Bug in Stratum Mining Software

[denis2342]

Hi

The Stratum Mining Software has a serious bug. It allows a Miner to send the same share several times without the duplicate check detecting it. With clever programming this can be more than 1000 shares that it should be in the worst case. Normally it is possible to get eight times the shares.

The problem is, that the duplicate check works with strings (nonce, extranonce...) and does check them case sensitive.
So the exploiter simply sends his values in all variations with small and big letters (because it is in hex)

example:

03:51:47.760512 IP 87.203.91.128.28348 > xxx.xxx.11.163.3333: Flags [P.], seq 535:1070, ack 216, win 64185, length 535
.m.g..h..P...kn..
{"id":913,"method":"mining.submit","params":["uphellper.5553", "424", "f5670100", "550cdcbf", "5d82727c"]}
{"id":913,"method":"mining.submit","params":["uphellper.5553", "424", "f5670100", "550cdcbf", "5d82727C"]}
{"id":913,"method":"mining.submit","params":["uphellper.5553", "424", "f5670100", "550cdcbf", "5D82727c"]}
{"id":913,"method":"mining.submit","params":["uphellper.5553", "424", "f5670100", "550cdcbf", "5D82727C"]}
{"id":913,"method":"mining.submit","params":["uphellper.5553", "424", "f5670100", "550cdcbF", "5d82727c"]}

03:51:47.859746 IP xxx.xxx.11.163.3333 > 87.203.91.128.28348: Flags [.], ack 1070, win 65535, length 0
.n..h..m.i.P........
03:51:47.951332 IP xxx.xxx.11.163.3333 > 87.203.91.128.28348: Flags [P.], seq 216:431, ack 1070, win 65535, length 215
.n..h..m.i.P....3..{"error": null, "id": 913, "result": true}
{"error": null, "id": 913, "result": true}
{"error": null, "id": 913, "result": true}
{"error": null, "id": 913, "result": true}
{"error": null, "id": 913, "result": true}

The diff for the fix looks like this:

file: stratum-mining/lib/template_registry.py

         # Check for duplicated submit
-        if not job.register_submit(extranonce1_bin, extranonce2, ntime, nonce):
+        if not job.register_submit(extranonce1_bin, extranonce2.lower(), ntime.lower(), nonce.lower()):
             log.info("Duplicate from %s, (%s %s %s %s)" % \

The fix may be not complete though.

I understand that the pool owners and especially slush (his pool seems to have this fixed) do not share their hard work.
But to not release this bugfix is not what the bitcoin community stands for.

If anyone appreciates this public disclosure you can show it here: 19c4bA6qHLjnWgYQmS9VuqwHuNT6jR5Atz

Denis, owner of the small but old pool btcmp.com

PS: the user which attacked my pool had the name "uphellper". Shame on You!

[-ck]

There is no public disclosure here. You are talking about client software aren't you? No pool software is stupid enough to allow you to submit duplicates and get paid for them and there is plenty of free and open pool software code (mine included) to see. The pools will just rightly reject duplicates.

[denis2342]

Hi

I'm talking about the server side of the stratum mining.

The bug is in the reference code itself (at least I would say it is the reference because it was the first one).

https://github.com/slush0/stratum-mining

Denis

[-ck]

Nice. Fortunately there are alternatives.

[TheCoinFinder]

Thanks for fix.

Added it to my pool. It does seem to do the job.

[ThePiGuy]

Does anyone know of actual pool that allows this duplicate share submission?

[okae]

Does anyone know of actual pool that allows this duplicate share submission?

i dont thing that there is stupid enought pools that allow you to do that, why will they allow you to do that? they will loose money if they do that man...

edited: just to quote this, was a better reply than mine

There is no public disclosure here. You are talking about client software aren't you? No pool software is stupid enough to allow you to submit duplicates and get paid for them and there is plenty of free and open pool software code (mine included) to see. The pools will just rightly reject duplicates.

[ThePiGuy]

Does anyone know of actual pool that allows this duplicate share submission?

i dont thing that there is stupid enought pools that allow you to do that, why will they allow you to do that? they will loose money if they do that man...

edited: just to quote this, was a better reply than mine

There is no public disclosure here. You are talking about client software aren't you? No pool software is stupid enough to allow you to submit duplicates and get paid for them and there is plenty of free and open pool software code (mine included) to see. The pools will just rightly reject duplicates.

Just because it's stupid doesn't mean that there aren't people stupider than the reference client [or similar] programmers who allowed this bug to exist.  Looking at some of the big bugs in software throughout history (for example, gambling places allowing double spends, and ultimately going bankrupt because so many people double-spent their servers), it's pretty funny to see the major epic fails.

[kano]

... this problem is due to using high level slow languages and treating data as strings rather than what they really are ...