Back to HomeDeployer 0x9bab69...6ece3e Deployment Block 5,098,547 Deployment Date Feb 16, 2018, 04:08 AM Code Size 8.0 KB Gas at Deploy 2,662,192
Deployed February 16, 2018 (8 years ago)Block 5,098,547
First 0xBitcoin clone, deployed 10 days after 0xBTC. Permanently bricked after 12 mints by a reward dust term and a recursive era-cap bug.
Byzantium EraVerified Source
Historical Significance
0xDOGE Token is the first EIP-918 clone deployed on Ethereum, arriving on February 16, 2018 — exactly 10 days after Infernal_toast launched the canonical 0xBitcoin contract. It is also the first proof-of-work token on Ethereum to permanently brick itself. The contract was forked directly from 0xBitcoin but the deployer made five source-level changes, and two of them combined into a fatal bug:
- The mining reward formula was rewritten from
50 * 10^decimals / 2^erato100000 * 10^decimals / 2^era + 10000— adding a +10,000 wei "dust" term that compounds over halvings. - The era cap recurrence in
_startNewMiningEpoch()was changed frommaxSupplyForEra = _totalSupply - _totalSupply / 2^(era+1)to a recursive form:maxSupplyForEra = maxSupplyForEra - maxSupplyForEra / 2^(era+1)— using a newly-inserted state variable namedgcmpoefas the intermediate. Because the constructor calls_startNewMiningEpoch()13 times withrewardEra=0, the era-0 cap decays from 10^18 down to 122,070,312,500,000 before the first mint.
Mining proceeded normally for 12 mints. On mint #13, the running total tokensMinted exceeded the now-decayed maxSupplyForEra, the assert(tokensMinted <= maxSupplyForEra) tripped, and the contract has been frozen at 1,200,000,000,120,000 wei (12 mints × the constant era-0 reward) since February 2018. No further mints are possible. The contract is one of the earliest examples of a non-trivial smart-contract bricking on Ethereum mainnet — and the first to do so through a reward-formula bug.
Context
Deployed February 16, 2018 at block 5,098,547 by 0x9bab691bf10adce7c88fe86a801d5a807f6ece3e. The 9 trillion total supply (9e20 wei × 1e8 decimals) was a Dogecoin nod — Dogecoin's own supply is uncapped but the deployer chose a literal trillions figure for the symbol. The reward dust (+10000) appears intentional — possibly an attempt to keep something claimable after the canonical halvings would have driven era reward to 0 — but the interaction with the recursive era-cap formula was not modeled. The era cap halves against itself rather than against the total supply, so each constructor-invoked era transition compounds the shrinkage geometrically.
Source recovery was performed in May 2026 from the on-chain runtime bytecode. The renamed state variable gcmpoef (selector 0xe1018016) does not appear in any public 4-byte database — it was recovered by parallel keccak256 preimage brute force over the [a-z_]^7 alphabet (~750 million attempts at ~16 MH/s on a 10-core M-series machine, wall time ~50 seconds). The preimage is unique within that alphabet for the selector. All other source changes (the +10000 dust, the recursive era cap, the 6x block-time target in difficulty re-adjustment, the removed getMintDigest function) were recovered by source-level diff against the canonical 0xBitcoinToken source.
Key Facts
Deployment Transaction: 0x78aa89977b89660c...d8e384b863f77278
Source Verified
Soliditysourcify_partial_match
Compiler: 0.4.18+
Sourcify partial match (chain 1, address 0x0d8bB998900AbDB60D7414145e1c542C2CF4e7A9). Recompiled with solc 0.4.18+commit.9cf6e910, optimizer off, runs 200 (Byzantium). Runtime bytecode is byte-identical to the on-chain runtime except for the 32-byte bzzr0 swarm hash in the solc metadata trailer (29 total bytes of diff, all inside the metadata block). Stripped runtime SHA-256: c90a78f1595d0221c4dfb3a4bda8bc3ccd0eaab94e8b86463f33248c5ee63b66. The renamed state variable `gcmpoef` (selector 0xe1018016) was recovered via keccak256 preimage brute force over [a-z_]^7.
Historian Categories
Token
Heuristic Analysis
The following characteristics were detected through bytecode analysis and may not be accurate.
Detected Type: Token
Byzantium Era
First Metropolis hard fork. Added zk-SNARK precompiles, REVERT opcode, and staticcall.
Block span: 4,370,000 — 7,279,999
October 16, 2017 — February 28, 2019
Bytecode Overview
Opcodes8,176
Unique Opcodes242
Jump Instructions343
Storage Operations128
Verified Source Available
This contract has verified source code.
View Verification ProofShow source code (Solidity)
// Submitted by EthereumHistory (ethereumhistory.com)
//
// Contract: 0xDOGE Token (0xDOGE) at 0x0d8bB998900AbDB60D7414145e1c542C2CF4e7A9
// Deployed: 2018-02-16 (block 5098547) by 0x9bab691bf10adce7c88fe86a801d5a807f6ece3e
// Bricked: contract permanently dead at era-0 cap; era-cap formula is recursive
// and reward/cap are misaligned, so mint #13 trips assert(tokensMinted <= maxSupplyForEra).
// See pow-miner/0xdoge-crack-notes.md.
//
// Source: derived from canonical 0xBitcoin source by
// - changing name/symbol/totalSupply constants in the constructor;
// - replacing the reward formula in getMiningReward() (+ "10000 wei" dust);
// - replacing the maxSupplyForEra recurrence in _startNewMiningEpoch() with the
// recursive form (and adding a public scratch variable at slot 15, named "gcmpoef");
// - changing the diff-readjustment block-time target from "* 60" to "* 6";
// - removing the getMintDigest() helper.
//
// Slot-15 scratch variable was named `gcmpoef` (random 7-char string; selector
// 0xe1018016). Recovered via parallel keccak256 preimage brute force over
// [a-z_]^7 (~750M attempts).
//
// Recompiled runtime (8176 bytes) matches on-chain runtime byte-for-byte except
// for the trailing 32-byte bzzr0 swarm hash inside the solc metadata trailer
// — Sourcify partial match.
pragma solidity ^0.4.18;
// ----------------------------------------------------------------------------
// '0xDOGE Token' contract
// Mineable ERC20 Token using Proof Of Work
//
// Symbol : 0xDOGE
// Name : 0xDOGE Token
// Total supply: 9,000,000,000,000.00
// Decimals : 8
//
// ----------------------------------------------------------------------------
// ----------------------------------------------------------------------------
// Safe maths
// ----------------------------------------------------------------------------
library SafeMath {
function add(uint a, uint b) internal pure returns (uint c) {
c = a + b;
require(c >= a);
}
function sub(uint a, uint b) internal pure returns (uint c) {
require(b <= a);
c = a - b;
}
function mul(uint a, uint b) internal pure returns (uint c) {
c = a * b;
require(a == 0 || c / a == b);
}
function div(uint a, uint b) internal pure returns (uint c) {
require(b > 0);
c = a / b;
}
}
library ExtendedMath {
//return the smaller of the two inputs (a or b)
function limitLessThan(uint a, uint b) internal pure returns (uint c) {
if(a > b) return b;
return a;
}
}
// ----------------------------------------------------------------------------
// ERC Token Standard #20 Interface
// https://github.com/ethereum/EIPs/blob/master/EIPS/eip-20-token-standard.md
// ----------------------------------------------------------------------------
contract ERC20Interface {
function totalSupply() public constant returns (uint);
function balanceOf(address tokenOwner) public constant returns (uint balance);
function allowance(address tokenOwner, address spender) public constant returns (uint remaining);
function transfer(address to, uint tokens) public returns (bool success);
function approve(address spender, uint tokens) public returns (bool success);
function transferFrom(address from, address to, uint tokens) public returns (bool success);
event Transfer(address indexed from, address indexed to, uint tokens);
event Approval(address indexed tokenOwner, address indexed spender, uint tokens);
}
// ----------------------------------------------------------------------------
// Contract function to receive approval and execute function in one call
//
// Borrowed from MiniMeToken
// ----------------------------------------------------------------------------
contract ApproveAndCallFallBack {
function receiveApproval(address from, uint256 tokens, address token, bytes data) public;
}
// ----------------------------------------------------------------------------
// Owned contract
// ----------------------------------------------------------------------------
contract Owned {
address public owner;
address public newOwner;
event OwnershipTransferred(address indexed _from, address indexed _to);
function Owned() public {
owner = msg.sender;
}
modifier onlyOwner {
require(msg.sender == owner);
_;
}
function transferOwnership(address _newOwner) public onlyOwner {
newOwner = _newOwner;
}
function acceptOwnership() public {
require(msg.sender == newOwner);
OwnershipTransferred(owner, newOwner);
owner = newOwner;
newOwner = address(0);
}
}
// ----------------------------------------------------------------------------
// ERC20 Token, with the addition of symbol, name and decimals and an
// initial fixed supply
// ----------------------------------------------------------------------------
contract _0xDOGEToken is ERC20Interface, Owned {
using SafeMath for uint;
using ExtendedMath for uint;
string public symbol;
string public name;
uint8 public decimals;
uint public _totalSupply;
uint public latestDifficultyPeriodStarted;
uint public epochCount;//number of 'blocks' mined
uint public _BLOCKS_PER_READJUSTMENT = 1024;
//a little number
uint public _MINIMUM_TARGET = 2**16;
//a big number is easier ; just find a solution that is smaller
//uint public _MAXIMUM_TARGET = 2**224; bitcoin uses 224
uint public _MAXIMUM_TARGET = 2**234;
uint public miningTarget;
bytes32 public challengeNumber; //generate a new one when a new reward is minted
uint public rewardEra;
uint public maxSupplyForEra;
uint public gcmpoef;
address public lastRewardTo;
uint public lastRewardAmount;
uint public lastRewardEthBlockNumber;
bool locked = false;
mapping(bytes32 => bytes32) solutionForChallenge;
uint public tokensMinted;
mapping(address => uint) balances;
mapping(address => mapping(address => uint)) allowed;
event Mint(address indexed from, uint reward_amount, uint epochCount, bytes32 newChallengeNumber);
// ------------------------------------------------------------------------
// Constructor
// ------------------------------------------------------------------------
function _0xDOGEToken() public onlyOwner{
symbol = "0xDOGE";
name = "0xDOGE Token";
decimals = 8;
_totalSupply = 9000000000000 * 10**uint(decimals);
if(locked) revert();
locked = true;
tokensMinted = 0;
rewardEra = 0;
maxSupplyForEra = _totalSupply.div(2);
miningTarget = _MAXIMUM_TARGET;
latestDifficultyPeriodStarted = block.number;
_startNewMiningEpoch();
//The owner gets nothing! You must mine this ERC20 token
//balances[owner] = _totalSupply;
//Transfer(address(0), owner, _totalSupply);
}
function mint(uint256 nonce, bytes32 challenge_digest) public returns (bool success) {
//the PoW must contain work that includes a recent ethereum block hash (challenge number) and the msg.sender's address to prevent MITM attacks
bytes32 digest = keccak256(challengeNumber, msg.sender, nonce );
//the challenge digest must match the expected
if (digest != challenge_digest) revert();
//the digest must be smaller than the target
if(uint256(digest) > miningTarget) revert();
//only allow one reward for each challenge
bytes32 solution = solutionForChallenge[challengeNumber];
solutionForChallenge[challengeNumber] = digest;
if(solution != 0x0) revert(); //prevent the same answer from awarding twice
uint reward_amount = getMiningReward();
balances[msg.sender] = balances[msg.sender].add(reward_amount);
tokensMinted = tokensMinted.add(reward_amount);
//Cannot mint more tokens than there are
assert(tokensMinted <= maxSupplyForEra);
//set readonly diagnostics data
lastRewardTo = msg.sender;
lastRewardAmount = reward_amount;
lastRewardEthBlockNumber = block.number;
_startNewMiningEpoch();
Mint(msg.sender, reward_amount, epochCount, challengeNumber );
return true;
}
//a new 'block' to be mined
function _startNewMiningEpoch() internal {
//if max supply for the era will be exceeded next reward round then enter the new era before that happens
//40 is the final reward era, almost all tokens minted
//once the final era is reached, more tokens will not be given out because the assert function
if( tokensMinted.add(getMiningReward()) > maxSupplyForEra && rewardEra < 39)
{
rewardEra = rewardEra + 1;
}
//set the next minted supply at which the era will change
// total supply is 2100000000000000 because of 8 decimal places
gcmpoef = maxSupplyForEra - maxSupplyForEra.div( 2**(rewardEra + 1));
maxSupplyForEra = gcmpoef;
epochCount = epochCount.add(1);
//every so often, readjust difficulty. Dont readjust when deploying
if(epochCount % _BLOCKS_PER_READJUSTMENT == 0)
{
_reAdjustDifficulty();
}
//make the latest ethereum block hash a part of the next challenge for PoW to prevent pre-mining future blocks
//do this last since this is a protection mechanism in the mint() function
challengeNumber = block.blockhash(block.number - 1);
}
//https://en.bitcoin.it/wiki/Difficulty#What_is_the_formula_for_difficulty.3F
//as of 2017 the bitcoin difficulty was up to 17 zeroes, it was only 8 in the early days
//readjust the target by 5 percent
function _reAdjustDifficulty() internal {
uint ethBlocksSinceLastDifficultyPeriod = block.number - latestDifficultyPeriodStarted;
//assume 360 ethereum blocks per hour
//we want miners to spend 10 minutes to mine each 'block', about 60 ethereum blocks = one 0xbitcoin epoch
uint epochsMined = _BLOCKS_PER_READJUSTMENT; //256
uint targetEthBlocksPerDiffPeriod = epochsMined * 6; //should be 6 times slower than ethereum
//if there were less eth blocks passed in time than expected
if( ethBlocksSinceLastDifficultyPeriod < targetEthBlocksPerDiffPeriod )
{
uint excess_block_pct = (targetEthBlocksPerDiffPeriod.mul(100)).div( ethBlocksSinceLastDifficultyPeriod );
uint excess_block_pct_extra = excess_block_pct.sub(100).limitLessThan(1000);
// If there were 5% more blocks mined than expected then this is 5. If there were 100% more blocks mined than expected then this is 100.
//make it harder
miningTarget = miningTarget.sub(miningTarget.div(2000).mul(excess_block_pct_extra)); //by up to 50 %
}else{
uint shortage_block_pct = (ethBlocksSinceLastDifficultyPeriod.mul(100)).div( targetEthBlocksPerDiffPeriod );
uint shortage_block_pct_extra = shortage_block_pct.sub(100).limitLessThan(1000); //always between 0 and 1000
//make it easier
miningTarget = miningTarget.add(miningTarget.div(2000).mul(shortage_block_pct_extra)); //by up to 50 %
}
latestDifficultyPeriodStarted = block.number;
if(miningTarget < _MINIMUM_TARGET) //very difficult
{
miningTarget = _MINIMUM_TARGET;
}
if(miningTarget > _MAXIMUM_TARGET) //very easy
{
miningTarget = _MAXIMUM_TARGET;
}
}
//this is a recent ethereum block hash, used to prevent pre-mining future blocks
function getChallengeNumber() public constant returns (bytes32) {
return challengeNumber;
}
//the number of zeroes the digest of the PoW solution requires. Auto adjusts
function getMiningDifficulty() public constant returns (uint) {
return _MAXIMUM_TARGET.div(miningTarget);
}
function getMiningTarget() public constant returns (uint) {
return miningTarget;
}
//21m coins total
//reward begins at 50 and is cut in half every reward era (as tokens are mined)
function getMiningReward() public constant returns (uint) {
//once we get half way thru the coins, only get 25 per block
//every reward era, the reward amount halves.
return (100000 * 10**uint(decimals) ).div( 2**rewardEra ) + 10000 ;
}
//help debug mining software
function checkMintSolution(uint256 nonce, bytes32 challenge_digest, bytes32 challenge_number, uint testTarget) public view returns (bool success) {
bytes32 digest = keccak256(challenge_number,msg.sender,nonce);
if(uint256(digest) > testTarget) revert();
return (digest == challenge_digest);
}
// ------------------------------------------------------------------------
// Total supply
// ------------------------------------------------------------------------
function totalSupply() public constant returns (uint) {
return _totalSupply - balances[address(0)];
}
// ------------------------------------------------------------------------
// Get the token balance for account `tokenOwner`
// ------------------------------------------------------------------------
function balanceOf(address tokenOwner) public constant returns (uint balance) {
return balances[tokenOwner];
}
// ------------------------------------------------------------------------
// Transfer the balance from token owner's account to `to` account
// - Owner's account must have sufficient balance to transfer
// - 0 value transfers are allowed
// ------------------------------------------------------------------------
function transfer(address to, uint tokens) public returns (bool success) {
balances[msg.sender] = balances[msg.sender].sub(tokens);
balances[to] = balances[to].add(tokens);
Transfer(msg.sender, to, tokens);
return true;
}
// ------------------------------------------------------------------------
// Token owner can approve for `spender` to transferFrom(...) `tokens`
// from the token owner's account
//
// https://github.com/ethereum/EIPs/blob/master/EIPS/eip-20-token-standard.md
// recommends that there are no checks for the approval double-spend attack
// as this should be implemented in user interfaces
// ------------------------------------------------------------------------
function approve(address spender, uint tokens) public returns (bool success) {
allowed[msg.sender][spender] = tokens;
Approval(msg.sender, spender, tokens);
return true;
}
// ------------------------------------------------------------------------
// Transfer `tokens` from the `from` account to the `to` account
//
// The calling account must already have sufficient tokens approve(...)-d
// for spending from the `from` account and
// - From account must have sufficient balance to transfer
// - Spender must have sufficient allowance to transfer
// - 0 value transfers are allowed
// ------------------------------------------------------------------------
function transferFrom(address from, address to, uint tokens) public returns (bool success) {
balances[from] = balances[from].sub(tokens);
allowed[from][msg.sender] = allowed[from][msg.sender].sub(tokens);
balances[to] = balances[to].add(tokens);
Transfer(from, to, tokens);
return true;
}
// ------------------------------------------------------------------------
// Returns the amount of tokens approved by the owner that can be
// transferred to the spender's account
// ------------------------------------------------------------------------
function allowance(address tokenOwner, address spender) public constant returns (uint remaining) {
return allowed[tokenOwner][spender];
}
// ------------------------------------------------------------------------
// Token owner can approve for `spender` to transferFrom(...) `tokens`
// from the token owner's account. The `spender` contract function
// `receiveApproval(...)` is then executed
// ------------------------------------------------------------------------
function approveAndCall(address spender, uint tokens, bytes data) public returns (bool success) {
allowed[msg.sender][spender] = tokens;
Approval(msg.sender, spender, tokens);
ApproveAndCallFallBack(spender).receiveApproval(msg.sender, tokens, this, data);
return true;
}
// ------------------------------------------------------------------------
// Don't accept ETH
// ------------------------------------------------------------------------
function () public payable {
revert();
}
// ------------------------------------------------------------------------
// Owner can transfer out any accidentally sent ERC20 tokens
// ------------------------------------------------------------------------
function transferAnyERC20Token(address tokenAddress, uint tokens) public onlyOwner returns (bool success) {
return ERC20Interface(tokenAddress).transfer(owner, tokens);
}
}