Test launch of TEA open source reward project clouded by repository spam attack 

A project set up to reward open source developers has stumbled after scammers who targeted GitHub repositories in search of crypto rewards made meaningless contributions to open source projects.

The open source Ghost CMS (Content Management System) saw its GitHub repository receive multiple pull requests (PRs) whose sole purpose was to register the contributor with the TEA project, via a file called tea.yaml. “I believe people are rushing to add this file without explaining what it does because in each case it establishes their blockchain wallet as the ‘code owner’ of the popular Ghost project, even though they aren’t regular contributors. So in practice the TEA project is not helping to support the Ghost project, but is instead causing a rush of self-serving PRs to be submitted to cash-in on other people’s work,” said bona fide Ghost contributor Mark Stosberg.

One reason Ghost was targeted was that the TEA project had featured it in an introductory video. Other repositories also suffered, including those for Node.js and Grafana. “This is why I often hate crypto. This idea and execution has done nothing but steal time from open source contributors and clog up review time and research for a bunch of garbage pull requests,” complained developer Connor Tumbleson, who saw a similar PR on a repository of his own.

The TEA project and company was founded in 2021 by Homebrew creator Max Howell and blockchain developer Timothy Lewis, with the intention of helping to fund open source software via a blockchain-based “proof of contribution” algorithm. According to the white paper, “registered projects will receive rewards from the tea protocol commensurate with their contributions.” The project is not yet live, but February 21st saw the launch of a “Testnet” enabling developers to try out the protocol and web app. 

Howell apologised for the incident and said: “we are going to add verification steps to ensure we do not generate YAML for projects without proof that the user is a legitimate contributor.” Detail came soon after, when the TEA project posted about an enhanced project registration process, whereby a contributor’s GitHub account is linked to their TEA profile and the service checks that the user is listed as a contributor on the project for which they are claiming contributions, along with further checks.

According to the roadmap, tea will proceed with its full version 1.0 launch on June 12th this year, and on the same day will issue tea tokens.

Rewarding open source developers is a hard problem, but it is not surprising that the sniff of something for nothing has attracted the wrong sort of attention. 

There is another question too, presuming that TEA manages to stem the tide of phoney contributors, which is where the money comes from that will reward open source developers. The TEA web site invites donations, stating that “anyone can donate tokens to any software project registered with the tea protocol. Donated tokens may be native to tea or among the protocol’s supported stablecoins.” Then again, there are already less complicated ways to donate to open source, and it is well known that donation alone is generally insufficient for sustainability.

As for the Ghost project, a contributor has come up with a GitHub Action that might help: automatically close PRs which include tea.yaml changes or additions.
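As an added illustration of that idea (this is not the Ghost contributor's Action, nor anything published by the TEA project), the workflow below closes any pull request that adds or modifies a file named tea.yaml. It assumes a GitHub-hosted runner with the gh CLI preinstalled; the closing comment text is a constructed placeholder.

```yaml
# Added example, not the Ghost project's own workflow: auto-close PRs that touch tea.yaml.
# Assumes GitHub-hosted runners (gh CLI preinstalled); the comment text is a placeholder.
name: Close tea.yaml pull requests

on:
  pull_request_target:
    types: [opened, synchronize, reopened]

permissions:
  contents: read
  pull-requests: write

jobs:
  close-tea-yaml:
    runs-on: ubuntu-latest
    steps:
      # Deliberately no actions/checkout: this job never runs code from the PR,
      # which is what makes pull_request_target (and its write token) safe here.
      - name: Close PR if it adds or changes tea.yaml
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_REPO: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          set -euo pipefail
          # List the files changed in the PR via the REST API, so no checkout is needed.
          files=$(gh api "repos/${GH_REPO}/pulls/${PR_NUMBER}/files" --paginate --jq '.[].filename')
          # Match tea.yaml at the repository root or in any subdirectory.
          if printf '%s\n' "$files" | grep -Eq '(^|/)tea\.yaml$'; then
            gh pr close "$PR_NUMBER" \
              --comment "Automatically closed: this pull request adds or changes tea.yaml. Registration with the tea protocol is a maintainer decision, not something accepted via drive-by pull requests."
          else
            echo "No tea.yaml change detected; leaving the PR open."
          fi
```

Two design points matter. First, the trigger is pull_request_target rather than pull_request: on a fork PR the latter only gets a read-only token, which cannot close anything. Second, because pull_request_target runs with the base repository's permissions, the job must never check out or execute the PR's code; inspecting the changed-file list through the API keeps the untrusted contribution at arm's length while still letting the workflow act on it.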