Bitcoin Forum

Alternate cryptocurrencies => Altcoin Discussion => Topic started by: serraz on June 03, 2013, 02:33:16 AM



Title: New SCRYPT! Stratum Flaw found
Post by: serraz on June 03, 2013, 02:33:16 AM
Pool owners running pool software from viperaus or stratum etc., you may be susceptible to a new attack. This has been noted on a few pools recently. This may not be affecting all pools but it is definitely worth a mention.

Here's the issue: a significant fake hash rate may be counted as valid instead of rejected by the vulnerable pool server. I am working with a bunch of pool operators as well as the Litecoin dev team at the moment to find the cause of this issue and resolve it.
I believe the attacker is able to trick the server into accepting shares at a lower difficulty than the server sends out, thus causing their hash rate to spike. I am not 100% sure on this, which is why I make this post. If you think your pool is affected, please join us.

Here is what I have suggested so far: disabling vardiff code and setting the share difficulty cap at 32. This will not be a permanent solution but might potentially stop these attacks until we can find the root cause.


Please take note.
Any pools that have custom-coded stratum software will not be affected by this bug; this is for pools that are using the same codebase as each other.
The Litecoin dev team are not responsible for pool code but they are lending a hand where they can.
I would also like to mention that there is NO issue with the LTC network at all! This is all to do with attacks and exploits on pool software.

If you're a pool op, join us on #unitedminers-2 on freenode.


Title: Re: New SCRYPT! Stratum Flaw found
Post by: CoinHoarder on June 03, 2013, 02:42:33 AM
This sounds like the same vulnerability that WeMineLTC released info on a few days ago.

Litecoinforums are down, but here's a bitcointalk link about it:

https://bitcointalk.org/index.php?topic=220641.0


Title: Re: New SCRYPT! Stratum Flaw found
Post by: lazydna on June 03, 2013, 02:42:55 AM
Pool owners running stratum from viperaus or stratum etc., you may be susceptible to a new attack. This has been noted on a few pools recently. This may not be affecting all pools but it is defiantly worth a mention.

Here's the issue: a significant fake hash rate may be counted as valid instead of rejected by the vulnerable pool server. I am working with a bunch of pool operators as well as the Litecoin dev team at the moment to find the cause of this issue.
I believe the attacker is able to trick the server into accepting shares at a lower difficulty than the server sends out, thus causing their hash rate to spike. I am not 100% sure on this, which is why I make this post. If you think your pool is affected, please join us.

Here is what I have suggested so far: disabling vardiff code and setting the share difficulty cap at 32.

Please take note.
Any pools that have custom-coded stratum software will not be affected by this bug; this is for pools that are using the same codebase as each other.
I would also like to mention that there is NO issue with the LTC network at all! This is all to do with attacks and exploits on pool software.

If you're a pool op, join us on #unitedminers-2 on freenode.

Is this exploit fixed on givemeltc? Noticed my payouts in the last 2 days are about 15% lower than projected.


Title: Re: New SCRYPT! Stratum Flaw found
Post by: ranlo on June 03, 2013, 02:43:46 AM
I've noticed spikes in some sites as well, and on some pools the earnings have been really wonky the last few days. Hopefully this is resolved soon.


Title: Re: New SCRYPT! Stratum Flaw found
Post by: wtogami on June 03, 2013, 02:45:37 AM
This sounds like the same vulnerability that WeMineLTC released info on a few days ago.

Litecoinforums are down, but here's a bitcointalk link about it:

https://bitcointalk.org/index.php?topic=220641.0

Not the same exploit.  Related.  It's possible the wemineltc fix only made it better, but wasn't precise enough.  There are other theories.

Note: Litecoin Dev Team lent some help on the issue, but pool software is solely the responsibility of pool owners.  It seems that serraz has given time to help analyze this issue even though he doesn't use this pool software.

I suggest that some of the affected pool operators post in this thread to identify cheating IP addresses and payout addresses.
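
The two ideas above (serraz's description of shares being accepted below the difficulty the server sent out, and wtogami's suggestion to identify cheating IP and payout addresses) can be combined into a share-log audit. This is an added example, not part of the thread or of any pool's code; the log field names, the big-endian hash encoding and the difficulty-1 target convention are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict

# Assumption: scrypt pools conventionally use this 256-bit value as the
# difficulty-1 share target (0x0000ffff followed by 56 hex zeros).
DIFF1_TARGET = 0xFFFF << 224

def share_meets(hash_hex, assigned_diff):
    """True if the share hash (big-endian hex, assumed) satisfies the
    target for the difficulty the server assigned to that connection."""
    return int(hash_hex, 16) * assigned_diff <= DIFF1_TARGET

def audit(shares, min_flagged=2):
    """Map (payout_address, ip) -> (below_assigned, accepted) for every
    pair with at least min_flagged accepted shares under their difficulty."""
    stats = defaultdict(lambda: [0, 0])
    for s in shares:
        if not s["accepted"]:
            continue  # rejected shares earned no credit
        key = (s["address"], s["ip"])
        stats[key][1] += 1
        if not share_meets(s["hash"], s["assigned_diff"]):
            stats[key][0] += 1
    return {k: tuple(v) for k, v in stats.items() if v[0] >= min_flagged}

def _row(address, ip, assigned_diff, met_diff, accepted=True):
    """Constructed log row whose hash is the largest value meeting met_diff."""
    return {"address": address, "ip": ip, "assigned_diff": assigned_diff,
            "hash": format(DIFF1_TARGET // met_diff, "064x"),
            "accepted": accepted}

# Constructed sample log: hypothetical field names, placeholder addresses.
SAMPLE = [
    _row("PAYOUT_ADDR_A", "192.0.2.10", 64, 64),
    _row("PAYOUT_ADDR_A", "192.0.2.10", 64, 200),
    _row("PAYOUT_ADDR_A", "192.0.2.10", 64, 8, accepted=False),
    _row("PAYOUT_ADDR_B", "198.51.100.7", 64, 16),
    _row("PAYOUT_ADDR_B", "198.51.100.7", 64, 20),
    _row("PAYOUT_ADDR_B", "198.51.100.7", 64, 64),
]

if __name__ == "__main__":
    for (addr, ip), (bad, total) in audit(SAMPLE).items():
        print(f"{addr} {ip}: {bad}/{total} accepted shares below assigned difficulty")
```

The audit is only meaningful if the hash in the log is recomputed independently of the code path that accepted the share.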


Title: Re: New SCRYPT! Stratum Flaw found
Post by: serraz on June 03, 2013, 02:48:15 AM
Pool owners running stratum from viperaus or stratum etc., you may be susceptible to a new attack. This has been noted on a few pools recently. This may not be affecting all pools but it is defiantly worth a mention.

Here's the issue: a significant fake hash rate may be counted as valid instead of rejected by the vulnerable pool server. I am working with a bunch of pool operators as well as the Litecoin dev team at the moment to find the cause of this issue.
I believe the attacker is able to trick the server into accepting shares at a lower difficulty than the server sends out, thus causing their hash rate to spike. I am not 100% sure on this, which is why I make this post. If you think your pool is affected, please join us.

Here is what I have suggested so far: disabling vardiff code and setting the share difficulty cap at 32.

Please take note.
Any pools that have custom-coded stratum software will not be affected by this bug; this is for pools that are using the same codebase as each other.
I would also like to mention that there is NO issue with the LTC network at all! This is all to do with attacks and exploits on pool software.

If you're a pool op, join us on #unitedminers-2 on freenode.

Is this exploit fixed on givemeltc? Noticed my payouts in the last 2 days are about 15% lower than projected.

We run our own custom software. It did not affect us. I left that out of my post because this is not to promote our pool; this is to raise awareness on this issue and fix it.


Title: Re: New SCRYPT! Stratum Flaw found
Post by: serraz on June 03, 2013, 02:49:16 AM
This sounds like the same vulnerability that WeMineLTC released info on a few days ago.

Litecoinforums are down, but here's a bitcointalk link about it:

https://bitcointalk.org/index.php?topic=220641.0

It's a new exploit, but it seems to have the same effect as that issue. The fix has been applied to the pools experiencing this also, which is why I need more help.


Title: Re: New SCRYPT! Stratum Flaw found
Post by: wtogami on June 03, 2013, 07:10:42 PM
One of the developers might have found the new vulnerability.  They are testing a fix now. Not identifying them so people won't bother them.  They need to get this right.


Title: Re: New SCRYPT! Stratum Flaw found
Post by: wtogami on June 03, 2013, 08:53:33 PM
https://github.com/viperaus/stratum-mining/pull/4
Yet again, pooler saves the day for dozens of other scrypt pools.

I hope you other pools appreciate his work.  Please consider donating to him.  LTCPooLqTK1SANSNeTR63GbGwabTKEkuS7

Update: It turns out that bhunt discovered the fix at roughly the same time as pooler.  Donations to pooler's address will be split with bhunt.


Title: Re: New SCRYPT! Stratum Flaw found
Post by: CoinHoarder on June 03, 2013, 09:00:40 PM
Awesome, glad a fix was found.  :)


Title: Re: New SCRYPT! Stratum Flaw found
Post by: ondratra on June 03, 2013, 09:02:50 PM
Do only LTC stratum servers have this vulnerability, or do any BTC pools also struggle with this?


Title: Re: New SCRYPT! Stratum Flaw found
Post by: Remember remember the 5th of November on June 03, 2013, 09:03:30 PM
Do only LTC stratum servers have this vulnerability, or do any BTC pools also struggle with this?

Just this one I think.


Title: Re: New SCRYPT! Stratum Flaw found
Post by: wtogami on June 03, 2013, 09:07:00 PM
Do only LTC stratum servers have this vulnerability, or do any BTC pools also struggle with this?


Any stratum scrypt pool based on this code could be vulnerable.  So that could be LTC or any of those scrypt-based scam coins.


Title: Re: New SCRYPT! Stratum Flaw found
Post by: WeTradeCoins on June 03, 2013, 09:09:12 PM
Awesome work Pooler.  Once again you have done an outstanding job.

To be clear, WeMineLTC is not affected by this bug.  We DO NOT use the viperaus fork, our stratum backend is completely custom.  We had our stratum server working more than a month before viperaus scrypt stratum software was working.  I have read ppl saying we use viperaus several times and this is just not true.

As for our exploit that we announced on 5/29, after we found the exploit we tested the viperaus code and confirmed it had the same bug and we wanted pools to know about it, this seems to have ppl thinking that is the code we use.



Title: Re: New SCRYPT! Stratum Flaw found
Post by: bhunt on June 03, 2013, 10:01:43 PM
Do only LTC stratum servers have this vulnerability, or do any BTC pools also struggle with this?


I guess that some BTC pools based on https://github.com/slush0/stratum-mining can be affected by this if they don't use difficulty 1.


Title: Re: New SCRYPT! Stratum Flaw found
Post by: WeTradeCoins on June 03, 2013, 10:37:59 PM
Do only LTC stratum servers have this vulnerability, or do any BTC pools also struggle with this?


I guess that some BTC pools based on https://github.com/slush0/stratum-mining can be affected by this if they don't use difficulty 1.

I am not so sure about that, as I looked through the commits of the viperaus fork and this bug is due to sections of code being stripped from the starting code by the viperaus fork.


Title: Re: New SCRYPT! Stratum Flaw found
Post by: m3ta on June 03, 2013, 10:44:55 PM
defiantly

I stopped reading here.


Title: Re: New SCRYPT! Stratum Flaw found
Post by: serraz on June 03, 2013, 10:56:23 PM
defiantly

I stopped reading here.

That is awkward, sorry about my horrible spelling. No need to be a smart ass about it tho...


Title: Re: New SCRYPT! Stratum Flaw found
Post by: serraz on June 03, 2013, 10:59:03 PM
https://github.com/viperaus/stratum-mining/pull/4
Yet again, pooler saves the day for dozens of other scrypt pools.

I hope you other pools appreciate his work.  Please consider donating to him.  LTCPooLqTK1SANSNeTR63GbGwabTKEkuS7

Update: It turns out that bhunt discovered the fix at roughly the same time as pooler.  Donations to pooler's address will be split with bhunt.

Thank you to pooler once again. Special mention to bhunt89 also. We really appreciate your hard work!


Title: Re: New SCRYPT! Stratum Flaw found
Post by: serraz on June 03, 2013, 11:02:56 PM
Awesome work Pooler.  Once again you have done an outstanding job.

To be clear, WeMineLTC is not affected by this bug.  We DO NOT use the viperaus fork, our stratum backend is completely custom.  We had our stratum server working more than a month before viperaus scrypt stratum software was working.  I have read ppl saying we use viperaus several times and this is just not true.

As for our exploit that we announced on 5/29, after we found the exploit we tested the viperaus code and confirmed it had the same bug and we wanted pools to know about it, this seems to have ppl thinking that is the code we use.



As mentioned in my post, the top 5 pools all run custom stratum code so this bug was not affecting them. I am sure other pools are also running custom code but I have not checked or asked them. Nevertheless, this fix will surely save many pool operators a lot of heartache.

Thanks again to all who were involved!


Title: Re: New SCRYPT! Stratum Flaw found
Post by: trigeek on June 03, 2013, 11:05:55 PM
defiantly

I stopped reading here.

Thanks for your wonderful contribution to this discussion.


Title: Re: New SCRYPT! Stratum Flaw found
Post by: nearmiss on June 03, 2013, 11:34:09 PM
Thanks everyone, always appreciated!