Millennial Musings — Millennial tries to reverse engineer an NFT site to Win an NFT he probably doesn't deserve

After getting the NFT from getting back into Quidd and following the social’s of Little Mix, one of most peoples secret guilty pleasure bands, I discovered Fanaply. Fanaply is a site where you can claim NFT through doing simple tasks such as following a band on Spotify or listening to their new album more than others. They also try and charge obscene amounts of money for other ones, but let’s stay clear of that, the site might not even be around in 6 months! I see it as a little bit of fun.

I got into one challenge for “NICERIDE x Jourdan Sloane & Jay Alvarez” NFT’s. This was a multiple-stage challenge were to “Win” you needed to complete all four prior NFT challenges. Me being a non-competitive person with not much else to do, it was a non-brainer. I was winning the set. It started normally enough click here to collect an NFT, I can do that one! Find the secret link on their YouTube video, that was easy too they put it in the comments, hardly a challenge for a hide and seek champion! Next, they are ramping up the difficulty, the top 50 people to listen to Christopher Shayne on Spotify would win the NFT. This point I had clocked on as the sunk costs of completing each prior step would introduce the more profitable challenges for the artist, Lots of streams on Spotify get you more paid than a single YouTube view! But I was invested and I have my own Spotify account that I definitely do not share with anyone else. So can just leave it running on my PC, get placed on the contest and take money from a large multinational to put it into the pocket of an artist that hasn’t been able to tour due to the pandemic. Win / Win right! So, I finished 21 so that’s ¾ of the way to completing the challenge and at this point, they introduce the one challenge I did not see coming but surely should have. Act as the artists marketing agency and get people to click your personal link that takes them to the YouTube video. So as someone whose popularity managed to rank 27 with two days to go (needing to be in the top 25 to complete the set) and seeing the top two in the table with such high scores I needed to get creative.

And by getting creative I mean to bend the rules till they fit my skill set. The first clue for my plan being possible is the top two in the leader board being so far ahead, they are either very popular or they have made a script to “click the link” and getting it to register. Now is that in the rules?

The rules say anywhere you like to connect with your friends. I would like to connect to my friends using NetBeans, so that’s good enough for me and the sunk costs that I have already invested into the contest! So, let’s fire up NetBeans and make a quick java code to click the link a few times and see if it increases the count.

This was my first go at the code. Yes, you shouldn’t have a sleep in a loop and you should comment your code and make it all pretty but I was just putting this together in two minutes to see what would happen. I wanted to include some randomness to mimic people clicking after it being posted. However, it didn’t pick up all 10 of my “clicks” as my score went from 12 “clicks” to 19 “clicks”. My hypothesis was either the less than a few seconds clicks were not being counted or Fanaply saw this coming and have more error checking in place! So attempt two, I changed the x to start at 10 and go till 20, still 10 “clicks” but with more time between the clicks, will it increase our leader board score or will it just take longer to run?

So after making this change, running the code took 1 minute 13 seconds rather than 31 seconds in the previous build and resulted in… 4 clicks. So, the site is still happy for the clicks to come from the same IP and it doesn’t seem to matter the time between the clicks. If anything, quicker is better. Next attempt let’s get rid of the *x and the loop and just flood as many clicks as we can in a couple of minutes and see what happens.

Each “build” of this gets worse! You shouldn’t write code like this, It will not terminate but I want to stress test loads of “clicks” for a couple of minutes and don’t want to work out the math! I am being lazy; you don’t need to.

So, I left this running while I kept refreshing the page, I started at 23 clicks at this point, First refresh 26 clicks, Second refresh 26 clicks. Then disaster strikes my internet goes down.

On a side note, where is the Dinosaur game I need my procrastination! Back to the project in hand. After running the code for the 5 minutes before it crashed resulted in 3 clicks. So either a certain IP can only get a fixed number of clicks or the site will only accept a certain number of clicks in an hour. The second of these I felt was unlikely the two people at the top of the leader board had several hundred clicks, If it was only 14 clicks allowed in the half-hour I been fiddling with this then they could not have achieved that score. So let’s test hypothesis one, that you can only get 14 (ish) clicks from an IP. If only there was an app that allowed you to change IP that was promoted by YouTubers constantly? Oh, there is? A VPN. Why didn’t you say so? So, I started joined a UK VPN and ran the code for 28 clicks assuming that 14 would count. This took me from 26 Clicks to 37. Looks like I have unlocked the secret to this game! VPN server two took me from 37 clicks to 48, VPN three took me from 48 to 61 and VPN four took me from 61 to 71. So not quite the 14 clicks an IP I was expecting but I am now in a safe spot and know the secret if I need to defend my position in the contest.

I am assuming that there is a way to code swapping VPN servers every 10 clicks and I would assume that’s what the two people miles above the rest of us have done. From a quick google search, the VPN that I use doesn’t have an API but maybe another provider does. Then it’s just a Spotify contest of who is prepared to leave their computer running the longest. The artist still gets their clicks but the people who are playing legit (Like I was, in the beginning, can’t keep up).

My takeaways from this project, Firstly Reverse engineering is hard! You think about how the developer of the contest and the IT engineer coding it has made it work. I like to believe that they have the best intentions by putting fair limits on IP so that referring family members or mentioning it at a party (assuming post covid world) where you are all on the same IP can score but it can’t be abused. They need to take into account more humanistic behaviours, it’s extremely unlikely that two people at a party or household would click within milliseconds of one another so this could be another way to identify wrong clicks. Secondly, the NFT is booming people are flooding in and it’s a real rush to get these ideas developed and live before someone else does. If the dev had more time to test different ways to break the system, they could have stopped it before it started. Although as I am typing this the contest has not ended so the devs might be working out a way to check the leader board before awarding the NFT’s. Particularly in NFT where (I am stereotyping) but like crypto, the first adopters (at least a subsection of) will be highly tech-literate so the sites and the systems to award these NFT need to be of a higher standard.

I had fun, whether or not I get the NFT (or even if I deserve it) is yet to be seen I will add a ps to this post later and let you know!