Bitcoin Forum

Alternate cryptocurrencies => Announcements (Altcoins) => Topic started by: porqupine on July 24, 2014, 09:16:53 PM



Title: [ANN] Counterparty Protocol CFD Exploit - Cash out any CFD's
Post by: porqupine on July 24, 2014, 09:16:53 PM
*Updated*
Technical Analysis: https://xcpfeeds.info/cfd_exploit/

Note as of earlier today Counterparty CFDs are disabled




Here is the Bot to exploit said vulnerability: https://github.com/porqup1ne/cfd_camper

I've made multiple attempts to disclose this. Also I have offered to prove the exploit on a CFD made by PhantomPhreak - he has refused to do so, but has deleted my posts from the official thread.


Hi everyone, I'm known as Porqupine on Bitcointalk and Porqup1ne on reddit,
My github is here https://github.com/porqup1ne -
I am the sole developer/maintainer of https://xcpfeeds.info
I have also contributed consistently to bug fixing the Counterpartyd reference client and its development.

I am announcing publicly because over a week ago I discovered a bug in the Counterparty CFD implementation which could be exploited to cause anyone making CFD's to lose their entire wager. I have spent the entire week in attempting to make a reasonable disclosure of this issue and to implement a fix. I have been blocked on Skype by Phantomphreak, my emails have been ignored, he has denied that there is any kind of exploit or vulnerability, and my requests have been closed on Github.

I have made sure to keep Evan, Ouziel and Robby (the other team members) aware of this issue as well, and have CCed them in all of my correspondence with PhantomPhreak (Adam). I have proposed a working fix - which anyone can verify is working. PhantomPhreak (Adam) claims he has done work on this issue - he has opened a ticket specifically ignoring my discussion of why that ticket will not work, his 'example fix' causes Sanity Errors in the protocol, he has demonstrated consistent disregard for the exploit by denying it exists or any such thing is possible.

After my initial private communications were shut off I open sourced a bot 'CFD Camper' (https://github.com/porqup1ne/cfd_camper) in an attempt to disclose this issue without getting jerked around again by these internal communications. These have had no effect. I cannot in good faith continue to develop or promote XCPfeeds.info or Counterparty while this remains unfixed. Those users who have lost their funds to CFD Camper (it has only been around 80 XCP worth of bets) will be reimbursed directly to their addresses.

I will now proceed to publicly demonstrate the nature of this exploit, shortly after I will post an article explaining how CFD Camper works, the nature of the exploit, the technical details of the code that led to it, and so forth, for those technically interested.

P.S. PhantomPhreak will obviously try to delete my posts and otherwise ban me. Please believe me when I say I am making this public because this is a fundamental issue for anyone invested in Counterparty or interested in open-source finance. Protocol development I am convinced cannot be in the hands of a maniac with various eccentricities that prevent him from taking responsibility and giving consideration to opinions other than his own, especially when it leaves users vulnerable to loss of funds.

TL;DR: I am an open-source developer working on the Counterparty platform, I have spent over a week getting jerked around by Adam (PhantomPhreak) while trying to disclose and fix a security issue. I am now publicly disclosing the issue, I will prove it is an issue by exploiting it to steal an arbitrary amount of funds from any open CFD. I am selling all my stake and I am done developing on Counterparty.


Title: Re: [ANN] Counterparty Protocol Exploit - Cash out any CFD's
Post by: seedtrue on July 24, 2014, 09:18:06 PM
I never got involved with Counterparty, but this issue seems big.


Title: Re: [ANN] Counterparty Protocol Exploit - Cash out any CFD's
Post by: KeyserSozeMC on July 24, 2014, 09:18:50 PM
Did you try to approach him privately? Not publicly?

Maybe he felt attacked, or something?


Title: Re: [ANN] Counterparty Protocol Exploit - Cash out any CFD's
Post by: porqupine on July 24, 2014, 09:23:07 PM
Quote
Did you try to approach him privately? Not publicly?

Maybe he felt attacked, or something?

I have indeed messaged him in private, to the point of being blocked on Skype, then spent a week attempting to email and make him aware of this, I have also CCed all the other devs and they know the issue has been raised. Also on Github. I can post screenshots / Chatlogs to prove this if anyone has doubts.


Title: Re: [ANN] Counterparty Protocol Exploit - Cash out any CFD's
Post by: statdude on July 24, 2014, 09:27:03 PM
Makes no sense why he wouldn't listen to you and really reduces my interest in XCP for a lead dev to do that.

Sad day for XCP.


Title: Re: [ANN] Counterparty Protocol Exploit - Cash out any CFD's
Post by: SirEGB on July 24, 2014, 09:32:44 PM
The only reason to avoid listening is because the dev needs to cash out before it gets exploited.  I never took an interest in Counterparty but considering the dev would act so immaturely when a fellow community is trying to help strengthen the system makes me not want to look into XCP even more. 


Title: Re: [ANN] Counterparty Protocol Exploit - Cash out any CFD's
Post by: porqupine on July 24, 2014, 09:47:44 PM
One of my many issues opened (closed instantly):
https://github.com/CounterpartyXCP/counterpartyd/issues/189

PhantomPhreak opens an issue:
https://github.com/CounterpartyXCP/counterpartyd/issues/191
With a proposed fix:
https://github.com/CounterpartyXCP/counterpartyd/commit/0229f63008fdbdd2d363d96646136e16a1006bd4

Here is my email writing out the basic arithmetic. The funny thing is I basically wrote it out before he posted that issue with a broken "fix".

Quote
If you're not going to listen to my explanations then please test your
solutions yourself - before posting them.

One more time though - the math is not working again:

delta = (initial_value - value) * leverage * config.UNIT

bear_credit = bear_escrow + (delta * Fraction(bear_escrow, bear_wager_quantity))
bull_credit = (escrow_less_fee - bear_escrow) - (delta * Fraction(bull_escrow, bull_wager_quantity))

delta = 1
bear_escrow(10) + (delta(1) * (bear_escrow(10)/bear_wager_quantity(1000))) = 10.01
bull_credit = (escrow(20) - bear_escrow(10)) - (delta(1) * (bull_escrow(10)/bull_wager(10))) = 9

Notice it was a total of 20 (the wager) - but out of escrow comes only 19.01 - .99 just disappear!

Quote
What I'm saying overall is that leverages don't match - more so let's assume
you always take the first leverage (or Fraction ratio) and default the
bull to the second one (to fix the sanity error).

I make a bet:
10/10 (wager-counterwager)
if matched with 10/10 (wager-counterwager):
movement per price delta = 1:1
if matched with a 10 from 1000/1000 (wager-counterwager):
movement per price delta = 1/100

result: No user control over the bet movement.

And it's not like this is the only problem with CFD's, this whole business
of monkey patching, and ignoring what's happening and the purpose of
these instruments is just absurd.


Title: Re: [ANN] Counterparty Protocol Exploit - Cash out any CFD's
Post by: ReRunRod on July 24, 2014, 09:55:43 PM
Cash out now before it falls!!!!


Title: Re: [ANN] Counterparty Protocol Exploit - Cash out any CFD's
Post by: ReRunRod on July 24, 2014, 09:57:05 PM
Thank you very much for what you are doing!! Will try to keep this thread up top for people to read!


Title: Re: [ANN] Counterparty Protocol Exploit - Cash out any CFD's
Post by: porqupine on July 24, 2014, 10:25:52 PM
Here is the Reddit thread.

http://www.reddit.com/r/counterparty/comments/2bmlg6/ann_counterparty_exploit_public_disclosure/


Title: Re: [ANN] Counterparty Protocol Exploit - Cash out any CFD's
Post by: nutildah on July 25, 2014, 09:54:35 AM
Sorry for the dumb question but how is the BEAR allowed to bet 1,000 on 10 escrow while the BULL isn't?

Wouldn't the BULL want to employ the same leverage as the BEAR?

If they did, then the calculation would add up to 20.

delta = (initial_value - value) * leverage * config.UNIT

bear_credit = bear_escrow + (delta * Fraction(bear_escrow, bear_wager_quantity))
bull_credit = (escrow_less_fee - bear_escrow) - (delta * Fraction(bull_escrow, bull_wager_quantity))

delta = 1
bear_escrow(10) + (delta(1) * (bear_escrow(10)/bear_wager_quantity(1000))) = 10.01
bull_credit = (escrow(20) - bear_escrow(10)) - (delta(1) * (bull_escrow(10)/bull_wager(1000))) = 9.99

9.99 + 10.01 = 20


Title: Re: [ANN] Counterparty Protocol Exploit - Cash out any CFD's
Post by: porqupine on July 25, 2014, 11:17:25 AM
It's like an order on an Exchange that can be split into smaller blocks - so that someone betting 1000 XCP - should be able to split to match with 10XCP, 100XCP etc. so they can get filled - if they needed to get matched exactly it would probably make the entire system useless.


Title: Re: [ANN] Counterparty Protocol Exploit - Cash out any CFD's
Post by: nutildah on July 25, 2014, 12:04:35 PM

Quote
It's like an order on an Exchange that can be split into smaller blocks - so that someone betting 1000 XCP - should be able to split to match with 10XCP, 100XCP etc. so they can get filled - if they needed to get matched exactly it would probably make the entire system useless.

Okay so by placing the order of 1000 the bear is assuring that he has an additional 1000 XCP to throw down for escrow in case the order gets completely filled. And it's not that he has 100:1 leverage and the bull doesn't...

If the delta runs the other way (-1) then the bull gets 11 and the bear gets 9.99, meaning the system eats a cost of the amount equal to the original example.

Unless there's something else I'm not seeing, yes you're right, the proportionality of the payouts seems off. Does your fix suggest removing "wager_quantity" denomination?

I hope you're not trying to match orders with different leverages. You can't assign them the same delta if you are.

CFDs aren't legal in my country and I never heard about them until today so please excuse my ignorance.
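
The settlement arithmetic discussed in the posts above (the mismatched case from the quoted email, the matched case, and the reversed delta), as an added example that is not part of any post or of the counterpartyd code base: it applies the two quoted credit formulas with exact fractions and audits each result against the escrow actually held. The function names, the `fee` parameter, and taking `delta` as a direct input are assumptions made for this illustration.

```python
from fractions import Fraction


def settle(bear_escrow, bull_escrow, bear_wager_quantity, bull_wager_quantity,
           delta, fee=0):
    """Apply the two credit formulas quoted in the thread.

    delta is passed in directly (the thread derives it from the feed value);
    fee is an assumed parameter separating escrow from escrow_less_fee.
    """
    escrow_less_fee = bear_escrow + bull_escrow - fee
    bear_credit = bear_escrow + delta * Fraction(bear_escrow, bear_wager_quantity)
    bull_credit = (escrow_less_fee - bear_escrow) - delta * Fraction(
        bull_escrow, bull_wager_quantity)
    return bear_credit, bull_credit, escrow_less_fee


def audit(bear_escrow, bull_escrow, bear_wager_quantity, bull_wager_quantity,
          delta, fee=0):
    """Return (imbalance, findings) for one settlement.

    imbalance = credits paid out - escrow available: negative means funds
    vanish from escrow, positive means more is credited than was held.
    """
    bear, bull, pot = settle(bear_escrow, bull_escrow, bear_wager_quantity,
                             bull_wager_quantity, delta, fee)
    imbalance = (bear + bull) - pot
    findings = []
    if imbalance < 0:
        findings.append("escrow not fully paid out")
    if imbalance > 0:
        findings.append("credits exceed escrow")
    if bear < 0 or bull < 0:
        findings.append("negative credit")
    if Fraction(bear_escrow, bear_wager_quantity) != Fraction(
            bull_escrow, bull_wager_quantity):
        findings.append("escrow/wager ratios differ")
    return imbalance, findings


# Constructed cases built from the figures quoted in the thread:
# (bear_escrow, bull_escrow, bear_wager_quantity, bull_wager_quantity, delta)
CASES = {
    "mismatched, delta=+1": (10, 10, 1000, 10, 1),
    "matched, delta=+1": (10, 10, 1000, 1000, 1),
    "mismatched, delta=-1": (10, 10, 1000, 10, -1),
}

if __name__ == "__main__":
    for name, args in CASES.items():
        imbalance, findings = audit(*args)
        print(f"{name}: imbalance {float(imbalance):+.2f}, {findings or 'balanced'}")
```

Algebraically the imbalance is delta * (bear_escrow/bear_wager_quantity - bull_escrow/bull_wager_quantity), so it is zero for every delta only when the two ratios are equal.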



Title: Re: [ANN] Counterparty Protocol Exploit - Cash out any CFD's
Post by: Fernandez on July 25, 2014, 12:10:45 PM
Quote
Makes no sense why he wouldn't listen to you and really reduces my interest in XCP for a lead dev to do that.

Sad day for XCP.

Sad day indeed, I rate XCP highly. I am still hoping that sanity will prevail and the devs can get back together. Lead dev ignoring potential flaws is a serious case for concern, maybe we will hear from him soon why.


Title: Re: [ANN] Counterparty Protocol Exploit - Cash out any CFD's
Post by: nutildah on July 25, 2014, 06:26:50 PM
Quote
Makes no sense why he wouldn't listen to you and really reduces my interest in XCP for a lead dev to do that.

Sad day for XCP.

Quote
Sad day indeed, I rate XCP highly. I am still hoping that sanity will prevail and the devs can get back together. Lead dev ignoring potential flaws is a serious case for concern, maybe we will hear from him soon why.

There's more going on behind the scene if you're interested:

https://bitcointalk.org/index.php?topic=395761.msg8016900#msg8016900





Title: Re: [ANN] Counterparty Protocol Exploit - Cash out any CFD's
Post by: nutildah on July 25, 2014, 06:28:20 PM
And now that I've accidentally bumped this thread I hope the people that read the whole thing can see that the problem isn't an "exploit" so much as a coding flaw.


Title: Re: [ANN] Counterparty Protocol Exploit - Cash out any CFD's
Post by: porqupine on July 25, 2014, 06:56:28 PM
Quote
There's more going on behind the scene if you're interested:

https://bitcointalk.org/index.php?topic=395761.msg8016900#msg8016900

The only thing going on is PhantomPhreak lying to cover up his gross negligence of an Exploit, and deleting any post I make.

Quote
And now that I've accidentally bumped this thread I hope the people that read the whole thing can see that the problem isn't an "exploit" so much as a coding flaw.

It's an exploitable coding flaw. Any unmatched CFD can be stolen - see https://github.com/porqup1ne/cfd_camper

I will be posting a technical paper with descriptions of the exploit and the original bug later as promised.


Title: Re: [ANN] Counterparty Protocol Exploit - Cash out any CFD's
Post by: porqupine on July 25, 2014, 10:08:17 PM
I wrote up a Technical Analysis of the exploit: https://xcpfeeds.info/cfd_exploit/


Title: Re: [ANN] Counterparty Protocol CFD Exploit - Cash out any CFD's
Post by: Fernandez on July 31, 2014, 01:08:56 PM
This has gone silent for some time. Has this been solved? I hope the developers come to a compromise, hate to see this nice innovation suffering.

Fixing any flaws is best for us all.


Title: Re: [ANN] Counterparty Protocol CFD Exploit - Cash out any CFD's
Post by: nutildah on August 01, 2014, 02:07:23 AM
Quote
This has gone silent for some time. Has this been solved? I hope the developers come to a compromise, hate to see this nice innovation suffering.

Fixing any flaws is best for us all.

They have several other issues they are currently working on, some more pertinent than this one.

This is a 100% novel, free product for anybody to use that offers a bunch of revolutionary new services that have never been implemented in software design before. I don't think it's right to expect perfection from it, now or ever.

Yes, this sounds like a problem that needs to be solved.

No, it is not central to the core of Counterparty and is easily avoidable.


Title: Re: [ANN] Counterparty Protocol CFD Exploit - Cash out any CFD's
Post by: halicarton on August 01, 2014, 02:11:20 AM
I was too poor to invest. But still want some coins.


Title: Re: [ANN] Counterparty Protocol CFD Exploit - Cash out any CFD's
Post by: nutildah on August 01, 2014, 02:18:18 AM
Quote
I was too poor to invest. But still want some coins.

If you create a Counterwallet (https://counterwallet.co/) bitcoin address and PM it to me I will send you some free tokens to play around with. Unfortunately you will still need a little bit of your own BTC if you want to trade them.


Title: Re: [ANN] Counterparty Protocol CFD Exploit - Cash out any CFD's
Post by: halicarton on August 01, 2014, 02:21:58 AM
They have several issues they are always working on! Just waiting for it. ;D


Title: Re: [ANN] Counterparty Protocol CFD Exploit - Cash out any CFD's
Post by: open82buy on August 03, 2014, 02:05:36 AM


Quote
If you create a Counterwallet (https://counterwallet.co/) bitcoin address and PM it to me I will send you some free tokens to play around with. Unfortunately you will still need a little bit of your own BTC if you want to trade them.

This is really funny coming from a TROLL

I guess you don't mind it if I post the private messages you've been sending me then and then all can see what a troll you are.


Title: Re: [ANN] Counterparty Protocol CFD Exploit - Cash out any CFD's
Post by: nutildah on August 04, 2014, 09:14:37 PM


Quote
If you create a Counterwallet (https://counterwallet.co/) bitcoin address and PM it to me I will send you some free tokens to play around with. Unfortunately you will still need a little bit of your own BTC if you want to trade them.

Quote
This is really funny coming from a TROLL

I guess you don't mind it if I post the private messages you've been sending me then and then all can see what a troll you are.

Real original threat there silly guy:

Quote
I guess you don't mind it if I post the private messages you've been sending me then.

The message I am referring to is the one where you threatened to head-butt me over your perception that I was costing you money. We both agreed already that this was not the case yet you continue to hound me... Why?