GHash.IO was vulnerable to this exploit, but it is already fixed. Thanks to everybody for cooperation.
Hi guys. Read an article yesterday, and I think I know why some pools are so "unlucky". In fact they're not unlucky, they're attacked through a share multiplication issue.
There is a vulnerability found in the majority of stratum mining protocol implementations. I've published the disclosure of this bug a few weeks ago. The vulnerability is caused by an incorrect algorithm of verification for uniqueness. Instead of checking raw solutions, most of the pools are doing this through checking the hex-encoded representation. This allows a miner to create multiple versions of the same share through applying an uppercase function to the hex-encoded solution.
{"id":102,"method":"mining.submit","params":["eobot.41355", "19", "5e490000", "552ce06a", "c0ad31ee"]}
{"id":103,"method":"mining.submit","params":["eobot.41355", "19", "5e440000", "552ce06e", "3b39f0a2"]}
{"id":102,"method":"mining.submit","params":["eobot.41355", "19", "5e490000", "552ce06a", "c0ad31eE"]}
{"id":103,"method":"mining.submit","params":["eobot.41355", "19", "5e440000", "552ce06e", "3b39f0a2"]}
{"id":102,"method":"mining.submit","params":["eobot.41355", "19", "5e490000", "552ce06a", "c0ad31Ee"]}
{"id":103,"method":"mining.submit","params":["eobot.41355", "19", "5e440000", "552ce06e", "3b39f0a2"]}
{"id":102,"method":"mining.submit","params":["eobot.41355", "19", "5e490000", "552ce06a", "c0ad31EE"]}
{"id":103,"method":"mining.submit","params":["eobot.41355", "19", "5e440000", "552ce06e", "3b39f0a2"]}
{"id":102,"method":"mining.submit","params":["eobot.41355", "19", "5e490000", "552ce06a", "c0aD31ee"]}
{"id":103,"method":"mining.submit","params":["eobot.41355", "19", "5e440000", "552ce06e", "3b39f0a2"]}
This vulnerability seems as intentionally made i.e. backdoor. Simplest workaround is to use lower() method:
@@ -192,7 +192,12 @@ def submit_share(self, job_id, worker_name, session, extranonce1_bin, extranonce # Check nonce if len(nonce) != 8: raise SubmitException("Incorrect size of nonce. Expected 8 chars")
+ # normalize the case to prevent duplication of valid shares by the client + ntime = ntime.lower() + nonce = nonce.lower() + extranonce2 = extranonce2.lower() + # Check for duplicated submit As far I know, stratum-mining/eloipool/node-stratum-pool are vulnerable. Example of affected pools is ghash.io... Some pools like BtcGuild are not affected for unclear reason. Probably because they're using proprietary software.
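Review bot: the `.lower()` calls on `ntime`, `nonce` and `extranonce2` fold case but leave the check under `# Check for duplicated submit` comparing strings, so uniqueness still depends on every spelling of the same bytes being collapsed by hand. Only `nonce` has a visible length check in this hunk (`len(nonce) != 8`); unless `ntime` and `extranonce2` are validated as fixed-length strict hex elsewhere, decode all three to bytes once, reject anything that fails to decode, and use the decoded values as the duplicate key. The comparison is then made on the raw solution rather than on its encoding, which is the property the added comment is trying to restore.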
|
|
|
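The duplicate check described in the post above, as an added example that is not part of the original post and is not code from stratum-mining, eloipool or node-stratum-pool: the same tracker keyed first on the hex strings and then on the decoded bytes. `ShareRegistry`, `count_accepted` and `VARIANTS` are hypothetical names, and the 4-byte sizes for ntime and nonce are an assumption matching the 8-character check in the patch.

```python
import binascii

class SubmitException(Exception):
    """Raised when a share is rejected."""

class ShareRegistry:
    """Duplicate-share tracker (hypothetical class, written for this example)."""

    def __init__(self, canonical):
        self.canonical = canonical  # False = compare hex strings, as the post describes
        self.seen = set()

    def _key(self, job_id, extranonce2, ntime, nonce):
        if not self.canonical:
            # Flawed: "c0ad31ee" and "c0ad31eE" are different strings, same bytes.
            return (job_id, extranonce2, ntime, nonce)
        try:
            # unhexlify is strict; bytes.fromhex() would skip whitespace and
            # leave another way to spell the same bytes.
            raw = tuple(binascii.unhexlify(f) for f in (extranonce2, ntime, nonce))
        except (ValueError, TypeError):
            raise SubmitException("Field is not valid hex")
        if len(raw[1]) != 4 or len(raw[2]) != 4:
            raise SubmitException("ntime and nonce must be 4 bytes each")
        return (job_id,) + raw

    def submit(self, job_id, extranonce2, ntime, nonce):
        key = self._key(job_id, extranonce2, ntime, nonce)
        if key in self.seen:
            raise SubmitException("Duplicate share")
        self.seen.add(key)
        return True

def count_accepted(registry, submissions):
    """Return how many submissions the registry credits."""
    accepted = 0
    for params in submissions:
        try:
            accepted += registry.submit(*params)
        except SubmitException:
            pass
    return accepted

# Constructed input: the id-102 share from the post and its four case variants,
# as (job_id, extranonce2, ntime, nonce).
VARIANTS = [("19", "5e490000", "552ce06a", n)
            for n in ("c0ad31ee", "c0ad31eE", "c0ad31Ee", "c0ad31EE", "c0aD31ee")]

if __name__ == "__main__":
    print("string-keyed:", count_accepted(ShareRegistry(False), VARIANTS))
    print("byte-keyed:  ", count_accepted(ShareRegistry(True), VARIANTS))
```

Keying on decoded bytes credits the share once regardless of how the client spells it, and the strict decoder rejects inputs that are not plain hex instead of normalizing them.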
Is Ghash.io still having issues? I've never seen a period like this last week or so where the block-times have been so long.
Just bad luck?
Last week there was a problem where miners could not mine for 6 hours at all. Right now, everything is under control, we are managing the attacks well. Blocks taking so long to mine is, unfortunately, bad luck indeed.
|
|
|
...we are not getting any profit from the mining pool...
BS. You don't seriously expect anyone to believe that do you?
GHash.IO does not get any profit from miners. Our pool has 0% fees, and every block reward goes to miners who have chosen to connect their hardware to the pool and contribute to the Bitcoin network. We do not get any profit from our cloud mining services (which are still available for everyone – you can turn on cloud mining manually if you choose to do so) as well – all the fees go to service providers to cover electricity and maintenance cost. We consider these two directions as our input in the Bitcoin community and cryptocurrency itself. Our main project is CEX.IO, the exchange, and trading is where the revenue comes from. By registering with GHash.IO, miners automatically get a CEX.IO account where they can trade their GHs or crypto. Truth to be told, by allowing miners to use our 0% pool, we are hoping to increase our user base at CEX.IO.
|
|
|
Official Statement on the Last Week’s DDoS-attack against GHash.IO Mining Pool
Last week, GHash.IO has experienced a DDoS-attack against the pool. Although the website itself did work, miners were not able to mine during 6 hours, as a result of the attack tacking up to 40 Gbps. At the moment, GHash.IO works properly. Anti-DDoS protection provided by Voxility hosting is integrated with our platform. It’s worth mentioning that there was no information leak or crashed accounts, and only GHash.IO stratum server has been attacked, not affecting CEX.IO exchange. The attack has been conducted by a hacker who has already DDOS-ed CEX.IO in October, 2014. Previously, he demanded 2 BTC for stopping the attack. This time, the payment has been raised to 5-10 Bitcoins. According to his words, “Usually, I have to run the attack for 1 hour or less and I get paid, so large damage is prevented,” which means, other services have also been attacked. After everything has been fixed, the hacker stopped writing to us. At the moment, we are in touch with other services that have been DDOS-ed, among them — Bitalo. We are open for communication and are ready to help other Bitcoin services to prevent the attacks. Since we suspended cloud mining services, all miners that are currently using GHash.IO are individual miners who trust our platform. With a 0% fee, we are not getting any profit from the mining pool, but we believe that mining is an extremely valuable process for the industry in general, for generating new coins and confirming transactions. That is why we’ve made all possible efforts to restore the service and are encouraging miners to connect their hardware to the pool. We will continue developing mining side of our company and invest into improving security of the pool so that Bitcoin adherents could enjoy using our service that is secure and free of charge.
Source: CEX.IO blog – http://blog.cex.io/news/official-statement-on-the-ddos-attack-against-ghash-io-mining-pool-13355 (CoinDesk: http://www.coindesk.com/bitcoin-mining-pools-ddos-attacks/)
|
|
|
Anyone here help a partially blind person set up a new worker on Windows 7 cex.io. I am mining 500 just now with their hash but want to buy my own Antminer S3 but can't set up a worker, would love someone to do it my remote
Ghash automatically sets the worker up when you point it to the pool.
daddyfatsax (Great name by the way!!!) is right, as long as you enter the correct details into your miner configuration we take care of the rest. 'You should name your workers yourusername.<WORKERID> (e.g. yourusername.worker1). Workers are added automatically, you can use any/empty password. The minimum stratum difficulty is 16. Support: webmaster@ghash.io'
|
|
|
are the problems with multhash pool fixed and is the pool merge mining doge...?
Yes the pool is merge mining Doge. We have recently resolved the issue of stuck rewards on Litecoin and Doge wallets. All Litecoin and Doge rewards are being pushed out now, so expect to see your coins in your wallets soon. We are sorry for the delay in solving this issue. https://support.cex.io/hc/en-us/articles/203843593
|
|
|
I am mining a gridseed blade on the ltc-doge pool. I made more than 20 blocks in the last week and they don't pay it. I have .999 ltc pending for days. I have lots of missing doge coins, really annoying
Hey Philipsma1957, Our apologies, we have had payout issues in the LTC+Doge merged pool. Any pending payments should and will be paid. Have you raised a support ticket? That way you will get specific feedback on your situation. The payout issue has been commented in our support forum https://support.cex.io/hc/en-us/articles/203393656
|
|
|
If it is a pool that communicates with the general community it will usually refund the fees. BTCGuild's Eleuthria did that as well before on a large fee block. GHash.io may very well refund the fees and we would never know - their communication with the mining community isn't the greatest. Try making a ticket and see where that gets you
We have refunded genuine mistakes and they have been documented here on this forum https://bitcointalk.org/index.php?topic=602152.0
|
|
|
Is anyone else having trouble logging in?
I eventually am able to log in but I've had to go through three to four captcha challenges before I could do so; then I get challenged again each time I refresh my stats. It's a major pain in the tuchas. I never had to deal with this chit until a couple of weeks ago. I guess CEX/GHash has been too busy socializing and expanding their business that they have neglected the maintenance of the usability.
If you have 2F authentication once authenticated you should not be getting multiple captchas on refresh etc. The only time you would be requested for auth again would be if you made a withdrawal request for example. So what you are experiencing is not normal. Please contact support so they can help you with the access issue.
|
|
|
Anyone notice block #320234 showing up 16 times! Looks like 16 payments also. What the heck is going on?
Multiple incorrect iterations of Block 320234 showing in the Last Blocks table are under investigation, we will advise outcome as soon as possible.
|
|
|
Glad to see it finally showing up (even though the delete button just hides the workers). How about sorting the workers better next? Right now my workers are this big jumbled mess. It would look a lot nicer if they were alphabetical.
If you click on the heading of any of the columns relating to the workers you can rank by number, name, hashrate etc. Have you tried that?
|
|
|
All GHash.IO users, We thank you for your inputs in this thread. The ability to delete old workers has been an issue on the table for some time and many users have communicated to us the feature would be good to add. Users also recently raised the same issue here. We do listen to inputs and are pleased to be able to inform everyone that the feature to delete old workers has been implemented and is working.
|
|
|
GHash,
Thanks for implementing the worker delete function. However, what's up with the overzealous captcha? It seems that I have to go through it twice each time I refresh or switch pages. I never had to do this until about over a week or so ago. I understand that it is a security thing but doing it once (during login) should be good enough for the entire session until logging out of it. But to be subjected to it twice each time I refresh or switch pages is very annoying and time consuming, especially when the characters are not readable and a new set needs to be generated. Please take it back to the way it was or at least, tame the captcha challenges.
What you are seeing doesn't sound correct, please can you contact support and inform them of what you are experiencing.
|
|
|
We had an hour or so downtime yesterday which is now resolved.
Regarding some recent block find activity we have identified a discrepancy between solved blocks reported on the GHash.IO stats and that reported on the blockchain. There are 2 instances block 317321 and 317304, neither of which show in the GHash.IO last blocks but appear attributed to GHash.IO in blockchain.
We will advise the situation regarding these blocks after investigation into our system.
The outstanding issue regarding blocks 327321 and 317304 has been resolved and rewards distributed. Many thanks for your patience. https://support.cex.io/hc/en-us/articles/203393233-25-August-2014-Missing-Block-Rewards
|
|
|
And what about alt-coins? For example Aurora: No payout since block 48154, i.e. for about the last 40 blocks. Similar situation with other altcoins.
Also under investigation, thanks.
|
|
|
Look at block 317304 and block 317321. According to blockchain.info it was solved by ghash.io, according to ghash.io they did not solve it so they aren't paying miners for it. Those are the only 2 out of the last 100 blocks as I only just checked because someone else noticed it first.
It could be just 2 blocks that they kept for themselves either because their software is broken (again) or because they needed an extra ~$25k for hookers and blow. I really don't know but it does make me want to dig deeper into which blocks they have paid on and which ones they should have paid on. If it is 2% of all blocks then there is a serious problem in not disclosing that to people, if they are going to charge a fee they need to declare it and not claim 0% pool fee.
Edit: ha! beat me to it
Edit 2: I am currently pulling blocks from blockchain.info associated with ghash.io to see what is going on. I will also look at what IPs were used to see if one is particularly bad about it or not. I am going to go back a couple hundred more blocks and if I don't see anything give up. Program is running now to do all this.
Edit 3: in the last 167 blocks solved by ghash/cex pool only those 2 did not get paid out. They still have not been at the time of this writing.
GHash.IO pays every found block to its miners, so your investigation regardless of the number of edits will not reveal anything other than that. We are aware of a discrepancy relating to 2 recent blocks and have announced we are investigating such on our Official thread. https://bitcointalk.org/index.php?topic=627111.msg8522350#msg8522350
|
|
|
We had an hour or so downtime yesterday which is now resolved.
Regarding some recent block find activity we have identified a discrepancy between solved blocks reported on the GHash.IO stats and that reported on the blockchain. There are 2 instances block 317321 and 317304, neither of which show in the GHash.IO last blocks but appear attributed to GHash.IO in blockchain.
We will advise the situation regarding these blocks after investigation into our system.
|
|
|
|