A realmeye based marketplace

Samcw · 2017-01-12 05:19:13 UTC

A server-side trading house would take lots of effort to implement but a player-run one can be cheap using back-end tools realmeye already has.

System

Each player submits:

email and password of one mule
a set of offers with the mule carrying items to be sold

Realmeye:

match buyer and seller offers
automatically trade on their mules

Consideration:

trade done on mules because can’t login the main when player is on and less risk in case of a password leak
initially only open to red star or above to prevent players flooding the system with offers from their mules
with 50k players and at most 8 offers from each the system would support 400k offers. Seems manageable with moderate server cost
ask Deca to whitelist realmeye IP; too many logins from a single IP can be incorrectly treated as an attack

IAmShurima · 2017-01-12 05:32:06 UTC

While this is a fantastic idea, I doubt it will ever happen, just because of the absurd amount of coding that would have to be done in order to set something up like this.

Furthermore, even with limited knowledge of how muledump works, pretty much anyone can trick it into falsely displaying items. A more advanced hacker can easily forge item ids, locations, and even whole accounts. Muledump just isn’t safe enough security wise to do something like this.

I wouldn’t trust it with my items, and I don’t think other people should. At least not enough to have it trade my items for me.

Samcw · 2017-01-12 05:48:35 UTC

Muledump plays no role in the system, and trade integrity is, of course, checked by system.

The amount of coding is not absurd, probably 10 to 40 hours for realmeye dev. The trade UI is already in place, and trade code can be copied from the trader bots available on you know who hacker site. The bulk of the work is just to put them together and implement the trade match system.

IAmShurima · 2017-01-12 05:56:29 UTC

hmmm, my apologies. Indeed you did not mention mule dump.

Up until this point, there has been no reason to hack realmeye (other than the satisfaction I guess). There will be if you let people actually trade using it. This would definitely add more opportunities for duping/scamming/hacking.

Furthermore, I imagine some sort of waiver would have to be signed saying that realmeye is not responsible for your items. When things go wrong, people will look for something to blame. I don’t want it to be realmeye.

Also, it is very easy to exploit said trader bots. A lot of them run on a visual system instead of an item based system. The visual system can easily be spoofed. I have toyed around with it a bit in the past as part of a heads up display for realm that wouldn’t require a hacked client. Manifesting items on the screen to presented in the game’s actual client isn’t that hard.

Also, don’t get me wrong. I love the idea, although it would spoil some of the fun.

Samcw · 2017-01-12 06:12:04 UTC

I’m surprised that a visual based system is used in some of them. Such a system is unacceptable since it would eat up too much computing resources.

It seems that you are confused what’s being done on player and server sides. Players just submit account info of their mule and trade offers. The actual trade is done by the server. No exploit is possible unless you hack realmeye. Even in the case of such an unlikely event, you risk losing only items on one mule.

IAmShurima · 2017-01-12 06:14:47 UTC

That’s what I’m saying. Hack realmeye. Realmeye clearly had a lot of thought and design put into it. It is a well-made website. But since the website isn’t really protecting anything of value (your realm account isn’t even directly linked to your realmeye account), there would be no reason for it to currently have the level of security on that would be needed if it were going to actually be accessing mule accounts and trading in game. That would require a total, full system step-up so that people’s accounts don’t get hacked. Even if it was just a publicity stunt, the security would have to be increased.

BroooMC · 2017-01-12 06:27:33 UTC

This would take more coding than implementing a bazzar/marketplace in the game.
Also putting third party websites in charge of people’s accounts are a major no-no because of the exploit potential.

RMGnoob · 2017-01-12 09:56:27 UTC

So you’re going to store the credentials of thousands of accounts on a third party website? Why, I don’t see how this could ever go wrong!

No, managing offers is what Realmeye already does. What you’re asking it to do is manage thousands of accounts at once.

Samcw · 2017-01-13 04:24:06 UTC

I highly doubt if this would require more coding than a marketplace in the game. A native marketplace requires a new UI and new backend support to store and trade items to be sold. Further, careful design decisions are needed: how are items to be sold stored? how many offers can be accepted at a time? A poor design can be a source of abuse of vault spaces, and an imperfect implementation can be sources of exploits. Deca probably wouldn’t want to invest valuable dev times in this non-moneymaking undertaking.

A trade-by-mule system neatly bypasses all these issues by using something already in the game.

By managing offers I mean not just to store them but also to perform the actual trade. Also, while you do store thousands of account credentials at once, this is less than 3MB of data. You touch them only when a matching trade is identified. So the server cost is more accurately reflected by the number of trade offers and frequency of trades rather than the number of accounts. For tech nerds: a dynamic graph with 400k nodes can be handled easily

.[quote=“BroooMC, post:7, topic:4466”]
Also putting third party websites in charge of people’s accounts are a major no-no because of the exploit potential.
[/quote]

Yes this is a huge exploit potential, but it’s rather different from standard scenarios in this case. The credentials are your mule’s and not main’s. The risk is, in my mind, very small relative to the convenience offered by the system. Personally I really doubt if realm would be a target of non-phishing type hacks.

MrSurvivor · 2017-01-13 04:41:01 UTC

Really, if there is gonna be a Realmeye marketplace with auto-traded mules (which DECA would REALLY hate since it’s basically emphasizing mules mules mules…), you might as well pester DECA to implement it. It would work if you could automatically trade specific Realmeye mules from anywhere, anytime (such as CSGO bots), but having to go to the nexus to trade kills the point. Also, there’s bots everywhere.

IAmShurima · 2017-01-13 06:39:13 UTC

As someone who has actually built an auto-trading program for use on the actual stock market, let me tell you that just getting something to trade when you want it to trade requires quite a bit more backend work than you think. Matching it with a UI and framework (like realmeye) that was not intended for actual market transactions (similar to the way we spent weeks and weeks getting our program to mesh with an online trading website) requires extensive legwork. If you are up for the task, take a crack at it. It is just quite a bit more complex than it would appear.

So what you are saying is I can DDOS and cause DECA/Realmeye/Whomwever is backing this to lose money, just by performing high frequency trading?

I built a program awhile back that would analyze realmeye’s offer pages and indicate what items were hot to buy based on the past few days of market data. It wasn’t that hard to do. Literally all I had to do was press go and it would spit out trades that were below market value across all items and offers listed in realmeye within the past 6 hours. Even without access to automatic mule trading, I was able to manipulate the price of high value items. Anyone who developed the various trade bots you see around realm can easily do the same thing. From there, they can just take advantage of the information contained in realmeye (aka a perfect market with perfect information about market statistics, prices, and trends) and quickly manipulate prices via the ease of access trading system that you are providing. Literally the only thing holding them back now is the fact that they physically have to trade items in game, which takes time.

My point is, I think that a marketplace such as this would be extremely dangerous to the realm economy and provide too many loopholes for high frequency and automatic trade programs to take advantage of. The market cap is so small that a single auto trader can make a substantial impact on the price of a single item.

We should not be thinking about if it is possible, but rather if it should exist in the first place.

RMGnoob · 2017-01-13 07:36:12 UTC

Yes, that’s what I meant by “managing accounts”. Might not have been the best phrasing, though.

So you would build a system like this without accounting for the possibility of all accounts being used at once? Not to mention the possibility of someone trying to flood the system?

We’re still talking about thousands of accounts and potentially hundreds of thousands of items.

I don’t remember if the two SwatSec incidents were caused by phishing or something else entirely.

Thing is, you don’t know what would happen because this would be an unprecedented scenario. I don’t think there has ever been a time since RotMG’s creation when a third-party website was used to store the credentials of thousands of accounts.

That might also be directly caused by the fact that, as a player, all you would ever see is the convenient side of the system and not all the problems it causes.

From Deca’s perspective, this is a huge risk to take with very little benefit. I doubt any videogame company would be comfortable letting a third-party amateur website handle this many accounts and in-game items.

From the Realmeye devs perspective, this is 10 to 40 hours of work upfront then having to manage the whole system forever. As long as their site isn’t using any credentials whatsoever, they can rest easy, but with your system they’d have to become a lot more concerned about security, with all the additional work and stress that entails. Remember: these guys are doing this as a hobby, they’re not paid professionals.

Samcw · 2017-01-13 11:36:49 UTC

Like you said the market cap is quite small, and given the very discrete nature of the market the scope of HFT (aka arbitrage opportunity) is rather limited. You can certainly DDOS it by creating artificial trade matches but you gain nothing from it and you can already do it now by DDOS’ing realmeye website.

Excellent point. Unfortunately this is characteristic to almost all kinds of small markets where a few traders can manipulate prices (e.g. “penny stocks”). This is a real concern but hopefully wouldn’t impact most players who usually trade on low-value items since this segment of the market should be quite liquid.

No reasonable implementation would access all accounts at once. I would imagine a single-thread or multi-thread algorithm for finding trade matches and another single-thread or multi-thread algorithm for performing trades.

With a max of 8 trades per account you can’t really flood the market without having too many red star accounts.

True, but as a user do you care about how much you lose or how much an attacker gains?

(Unofficial) sources mentioned that a social media account of a Kabam employee was compromised in a phishing-type attack.

I don’t know if this would be too much of a burden for them. I appreciate their efforts behind realmeye. I’m just throwing an idea and it is totally up to them to decide if they want to do it or not. I’m fine with it if they dislike the idea or decide that maintaining such a system takes too much effort.

RMGnoob · 2017-01-13 12:39:12 UTC

So running a script that makes about 50k trade bots function is the easiest thing in the world, but running a script that would 2-star all classes on thousands of accounts is impossible?

When you start gaining experience on how the internet works, you realize that preventing attacks isn’t necessarily about how big you are, but also about how big of a target you make yourself out to be.

And centralizing the credentials of 50,000 accounts on one amateur website while publicly announcing the fact definitely fits the definition of “painting a huge target on your face”.

Samcw · 2017-01-13 13:14:53 UTC

What you really said is that this is a high-value exploit target, which I did acknowledge. Still at the individual level only your mule is exposed to the risk. I think we can agree on this.

Making 50k trade bots is extremely easy with existing tools, but getting 2-star on all classes requires roughly 15 min * 14 = 3.5 hours. With multiboxing you can make ~10 red stars in 3.5 hours on a single computer. So yes you can make hundreds of red stars in a matter of days. It’s a real concern and I just hope that only a handful of players would be extreme enough to endure the burden of making and managing this many accounts should a marketplace, in game or not, be implemented.

RMGnoob · 2017-01-13 13:27:01 UTC

The entire point of a system like this is to allow people to play on their main while the trading is being done in the background, without them having to go everywhere advertising their wares, negotiating with everybody and dodging scammers.

So if you’re not going to use it to trade rare and valuable items, then what are you going to use it for? Rainbows? You could easily trade those yourself.

Not to mention that, if you use these trading bots to sell rainbows, that’d mean you’d still need to regularly come on your main or another mule to give the trading bot more rainbows to sell (and maybe retrieve whatever the trading bot gained). At this point, why even bother with a trading bot? It’s just making the whole thing more complex and potentially exposing you to getting 8 of your items stolen.

IAmShurima · 2017-01-13 16:52:11 UTC

It appears that I have overlooked a very fundamental portion of your concept. 8 trades per person, I would assume at any given time. This would almost be inconveniently small. I have at any one time upwards of 50-100 offers posted. Furthermore, I average an execution of 200 trades a daily when I sit down and merch. 8 trade offers would be a drop in the bucket and provide me with little use.

This.

Samcw · 2017-01-13 22:15:25 UTC

As of now trading rainbows in USW3 take ~1 min in peak hours and anywhere between 1 and 10 minutes in non-peak hours. With an automated system you avoid those wait times and can trade even when not online. (you also avoid the 2 minute TP cooldown if you trade on your main in USW3)

8 offers suffice for most players; the system does not and should not facilitate large-scale merching.

I think we can agree on the security concern and there is no need to bring this up again and again… (to me we’re having a discussion not a debate) It’s a real concern but with a limited loss at the individual level.

RMGnoob · 2017-01-14 00:39:47 UTC

One thing you never explained is what the bots would do outside of trading.

I guess one way you could make this work would be with more /tell mreyeball commands.

For example, /tell mreyeball /botcome would make the trade bot come to the nexus of whatever server the main account is currently on, so that the main account can retrieve whatever the bot has gained from his previous trades and give him more items to trade.

/tell mreyeball /bottrade would send the bot back into the system and leave it to happily trade with his fellow bots.

Mreyeball would /tell the main account to notify him of when the series of 8 trades has been concluded.

The bot would be automatically logged out when not engaged in either of those two activities and would only be logged in when either command is sent.

Of course, that system would still have problems, like people exploiting this to either make the trade bot system crash or overcrowd specific game servers, or the fact that you would not receive the /tell from Mreyeball when offline, during loading or on the main menu.

Nevov · 2017-01-14 02:09:58 UTC

Sorry but I can never see Deca going along with this, they already seem to only barely tolerate mules, and this would increase the numbers of mules, not to mention what they might think about account credentials being swapped.