor:

  • how the Personal Cabinet (the account area used for the token sale) works
  • an audit of the smart contract
  • the technical component of the project's idea (based on a reading of the White Paper).

Preliminary conclusion:

  • a critically erroneous understanding of blockchain on the authors' part
  • serious problems with the smart contract
  • a complete lack of explanation in the WP of how, and what, the authors of the project are going to build
  • despite the high business rating, our technical rating of the UBEX project is 0/10.


Method of receiving money


ETH is received at a single address, 0x2cc1060de78aa44e3e6a86102fac93f1de49adb2, while for BTC, LTC (and possibly other coins) an individually generated wallet is used for each user. This at once creates a whole bundle of potential threats and problems.

  • Receiving money into different wallets means that nobody can check whether the money was actually collected. The smart contract 0x2cc1060d** forwards money only to the beneficiary's wallet etherscan.io/address/0xf8eed1ae306a07d8899de8dabc3783974a680830, and so far 1,400 ETH (about $600K) has been collected there. Yet the site states that more than $7 million has been collected. If the bitcoins had also been collected to a single wallet, this could be checked; as it is, it is impossible to verify. Personally, I do not believe it. By my statistics on ICOs, about 25% of the money comes in ETH, and those statistics hold when the founders do not hide the collected money.
  • Let me answer right away why they make individual wallets for BTC: to make it easier to identify the investor. The key word is easier. But there are schemes where the cryptocurrency is taken to a single address, identification causes no problems, and everyone can see how much has been collected. What is better: to strain the lazy programmers a little and make a single wallet with an open collection, or to make life easier for the programmers? The answer is obvious.
  • If the site is hacked (by an outside hacker, a disloyal programmer, a web-hosting administrator or anyone else who can secretly substitute the algorithm that generates personal wallets), the hack will not be detected quickly. With a single wallet, investors themselves would start asking questions. The threat of losing money without noticing the break-in in time is the most serious reason why money should not be collected to personal wallets.
  • Point (3) applies again if the project itself loses the seed phrase (mnemonic) for restoring the wallets, or their private keys. Dear investors, did you at least once ask whether the builders of the project made a backup?
  • Imagine that a hacker (or the project's programmer / sysadmin) hacks the site for 5 minutes and then puts everything back. The investor receives the hacker's individual wallet and pays there. Then he refreshes the page and the BTC address for payment is different (the real one). What should an investor do in this situation? Clearly the money cannot be returned, but the point is that the investor will not even be able to prove that he is not at fault! Such an investor will look like a fool complaining that the site made him pay to the wrong place.

Interim conclusion:

  • It is not secure: there is a good chance that a compromise will not be detected quickly.
  • The collection scheme is implemented at a primitive level. The founder or the programmers do not know how to implement collection to a single address, which indicates a rather low technical level.
  • The crypto community would like a tool to find out how much money has been collected, rather than having to believe tall tales on the ICO website. Blockchain is a world where everything can be checked and the phrase "trust us" is not needed.

Conclusion: potentially vulnerable; cheap development; impossible to audit.

 

Token distribution

https://etherscan.io/token/0x6704b673c70de9bf74c8fba4b4bd748f0e2190e1 

From this page it can be seen that the company's programmer, from the wallet 0x474e028b9710bef801D3a0bA3c282e729C0e3591, received all the tokens upon publication of the contract, thanks to this code:

// Token contract as published (old-style Solidity constructor named after the contract).
// The base contracts are OpenZeppelin's; the import lines are not shown on the page.
contract UbexToken is DetailedERC20, StandardToken, BurnableToken, PausableToken {
  function UbexToken(uint256 totalSupply) DetailedERC20("UBEX Token", "UBEX", 18)
  {
    totalSupply_ = totalSupply;
    // The entire supply is credited to the deploying account, not to a sale contract:
    // distribution to investors is therefore done by hand from this wallet.
    balances[msg.sender] = totalSupply;
  }
}

Beyond that, the main smart contract only distributes tokens, and only in exchange for ETH. Tokens for non-ETH payments will be handed out at the builder's request, and the remainder, at his own discretion, will probably be promised to be burned.

  • This is a malicious profanation of the idea of blockchain, whose essence is that nobody has to rely on anyone's promises. The company goes to the blockchain and explains how its project needs it, but at the same time its first (or one of its first) technical products, the smart contract, shows complete disregard for the ideology of the blockchain.
  • Tokens are distributed at the will of one person.
  • The smart contract is pointless.
  • That person can deceive investors, for example by crediting some of them with more tokens than they paid for, or by not burning the unneeded ones.

You think that no one will use point (4), because everyone is honest? I have no doubt that the founder is honest. But only until a fund (or, more precisely, the fund's intermediary) comes to him and says "I am ready to invest $1 million in you, for which I want double your maximum possible token bonus plus 30% of the money back as a kickback", at which point the builder easily agrees to such conditions. Of course, these are assumptions, but the point is that a careless attitude towards the smart contract allows the founder in this case to remain completely unpunished, and not even to regard this as an infringement of the rights of all the other investors.

Conclusion: critical disregard for the ideology of the blockchain; critical lack of investor rights.

 

A separate example of the poor quality of a smart contract

If you look at which transactions the programmer sent from etherscan.io/address/0x474e028b9710bef801d3a0ba3c282e729c0e3591, the following pattern appears.


In each of those transactions the same function is called:

Function: setBonusMultiplier(uint256 bonusMultiplier_)
MethodID: 0xfd58e63a
[0]: 0000000000000000000000000000000000000000000000000000000000000460

I did not dig into why it does this, but from the names it is obvious that this sets the current ICO bonus.

These calls were made at different times, with pauses of a few days between them. This means that the programmer switches the bonus by hand.

  • The author of the smart contract is a beginner who did not suspect that Solidity has arrays and that a smart contract can switch bonuses by time on its own.
  • The moment of switching the bonus is poorly controlled. The ICO terms obviously promise switching at, for example, exactly 00:00, yet people do not do it synchronously. Most of the calls were made around 2am, but transaction 0xaf17a7abae** was made at 4am, two hours after the usual time. Were there any investor transactions in that window?
  • An investor can pay at such a time, trusting the promises, but the bonus will not be what was expected.
  • The programmer understood everything but was lazy.
  • Doing by hand what a smart contract can easily do is a profanation of the idea of blockchain.

Conclusion: not a vulnerability; nothing critical; violation of investors' rights; low level of skill in preparing for the ICO.

 

White Paper Review


In the chapters "Ubex: Service for Advertisers", "Ubex: Service for Publishers" and "The Ubex Platform" the authors, well done, mention the word blockchain all the time. The project has no relation to blockchain, and the technical part does not describe any.

A very beautiful diagram on page 31, well done, designers! True, the picture explains nothing from a technical point of view.


It is a lie. The processes are not described in any detail: how exactly are the programmers going to run real-time searches in the blockchain to get a response? How this works in a centralized SQL database is clear. The main function of the system, with its very beautiful name, is simply not explained. How are they going to do a banal filter + sort of objects?

Only six months ago we at CryptoB2B.io audited exactly the same kind of project, HOQU.io (there are dozens of them), only with less pathos (nothing about neural networks). We discussed thoroughly with the programmers how they were going to implement a trivial search and where the blockchain fit in. Of course, after a couple of answers it turns out that the project's main page, or its mobile version, will absolutely definitely have to use SQL.

In essence, on page 32 the authors write "Consider such a node as a black box". Just a black box. Know-how. Secret. OK.


Next comes a normal description (pages 33 and 34) of how everything should work, fairy tales about DSP-1. Everything is fine, except for the following:

  • the described functions have nothing to do with blockchain
  • they describe exactly how it should be, not how the authors are going to implement it

On pages 35-37 the authors of the White Paper explain to the reader what a neural network is. OK, but what does this have to do with the project? And why take a potential investor for a fool who needs this explained to him? Although, judging by the large amount collected from investors…


The very essence of the project is described in the chapter "Neural Network Model" on pages 38-41. If you remove the picture, the empty space and the filler text (a bulleted list), you get about 1.5 pages of actual substance, which should answer "What do they do there?".

About half of the key text describes what the parameters in advertising networks are, such as the arguments: the cost of the ad, the user parameters, the key settings… and that these numbers can be added up. But, sorry, what then??

Where are at least some hints of how exactly the programmer will implement the neural network? What will you train it on? Why is ordinary targeting in the existing networks not good enough? How will you retrain the network when the model and the set of arguments change?

Perhaps I do not know how to read between the lines, but I have not found a single hint of the technical side of how the authors are going to solve anything. Technical juggling of the term – that I see. Answers, or even the slightest hints – no.

Of course, all of this is personal opinion and a value judgement, and a neural network guru will understand the secret meaning from the second formula, and especially its connection with the blockchain…


Conclusion on the White Paper:

  • None of the advertising engine's functions will work in the blockchain; for that you need good old SQL or NoSQL. This topic is simply avoided; the WP does not even try to address it.
  • The very essence of the project (neural networks) is not described as to how it will be implemented – what the know-how is remains unknown, it is not disclosed.
  • The WP consists of declarations of how things should be. But that is obvious without an ICO.
  • The places where blockchain and neural networks are mentioned are tautologies.
  • The designers of the WP did not do their job – there are very few diagrams / schemes (and those are meaningless). They could have written more.
  • Judging by the serious amount collected as of the date of this audit, either investors did not read the WP at all and did not notice that the idea of the project is not disclosed, or the collected amount is a fraud.

Forecast: the functions will be implemented on ordinary SQL, and, to wriggle out of responsibility to investors, an imitation of copying reports into the blockchain, backdated.

Threat to the project

Judging by the WP, the project will be built on blockchain. Judging by my experience, it is impossible to build the key and simplest functions (search, sorting) on a blockchain; they can only be built on traditional SQL or NoSQL databases. Not even the smallest component of the system will do without SQL. The project, if it is built at all, will definitely not be on the blockchain, although the founders will imitate blockchain functionality. The same goes for neural networks: I applaud the attempt to develop them, but I doubt that the key engine will really use them rather than imitate them.

This gives investors grounds to sue the company for broken promises, because it is already clear that the promises cannot be fulfilled. Building a project without blockchain and raising the token price – yes, that is possible, and I wish good luck to both the project team and the investors.

 

Way out

I do not know how the project will prove the collected $7+ million; it is probably impossible. But the rest of the money could be collected in a normal public mode on a platform that does not have the shortcomings described. There is nothing to advise correcting in the current situation. The approach to the ICO does not stand up to any criticism and maliciously discredits the ideology of blockchain, even as it collects money on its ideas. This is not the kind of bug that can be fixed by changing a few lines of code or closing a vulnerability; everything needs to be redone from scratch. In the current approach the token has no value at all, so changing the platform during the ICO is not a problem, provided the tokens are then issued by an honest algorithm.

If investors believe the founder and the collected $7+ million really exists, then everything is fine. Projects can be implemented on a word of honour, too.

 

Technical rating of the UBEX project

Description of the main technical idea? None (negatively): -8.
[-10 = no, 0 = neutral, + 5 = present]

Have you discovered obvious technical lies (fraud)? Not found (positive, neutral): 3.
[-10 = found, 0 = not evaluated, + 3 = positive]

Do the main functions of the project have anything to do with the blockchain? No (negative): -7.
[-10 = does not, 0 = has, + 10 = ecosystem]

Adequacy of the token sale, protection of investors' interests? Terrible (negative): -10.
[-10 = violations, 0 = not evaluated, + 5 = honest ICO]

Quality of the code, errors in the smart contract? * None found (positive): +1.
[-10 = errors found, 0 = not evaluated and / or no errors, + 5 = good quality]

The team's openness to the audit and answers to uncomfortable questions? Not conducted (neutral): 0.
[-10 = hostility, 0 = not conducted, + 2 = open to cooperation]

Subjectively, prize points for IT technology: for trying to develop neural networks (positively): +2.
[0 = not evaluated, + 5 = positive]

* – based on a quick examination of the smart contract, since the CryptoB2B programmer has not yet looked for less obvious errors; this will be done a little later and will be an occasion to revise the assessment.

Interim score by the formula: -8+3-7-10+1+0+2 = -19 points. Numbers below zero or above 10 are clamped to the range [0 … 10]. Total: "-19" is rounded to "0".

Evaluation grades:

  • -50 … -21 = extremely bad
  • -20 .. -10 = very bad
  • -9 … +0 = bad
  • +1 … +3 = so, so
  • +4 … +9 = positive
  • +10 .. +20 = excellent
  • +21 or more = wow!

The final CryptoB2B technical rating, by the sum of the indicators: 0 out of 10; the score is "very bad".
