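-- Coin-transfer step (fragment of a larger handler; `player`, `amount` and
-- `accountId` come from the enclosing function).
--
-- The balance check must run BEFORE the recipient is credited. The request
-- originates from the client and can be repeated at will; if the credit is
-- queued first, a failed check still leaves the recipient with the coins.
-- `not` (rather than `== false`) makes the guard fail closed if the helper
-- ever returns nil.
if not player:canRemoveCoins(amount) then
	return addPlayerEvent(sendStoreError, 350, player, GameStore.StoreErrors.STORE_ERROR_TRANSFER, "You don't have enough funds to transfer these coins.")
end

-- Debit the sender first so that an error while debiting cannot leave an
-- already-queued credit behind.
player:removeCoinsBalance(amount)

-- NOTE(review): amount and accountId are concatenated into the SQL text;
-- confirm in the enclosing function that both are numbers (e.g. read with
-- getU32 / getDataInt) and never client-supplied strings.
db.asyncQuery("UPDATE `accounts` SET `coins` = `coins` + " .. amount .. " WHERE `id` = " .. accountId)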
if you say
It's not a bug.
At minute 1:20 you started executing +25 points every 100 ms indefinitely (continuously), instead of only once.
So after 1 h one of your characters will have 900k points and the second one -89975 (Tibia will show 0).
Your bad.
otx
What sources are you using?
If this goes through the server, it does not seem to be verifying a player's balance before transferring the points.
What happens when you relog?
-- Guard for the transfer handler: ask the server-side helper whether the
-- sender can pay `amount`, and abort with a store error when it says no.
local canPay = player:canRemoveCoins(amount)
if not canPay then
	return addPlayerEvent(
		sendStoreError,
		250,
		player,
		GameStore.StoreErrors.STORE_ERROR_NETWORK,
		"We couldn't remove coins from your account, try again later."
	)
end
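--- Handle a client "transfer coins" store request.
-- Reads the recipient name and the amount from the network message, validates
-- the request on the server, debits the sender and credits the recipient's
-- account, then records the transfer in both accounts' store history.
-- Every check here runs per request: the client decides how often this
-- packet is sent, so nothing about the request may be trusted.
-- @param player the sending player
-- @param msg network message: a string (recipient name) followed by a U32 (amount)
-- @return the value of addPlayerEvent when the request is rejected; nothing on success
function parseTransferCoins(player, msg)
	local reciver = msg:getString()
	local amount = msg:getU32()

	-- A zero-amount request would pass every later check, report success and
	-- write two history rows; reject it up front.
	if amount == 0 then
		return addPlayerEvent(sendStoreError, 350, player, GameStore.StoreErrors.STORE_ERROR_TRANSFER, "You can't transfer zero coins.")
	end

	if reciver:lower() == player:getName():lower() then
		return addPlayerEvent(sendStoreError, 350, player, GameStore.StoreErrors.STORE_ERROR_TRANSFER, "You can't transfer coins to yourself.")
	end

	-- The recipient name is client-controlled text, so it goes through
	-- db.escapeString before being placed in the query.
	local resultId = db.storeQuery("SELECT `account_id` FROM `players` WHERE `name` = " .. db.escapeString(reciver:lower()))
	if not resultId then
		return addPlayerEvent(sendStoreError, 350, player, GameStore.StoreErrors.STORE_ERROR_TRANSFER, "We couldn't find that player.")
	end

	local accountId = result.getDataInt(resultId, "account_id")
	-- Release the result set; the original never freed it, leaking one per request.
	result.free(resultId)

	if accountId == player:getAccountId() then
		return addPlayerEvent(sendStoreError, 350, player, GameStore.StoreErrors.STORE_ERROR_TRANSFER, "You cannot transfer coin to a character in the same account.")
	end

	-- Balance check before any coins move.
	-- NOTE(review): canRemoveCoins / removeCoinsBalance are defined elsewhere;
	-- confirm they read the authoritative balance so that rapidly repeated
	-- requests cannot overdraw the sender.
	if not player:canRemoveCoins(amount) then
		return addPlayerEvent(sendStoreError, 250, player, GameStore.StoreErrors.STORE_ERROR_NETWORK, "We couldn't remove coins from your account, try again later.")
	end

	-- Debit first, credit second: if the debit raises an error, no credit has
	-- been queued and no coins are created.
	player:removeCoinsBalance(amount)
	-- amount (U32 from the message) and accountId (getDataInt) are both
	-- numbers, so concatenating them into the statement is safe here.
	db.asyncQuery("UPDATE `accounts` SET `coins` = `coins` + " .. amount .. " WHERE `id` = " .. accountId)

	addPlayerEvent(sendStorePurchaseSuccessful, 550, player, "You have transfered " .. amount .. " coins to " .. reciver .. " successfully")

	-- Adding history for both receiver and sender
	GameStore.insertHistory(accountId, GameStore.HistoryTypes.HISTORY_TYPE_NONE, player:getName() .. " transfered you this amount.", amount)
	GameStore.insertHistory(player:getAccountId(), GameStore.HistoryTypes.HISTORY_TYPE_NONE, "You transfered this amount to " .. reciver, -1 * amount) -- negative
end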
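-- Coin-transfer step (fragment of a larger handler; `player`, `amount` and
-- `accountId` come from the enclosing function).
--
-- Verify the sender's balance before the recipient is credited: with the
-- credit queued first, a rejected request still hands out the coins, and the
-- client can repeat the request as often as it likes.
-- `not` (rather than `== false`) makes the guard fail closed on a nil result.
if not player:canRemoveCoins(amount) then
	return addPlayerEvent(sendStoreError, 350, player, GameStore.StoreErrors.STORE_ERROR_TRANSFER, "You don't have enough funds to transfer these coins.")
end

-- Debit before credit, so an error while debiting leaves no queued credit.
player:removeCoinsBalance(amount)

-- NOTE(review): amount and accountId are concatenated into the SQL text;
-- confirm in the enclosing function that both are numeric values.
db.asyncQuery("UPDATE `accounts` SET `coins` = `coins` + " .. amount .. " WHERE `id` = " .. accountId)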
It seems to be a bug: the Lua function that adds the coins does not verify that the user can send the coins before doing so. He is not bad. You, on the other hand, seem to be some sort of script-for-profit guy who failed to realize what was happening. Ignorance may be bliss, but try not to be rude about it.
It's not a bug.
At minute 1:20 you started executing +25 points every 100 ms indefinitely (continuously), instead of only once.
So after 1 h one of your characters will have 900k points and the second one -89975 (Tibia will show 0).
Your bad.
It seems to be a bug: the Lua function that adds the coins does not verify that the user can send the coins before doing so. He is not bad. You, on the other hand, seem to be some sort of script-for-profit guy who failed to realize what was happening. Ignorance may be bliss, but try not to be rude about it.
Checked it again. Hmm. It looks like a player can exploit the client to transfer points indefinitely, and there is no server-side code that verifies it.
Can this hole be used to send more malicious data to the server?