Bitcoin Forum

A horrible Terracoin attack happened recently. Hundreds of thousands of TRC were created and disappeared.
Details can be found from
https://bitcointalk.org/index.php?topic=261986.0

One attacker (ID on bter: m100003-6399 and m100002-12129) deposited around 120k TRC on Bter.com during the TRC network attack and dumped more than half of them.
The attacker withdrew about 50BTC value (in BTC, LTC, FTC, TRC, etc) from Bter successfully before we disabled his accounts.
Some of his deposits are listed below. The deposits are confirmed normally without any problem but later the confirmations all became zero and all he deposited TRC disappeared.

We have disabled the TRC trade.
We need to reverse all the trading transactions people made with the attackers IDs m100002 and m100003.
BTCs will be credited back the Bter users' accounts who are affected so that they can get their BTC back.
Bter will take all the loss during the attack.

We need time to handle all the affected transactions very carefully. Please be patient.

I am sorry for all the trouble to Bter users during this event. We are doing our best to handle it.

---------------------------------------------------
--balance of the attacker's two accounts

./terracoind getbalance 6399
-39381.71600000
./terracoind getbalance 12129
-82980.08650000

----------------------------------------------------
----- last 5 deposits from the attacker
[
    {
        "account" : "12129",
        "address" : "18dCGtwALpJJMF6horVcbYY1Afft6pZfZq",
        "category" : "receive",
        "amount" : 480.00000000,
        "confirmations" : 0,
        "txid" : "68ce85dce72c4cc28053e823e453b52acbf2aa29ddd22f17f8c244ce756a6536",
        "time" : 1374858805,
        "timereceived" : 1374858805
    },

    {
        "account" : "12129",
        "address" : "18dCGtwALpJJMF6horVcbYY1Afft6pZfZq",
        "category" : "receive",
        "amount" : 4000.00000000,
        "confirmations" : 0,
        "txid" : "b5f3444bd2f8289b3d88e7784dd0fd6277054847acb8d5b7390c3ac0007e9207",
        "time" : 1374859127,
        "timereceived" : 1374859127
    },

    {
        "account" : "12129",
        "address" : "1M5jECA4CU4KnNVgbDAdPBcvScdhdkJT1H",
        "category" : "receive",
        "amount" : 7600.08650000,
        "confirmations" : 0,
        "txid" : "5b53dbd629d0bfb4ab71db94308f4f08ca073d40ce6eb8f07bde4cd18aa6ab92",
        "time" : 1374860903,
        "timereceived" : 1374860903
    },

    {
        "account" : "12129",
        "address" : "1M5RGitwKkT9AUea6638ZwzfiPV5kasu3c",
        "category" : "receive",
        "amount" : 8520.00000000,
        "confirmations" : 0,
        "txid" : "ebc4df3e1ecc4569cd51cc255e19852039a673d2f48e322f094e27300715146e",
        "time" : 1374861841,
        "timereceived" : 1374861841
    },

    {
        "account" : "12129",
        "address" : "1MnsunUAK2vJW21mE6azbXyXJSgJhDsy1Y",
        "category" : "receive",
        "amount" : 62380.00000000,
        "confirmations" : 0,
        "txid" : "172e3c1ba0ccf8284d4a031a149786788cf122dba9800e15ce73af4cc6022bfa",
        "time" : 1374862281,
        "timereceived" : 1374862281
    },

Don't know if this will help at all or not, but here are all known address that attacker's account sent/received money from:

1PAnMKuTs9R4U9FF7xdQSmQc655d2r9zeB (main account)
13kfKR1BS9gtsxppMeqDTx4rAvbwWjvYSL (Used back in April, then mined blocks 175027-175037)
19hWiCHiWk3Bu3mXCCCDRhY9WVLUvoPVAR
1LEyVjbVJw3NSFtxa8o45TvAkpjWkYCuqX
1JZp28yknx5jm9TMPSnGzMyJq3ENCkvme7
111exFkjLXP5mXmEfVqGd2r7bXQhVhux3
1LrwViNiowvXaCKb33BYoYeXkQfUiAHpZ7
122xarBR5XSvcgZ27qNmgvP4VQCUgfzcsa
1LGkXWSE5qvMbxtY6H3CFTCJBKN5wa2NA2
1EYD7hV7t8fN9qXHsj41v2vpyq9SbySqkR
1Kbq1XfK8Zs2wZsAK6SAmaF5jAwym8xaKg
149JyDVZCW46vRJfLRfH1hzypLD5mV4mDk
1M3hwfdTVAHEEmLCepAj3ULNFaM2C7SF3v
1CVkkpMqK7fvNz5t6KecnuErnJxpzGCumS
1D5y3YSzTfT6WTqioW99cuJ6izXiTZg8YD
149JyDVZCW46vRJfLRfH1hzypLD5mV4mDk
1MwK8iA8nSqDDSiYytEntdd9UVYdiZ3qFe
1NCoJCE4sp5sjAnFwgViwRQrcCAE2hsq9u
1Q47BFwRP7nPEewgkRNQFzjVsQp3maQURx
1E1YNV1Rdv8vZtr6iHppGtkrFfFdMTYezK
15fZ3Dk3t89EBgwJieMv43oVGWLZkAHojL
1KeheSehZLUrXCSd5bcFGHNKDBgDWuhdZu
17gvfTjPVtNqV4b7iX1zALoNjCV93na4Y
15AzEWzQwi1wGvUtjEKCXi14zGikR6eSzk

I don't think we can trace our loss back but thanks a lot for your help which makes us feel better

wait wait.. if the bastard moved 120k trc and sold half of them on BTER, how did they disappear? aren't they on the account of the people who bought them? or just HIS coins he was unable to sell disappeared?

A couple days ago, it sounded like the TRC network was 51%'ed; sounds like this was a MAJOR double spend. He sold the coins, all thought they were fine so he got BTC, then overwrote the blockchain from the point of transfer onward. Correct, or no? Definitely would be of aid to BTC and all the others to have an understanding of exactly what occurred.

1st, it wasn't a 51% attack, but a time warp attack.  The fix TRC made to their client (by my understanding) was supposed to invalidate all the time-warped blocks, meaning all the coins this person exploited vanished once the block chain hit the 175000 block.  Therefore, any coins he mined and sent elsewhere should have vanished at block 175000 (which they seem to have from the OP).  The current TRC blockchain is at block 175040 while the old client chain (that someone is still mining) thinks the current blockchain it at 175460.  If you were still using the old client, those coins would still be there.

This sounds like a serious 51% doublespending attack on bter. Note the original time warp requires 51% attack as a basis.

what a mess!

wouldn't have been better to keep those coins as valid, so to let the attacker keep his profits without harming specific people (like bter in this case), at the end of the story he didn't cause any harm apart from an increased inflation and dilution of the coin...which basically it's what central banks do everytime they print new money out of nothing.

Yeah that's why the dev didn't roll things back to before the attack, because of the valid trades the exchanges had done/etc and they rely on the chain remaining intact as best as possible.

I had lost 8 LTC when my Bter account got hacked sometimes back. I withdrew everything and left it - there are much better exchanges out there.

Good luck though - I do hope you bounce back.

have those coins disappeared or not? I still don't understand.
if I bought some on BTER (which actually I did) and sold them on there or on another exchange, did those who bought from me see the trc disappear after block 175k??? this sounds impossible to me! in fact I was able to move like 18 coins I bought on bter (most likely from the attacker) to another exchange and I still see them! they have not disappeared anywhere. I still own them, as I think any other buyer do.

please explain.. this is fishy.

if BTER says the coins have disappeared when actually they have not, in reimbursing the buyers at the price they bought, they keep the TRC for themselves and do make a profit selling them at current prices. not so much as taking a loss... come on!

please explain!!

thanks

Was this double spend after or before the double spend attacks started? If after, then the exchange is completely to blame for not stopping TRC deposits upon the first double spend hitting the network.

the exchange is with no doubt to blame for not stopping the unusual activity on TRC... vircurex did, other raised the confirmation up to 100, bter stood still at 4 confirmations and let massive and unusual trading to take place for more the 24 hrs. I mean when I saw that massive dumping I bought something and I took a huge risk, in fact  everybody was talking about TRC to be screwed up and worth nothing, so to me the dumper could have been just a guy with lots of them just scared to lose his money and wanting out. but that was indeed suspicious to me. since my activity is arbitrage coins I saw the opportunity and even if I thought it was very risky I bought some in order to sell somewhere else at higher price.

NOW, what I want to know here: the coins the bastard sold on BTER have disappeared OR NOT?? cause it doesn't look like to me... the ones I was able to move out of BTER are sitting on my other accounts and have NOT disappeared. so how could BTER affirm the coins have disappeared... the only coins that might have disappeared after block 175k are the ones the bastard couldn't sell which are still sitting on his account...

...unless, and here I prove I don't know how exchanges really works, the buying/selling trades on each exchange aren't really settled until the coins are moved from the buyer to another address. in this case everything that's still on BTER truly disappeared, except the coins that buyers were able to move out of their BTER account.

am I right?

The attacker's deposit disappeared.

Right, which is what double spend is all about.

Chain A I sent coins to BTCe. They clear, I sell them for BTC. I withdraw the BTC.

Now I make a new chain B started the block before I sent the coins, and make it longer than chain A so clients switch to it instead. My coins were never sent to BTCe, I still have them, but I also have the BTC I sold them for. BTCe is left without the BTC or the TRC.

I trust BTCe is on the mailing lists of all coins they support, so they always know about mandatory upgrades in advance.

let me understand how an exchange works...
a guy deposit x coins on his address...
then he sells something to someone else
are the coins really moved to the seller address to the buyer address after the trade?

Happy that a 24/24 monitoring and immediate update to 100 confirmations deposit with a special checking on each then TRC deposit, helped crypto-trade.com to be safe of such lost.

I guess when you run an exchange and accept small Alt coin you have to expect such problem...and be ready to react immediatly as some hours can cause disaster. If you cannot handle it just don't accept such alt coin, or don't run an exchange taking risk to lost funds of your users. Sorry to be rude but I would be same with myself even worst...

Edit : just noticed that on your website : > Manually confirmed withdrawal

It means you processed the 50 btc manually to then understand your site was like attacked? I dont get it fully

Neotrix, Admin of crypto-trade.com

here something else I don't understand
during the attack 100 confirmations were a matter of a few minutes... since the blocks were generated with very high frequency... what difference did it make?

None. Coinotron had over 100 confirmed blocked they mined erased by the attacker before they suspended the TRC pool. The difficulty exploit made the attack unstoppable for the most part. In the main thread discussing the attack we were surprised trading was open at all.

Letting few minutes more to check more about big deposits.

When you see 120k trc coming if you monitor as you know it is attacked, you usually suspect something...And lock the user for more investigation

Even smaller amount looking enornous compar to usual... Of course as said 24/24 monitoring is needed... Or the TRC trading should be stopped directly before any disaster... I agree on that


I agree while coinotron is a pool, managed by only one operator. Pool also dont earn same fees than exchange and dont push same risk on users. We can understand that coinotron took time to react. An exchange shouln't run if is not 24/24 monitored, my opinion remains the same about this.

I completely agree.  Good to know you have the proper safety checks at crypto-trade.  I know Cryptsy also had alerts triggered and disabled accounts.  Your efforts will help keep damage to altcoins to a minimum as the industry continues to mature, and for that I thank you.

-Merc

Thanks, nice to see some people more concerned on securities and future of cryptocurrencies.

Especially when it take 10 min to any programmer to make some script to check such special activities (big deposit...) We talk as admin of exchangers sometime managing hundreds of USD worth owned by users, also making good money with fees... I wont say more you got my point ;) If admin of an exchange cannot hire some people to monitor 24/24, then exchange should'nt run or users should expect some lost anytime....Or just avoid this exchange.

The hard-fork really damages a lot except the attacker is happy at the end.
I think terracoin community should thank bter.com for taking most of the damage. Otherwise, TRC value will be dilute more.

When you deposit, you just deposit to the exchange wallet; where other deposits happen too. Same happens with withdrawl. So you don't do a point to point transaction between buyer/seller.

thanks a lot for that answer

but I'm still confused!

what I would like to know is: which coins really disappeared??

1) the ones the attacker deposited on BTER? (this seems to be confirmed by BTER)

2) the ones the attacker sold on BTER but still sitting in the buyer's BTER account? (this also seems to be the case)

3) the ones that were moved out of BTER buyer's account into other exchange accounts (in this case any other exchange should have a total of TRC which is less that the total of its clients' TRC individual holdings, the difference made by the disappearead TRC brought in there)

are all the three cases true?

thanks for your help

neotrix, did any TRC disappear from your exchange? any at all? not even 1.

What is in you account is just a number. You don't have a separate wallet. Bter's TRC balance reduced after the attackers TRCs disappeared.

When buyers withdrew TRC, it MAY been partly the attacker's ones too. If no user reports that they have any TRC missing, there is a very strong possibility that Bter is hiding something.

Basicly this is what happens during a 51% attack:
You have to understand that the blockchain contains all the transactions and block are minted on top of it
The attacker build his own blockchain, with his mining speed, he can be faster than the network
Blockchain acceptation is done by consensus by all the nodes, basicly, the longest chain wins
The attacker spend his money on the network chain, but his money remains on his (and longer!)
The attacker broadcasts (release) his chain to all the node, in order to be accepted by them
The longest chain is validated, orphaning the network's chain, reversing his spending
The attacker, sucessfully spent his money (like exchanging TRC in BTC) and keep his money on the newly accepted chain
In this case, I think that he successfully use his minting reward because he doesn't seem to have balance before the attack
This attack seems to give 100% of minted blocks to the attacker

Please tell me if I'm wrong somewhere.

the blockchain now says:

175049           2013-07-29 11:49:19   36   126.31668153   294231.656   3501029.85549999

on the 23th before the attack there were 327049 TRC, here the situation at block 163500

163500   2013-07-23 03:36:06   1   20   20574.792   3270049.85549999

11549 blocks difference, 20 trc on each block: 230980 TRC total generated by these 11549 new blocks

3.270.049+230.980 = 3.501.029

EXACT!

so the frigging TRC coins generated by all those blocks are still counted by the block chain
but... if THEY DISAPPEARED, shouldn't they be erased and not computed anymore???

the mystery is still there... are those coins existing or not??

I still can't get it!

....unless those coins belongs to the attacker now and he's holding them somewhere, they disappeared from BTER but still are in the attacker's possesion, aren't they?

As lamiomni said, a profit happens when you double spend. In the current blockchain the deposit by the attacker would be invalid. So they are still with the attacker (unless they have been spent again).

Some of that TRC  deposit may have been withdrawn by Bter users and should have vanished. Since nobody is reporting that it seems a tad fishy. Unless by luck all the withdrawls used other TRCs only.

in other words he still have the cake and ate it too

Try this explanation: Attacker has legally mined 100 coins


Since the attacker's blockchain is longer and he has more hashrate, he forces his blockchain onto the network as the real one and the real one disappears (orphaned).  The spend he made at block 106 to the Exchange at Address D 'disappears'(even though the exchange credits it after the 4/6 confirmations), the coins mined by A, B and E disappear, their blocks orphaned.  Attacker goes to exchange, converts credited coins to BTC or other coins, transfers them out, Exchange later sees balance mismatch between wallet and their system and trace it back, but too late, attacker has run with converted coins.

Now, by this explanation, the attacker still has the coins.  TRC developers though said the time warped blocked would be invalidated.  What does this mean?  Dunno.  Maybe the attackers address is rendered invalid in the system and while the coins are 'in' his wallet, the client will never allow them to be spent.  Maybe it's just a platitude given to us to calm the masses into thinking the attacker lost his coins, while they sweep it under the rug and let him go.  Maybe... <insert your theory here>

We will never know the real truth unless the TRC dev's come right out and explain it in terms we can understand.

Yup.

Here is a simplified explanation:
- 2 blockchains: One where you spend it (on the legit blockchain, B1), one where you keep it (on the attacker's one, B2)
- During the attack, you deposit your funds on an exchange and withdraw BTC, LTC, whatever, something different than TRC, these transactions takes place on B1 but not on B2
- You broadcast B2 to reverse TRC transactions you did on B1, this is likely to succeed only if you have more than 51% of the network
- Unfortunately, all the others blockchains didn't reverse the transaction so you still have withdrawn BTC, LTC... and TRC

Time warp attack seems to block difficulty to a low level, so the blocks can be minted at very high speed.

I think you are not looking at the big picture.

Exchange wallet: 2,000,000 TRC
Attacker sends 120,000 TRC, coins go to his deposit address, then into exchange wallet.
Exchange wallet: 2,120,000 TRC
Attacker converts on site to BTC and withdraws
Exchange wallet: 2,120,000 TRC
Attacker invalidates original blockchain and deposit disappears
Exchange wallet: 2,000,000 TRC

Now, *IF* someone happened to withdraw from the exchange during this brief period, their TRC sent to other sites would disappear, but how often do people transfer out of an exchange?

Heads up and condolences for Bter.

But also a good illustration for us all who would invest in unsecured cryptocurrencies.

Not really, since normally blockchain acceptation is weighted with transactions, the attacker's blockchain contains all the transactions except his own (as a node, you have the ability to rejects transactions).

I'd ask freeworm, who seems to be part of BTER staff, to post here all the trades done by the attacker.

There are risks in every business...you`ll get over this. Heads up - i appreciate your approach on this matter.

I renew the request, this would be just fair and transparent.

So, does 101 blocks mined at difficulty 1 win over 1 block at difficulty 100?

Hi there. I trust you upgraded to -48 in time before the mandatory block to avoid this happening again? I put in a support ticket ahead of time to make sure your staff knew another mandatory update was coming.

the most frequent attacked coin to date. I'm amazed how trc is still alive.

Since TRC is steadily rising and my deposits don't even show as pending, I'm worried you forked again without installing -48 in time. I've let support know (well in advance) and mentioned it on Twitter. Not sure how better to try and get your attention when you and customers are at risk of losing money again...