Bitcoin Forum

Read this comment on Supercoin by fluffypony, one of the Monero devs, who explains why n-of-m multisig used in Supercoin is not safe:

"The "guarantor" is being trusted to do arbitration between the sender and the mixer. Therefore, given the nature of 2-of-3 multisig transactions, the guarantor and the mixer can sign the transaction, and then refuse to sign the cancellation transaction, leaving the sender out of luck and out of funds."

Also, read this, why using the txid to do mixing in Supercoin is not safe:

"Even worse - the workflow is based on the txid and verifying the txid. Have we not learnt by now that the txid can change? How do you people not understand that this was the very thing that mtgox blamed for their destruction?

The issue here is relying on the txid, when malleability has shown that the txid can change. This so-called "trustless system" relies on txid's to confirm transactions in an automated fashion. That is bad, stupid, and fundamentally broken."

Be careful not to fall for new shady coins promising the earth and screaming FUD at more established coins.

It certainly beats me how trusted third parties - "escrow" services, a very pre-Bitcoin thing - are presented as either trustless or anonymous.

m-of-n multisig was not designed for trustless anonymous payments.

Would have said exactly this a lot sooner... it's just that the kids at Super & Mammoth seemed so happy these days, I just couldn't be the one to break the bad news to them.

SUPERCOIN BACKFIRE IMMINENT ;D


Even though I dont usually partake in these types of threads, this is well deserved

They are even deleting normal responses that don't agree with them and provide good arguments..

not only that, but along with posting stuff like this

https://bitcointalk.org/index.php?topic=742025.msg8386280#msg8386280

How can you leave a post like this up and remove other ones. I had about 10 posts deleted so far, its clear that they are trying to paint a picture that is skewed in their favor and making it seems like we cannot come up with a legitimate response even though we have multiple times. Utterly pathetic, I wish the worst for Supercoin and its future.

This was removed as well:

Quote from: marseille on Today at 08:49:59 PM
BTW, this is Gavin Andersen's example on the multisig in Bitcoin. Supercoin/mammothcoin implemented exactly the multisig technology, same is done at OpenBazaar.

https://gist.github.com/gavinandresen/3966071

XC devs please learn and hope you will have a real multisig system implemented, not just a name.

read before he deletes this: 

Funny... do you still use AOL for your email as well.  You are using bitcoin technology and open bazaar's rationale, both without anon....  therefore nodes can be more trusted, but they have to be trusted.  XC offers trustless mixing where every node signs off and can't steal coins, if it doesn't sign, it resyncs and sends the transaction to another set.   Highly likely most transactions will be very quick, but if there is an attempt to be a bad actor they are inhibited from gaining access to the coins.   Your old technology multi sig allows bad actors/nodes to steal coins.  THis has been know for a long time, with coins before yours that you stole to write your code.   In fact you deleted a 500 post thread because it primarily discussed the inadequacies of this design.

The following posts of mine were deleted by timerland:

The Supercoin fanboys seem strangely quiet  :P

I should add, I have not deleted any posts here (yet).

Thanks for quoting me:)

There was a lot of push-back in that thread, which surprised me as strasboug seemed quite logical in his thread denouncing Cloakcoin's PoSA as not being trustless (https://bitcointalk.org/index.php?topic=713836.0). I couldn't understand how he could accurately describe Cloakcoin's system as not being trustless, and then think that a system that only requires 2 parties to collude is somehow "trustless".

Look, cryptography is VERY, VERY hard to get right. I've got a reasonable grasp of it and I would NOT attempt to invent new cryptography that didn't simply build on the foundations others have left. I notice a lot of hero worship in this part of the forum - "the dev said X" or "the dev promised Y" and everyone accepts that. Cryptographers (real ones) don't push out code until they've pushed out papers and completely opened their ideas up for discussion. More importantly, those cryptographers are also able to accept where they're wrong. There is NOTHING wrong with being flat out wrong about an idea...but when you stick with the idea in spite of it being bad, that's a dangerous road to drive.

Nothing is flawless, but this is YOUR MONEY. Expect and demand good and cryptographically sound solutions - fewer pictures, more maths in a "whitepaper"!

Just own a few nodes so you can be Guarantor and Mixer.   Free Supercoin/Mammothcoin!   Weeee!

Okay. I am no dev and am invested in Supercoin as many know. 8)

I'm just trying to understand that is it that easy to "gain" both the guarantor & the mixer node (2 completely different nodes) to be under your control like what was said in order to out-vote the sender or its cancellation? If it was, I guess it would be the same for any coin with small number of confirmations. As far as I remember, Supercoindev said he will start with 2-of-3 but can increase this number at any time to increase its security at the expense of transaction time. So I don't think that's a real strong argument to the case of Supercoin's new system.

As for the txid, that sounds like a valid concern that supercoindev will need to answer. Surely for a dev who seems very competent (I'm sure you guys also agree to an extent), this txid stuff sounds too dumb/simple for him to make such a mistake. Well, if it was a mistake, I guess it can easily be changed anyways to use a more static ID. But yeah, I'm also curious about the truth to this argument.

BTW, I don't remember supercoindev ever bad mouth XC or any other coin before. Feel free to check his previous posts.
Ignore the fanboys on both sides of the fence who are just pouring fuel to the flame to this. I do. I just want facts.

Update:
Even my post in their thread asking about this just got deleted.
Fine line between clarifying & stopping troll/fud attacks I guess. :(

Final Whitepaper will be out in 48hours.
Beta Testing is running smooth and its only a short period till release to the public.

So, lot of talking going on here, when Supercoin Phase 2 goes live, test it, hack it, whatever you like to do.
If thats done, come back here and talk about the facts  :)

Till then, thats nothing but chitchat.

Why would i be invested in a known scam coin to begin with ?

Which one is a known scam coin? Both aren't last time I checked. :P

Hear hear. I wish there was more space for genuine conversation about various coins' technologies.

FYI. Sorta related which was posted by supercoindev few days ago:

Really surprised no-one from supercoin is addressing the tx id issue.

Guess the devs just don't care? Have they not even acknowledged this fundamental flaw?

its outdated tech, I dont expect much of it and it corresponds exactly to Super's pathetic market cap.

I'm confused then why supercoin "supporters" are spreading FUD and lies about coins with working anon tech like XC... when their own tech is broken  :D

Ok I personally had to disturbed our dev during this hardworking time and he took time to answer me. I don't really get the XC/Supercoin "war" (from both sides) and I won't go any further than posting this because my specialty is finance, not tech.



/closethread

To me, you guys are spreading FUD without doing your own research also.
Anyways, it's now been answered. Hope that helps a little. ;)

BEEEEEP, wrong!

Firstly, not all possible malleability vectors are "fixed" in 0.9 (https://bitcointalk.org/index.php?topic=570512.0), so transactions are still quite malleable and the transaction ID can still change. The other thing is that they've made the changes to isStandard(), which is a function that checks for standardness and not for validity. In other words, very new nodes won't relay or mine tx's that already exist but have been modified and rebroadcast, but most of the network (like 90%) will.

Furthermore, there are pools like Eligius that mine non-standard transactions (ie. transactions that would fail these new isStandard() malleability checks but are still perfectly valid transactions). Anything relying on a transaction ID in an automated system is fundamentally broken, and harping on "0.9.0 fixes malleability!" is nothing more than an act of desperation.

Oh, and lastly - "the only consequence it will cause the anonymous send to fail" - why would anyone touch a system where an attacker can trivially prevent all anonymous transactions from working?

Damn

https://i.imgur.com/d6RqVMk.gif

Supercoin just been delivered a knockout blow.

Whaat? Whaat!? Shitcoi...I mean Supercoin is the best coin on deh market!

#1!

I am on shitcoi...I mean Supercoin's Foundation Board, and I will strive to make Supercoin the best coin there is.

Don't forget to download the Supercoin Wallet Updates!

Your argument is based on the attacker being able to change TXID of every anon transaction?
Can you do that? Is it that easy? or you just saying that some genius hacker can if he really tries?

Last time I checked, even Bitcoin is vulnerable if an attacker spends enough money/time to do it. So that's bad also?
We both do not know what securities supercoindev has put in place nor how easy it is to change txid-reliance in code.
Code isn't finished & public beta test hasn't started. So just wait until it's released before making further accusations. 8)
I hate people attacking each other with mostly assumptions and with a completely biased view. It's not productive.

The foundation is built on tx id's so it doesn't matter what else is in place.

The fact is, the Supercoin dev said don't worry about transaction malleability, it's fixed in bitcoin 0.9... except it's not fixed and the transaction ID can still change. So the OP of this topic is still valid.

It's trivially easy. Maybe 20 lines of python code that use libbitcoin bindings - all I have to do is watch for transactions broadcast that match a certain spec, and then I can rebroadcast hundreds of the same transaction with just the slightest thing changed so that each of those transactions has a different tx id, and voila: the transaction will be included in a block, but with a different transaction ID from the one expected by the automated system.


Yes, Bitcoin has its own special set of vulnerabilities all with various levels of likelihood or ease of attack. One would hope that a system based on Bitcoin would at least try to not introduce more vulnerabilities than Bitcoin already has.

I'm not making accusations, I'm pointing out where the design is fundamentally flawed. The tx id malleability is the least of my concerns, so don't conflate the two. The system is fundamentally flawed, and it should be dropped in favour of a system that has provable and verifiable cryptography and mathematics behind it.

In fact, the coin itself is not flawed, all the developer needs to do is dump the flawed system, come up with a new one that isn't broken, publish a whitepaper on it that express (mathematically) the underpinnings of the system, and then open it up for debate and discussion. But he won't. Just like every other altcoin "developer", he'll push out diagrams and walls of text meant to demonstrate technical ability, and then write and release shoddy code that embodies a broken design. No mathematics. No cryptography (who needs that in a cryptocurrency, after all). No research. No discussion among clever people that can make a good design even better. Because who needs all that stuff when you can have a diagram hastily shoved together in PowerPoint!

/rant

I will admit that I am not a pro coin coder.  I've just recently started looking into how some of this works.  I have a logical question...

"Firstly, not all possible malleability vectors are "fixed" in 0.9 (https://bitcointalk.org/index.php?topic=570512.0), so transactions are still quite malleable and the transaction ID can still change."

If I understand what you are saying here, TX IDs can be changed or fudged to cause issues with tracking that transaction.  I assume this can cause coins to get lost or stolen.  So my question is, assuming my previous two assumptions are correct, if this is a real issue AND is easy to do, why aren't you forging btc transactions and stealing BTC all day long?  The problem that you say Super has should be a problem that every coin out there has. 

SUPER and MAMM are apparently the same team (devs), once a time I had some MAMM, dev 100% delusional, saying nonsenses since begining like saving animals rights, they keep flooding their own thread to gain attention, it´s kinda funny: of 10 posts in SUPER thread ,4 are hot girls pics with superman uniform hahah.... I almost get a lost on MAMM...altcoins nevermore, learned the lesson, from now on just BTC matters, enough PnD shit.

MAMM dev now deleting 90% of the posts, saying his under FUD attack, both coins are unreliable since day one.

See: https://bitcointalk.org/index.php?topic=737468.0

Tks for the explanation, will help others to do not loose their precious BTC into a broken tech.

His last comment:

"Also there are several ways the tx verification can be done (not always need txid) as pointed out by strasboug."

No need to clutch on straws. He seems to know exactly what he is doing unlike us.
So my argument still stands. Code isn't finished & public beta test hasn't started.
Just wait until it's released before making accusations based on assumptions. 8)

More people lost more BTC on LTC, DRK, SYS, VRC, VIA, VOOT and even XC due to whales & P/D.
When a coin & its devs are not a scam, people losing BTC due to bad trades are not coin's fault.

I also hate self-moderated threads. I also hate threads with a feeling of religion/cult group. (so many)
But there is no need to attack other coins unless they really are a scam. That's not the case here. :P

No, if it is that vulnerable, why is Bitcoin not compromised so far?

Go there, explain to them that they are "doomed", cause panic, and get rich in two ways: cheap bitcoin, and bitcoin gained by modifying tx...

They will laugh in your face, sir...Come on, steal BTC, and pump your coins with it...

How will you change tx id of every transaction, between all senders and receivers sir? If this is possible, somebody would destroy Bitcoin long time ago.

I recommend newcomers to read through supercoindev's previous posts before making assumptions.
He has always been professional with zero condescending remarks. He's a genuine coder at heart.
Please don't confuse "supercointeam" with "supercoindev" account. They are 2 different people. :P




More here: https://bitcointalk.org/index.php?action=profile;u=341100;sa=showPosts

Those are the screenshots from alpha testing on Mammoth wallet done by Mammothdev, Superdev and a bunch of testers, there's also video's if interested.

Or you could apply as a beta tester if you have doubts, at least you'll be the first to know if there's something wrong.

FYI - New update using Supercoin's real network has been also posted today by the dev.

Are you all afraid that supercoin could kill 99% of altcoins and make a new standar in crypto world or what?

You're a denigrating a coin where price is between 1-3k and market volume is one of the lowest ever regarding anon coin.
So, why all this posts again a coin that is at bottom of most altcoin?

There are coins on bittrex like Eutopium,solecoin,quantum2,shadowcoin etc etc that got 20 times more value and volume market that supercoin, and all is focusing only on supercoin.

So,you're fudding a coin at 2k. I can understand if this coin were quoted 80k-140k....but at this prices...this really make no sense at all.

Supercoin got a daily volume of about 0.8btc a day x exchange(pump and dump period apart).
So,why posting all this stuff about a little coin as supercoin?

A malleability attack doesn't stop the transaction from going through, it just mostly goes through with a different tx ID to the one kicked back by your wallet. Your coins won't disappear, the recipient address will still receive them, and nothing can be stolen. Malleability does not and cannot change the validity of the transaction, the destination, the amount, the p2sh hash (if there is one), the inputs, the outputs, or anything else. The only thing it changes is the transaction ID.

Therefore, if you made a payment to your friend, and sent him the transaction ID, he may not be able to match that with his address history by payment ID. He will still be able to match it based on where it came from and the amount. Bitcoin is still vulnerable to this, as pointed out in the link you reference, and Eligius and other pools will still gladly mine valid transactions that fail isStandard() tests.

Some little words about first beta-test made with supercoindev today on irc:

[21:49] <supercoindev> This is normal, this is what happened:
[21:50] <supercoindev> you send 2.987754 to me
[21:50] <supercoindev> 1st thing is that you send 2.987754 x2 + fee (0.5 coin) = 6.475 to multisig address
[21:50] <supercoindev> this is the escrow
[21:51] <supercoindev> then mixer and guarantor will deposit 2.987754 to escrow
[21:51] <supercoindev> then mixer will send 2.987754 to the destination (me)
[21:51] <supercoindev> after sender (you) verifies the money indeed sent to the destination
[21:52] <supercoindev> it will return one 2.987754 to you
[21:52] <supercoindev> one 2.987544 to mixer (because he sent it to destination)
[21:52] <supercoindev> and send service fees to mixer/guarator
[21:53] <supercoindev> then return the deposit amnount of mixer / guarator to them
[21:53] <supercoindev> ok why so complcated process?
[21:53] <supercoindev> because this is a trustless system
[21:53] <supercoindev> the sender can not trust anyone
[21:53] <supercoindev> so he only put money in escrow
[21:54] <supercoindev> if mixer said he sent to destination, but did not actually do it
[21:54] <supercoindev> the sender will get all his money back from escrow

So in order to send $1000 you first need to have $2000 available AND it needs to be tied up until this transaction is complete?

I'm going to guess, but I may be reaching, that this will never have any sort of longevity:-P

this thread was started because you have idiots in your community that picked a stupid fight against the XC community (which is 10x larger than Super's) and spread FUD about our coin and  this thread was more of a retaliation. Our community is usually very good and for such a large community, we have relatively few people that like to go around and stir the pot. However, the self-moderated thread about XC made by a Supercoin investor was pathetic with most of XC's posts being deleted only leaving FUD comments for the entire community to see. On top of that,  the MAMM dev accused our dev of cheating, we had Supercoin investors come in and call XC a scam, a cheat, liars....pretty much anything to defame XC. After a few days of arguing, and dealing with constant bullshit in the self moderated thread (and it was obvious Supercoin investors was trying to skew the story by looking like we didn't have any legitimate responses to their inquiries, however we did and they were constantly deleted), many XC investors were aggravated beyond belief and one opened this thread, just to sort of 'balance the bullshit'.

Supercoin Q&A by the supercoindev has been posted.
Hopefully it'll clear up some technical misunderstandings.

https://bitcointalk.org/index.php?topic=736705.msg8426652#msg8426652

Well some individuals deserved this, I must say. It's unfortunate it got an impact on the whole SUPER community while only few persons fudded (and honestly I believe it was mainly people from mammoth and no 'real' community members of SUPER). Supercointeam, me and others asked these people to stop the fud several times because it was basically immature the way they did this, and they were damaging our reputation aswell. None of us ever supported them, let that be clear. But since no community is able to decide who invests in its coin we can not have full control over them.

Not sure why some XC investors took the same path as them and started a counter-fud, instead of just opening a thread of their own with answers. But I truely hope 'our' fudders learned their lesson.

I agree that FUD is immature, the thread came off as a personal attack more than just common FUD. I think that is what really added fuel to the fire. I dont condone to FUD and I think it puts a bad reputation on communities in general. Our XC community is for the most part very sensible and down to earth, but I guess if you push even the nicest people they will respond an equal push back.

Thanks for the insightful posts fluffy.

For the unaware, fluffy is one of the Monero devs and as you can tell from his messages, he knows crypto extremely well.

This all was actually started by one guy, and to be honest I haven't seen him in Supercoin or Mammothcoin thread ever so i have no idea why. Too bad his scheme actually worked and bullets were being fired from both sides. I don't really see the point in keeping this up though in the end we are all working towards the same goal.