Don’t trust Sugarbeet by Beetworld.

Robert Muncaster, Bitcoin Nobody
10 min read · Dec 13, 2023

You should not trust unaudited code, and you should not trust closed source (hidden) code, especially when the people behind it are unaccountable and anonymous. Giving your coins to an exchange is bad, Not Your Keys Not Your Coins — but at least there is legal recourse, however bad and expensive that is.

Sugarbeet is unaudited, private closed source code. You will deposit your coins in their wallet and it will then be ‘staked’.
If you want to withdraw your coins, that makes an API call to api.sugarbeet.world, which then initiates an onchain transaction. That server is an EC2 instance in AWS UK. The withdrawal appears lightning fast for one reason — the balance lives in a local database of some sort on their server, so an API call is enough to update it. The actual withdrawal is onchain and therefore takes the 15 seconds you’d expect for the tx to be confirmed.
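
To make the risk in that design concrete, here is an added example (not Sugarbeet’s code; the ledger, user names, amounts and tx hashes are assumed) of an off-chain withdrawal ledger that reserves the amount on the API call and only settles it against the on-chain receipt, refunding when the transaction fails instead of leaving the balance silently decremented. It also rejects duplicate and over-balance requests and keeps an owed-total invariant a user could reconcile against.

```python
# Added example, not Sugarbeet's code: reserve funds on the API call and only
# finalize the debit after the on-chain receipt, refunding on failure.
from dataclasses import dataclass, field
CONFIRMED, FAILED, PENDING = "confirmed", "failed", "pending"

@dataclass
class Withdrawal:
    user: str
    amount: int          # smallest token unit; sample values are constructed
    tx_hash: str
    state: str = PENDING
@dataclass
class Ledger:
    available: dict                              # user -> spendable balance
    pending: dict = field(default_factory=dict)  # tx_hash -> reserved Withdrawal
    history: list = field(default_factory=list)  # settled withdrawals

    def request_withdrawal(self, user, amount, tx_hash):
        # API-call path: move funds into a reservation, not straight off the books
        if amount <= 0 or self.available.get(user, 0) < amount:
            raise ValueError("insufficient balance")
        if tx_hash in self.pending:
            raise ValueError("duplicate withdrawal")
        self.available[user] -= amount
        self.pending[tx_hash] = Withdrawal(user, amount, tx_hash)

    def reconcile(self, receipts):
        # Settle reservations against on-chain receipts (tx_hash -> status)
        for tx_hash in list(self.pending):
            status = receipts.get(tx_hash, PENDING)
            if status == PENDING:
                continue                  # not mined yet: keep the reservation
            w = self.pending.pop(tx_hash)
            w.state = status
            if status == FAILED:
                self.available[w.user] += w.amount  # reverted: funds never left
            self.history.append(w)
        return self.history

    def total_owed(self, user):
        # Spendable plus reserved: what the user can still get back
        return self.available.get(user, 0) + sum(
            w.amount for w in self.pending.values() if w.user == user)

def demo():
    ledger = Ledger(available={"alice": 1000})
    ledger.request_withdrawal("alice", 400, "0xaaa")  # constructed tx hashes
    ledger.request_withdrawal("alice", 100, "0xbbb")
    ledger.reconcile({"0xaaa": FAILED})  # constructed receipts; 0xbbb still unmined
    return ledger
```

In the flow the post describes, there is no reservation to refund, so a failed onchain tx leaves the UI balance lower with nothing to show for it.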

You don’t know if that code is good or bad, you don’t know if it’s honest. You don’t know how the keys are stored (are they on the EC2 instance? Are they in KMS? What if this machine is hacked?). Is there redundancy? No (you know this because it maps to a hostname and not a front-end router). How do you know these gentlefolk pay their AWS bill on time? What if they get sick and go to the hospital and forget to pay their AWS bill? Bullocks, sorry, your money is locked in their private address.

You want to know what else you don’t know? Are they agents of the state (the FBI is known to control many mixers)? There is a lot of trust that goes into you using Sugarbeet, a lot of trust, and that trust goes directly to people you don’t know, who are anonymous. It’s easily worth arguing that they should be anonymous; privacy protocols are not in vogue with our local authorities. But do you know how easy it is for the FBI to subpoena AWS and get all logs related to the above EC2 instance? If the DPRK decided to use Sugarbeet instead of TornadoCash, do you know how easy it would be for the FBI to get everything? They might even have your IP logs mapped to your PLS address. You don’t know. Who’s on the billing account in AWS?

If you choose to ignore all of the above, you trust this team with your hard-earned, long-HODL’d crypto — I want to burst your bubble with my recent experience with their platform, where I lost money. I suspect it’s a bug in their protocol as opposed to a rug or by design, but in all honesty, if they coded that 1/100 withdrawals fails by design as a slow rug… there’s no way to audit that, you don’t see their code… you just trust it. And if and when you do lose money in there and you reach out to them to ask what happened, they can just call you a liar and a scammer and call it a day.

This was my experience.

For privacy reasons: amounts, timestamps, signatures, addresses are all removed. I am willing to share these details with certain reputable people in the community, if they want to validate details before resharing. In that regard, I am keeping out specific proof here.

As an early adopter I provided LP to Sugarbeet early after launch. I did not add anything major, but certainly enough to purchase a used car.

I went to withdraw funds the other day to a new wallet (to experience ‘privacy’), and within the web UI I saw my balance decrease, and 20 minutes or so later noticed the funds never arrived at the new wallet.

Figuring I may have fat-fingered the address, or what, I checked everything on the blockchain to see where the funds had gone, since user error is very possible and if that happened, well, it’s my fault. I could not find a movement of that amount of the token on the blockchain, but found a transaction that lined up that was listed as ‘failed’. So I reached out to the developers.

As a native of Birmingham I’m trying to use my British charm here and be civil — we all want to do the right thing. I want them to have a successful protocol. If there is loss of funds that sucks, but there’s an opportunity for them to find out why, fix any bugs and make sure it’s solid code. If they can recover the funds that’s a net plus, but at this point I assume the funds are gone.

I decided to also ping @EMPboomer, who seemed to be a dev or at least an official spokesman for the team.

A few notes on the above discourse. I’m not attacking, just trying to get to the bottom of it — namely to help them fix their code. EMPboomer acknowledges the failed transaction amount and corrects my amount with greater accuracy, confirming that it’s correct. Another point is that EMPboomer is not the dev, as per this chat. If you’re wondering why you see EB instead of the beetroot icon — it’s because he later blocks me, so this is my current view of the chat (in an amateur manner, he blocked me without selecting ‘delete chat for both of us’), meaning I still have the receipts.

DAY 2:

Once again, read my demeanor. I’m ok with losing the funds here, which is more than reasonable. My level of concern escalates after EMPBoomer claims that everything looks fine on their end. You can see from my tone I get a little more passionate, and am suggesting he should halt the site until he gets to the bottom of it.
For perspective: I’ve built large SW projects. If there’s a hint of a bug you spend hours and hours and hours investigating — if the bug is ‘funds lost’, this is a pretty bad type of bug that you absolutely don’t want to be associated with. I’m not advertising this, I’m keeping it between me and the team.

Now — there’s a real chance I’m a scammer trying to scam the team. My assumption (now) is that’s what they are thinking. It’s small/amateur thinking, for the following reasons:

  • The actor is not requesting his tokens back.
  • The actor is giving real addresses, real transactions.
  • The actor’s wallet balance dwarfs the amount in question.
  • The actor is raising the possibility of a critical flaw in their code that they can’t verify. This alone, even if the actor were a scammer, is a massive red flag to a serious dev/product team.

The conversation goes on and there are more red flags. I am providing onchain verifiable amounts, and he isn’t even looking at those amounts. He’s struggling to even know the amount in dispute… the guy doesn’t understand his own protocol/code and apparently his dev doesn’t either.

I should not have to dox myself — but again, my charm. I do this the crypto way, signing a message, which unfortunately I think went over his head because he stopped liking me all of a sudden. I had C/P’d the signature above so that he could easily verify the msg.

Things to note: 2 checkmarks means read, one checkmark means not read. So he has not read the last 2 messages. This was when I realized what the EB for his icon meant: “oh, he blocked me… and he banned me from beetroot chat”. Whoa boy — what were red flags quickly turned into a mushroom cloud.

  • Boy creates centralized ‘privacy’ app.
  • Boy notified of critical loss of funds bug.
  • Boy bans the messenger.

Bullocks, now I’m thinking this boy is just mad. I decide to try to find others in their community (maybe it’s a bigger team? Maybe I hit a nerve?). Surely others might care that they have a critical bug in their code that their dev can’t even diagnose?

2 silly mistakes this project owner made:

  • He blocked me without having telegram delete our chat history (epic fail)
  • I was still able to access the forum for a while and get the list of users/admins. They’ve since rectified this so I’m REALLY banned. I suspect because I reached out and made my case to another admin/investor who is likely quite concerned by my story.

In the meantime I tried all avenues… because if I were in their position I would want to know I had such a bug.

What’s strange here — I remember Marcelo having a different icon too. Can it be? When EMPboomer banned me, and blocked me, the other admin also blocked me. There’s actual effort there — they are really trying to hush this one up. Either they are VERY embarrassed, or worse — maybe the funds being lost wasn’t a bug but a real-life Office Space style scam: ‘every X transaction just fails and we keep the funds’. Gee, an audit would be nice. Seeing the source code would be nice. I guess it’s their word against my experience.

Then I decide to reach out on Twitter, not sure if they are a bigger team, who knows, right?

Interestingly enough — you can see that they’ve seen at least the first 2 messages. Given that, after the above, I did get through to them through another admin — I am beginning to wonder if there is actually a scam.

Out of frustration, as a last resort… I make a post to Twitter that I assume they will see (they follow me)… basically saying I will name their project if they don’t do the right thing. I didn’t name a project yet, but they knew who they were… so there they are in my replies (again, amateur hour).

Net Net

If you’re reading this — I can prove most if not all of the above, and I’ll do this for doxxed people of note who want to make sure I’m not a scamming jackass before they reshare the story… it’s not cool to spread FUD for the sake of FUD. The reality is that I could be a bitter scammer, so they would likely want to see more info from me before resharing and risking tarnishing their brand. What is not provable is what their code does (it’s closed source) without their code being exposed and all API calls made to their platform since inception.

Reality Check: this is hidden, closed source code and you are giving up your coins and custodying them in their possession on some server in the UK. That alone should keep you far away from the project. My story is my story — and it’s what happens when you put your money in someone else’s hands; that’s my responsibility and I own it. When I noticed a bug, I tried to get their team informed about the bug, but their response to my interactions should be a serious red flag to all. If, after all of this, you continue to use their Sugarbeet protocol — you deserve what may or may not happen to you.

Final Note:

If the Beetroot team doxxes any of the hidden details that I laid out, it should serve as the nail in the coffin of whether they can be trusted or not. I continue to act in good faith, and want to see them succeed, but they have a bug they need to fix, and doxxing me would just show how much they value your and my privacy.

Looks like they’ve already ‘threatened’ to doxx my address in Telegram — again from Marcelo, who I’ve never even engaged with. Cute points to note:

  • They get to pretend I’m scamming. That’s fine, I don’t care about the lost funds. I do care that they run closed source hidden software, and others will lose money. I think the fact they blocked me while I was trying to provide my proof, etc… tells me they are either freaking out, or they are bad actors.
  • No FUD has been spread, I haven’t even named names until now.
  • They assume I think I’m well known. I’m not well known — I’m nobody.

Robert Muncaster, Bitcoin Nobody

- Equities and options Trader, long/short. Crypto will change the world