Our consultants at Mantra identified a critical flaw in a European Deposit Return System (DRS), which could allow a malicious actor to exploit the system for unlimited monetary gain. This article outlines our investigative process and offers a practical recommendation for addressing this vulnerability. The proposed solution should be technically feasible within the existing framework, enhancing the security and reliability of the DRS.

Disclaimer: The title of this post reflects a common style of naming in the tech community. No fraudulent activity was conducted in this research. Not by us, at least!
Our aim is to highlight potential areas for improvement in this particular collection/recycling environment, with no intent to disrupt or block the existing system. After careful consideration and responsible disclosure to the relevant company, we’re sharing our findings to promote awareness and refinement in barcode-based recycling methods.

The European Union created the Directive 2019/904 that deals with the reduction of certain plastic items including single use plastic (SUP). It demands that the member countries collect the 90% of SUP that are sold for recycling. Sounds great, although PET recycling seems to be a lie (glass and aluminium is not) anyways, but institutionalised collection is definitely the right step forward.

Many EU countries have implemented deposit return systems, where customers pay a small deposit on plastic bottles (and cans) that’s refunded when they return the empty bottles at collection points. This system has existed for years in some regions, while others have adopted it only recently. One particular country introduced the system this year, where our consultants had the chance to collect some experience with the process.