Bitcoin Forum
February 18, 2019, 09:34:48 AM *
News: Latest Bitcoin Core release: 0.17.1 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: [PPC] [DISCLOSURE] Stake Generation Vulnerability  (Read 16582 times)
Sunny King
Legendary
*
Offline Offline

Activity: 1205
Merit: 1001



View Profile WWW
December 21, 2012, 06:09:38 PM
Last edit: April 07, 2013, 08:33:41 PM by Sunny King
 #1

Jutarul has made a disclosure today of a stake generation vulnerability here:
https://bitcointalk.org/index.php?topic=131901.0

We have been aware of this vulnerability for a while. A protocol upgrade has been designed and is currently being implemented. Jutarul did not attempt to communicate with us privately before his disclosure today. We appreciate Jutarul's independent research, however given the circumstances it would be more responsible to communicate with me privately to discuss the discovered vulnerability and the schedule of disclosure.

I'll give a summary of the impact here:
Impact level: severe
Description: The current stake generation hashing protocol is vulnerable to a search attack.
Attacker gains advantage of generating more blocks with limited coins.

Given the current checkpoint policy, the impact on the block chains is mostly limited to:
  • Attacker may invalidate other nodes' proof-of-stake blocks and force short reorganizations up to 5 blocks (may be mitigated by strengthening the checkpoint policy)
  • Pushing up proof-of-stake difficulty to very high level

Given the current checkpoint policy, it is not likely that the following can be achieved by an attacker:
  • Preventing transactions from being confirmed.
  • Minting more coins than normal through the attack.

We will accelerate the development schedule for this fix so stay tuned. I will give an update in my weekly update later this week on the progress of the release.

Edit: Protocol updated in v0.3.0, switched on March 20, 2013. Issue closed.
1550482488
Hero Member
*
Offline Offline

Posts: 1550482488

View Profile Personal Message (Offline)

Ignore
1550482488
Reply with quote  #2

1550482488
Report to moderator
1550482488
Hero Member
*
Offline Offline

Posts: 1550482488

View Profile Personal Message (Offline)

Ignore
1550482488
Reply with quote  #2

1550482488
Report to moderator
1550482488
Hero Member
*
Offline Offline

Posts: 1550482488

View Profile Personal Message (Offline)

Ignore
1550482488
Reply with quote  #2

1550482488
Report to moderator
Your Bitcoin transactions
The Ultimate Bitcoin mixer
made truly anonymous.
with an advanced technology.
Mix coins
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1550482488
Hero Member
*
Offline Offline

Posts: 1550482488

View Profile Personal Message (Offline)

Ignore
1550482488
Reply with quote  #2

1550482488
Report to moderator
1550482488
Hero Member
*
Offline Offline

Posts: 1550482488

View Profile Personal Message (Offline)

Ignore
1550482488
Reply with quote  #2

1550482488
Report to moderator
1550482488
Hero Member
*
Offline Offline

Posts: 1550482488

View Profile Personal Message (Offline)

Ignore
1550482488
Reply with quote  #2

1550482488
Report to moderator
sangaman
Sr. Member
****
Offline Offline

Activity: 342
Merit: 250



View Profile WWW
December 21, 2012, 06:32:37 PM
 #2

Have you thought of a solution yet?
Jutarul
Donator
Legendary
*
Offline Offline

Activity: 994
Merit: 1000



View Profile
December 22, 2012, 12:07:59 AM
 #3

Thanks Sunny for the quick response on this issue.

I am aware that the checkpointing policy renders this vulnerability mostly ineffective as of now. However, there is at least one type of attack which is rational and feasible right now (and it may even be in use right now) - but I don't want to communicate that before a solution to this weakness is developed. Rest assured it doesn't put coin holders at any risk.

I deliberately decided against communicating this with you first, for the following reasons:
- this is a wake-up call for both, the developers and the users of ppcoin. Just because vulnerabilities may not get communicated, does not mean they don't exist.
- don't expect people to play nice, especially when money is at stake
- this thing was baked into the cake from the get-go and should have been obvious to you as a designer. I discovered it early on, but wanted to test it empirically first, to make sure I didn't overlook something. A strategy I had to employ because of the lack of design documents.
- you play a game of cover up. E.g here you indicate that you have no knowledge of any serious vulnerabilities:(https://bitcointalk.org/index.php?topic=101820.msg1403378#msg1403378). This leads me to conclude that killerstorm had the right impression from the start: (https://bitcointalk.org/index.php?topic=101820.msg1122608#msg1122608). You released half-baked code, effectively gambling with other peoples money.

That said - I still think ppcoin implements an innovative concept for securing the network of a cryptocurrency and I'd like to see problems like these resolved, leading to a better design eventually. And I'll gladly help with the discussions. However, until then I consider the design of this currency unfinished, which makes me think whether a 1 year testnet approach would have been the more responsible decision.

The ASICMINER Project https://bitcointalk.org/index.php?topic=99497.0
"The way you solve things is by making it politically profitable for the wrong people to do the right thing.", Milton Friedman
sangaman
Sr. Member
****
Offline Offline

Activity: 342
Merit: 250



View Profile WWW
December 22, 2012, 12:33:03 AM
 #4

Thanks Jut for your alertness and for sharing a detailed breakdown of the issue in a public forum. It's definitely something that should be in the public domain and you deserve credit and gratitude for using your discovery to inform others rather than keep it to yourself. I think you're under no obligation to report vulnerabilities to the PPCoin developers; in fact you're under no obligation to report it at all and it's admirable that you did.

I too want to see a POS coin succeed and at the moment PPCoin seems like the best hope.

I don't think that post you quoted from Sunny King though is dishonest - I don't think he's implying that there are no known vulnerabilities. Although it does seem a bit odd that Sunny King hasn't mentioned this vulnerability and its implications in one of the weekly updates if he's known about it for a while. I don't expect perfect code but I would like there to be more transparency. For example, if we'd known about this earlier we could have known to wait for extra confirmations for important transactions at least until the vulnerability is patched.
Deprived
Hero Member
*****
Offline Offline

Activity: 532
Merit: 500


View Profile
December 22, 2012, 12:41:12 AM
 #5

Well at least we can now see why no proper white-paper was published - everyone would have laughed at it.

This is a bit like making an "energy-efficient" version of a bit-coin miner - by modifying it so it only checks 5 hashes per second. Then praying noone looks at the source-code and decides to increase the number of hashes checked (or uses a different miner).
sangaman
Sr. Member
****
Offline Offline

Activity: 342
Merit: 250



View Profile WWW
December 22, 2012, 12:56:56 AM
 #6

Well at least we can now see why no proper white-paper was published - everyone would have laughed at it.

This is a bit like making an "energy-efficient" version of a bit-coin miner - by modifying it so it only checks 5 hashes per second. Then praying noone looks at the source-code and decides to increase the number of hashes checked (or uses a different miner).

Well this vulnerability doesn't allow for a sustainable attack without having a huge % of coins, so it's not exactly like that.

I'd just like to know what the design is for a fix - supposedly there is one - and when we can expect it to be implemented.
dreamwatcher
Legendary
*
Offline Offline

Activity: 1064
Merit: 1000


View Profile WWW
December 22, 2012, 01:33:57 AM
 #7

Come on guys, is the rhetoric really necessary?

A bug and possible exploit was found in a coin a few months old, using a new concept (POS) that had been discussed but never implemented before.
Did you honestly think there would be no bugs along the way?

Bitcoin has had its share of bugs and exploits https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures.
I cite this not as a criticism to Bitcoin, but to show that every software project can have bugs and exploits.
Yet I do not hear things like "The white paper would have been laughed at" directed at Bitcoin.

We do not know what Sunny or the developers knew or did not know ahead of time. It is easy to be a Monday mourning quarterback, but quite a different story to be in the game.

I do understand the desire to be given a little time to explore the vulnerability before releasing it to the public. I am not advocating secrecy, but give a developer a little time to attempt a fix before every person with malicious intent tries to form an exploit from what is now public information. I have messaged Sunny before about various things with PPC and he has been nothing but professional and responsive to me.

The real test is to see what Sunny and the developers do about this bug in both speed and effectiveness.

Until then, relax a bit, it is a vulnerability that cannot practically be exploited at the moment.



smoothie
Legendary
*
Offline Offline

Activity: 2128
Merit: 1016


LEALANA Monero Physical Silver Coins


View Profile
December 22, 2012, 01:55:47 AM
 #8

Come on guys, is the rhetoric really necessary?

A bug and possible exploit was found in a coin a few months old, using a new concept (POS) that had been discussed but never implemented before.
Did you honestly think there would be no bugs along the way?

Bitcoin has had its share of bugs and exploits https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures.
I cite this not as a criticism to Bitcoin, but to show that every software project can have bugs and exploits.
Yet I do not hear things like "The white paper would have been laughed at" directed at Bitcoin.

We do not know what Sunny or the developers knew or did not know ahead of time. It is easy to be a Monday mourning quarterback, but quite a different story to be in the game.

I do understand the desire to be given a little time to explore the vulnerability before releasing it to the public. I am not advocating secrecy, but give a developer a little time to attempt a fix before every person with malicious intent tries to form an exploit from what is now public information. I have messaged Sunny before about various things with PPC and he has been nothing but professional and responsive to me.

The real test is to see what Sunny and the developers do about this bug in both speed and effectiveness.

Until then, relax a bit, it is a vulnerability that cannot practically be exploited at the moment.





+1

███████████████████████████████████████

            ,╓p@@███████@╗╖,           
        ,p████████████████████N,       
      d█████████████████████████b     
    d██████████████████████████████æ   
  ,████²█████████████████████████████, 
 ,█████  ╙████████████████████╨  █████y
 ██████    `████████████████`    ██████
║██████       Ñ███████████`      ███████
███████         ╩██████Ñ         ███████
███████    ▐▄     ²██╩     a▌    ███████
╢██████    ▐▓█▄          ▄█▓▌    ███████
 ██████    ▐▓▓▓▓▌,     ▄█▓▓▓▌    ██████─
           ▐▓▓▓▓▓▓█,,▄▓▓▓▓▓▓▌          
           ▐▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▌          
    ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓─  
     ²▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓╩    
        ▀▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▀       
           ²▀▀▓▓▓▓▓▓▓▓▓▓▓▓▀▀`          
                   ²²²                 
███████████████████████████████████████

. ★☆ WWW.LEALANA.COM        My PGP fingerprint is A764D833.                  History of Monero development Visualization ★☆ .
LEALANA  PHYSICAL MONERO COINS 999 FINE SILVER.
 
sangaman
Sr. Member
****
Offline Offline

Activity: 342
Merit: 250



View Profile WWW
December 22, 2012, 03:33:54 AM
 #9

+1 to the real test as well

I did not consider the fact that the developers announcing the vulnerability might lead to people to exploiting it. However, given the fact that it's mostly nullified by the checkpoints and we're in an informal "test" period, I would have liked to have known about it when it was discovered.

Anyway Sunny King and company good luck solving the problem and I do hope you can come up with a satisfactory solution soon.
doublec
Legendary
*
Offline Offline

Activity: 1078
Merit: 1000


View Profile
December 22, 2012, 04:24:56 AM
 #10

However, until then I consider the design of this currency unfinished, which makes me think whether a 1 year testnet approach would have been the more responsible decision.
PPC should be considered a test currency. As I say on my exchange:
Quote
The PPCoin network seems to be experimental. It uses a different approach to blockchain security than Bitcoin. This exchange makes no guarantee that the PPCoin network will remain viable or secure in the long term.

Even if the developers released it as a '1 year testnet' coin I'm sure you'd find speculators jumping on it. And probably even continuing with it after the year. Much like when Solidcoin 1 shut down some people kept it going. One a coin is out in the wild, it's a real coin. One way of preventing this for a true '1 year testnet approach' might be to reset the blockchain reguarly. Hard to do on a chain that requires coin age though. The regular chain resets on bitcoin's testnet seem to stop it being used as a currency pretty effectively.
Gavin Andresen
Legendary
*
Offline Offline

Activity: 1652
Merit: 1018


Chief Scientist


View Profile WWW
December 22, 2012, 01:05:45 PM
 #11

We will accelerate the development schedule for this fix so stay tuned. I will give an update in my weekly update later this week on the progress of the release.
There are several smart people here who would tell you if your fix will work or not, if you listen to them.

Peer review is not perfect, but is much better than assuming that you will always come up with the best solution.

How often do you get the chance to work on a potentially world-changing project?
ripper234
Legendary
*
Offline Offline

Activity: 1274
Merit: 1000


Ron Gross


View Profile WWW
December 24, 2012, 09:29:16 AM
 #12

We will accelerate the development schedule for this fix so stay tuned. I will give an update in my weekly update later this week on the progress of the release.
There are several smart people here who would tell you if your fix will work or not, if you listen to them.

Peer review is not perfect, but is much better than assuming that you will always come up with the best solution.


+1

Please do not pm me, use ron@bitcoin.org.il instead
Mastercoin Executive Director
Co-founder of the Israeli Bitcoin Association
Bendur
Member
**
Offline Offline

Activity: 60
Merit: 10



View Profile
December 24, 2012, 10:27:00 AM
 #13

Who actually does the dev for this? Is it just Sunny King?

Jutarul
Donator
Legendary
*
Offline Offline

Activity: 994
Merit: 1000



View Profile
January 05, 2013, 02:40:27 PM
 #14

(bump) Please feel free to post the details for the planned fix when ready, given you appreciate any external review.

The ASICMINER Project https://bitcointalk.org/index.php?topic=99497.0
"The way you solve things is by making it politically profitable for the wrong people to do the right thing.", Milton Friedman
Sunny King
Legendary
*
Offline Offline

Activity: 1205
Merit: 1001



View Profile WWW
January 07, 2013, 04:55:49 AM
 #15

(bump) Please feel free to post the details for the planned fix when ready, given you appreciate any external review.

The protocol upgrade involves replacing the proof-of-stake difficulty as the hash modifier for proof-of-stake (we call it stake modifier). The new stake modifier is 64 bit and derived from about 9 days worth of blocks after the coin generating the stake. When I get some time over next week I would talk a bit more about how it works.
matt608
Legendary
*
Offline Offline

Activity: 952
Merit: 1000


Gambling Investment Fund


View Profile
April 04, 2013, 08:33:52 PM
 #16

(bump) Please feel free to post the details for the planned fix when ready, given you appreciate any external review.

The protocol upgrade involves replacing the proof-of-stake difficulty as the hash modifier for proof-of-stake (we call it stake modifier). The new stake modifier is 64 bit and derived from about 9 days worth of blocks after the coin generating the stake. When I get some time over next week I would talk a bit more about how it works.

Has any progress been made with this?


GIFcoin




.
Gambling
Investment Fund
  Invest in a working business  .......        ✔︎ 
  80% of the net profits are shared .....      ✔︎ 
  Profit share token     ✔︎ 
Follow us & check out the .      whitepaper     .
.
Website    Announcement    Twitter    Telegram    Facebook
Jutarul
Donator
Legendary
*
Offline Offline

Activity: 994
Merit: 1000



View Profile
April 04, 2013, 08:36:09 PM
 #17

(bump) Please feel free to post the details for the planned fix when ready, given you appreciate any external review.

The protocol upgrade involves replacing the proof-of-stake difficulty as the hash modifier for proof-of-stake (we call it stake modifier). The new stake modifier is 64 bit and derived from about 9 days worth of blocks after the coin generating the stake. When I get some time over next week I would talk a bit more about how it works.

Has any progress been made with this?
The 0.3 upgrade introduced some changes. However, no serious security analysis of the new code has been published yet.

The ASICMINER Project https://bitcointalk.org/index.php?topic=99497.0
"The way you solve things is by making it politically profitable for the wrong people to do the right thing.", Milton Friedman
mr_random
Hero Member
*****
Offline Offline

Activity: 924
Merit: 1000


Deex.exchange


View Profile
April 04, 2013, 08:59:46 PM
 #18

(bump) Please feel free to post the details for the planned fix when ready, given you appreciate any external review.

The protocol upgrade involves replacing the proof-of-stake difficulty as the hash modifier for proof-of-stake (we call it stake modifier). The new stake modifier is 64 bit and derived from about 9 days worth of blocks after the coin generating the stake. When I get some time over next week I would talk a bit more about how it works.

Has any progress been made with this?
The 0.3 upgrade introduced some changes. However, no serious security analysis of the new code has been published yet.

Empirically though it's been 3 months and is standing up well to stress testing. PPCoin is proving itself just like Bitcoin had too...

MAIN  DECENTRALIZED ECOSYSTE ▌   D E E X   E X C H A N G E   ▐     ▌BOUNTY PROGRAM 2.0   ▌   FROM THE 12th OF OCTOBER
▬   ▬▬   ▬▬▬   ▬▬▬▬   ▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬   ▬▬▬▬   ▬▬▬   ▬▬   ▬
|      [ WHITEPAPER ]  [ BOUNTY ]  [ ANN THREAD ]       |         Facebook        Telegram        Twitter        Instagram          |
punin
Hero Member
*****
Offline Offline

Activity: 560
Merit: 500


View Profile WWW
April 04, 2013, 09:02:06 PM
 #19

Actually, my friend lost over 50k in apparently incorrect stake generation. Sunny King has been notified of this potential bug.

Head of Product Development
Bitfury Group
www.bitfury.com
Sunny King
Legendary
*
Offline Offline

Activity: 1205
Merit: 1001



View Profile WWW
April 04, 2013, 09:09:59 PM
 #20

Actually, my friend lost over 50k in apparently incorrect stake generation. Sunny King has been notified of this potential bug.

https://bitcointalk.org/index.php?topic=101820.msg1736759#msg1736759
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Bitcointalk.org is not available or authorized for sale. Do not believe any fake listings.
Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!