
Diablo III Economy Broken by an Integer Overflow Bug

118 points| minimaxir | 13 years ago |minimaxir.com | reply

123 comments

[+] archgrove|13 years ago|reply
I remember a similar bug in the original Asheron's Call (amazingly, still running with regular content updates!). Three or four years in, they added a new, very expensive object to the game (a "Pyreal Scarab" for anyone who cares). It cost a lot, so the idea was that people wouldn't be (at that point in the economy) buying many.

Now, in Asheron's Call, the world is huge. There are hundreds, if not thousands of vendors. And three of these vendors were set to sell their goods in stacks of up to 1000. Unfortunately, Cost of Pyreal Scarab * 1000 > 2^31, which wrapped. I can't remember if you either just got the goods for free (which you then sold back for huge profit), or if you actually got paid to take these things. Either way, overnight, the economy was destroyed. The entire game state had to be reset from backups; a dreaded rollback. Worse, the developer took a few days to do this.

Trust me, out of all the customers whose data you don't want to muss with, it's hardcore MMORPG players. Even though I was just a player, I can still remember the outrage all these years later. It taught me to always use appropriate types for objects with "value", and I've never accidentally used signed or floating point storage for currency again.

[+] jdk|13 years ago|reply
Haha - I was the one who was responsible for adding the Pyreal Scarab. I remember freaking out that night when I was playing and went to Teth's vendor and saw what was happening. I called up the producer at the time at 2am and said there was a "problem".

"Oops." --Devilmouse

[+] lost_name|13 years ago|reply
I remember this scenario distinctly because it happened within a month of me joining the game, and not understanding what was going on :) The bug was discovered (or at least widely known) about a day after the patch went live, and rolled back two days later. Nearly every bug that users felt was somewhat punishing led to players hitting the VNBoards asking about possible rollbacks so they could stop playing until it was done. I'm actually not sure if they've ever performed one since.

Consider this completely anecdotal, but I think that around the time this bug actually occurred, Asheron's Call and Everquest were the only two 3D MMOs that were worth mentioning. I recall the delay in rollback having something to do with Microsoft bureaucracy at the time as well -- Turbine was plagued with MS as a publisher having some sort of veto power over their business and was frequently met with resistance.

(Full disclosure: I love Turbine unconditionally for creating such memorable adventuring experiences with Asheron's Call 1 and 2)

[+] sveiss|13 years ago|reply
That was the first thing which came to my mind when I read this, too. Of course, Asheron's Call didn't have an (official) real-money trading system to deal with too.

A nightmare scenario for the developers in both cases.

[+] EvilLook|13 years ago|reply
>Trust me, out of all the customers whose data you don't want to muss with, it's hardcore MMORPG players.

Welp, that's what happens when you have only online play on only official servers. Single player offline wouldn't be affected - cheat all you want! Online play on unofficial servers means server admins can take whatever action they want - ban offenders, leave offenders alone, or rollback - depending on what the admin and the players want.

[+] tikhonj|13 years ago|reply
This is what happens when we let machine constraints trump semantics.

When you say int, you usually want an actual integer, not an integer with an arbitrary limit. In this day and age, having that limit there is simply premature optimization.

I think having a nice bignum type--one that looks and feels just like a normal numeric type--is very important. It should also probably be the default; you should only switch to a machine type if you have a good reason. With gmp, big integers perform well enough to be used widely.

[+] vinkelhake|13 years ago|reply
> In this day and age, having that limit there is simply premature optimization.

You say this with certainty. Do you know of studies of real-world programs where machine-sized integers were replaced whole-sale with bignums?

[+] mckilljoy|13 years ago|reply
Depends on the situation.

I assume this was probably a server side bug, since all the accounting would never be trusted to the client side.

If you are writing highly-performant server code, the actual memory size is extremely important. You cannot (should not) abstract away the machine specifics of the datatype if you want to write optimized code.

In some cases where the underlying datatype isn't a concern (e.g. Javascript), I agree with you. But ultimately, this isn't a failure of technology, it is a failure of the software development process.

[+] jcrites|13 years ago|reply
Completely agree about big integers. I expect that the next generation of programming languages will offer a "number" type that's big integer or decimal by default, and then allow engineers to refine the type as an optimization. One trouble is the data storage layer - typical database fields are fixed size and don't naturally accommodate big integers. Thus where MMOs are concerned, using big integers will still require some deliberate effort.
[+] hebz0rl|13 years ago|reply
Haskell is already doing this
[+] lmm|13 years ago|reply
Just another reminder that it's never worth bypassing the normal deployment process. Every year or two I learn a similar lesson myself: it's so tempting, the fix is so small, it couldn't possibly break anything (heck, I once had a data-gathering script that made a bunch of read-only calls to our system's API cause a live issue). Just say no.
[+] mnarayan01|13 years ago|reply
> heck, I once had a data-gathering script that made a bunch of read-only calls to our system's API cause a live issue

I don't think you can just throw that out here with no story. Well...I guess you can, it just makes me sad.

[+] lobotryas|13 years ago|reply
Reminds me of a time a coworker at a previous job almost brought down a production server by opening a file in vi.

That file was a customer log that had grown to 100+gb in size due to an error that she was debugging. She failed to check the log size, instead assuming that it was a small file left over after that night's log rotation. When vi tried to load the file to memory, it almost crashed the box before we could kill it (we still got calls about degraded performance though).

[+] specialist|13 years ago|reply
Hmmm. I dunno.

Why wouldn't currency be handled by the type system? You could still have an overrun. But it'd be handled more appropriately.

Long ago, I wrote a budgeting / estimating tool. Costs were represented with binary coded decimals (BCDs). Not floating point numbers. Just like an accounting system.

Competing products could have weird roundoff errors. Not mine.

[+] Guvante|13 years ago|reply
To be fair, I am not sure if anyone would try posting 6 billion gold onto a PTR equivalent of the RMAH or whether the RMAH is even available on the PTR, which might explain why it wasn't tested.
[+] bloaf|13 years ago|reply
Kingdom of Loathing had an integer overflow bug way back in 2004. It let players set their currency (in this case: meat) to the max value of a 64-bit integer. The game spent the next several months setting up meatsinks in an attempt to reduce the amount of meat in circulation.

http://kol.coldfront.net/thekolwiki/index.php/Black_Sunday

http://kol.coldfront.net/thekolwiki/index.php/Bugmeat

http://kol.coldfront.net/thekolwiki/index.php/Meatsink

[+] russellsprouts|13 years ago|reply
It's nice that they resolved that mostly in-universe. They didn't go and ban everyone, but instead changed the gameplay to compensate.
[+] tlarkworthy|13 years ago|reply
Reminds me of a bug waaaay back. In the original Elite, you could obtain a missile lock on a space station, then dock and sell all your missiles, launch, and finally fire a missile (you still had the missile lock). Suddenly you have 255 missiles! 0-1 = 255 in unsigned 8 bit integer math!

You could then sell all your new shiny missiles for loads of money. Made a hard game a bit easier.

[+] mickeyp|13 years ago|reply
Those games (Frontier Elite and First Encounters included) had loaaads of bugs like that.

Another one in FE had you put in passenger holds, fill them with passengers, then sell the holds -- this would obviously not work as you had to evict the passengers first, however the game logic credited you with the cash anyway because the check came after the money had changed hands.

[+] eduardordm|13 years ago|reply
Hard to understand why people spend so much time on a short game like Diablo III. Even before I finished it on inferno the game didn't make much sense, I just finished for the sake of it, which I regret.

Most Super Mario games require way more abilities than that and less time.

Don't waste your limited time on earth playing consumption-driven games. I've been trying Eve online for a few days. It does not look promising; it seems that Eve is also driven by item accumulation and not actual playing.

[+] vyrotek|13 years ago|reply
It's basically a very pretty slot machine. I played quite a bit of D2 and D3. The thrill comes from grinding for hours (and hours and hours) and finding that one item that earns you hundreds of dollars. (Yes real dollars) You can thank the Real-Money Auction House for both destroying the game and being the one thing that keeps so many people coming back for more.
[+] zyb09|13 years ago|reply
Eve was a black hole for me. Played casually for a week, then learned how to make money via trading, then I found out there is a Python API for grabbing data out of the game client, as well as some other JavaScript-APIs using the in-game Browser.

Next thing you know I was crawling all popular market hubs in Eve, storing price history of each item in mysql, and programmatically analyzing the data to find the best trade routes for profit.

Then I realized I need much more data, and prepared a small data-grabber client for other people to run, as well some cloud storage to upload it to.

I looked at the calendar and noticed 2 weeks had passed and I didn't do much else, so I came to the conclusion this might not be the most productive thing to do and quit Eve :) Problem is, I can't play these games the "normal" way, when I see it got APIs etc. I just have to go all out on it - or just not play at all.

[+] bloaf|13 years ago|reply
Incidentally, Eve is the source of my favorite overflow bug! By putting a ship into a region of space that reduces the range of its weapons and using various range-debuffs, players were able to decrease the range of certain weapons by enough to get the range variable to roll over. This gave them near-infinite range on weapons that were intended to be short range. Since the short range was a tradeoff for very high damage, suddenly having infinite range was game breaking. However, the people who discovered the bug were clever, and did not abuse the power enough to be detected for nearly a year.

http://massively.joystiq.com/2010/09/17/new-eve-exploit-give...

[+] Ixiaus|13 years ago|reply
You're very wrong in that assumption. Don't get me wrong, I wasted 9 months of my life becoming completely absorbed by the game but it's so immersive that no other game can compare.

It's about hoarding, alliances, corporations, mining ops, PVP ops, big alliance battles, 0-sec space mining/pvp ops (this is the best part of the game).

[+] Hairy_Sandwich|13 years ago|reply
I've heard Eve online called an animated space themed spreadsheet before. I tried it myself a long time ago, and I felt it was too complicated and boring.
[+] minimaxir|13 years ago|reply
I played enough to get a lv. 60 Monk and lv. 60 Demon Hunter. The problem with Diablo III, compared to Diablo II from 10 years ago, is that nowadays there are so many options for online games without monthly fees that there's little incentive to stick to just one.

Then I started Guild Wars 2 a few months later, and played that to death. :)

[+] codeduck|13 years ago|reply
Don't let the initial Eve gameplay get to you. Join an active faction and go on some roams. Pvp is where the game shines.
[+] danceonfire|13 years ago|reply
> ... where players volunteered to tested the patch to ensure that there were game-breaking exploits ...

Is this an error? :) Although I assume the players would very well enjoy game-breaking exploits, as long as they are to their advantage.

[+] seanalltogether|13 years ago|reply
The fact that the diablo economy has reached the point where users are running around with 6 billion gold shows it's been broken for much longer.
[+] apetresc|13 years ago|reply
Why? It's just a matter of scale. Until very recently, Romania's currency was such that most middle-class families had 8-10 digits in their bank account at any given moment, and the economy is relatively healthy.

Good items sell for hundreds of millions. The number of zeroes doesn't matter, as long as the balance between items and monetary value is stable.

[+] Glyptodon|13 years ago|reply
I feel sorry for the players who were amused by this and will now likely get banned. I don't know when video games started to be like a bad elementary school where you get punished for experimenting or finding a loophole, but it seems like it's punishing one of the fundamental joys of games. Or at least one of the joys I remember being particularly rewarding as a child.
[+] gebe|13 years ago|reply
I agree to some degree but MMO games in general are serious business and a special breed, especially when real currency is involved. It was most definitely against the ToS and I am sure that most of the players who participated in the exploit knew that. Also there were people who were using this bug to make real life money through the real money auction house, those people in particular can't be surprised that they were banned.
[+] chc|13 years ago|reply
Well, when you're messing with a real-money economy, I think that's a pretty big tip-off that you'll be punished for experimenting or finding a loophole. The same thing happens with other games that deal in real money, such as the stock market.

Also, AFAIK the only parties who exploited this bug were gold-farming bots. The computers won't mind, especially since their owners probably made bank off this.

[+] astrodust|13 years ago|reply
It is odd that they're using 32-bit numbers when you'd be hard pressed to find a 32-bit only CPU and machines with over 4GB of memory are the standard.

Good luck overflowing a 64-bit unsigned.

[+] sown|13 years ago|reply
I remember World of Warcraft had a similar issue. The total amount of copper and in turn gold a player could have was the positive half of a signed 32-bit integer.
[+] minimaxir|13 years ago|reply
That didn't cause an exploit though. It just meant that the user couldn't get more than that amount of gold.

Although back in those days, if you had that much gold, you were controlling the economy by yourself anyways.

[+] josh2600|13 years ago|reply
Very different issues. The total amount of the transaction is preserved. For this to be analogous you'd have to retain the copper after converting to gold and I'm not an expert on WoW but I don't ever recall that happening.
[+] mikevm|13 years ago|reply
The scary thing is that integer overflows are considered rare so unlike things like null-pointer dereference no one really checks for them (heck, it seems impractical checking for it).

In this case, how should they defend against an overflow? Impose an arbitrary limit on gold?

[+] wtetzner|13 years ago|reply
Use arbitrary precision integers. It's hard to imagine the performance would be noticeably impacted for storing the amount of gold someone has.
[+] maaku|13 years ago|reply
Check for them. There's no lazy way out.
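
Added example, not part of the thread or of any game's code: the 32-bit wrap from the Asheron's Call anecdote and the 8-bit underflow from the Elite anecdote, beside a checked purchase that validates before any money moves. The price of 3,000,000, the balance and all function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked 32-bit total. The multiply is done in unsigned arithmetic so the
   wrap is well defined; converting back to int32_t is implementation-defined
   but yields the two's-complement value on mainstream compilers. */
int32_t total_unchecked(int32_t unit_price, int32_t qty) {
    return (int32_t)((uint32_t)unit_price * (uint32_t)qty);
}

/* Unchecked 8-bit counter: decrementing 0 wraps to 255. */
uint8_t decrement_unchecked(uint8_t count) {
    return (uint8_t)(count - 1);
}

/* Checked 64-bit total: refuse negative inputs and any product that would
   exceed INT64_MAX, testing before the multiply so overflow never happens. */
bool total_checked(int64_t unit_price, int64_t qty, int64_t *out) {
    if (unit_price < 0 || qty < 0) return false;
    if (qty != 0 && unit_price > INT64_MAX / qty) return false;
    *out = unit_price * qty;
    return true;
}

/* Purchase: the balance changes only if the total is valid and affordable,
   so every check runs before any money moves. */
bool purchase(int64_t *gold, int64_t unit_price, int64_t qty) {
    int64_t total;
    if (!total_checked(unit_price, qty, &total)) return false;
    if (total > *gold) return false;
    *gold -= total;
    return true;
}

int main(void) {
    int64_t gold = 5000000000LL;                 /* constructed balance */
    bool ok = purchase(&gold, 3000000, 1000);    /* constructed price and stack */
    printf("unchecked total: %d\n", (int)total_unchecked(3000000, 1000));
    printf("unchecked 0 - 1: %u\n", (unsigned)decrement_unchecked(0));
    printf("purchase ok: %d, gold left: %lld\n", ok, (long long)gold);
    printf("oversized purchase ok: %d\n", purchase(&gold, INT64_MAX, 2));
    return 0;
}
```

The unchecked total comes out negative, which is the "paid to take these things" outcome; the checked path rejects the transaction and leaves the balance untouched.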
[+] Jabbles|13 years ago|reply
Use 64 bit integers everywhere.
[+] meerita|13 years ago|reply
I told this in their forums many times: you cannot have both real world money and one digital currency at the same time. Farming gold is hilarious. You need to implement instead something like bitcoin and it's the only way to stop the inflation.
[+] pilif|13 years ago|reply
Something like this used to work in Sim Farm too: buy and sell a piece of land and watch taxes grow until they flow over and you get a bunch of money instead of paying. If only this worked in real life :-)
[+] nsxwolf|13 years ago|reply
Is this sort of hyperinflation intentional? Or a sign of economic ignorance? I don't get it. Gold is as common as dirt, and players are pumping huge amounts of it into the economy on a constant basis.
[+] ebbv|13 years ago|reply
420,081,335,014 is 420 billion not 420 trillion.
[+] yekko|13 years ago|reply
Coming soon to the real world with Ben's continued money printing. Maybe we can rollback the bank accounts to pre-1999!
[+] WhoIsSatoshi|13 years ago|reply
Is the link down? Can't access content - keeps loading here..