The FW Exploit 2012 (or: How I learned about FOREX) | EVE Online

The FW Exploit 2012 (or: How I learned about FOREX)

2012-06-28 - Von CCP Sreegs

Dearest Factional Warriors and Interested Space Pilots,

Firstly I'd like to apologize for the delay in finalizing this investigation. We had to do a lot of chatting, calculating, checking and rechecking in order to ensure to the best of our capabilities that the resolution we are providing is one we believe to be a fair one. That simply doesn't happen overnight. I'd also like to pointedly clarify that we ARE classifying this activity as an exploit and we will explain the details below.

Here's a fairly high-level explanation of how the exploit functioned and some background. With EVE Online: Inferno we released a change to the Factional Warfare system in order to encourage and reward PVP. What the change entailed was that we essentially decided to award people with “Loyalty Points” for killing other players rather than just awarding them for activities such as missions. The amount of LP rewarded is determined by the value of what is destroyed. The number we use to determine that is the “Average Price” value of each of the items destroyed which is calculated by taking an x day rolling average of how much the item was purchased for every x days. This is handled by a scheduled database job.

This system becomes exploitable when a player is capable of dictating a disparity between the actual value of the item on the market and the average price we use to calculate LP. This is most easily accomplished using items that are virtually never traded, as one or two major purchases can change the average, but it is not a requirement that the item be rarely traded in order for manipulation to occur. The most common method of doing so is that once the price has been manipulated enough it becomes possible to generate LP by simply buying the manipulated item, killing yourself with an alt in the opposing militia, then buying another one and killing yourself with it repeating infinitely. LP in this regard functions as a separate currency which can be converted back into ISK (Interstellar Kredits - the main currency of EVE Online) at a profitable rate. This can be compared to foreign exchange manipulation.

This exploit was taken advantage of by five players. Those same five players reported the issue to us after using it themselves for about two weeks. To illustrate the impact graphically, this is a nice little picture showing LP earned thus far in 2012 CCP Stilman calls "LP Made in total ever" because he doesn't believe in life before February 2012.

Click for larger version

As you can see there is a tremendous spike for a period of about two weeks which then just goes away. That spike was caused by this particular exploit. While we applaud the ingenuity of our players we find that the methods applied here should not have been mistaken for edge game play. The edge is REALLY hard to see at times but it DOES exist and in this case we were looking at a situation where a new feature created for all of our customers was being virtually curbstomped by five of them. Because of the volumes and disparity involved we've had to take action to fix this particular system.

Last week we manually adjusted some of the pricing as we stated in our news item. We then introduced some changes in order to prevent the disparity between actual cost and "Average Price" in items. For the near future this should no longer be an issue but we are monitoring and we will make further changes to this system.

The people who sought to benefit from this exploit will receive no gain from this system. Because this was essentially a system where you could print LP, even if ISK was provided as an input, it is classified as an exploit. 

 Because the players made efforts to inform us about the issue their accounts will remain in good standing. We have temporarily seized all LP points and store items from them. Once we're done determining how much each person has benefitted we will remove the LP gained value in LP and items and return the ISK invested in the purchase of items to them. This essentially will set each of them back to the original point at which they began this activity. The person who reported the issue will receive the usual PLEX for Snitches reward.

I wrote a blog on "Responsible Disclosures" a year or so ago. In that blog I mention that telling us about something after you've used the heck out of it isn't what we consider to be responsible. We do our best to be lenient in cases such as this but we want this to serve as a notice to the community that the proper time to alert us to the issue was before actually using the system. I can understand a desire to test the limits but we don't believe two weeks of testing a bug or exploit should net a tremendous benefit in lieu of reporting it in the first place, and that is another reason why the LP activity will be reversed back to zero.

Thank you for your time and attention spacefolks!

Sreegs