So, I think figured out today how the attack worked. Throughout the day, the chain was spammed with "mimic" pool payout transactions. This was to enlarge the median blocksize. Then, when the block size hit the required size for the attack, the merkle tree hashing code was overflowed by including >511 tx (these were tiny tx with one input and no outputs) followed by two unique transactions with inputs and outputs. The last two transaction hashes in the tx merkle tree (512, 513) could be replaced with anything so long as they were valid tx hashes, as they didn't actually factor into the block hash. This was due to a bug in tree-hash.c. This was block 202612. The net effect of this was that you could swap in any tx into the block at positions 512 and 513 so long as they were the same size and were valid.Here's the interesting part: When the attacker mined 202612, he transmitted two different blocks to the network, both of which had valid block headers, and both of which contained different transactions in index 512 and 513. Block 202612 Fork 1 (monerochain): index 512 2a58f802202db09cbd1377630ae73becff1eaff52e8969980672496dc39a5f6f 1.999999999999 622
index 513 57ce3aab446d75726221c908a4bf6ac2f67485cab80a2e2bedfe5519cabd8848 1.999999999999 622 Fork 2 (chainradar, minergate): index 512 d59297784bfea414885d710918c1b91bce0568550cd1538311dd3f2c71edf570 1.999999999999 622
index 513 d2d714c86291781bb86df24404754df7d9811025f659c34d3c67af3634b79da6 1.999999999999 622 Note that both of these above blocks have the same header hash, because the merkle tree code simply ignored including these tx into the tree. If it had, the block header hash would have been different. So, now half the network had one block, and half had the other, but they both thought they were valid and exactly the same even though they weren't. Now, here's how the attacker forked the network. Two blocks later, at height 202614, the attacker generated and submitted two new blocks. These blocks contained the transactions below: Block 202614 Fork 1 (monerochain): index 2 d59297784bfea414885d710918c1b91bce0568550cd1538311dd3f2c71edf570 1.999999999999 622
index 3 d2d714c86291781bb86df24404754df7d9811025f659c34d3c67af3634b79da6 1.999999999999 622 Fork 2 (chainradar, minergate): index 2 2a58f802202db09cbd1377630ae73becff1eaff52e8969980672496dc39a5f6f 1.999999999999 622
index 3 57ce3aab446d75726221c908a4bf6ac2f67485cab80a2e2bedfe5519cabd8848 1.999999999999 622 Noticed that these two new blocks both contain tx which the other chain already had -- at this point the network forked, because for each network one of these blocks would be invalid because it contained a doublespend of transactions that were already included. Here's some output from a daemon on the forked network (fork 1, monerochain), from exactly when it hit the fork point: [P2P6]Block with id: <c29e3dc37d8da3e72e506e31a213a58771b24450144305bcba9e70fa4d6ea6fb>have at least one unknown transaction with id:\ <57ce3aab446d75726221c908a4bf6ac2f67485cab80a2e2bedfe5519cabd8848>
[P2P6]Removed transaction from blockchain history:<e0d8f60983f90bbf8030f166cfe151c9ee45fe2e5bdc19abb32d80bfeaf1b368>
[P2P6]Removed transaction from blockchain history:<227ec7670f47107c45a8d096510d385ffbd09aa59f47f60f98f915b079f48d8e>
[P2P6]Block verification failed, dropping connection This has been the most elaborate attack on a cryptocurrency I've ever seen -- it required incredible coordination and took great lengths to hide itself from being see from casual users of the network until it was too late. Of course, we were watching and could tell something was up, so we caught the fork immediately and were able to protect our users by notifying them and the exchanges of it. Still, I'm frankly amazed at the lengths the attackers went to to conduct this attack, and the complexity of it. |
|
|
|
... kind of begs for a comment from the dev team.
I agree that the C in the codebase in insane and dangerous. In the least, we need to refactor to C++ and comment the code. |
|
|
|
Yes I got the merkle tree overflow stuff. I was asking specifically about the tree hash bug and what the fix was going to be ..
To me both chains need to be co-exist. It is pretty obvious that XMR will continue to get targeted. It will only make the code better in the long term, but there will be targeted disruptions from time to time.
The fix is to stop coding in C, which should never be used for distributed consensus, and to refactor the codebase. |
|
|
|
Back on topic:
Thanks, tacotime, smooth, fluffypony for keeping us update in realtime. This is precisely the emergency response I was hoping for.
Two questions:
1) Can you already rule out that the same (or similar) attack can be mounted again?
2) Can you already rule out conclusively that no lasting damage was done (as in: according to the pre-attack ownership situation)? Any chance that some subtle damage was done that'll be discovered only later?
1) yes, it's an overflow bug in C. 2) yes, once the nodes all update no more corrupted blocks should be generated. the corrupted block now needs to be hardcoded into the software. |
|
|
|
Great job in always watching the chain tacotime.
Also looks like the fixes implemented are going to be different? Are you going with reduced max block size ?
Nah, it was a simple overflow bug, the basic fix is the same, to just fix the horrible C code line that caused it. The long term fix is just tossing all the horribly dangerous C code that contains naked pointers and moving to something somewhat less terrible like C++. |
|
|
|
CZ updated the statement and acknowledged the XMR devs without any protests or reservation. This was most likely unintentional. Simple misunderstanding. The reactions of XMR devs are bit harsh IMHO....
We're just cranky because most of us haven't slept much  |
|
|
|
I expected nothing less than 'grumpy smooth' to be the result of BBR pulling even in volume with XMR. I assure you my irritation has nothing to do with trading and everything to do with not being properly credited for the work that rfreeman_w and I did (he first discovered the source of the problem and I came up with the sizeof*8 fix). And I caught the section of code with the problem last night: https://bitcointalk.org/index.php?topic=583449.msg8665829#msg8665829 |
|
|
|
Good morning. It looks like the code I called into question within an hour after this happened last night was indeed the problem code. So, within an hour or so of the attack, I'd narrowed it down to about a page of code, and it looks like we have the first fix this morning. Now the CN "saviours" have flown in and magically have a similar fix, who knew? The code was obviously orchestrated by someone with an intimate knowledge of the codebase, to the point where: 1) Txs to expand the blockchain were made to emulate pool payout tx so not to raise suspicion. 2) The tx used as inputs for the block that broke consensus was 4 days old so we couldn't find it easily. 3) The mempool was not filled up so as to also give the impression a spam attack was not going on. There are more notes here: https://bitcointalk.org/index.php?topic=583449.msg8665829#msg8665829Here's what happened with us: We caught the bullshit going on in the network despite efforts to conceal it and caught the fork immediately. We had Poloniex shut down deposit withdrawal as soon as the fork arose, so no one lost their money. |
|
|
|
I need to crash. Fluffypony and the other devs will be up soon and will continue diagnosing it. My guess it that it's a buffer underflow/overflow code relating to the merkle tree code, but I'm not entirely sure. The crazy block that broke the network had the following idiosyncrasies: - Normal coinbase - 510 tx with 0.0000000000001 inputs and 0.000000000000 outputs (effective fee 0.000000000001) - 2 tx at the end of the block with 2.0 inputs and 1.9999999999999 outputs --> 513 tx total included, possibly overflowing a value related to the merkle tree tx calculation somewhere (for instance, if a binary merkle tree has two branches which are allowed to contain 256 tx each, and then when you get over 512 something bad happens, eg memory access somewhere there shouldn't be) Now, the outputs of 0.0000000000001 that were used were produced 4 days ago, so it looks like the attackers were well aware of the bug, but needed to expand the block size to get all these outputs into a single block. To do so, they emulated normal pool payout transactions but added high mixin and tx_extra content to bloat the tx. These transactions were otherwise indistinguishable from pool tx payouts, aside from occasionally using strangely large inputs. To not raise suspicion, the tx mempool was not flooded by tx, but rather 4-10 new tx were submitted whenever a new block entered the network (so that the mempool didn't look suspiciously large). Our course, we recognized these as bizarre ealier in the day and were watching the blockchain like a hawk. Overall, it appears it was an extremely well coordinated attack to exploit an unexpected engineering flaw in the handling of merkle trees. I still don't understand why it happened, but I'm already up way too late and I need to get some sleep. Someone will pick up where I left off. |
|
|
|
|
Network is forked. Do not move funds, do not spend, we're likely going to have to apply an emergency patch and roll back to before the corrupted block.
|
|
|
|
What does that link mean, tacotime?
Successful attack achieved by including a corrupted block, we're trying to figure out what happened now. |
|
|
|
I think you made a typo tacotime, because two keys are repeated. What you mean is {
"0":"02b631fc5e901982a8d130ea65f2966e99a51375030b3c9c64288f4631943ed194"
"1":"032e76a7de5584eee15a23e872c08543fcca5445d844a6ce63d37c5d25ce377888",
"2":"04678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb649f6bc3f4cef38c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5f"
}
and I can indeed verify your signed message with this ring Ah, yes, correct, I'll fix it up above.  |
|
|
|
Do you know if they are aware of our value blinding scheme described in my writeup? Yup, the math/crypto guys that have been hired have gone over it a lot. Unfortunately, it's a rather large change in terms of core code that we'd have to make and right now we're still trying to figure out why even basic stuff in the codebase like network propagation/syncing is dysfunctional. Large, likely hardfork changes like that will be a while off to implement, although it is a really cool idea. |
|
|
|
Edit: Ok, looks like we have to generate the keyring manually? To make a keypair you use the -g command. There is an example keyring that comes with program {
"0":"024627032575180c2773b3eedd3a163dc2f3c6c84f9d0a1fc561a9578a15e6d0e3",
"1":"02b266b2c32ba5fc8d203c8f3e65e50480dfc10404ed089bad5f9ac5a45ffa4251",
"2":"031ea759e3401463b82e2132535393076dde89bf2af7fc550f0793126669ffb5cd",
"3":"03320cd05f3538159693cd253c30ec4972fa06ad10f1812951923a5ea063e9748c",
"4":"039b9033d0377e3af7fdf4369134f3ec96aa03326fd07f89d60dc3ba70d0a19956",
"5":"03c81094edb63ba28b1e4d5556d91dc030b725e105be94fb4005bee987f80a38f0",
"6":"032077679a3f1579acc22308f09b7d5f597cba4ea9f314b8aaf86ab2f052fa0157",
"7":"039b9033d0377e3af7fdf4369134f3ec96aa03326fd07f89d60dc3ba70d0a19956",
"8":"02dcdb96d05d6cd36ce7014a69ebce8b48f8d7de46ce3bfa99482af65284697e13",
"9":"04678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb649f6bc3f4cef38c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5f"
}
So I guess we will just copy the format. My key for this thread is 02b631fc5e901982a8d130ea65f2966e99a51375030b3c9c64288f4631943ed194 Yes, this is correct. Here is a test pubkey from me: 032e76a7de5584eee15a23e872c08543fcca5445d844a6ce63d37c5d25ce377888 I will sign using this keyring: {
"0":"02b631fc5e901982a8d130ea65f2966e99a51375030b3c9c64288f4631943ed194"
"1":"032e76a7de5584eee15a23e872c08543fcca5445d844a6ce63d37c5d25ce377888",
"2":"04678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb649f6bc3f4cef38c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5f"
}(The first is andytoshi, the second is me, and the third is Satoshi (from the genesis block).) This is the message: The Times 03/Jan/2009 Chancellor on brink of second bailout for banks Using the verify text feature, here's the returned signature for you to validate: 144VfXoJFBzxhFe7c4GXsCpPogkhXkkrQut5r7waHxgUv+FiH39RvZ5LSYEUFR2UXKfgcgzxZ48Dd3f2CdgycnUKHk+FFkDCK438Zdpza9RaAyh5VCMcpe5d1Yj29SP1111vZtL&5dma9x2cspgqM3TZZugDuyjVz5dmJLC9JU4JVb4frTdb&BnJdCj4DAsr6QzK22Qx5n4ts8Rzas4s23Cs5YDDirThA&+HJmdbgEnpXcQ7mDnuywXsy6bdzg5zN1RCdeYN8RLnhnm&78K3TP8PbjrMKWKEHmWM1Cf7nUsnse3EQ6owKoJFi3f3&9duvujESzXaHTKxDEJPESYoSRVYbVxHQej3FEZbysMGc& This signature is from either me, or andytoshi, or Satoshi. If you check the key file, you will also see that generated keys include mainnet V1 addresses (although these aren't used by the program itself). |
|
|
|
This is great stuff tacotime! I bet we have a lot of fun with this. Maybe I will install Go, generate a key, and post it here for us to play ringsigning games.
Are you involved with Monero?
Thanks! Admittedly I don't follow 100% of the ring signature crypto code that Hein wrote, but the usage and verification is as expected. One thing I did add was sorting to the key ring input based on the public key X and Y values, so that ordering of the keyring did not impact signature generation/verification. The output for signatures is in Base58, in the format: X+Y+[C_0]&[C_1]&...&[C_N]&+[T_0]&[T_1]&...&[T_N]& I am involved with Monero as a (volunteer) member of the core team, although most of what I do is higher level consulting on how to maintain anonymity using the stock ring signature code. This has been kind of a "rabbit hole" problem of endlessly more things to consider in terms of deanonymization attack vectors, but we should have some publications and proposals out soon that further investigate this that you and gmaxwell will probably be interested in. |
|
|
|
As part of ongoing efforts of the Monero Project, a small program has been generated that allows you to do 1-of-N ring signatures using a secp256k1 keypair and a keyring of public keys. The program signs both binaries and text files. https://github.com/monero-project/ursTo build and install, use this command after installation of Go: go get -u -v github.com/monero-project/urs/... According to the paper, unique ring signatures are anonymous except in the case of signing the same message multiple times (in which case X and Y in the signature appear to be the same). http://csiflabs.cs.ucdavis.edu/~hbzhang/romring.pdfA potential usage might be to sign gitian asserts from a trusted keyring anonymously that contains well known members of the Bitcoin project. Another usage would be for members of a trusted community of Bitcoin users to anonymously vote for some proposal by signing it separately and publishing their signatures. Thanks to Hein Meling for the initial URS implementation, Conformal Systems for their immensely useful libraries, and gmaxwell for inspiration. |
|
|
|
This is my first post here, but I am not a "troll". I am a significant holder, accumulating over the last months, and you can tell by my twitter @indiemaps that I have supported Monero in the past. But I can't see how anybody can trust the socialist devs of this project after the revelations of the past few days. I will not dump b/c I believe there is more BTC to be made off this flavor of the season coin. But I have certainly lost my trust and faith in the coin and team.
The developers claim to want to separate the monetary system from the government, yet David Latapie also believes in socialist education, redistributionist schemes, and forced/violent taxation. How this is compatible with an anonymous cryptocurrency is beyond me.
I and I hope all the other anarchists who have supported this coin in the past need to move on....to a coin with nonviolent developers who do not wish to force their views of society on us.
Decentralized development means different people will have different opinions, see Mike Hearn versus Peter Todd versus sipa in Bitcoin. If you can't handle other people having different opinions about the monetary systems of the world, you might be fascist. |
|
|
|
When can we expect this to go out?
There should hopefully be a closed source testnet in the next month or two that people can muck around with. Excellent. I'm sure you'll get plenty of testers - looking forward to participating. What environment do you envision supporting first? Linux/Windows? Or just Linux first? It should build pretty much anywhere as it's written in Golang. Initial daemon/wallet will be command line. |
|
|
|
|
Show Posts
