Bitcoin Forum

Alternate cryptocurrencies => Altcoin Discussion => Topic started by: flound1129 on May 30, 2013, 11:57:03 PM



Title: [ANN][IMPORTANT] Vulnerability in stratum-mining - Fix your pools ASAP
Post by: flound1129 on May 30, 2013, 11:57:03 PM
Per the following post (https://forum.litecoin.net/index.php/topic,4002.0.html) on the litecoin forums, a few pools have reportedly been attacked by miners exploiting this vulnerability.

The vulnerability in the viperaus fork of stratum-mining (and possibly others) allows miners to submit extremely low difficulty shares that will be considered valid by the pool because the difficulty calculation is off by a factor of 2^16 (65536).

Thanks to Skyfall on the Litecoin forums for posting the patch:

Quote
Change line 145 (if you're using viperaus):
https://github.com/viperaus/stratum-mining/blob/master/lib/template_registry.py#L145

Code:
diff1 = 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000

to this:

Code:
diff1 = 0x0000ffff00000000000000000000000000000000000000000000000000000000
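An added example (not from the thread and not stratum-mining's own code) showing why the diff1 constant matters: the pool derives every share target from diff1, so a constant that is 2^16 too large accepts shares that prove 65536 times less work than the pool credits, and re-checking accepted shares against the correct constant shows which workers benefited. The oversized constant, hash values and worker names are constructed for illustration.

```python
# Added example for this thread (not code from stratum-mining or from any poster):
# how a pool's share check depends on the diff1 constant, and how an oversized
# constant lets under-difficulty shares through. Hash values below are constructed.

# Difficulty-1 target for scrypt pools, as in the corrected template_registry.py line.
DIFF1_CORRECT = 0x0000ffff00000000000000000000000000000000000000000000000000000000

# A constant that is 2^16 (65536) too large, built here to illustrate the factor the
# post describes; it is not a copy of the fork's original value.
DIFF1_OVERSIZED = DIFF1_CORRECT << 16


def share_target(diff1, difficulty):
    """Largest hash value the pool accepts at the given share difficulty."""
    return diff1 // difficulty


def is_valid_share(hash_int, diff1, difficulty):
    """The pool-side check: a share is valid when its hash does not exceed the target."""
    return hash_int <= share_target(diff1, difficulty)


def implied_difficulty(hash_int, diff1=DIFF1_CORRECT):
    """Difficulty a share hash actually proves, relative to the given diff1."""
    return diff1 / hash_int


def audit_shares(shares, difficulty):
    """Re-check accepted (worker, hash_int) pairs against the correct constant and
    return the workers whose shares never met the required difficulty."""
    return sorted({w for w, h in shares if not is_valid_share(h, DIFF1_CORRECT, difficulty)})


# Constructed hashes for a pool running at share difficulty 32.
POOL_DIFFICULTY = 32
LEGIT_HASH = 1 << 230   # well under the correct target (about 2^235 at difficulty 32)
WEAK_HASH = 1 << 238    # proves only about 4x diff1, far short of 32

if __name__ == "__main__":
    for name, h in (("legit", LEGIT_HASH), ("weak", WEAK_HASH)):
        ok_fixed = is_valid_share(h, DIFF1_CORRECT, POOL_DIFFICULTY)
        ok_oversized = is_valid_share(h, DIFF1_OVERSIZED, POOL_DIFFICULTY)
        print(f"{name}: correct diff1 -> {ok_fixed}, oversized diff1 -> {ok_oversized}, "
              f"real difficulty ~{implied_difficulty(h):.2f}")
    accepted = [("worker-a", LEGIT_HASH), ("worker-b", WEAK_HASH), ("worker-b", WEAK_HASH)]
    print("workers submitting under-difficulty shares:", audit_shares(accepted, POOL_DIFFICULTY))
```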



Title: Re: [ANN][IMPORTANT] Vulnerability in stratum-mining - Fix your pools ASAP
Post by: flound1129 on May 31, 2013, 12:26:38 AM
bump


Title: Re: [ANN][IMPORTANT] Vulnerability in stratum-mining - Fix your pools ASAP
Post by: peacefulmind on May 31, 2013, 12:31:07 AM
This is huge.

I lost out about $100 over 3 days because of this - it has hit two major pools I know for sure because of the drops in earnings I saw first hand - both give-me-ltc and we-mine-ltc.

I moved miners to Coinotron and all my earnings shot right back up to estimates. I will be staying on Coinotron until the above-mentioned pools want to announce how they are going to compensate miners that were stolen from.

To be clear though - this is NOT a problem with Litecoin - it is problem with certain pools.


Title: Re: [ANN][IMPORTANT] Vulnerability in stratum-mining - Fix your pools ASAP
Post by: fenican on May 31, 2013, 12:51:58 AM
Does this impact p2pool or only push pools?


Title: Re: [ANN][IMPORTANT] Vulnerability in stratum-mining - Fix your pools ASAP
Post by: fcmatt on May 31, 2013, 12:54:45 AM
Well, I checked this morning the change I made last night. Due to my files being owned by root and my running stratum as a different user, it did not create the .pyc file. So I chown'd the directory and restarted the daemon. So the block the pool found last night was not fully using the new code change. This time the .pyc file was created. (I rarely use python. I use php, perl, and C more than python.)

My question is: if python cannot create the .pyc file, does the application simply run anyway without it? Because the pool did find a block in that condition.

So can anyone confirm, after the change, did your pool find a block to verify the code did not disrupt normal operations?


Title: Re: [ANN][IMPORTANT] Vulnerability in stratum-mining - Fix your pools ASAP
Post by: flound1129 on May 31, 2013, 12:57:40 AM
Quote
Well, I checked this morning the change I made last night. Due to my files being owned by root and my running stratum as a different user, it did not create the .pyc file. So I chown'd the directory and restarted the daemon. So the block the pool found last night was not fully using the new code change. This time the .pyc file was created. (I rarely use python. I use php, perl, and C more than python.)

My question is: if python cannot create the .pyc file, does the application simply run anyway without it? Because the pool did find a block in that condition.

So can anyone confirm, after the change, did your pool find a block to verify the code did not disrupt normal operations?

Yes, my pool has found blocks on mnc, wdc and sxc since I implemented the fix.


Title: Re: [ANN][IMPORTANT] Vulnerability in stratum-mining - Fix your pools ASAP
Post by: fcmatt on May 31, 2013, 01:00:27 AM
Quote
Well, I checked this morning the change I made last night. Due to my files being owned by root and my running stratum as a different user, it did not create the .pyc file. So I chown'd the directory and restarted the daemon. So the block the pool found last night was not fully using the new code change. This time the .pyc file was created. (I rarely use python. I use php, perl, and C more than python.)

My question is: if python cannot create the .pyc file, does the application simply run anyway without it? Because the pool did find a block in that condition.

So can anyone confirm, after the change, did your pool find a block to verify the code did not disrupt normal operations?

Yes, my pool has found blocks on mnc, wdc and sxc since I implemented the fix.

But not litecoin.

I just did some googling. That .pyc file is sort of created for the next time the program is run. Everything is in memory anyway, so if it cannot create it, no big deal. It just has to do it again next time it is run...


Title: Re: [ANN][IMPORTANT] Vulnerability in stratum-mining - Fix your pools ASAP
Post by: flound1129 on May 31, 2013, 01:09:39 AM
Quote
Well, I checked this morning the change I made last night. Due to my files being owned by root and my running stratum as a different user, it did not create the .pyc file. So I chown'd the directory and restarted the daemon. So the block the pool found last night was not fully using the new code change. This time the .pyc file was created. (I rarely use python. I use php, perl, and C more than python.)

My question is: if python cannot create the .pyc file, does the application simply run anyway without it? Because the pool did find a block in that condition.

So can anyone confirm, after the change, did your pool find a block to verify the code did not disrupt normal operations?

Yes, my pool has found blocks on mnc, wdc and sxc since I implemented the fix.

But not litecoin.

I just did some googling. That .pyc file is sort of created for the next time the program is run. Everything is in memory anyway, so if it cannot create it, no big deal. It just has to do it again next time it is run...

No, not litecoin, but it's almost the exact same codebase so I don't see why it shouldn't. We are averaging about 2 days per litecoin block at the moment.


Title: Re: [ANN][IMPORTANT] Vulnerability in stratum-mining - Fix your pools ASAP
Post by: M0nsieurChat on May 31, 2013, 02:19:39 PM
Patch is working flawlessly on our pool (solving a block every 3 hours)


Title: Re: [ANN][IMPORTANT] Vulnerability in stratum-mining - Fix your pools ASAP
Post by: fcmatt on May 31, 2013, 03:08:13 PM
Quote
Patch is working flawlessly on our pool (solving a block every 3 hours)

Thank you.

Since I implemented it I have only had an orphan, so naturally I worry. I did have a block with no .pyc file created due to a permission problem, so that meant it was probably working fine based on my understanding of python and .pyc files.

But good to hear this from you.