Bitcoin Forum
Author Topic: [PPC] [DISCLOSURE] Stake Generation Vulnerability  (Read 16693 times)
Sunny King (OP)
December 21, 2012, 06:09:38 PM
Last edit: April 07, 2013, 08:33:41 PM by Sunny King
 #1

Jutarul has made a disclosure today of a stake generation vulnerability here:
https://bitcointalk.org/index.php?topic=131901.0

We have been aware of this vulnerability for a while. A protocol upgrade has been designed and is currently being implemented. Jutarul did not attempt to communicate with us privately before his disclosure today. We appreciate Jutarul's independent research, however given the circumstances it would be more responsible to communicate with me privately to discuss the discovered vulnerability and the schedule of disclosure.

I'll give a summary of the impact here:
Impact level: severe
Description: The current stake generation hashing protocol is vulnerable to a search attack.
Attacker gains advantage of generating more blocks with limited coins.

Given the current checkpoint policy, the impact on the block chains is mostly limited to:
  • Attacker may invalidate other nodes' proof-of-stake blocks and force short reorganizations up to 5 blocks (may be mitigated by strengthening the checkpoint policy)
  • Pushing up proof-of-stake difficulty to very high level

Given the current checkpoint policy, it is not likely that the following can be achieved by an attacker:
  • Preventing transactions from being confirmed.
  • Minting more coins than normal through the attack.

We will accelerate the development schedule for this fix so stay tuned. I will give an update in my weekly update later this week on the progress of the release.

Edit: Protocol updated in v0.3.0, switched on March 20, 2013. Issue closed.
sangaman
December 21, 2012, 06:32:37 PM
 #2

Have you thought of a solution yet?
Jutarul
December 22, 2012, 12:07:59 AM
 #3

Thanks Sunny for the quick response on this issue.

I am aware that the checkpointing policy renders this vulnerability mostly ineffective as of now. However, there is at least one type of attack which is rational and feasible right now (and it may even be in use right now) - but I don't want to communicate that before a solution to this weakness is developed. Rest assured it doesn't put coin holders at any risk.

I deliberately decided against communicating this with you first, for the following reasons:
- this is a wake-up call for both the developers and the users of ppcoin. Just because vulnerabilities may not get communicated does not mean they don't exist.
- don't expect people to play nice, especially when money is at stake
- this thing was baked into the cake from the get-go and should have been obvious to you as a designer. I discovered it early on, but wanted to test it empirically first, to make sure I didn't overlook something. A strategy I had to employ because of the lack of design documents.
- you play a game of cover-up. E.g. here you indicate that you have no knowledge of any serious vulnerabilities: (https://bitcointalk.org/index.php?topic=101820.msg1403378#msg1403378). This leads me to conclude that killerstorm had the right impression from the start: (https://bitcointalk.org/index.php?topic=101820.msg1122608#msg1122608). You released half-baked code, effectively gambling with other people's money.

That said - I still think ppcoin implements an innovative concept for securing the network of a cryptocurrency and I'd like to see problems like these resolved, leading to a better design eventually. And I'll gladly help with the discussions. However, until then I consider the design of this currency unfinished, which makes me think whether a 1 year testnet approach would have been the more responsible decision.

sangaman
December 22, 2012, 12:33:03 AM
 #4

Thanks Jut for your alertness and for sharing a detailed breakdown of the issue in a public forum. It's definitely something that should be in the public domain and you deserve credit and gratitude for using your discovery to inform others rather than keep it to yourself. I think you're under no obligation to report vulnerabilities to the PPCoin developers; in fact you're under no obligation to report it at all and it's admirable that you did.

I too want to see a POS coin succeed and at the moment PPCoin seems like the best hope.

I don't think that post you quoted from Sunny King though is dishonest - I don't think he's implying that there are no known vulnerabilities. Although it does seem a bit odd that Sunny King hasn't mentioned this vulnerability and its implications in one of the weekly updates if he's known about it for a while. I don't expect perfect code but I would like there to be more transparency. For example, if we'd known about this earlier we could have known to wait for extra confirmations for important transactions at least until the vulnerability is patched.
Deprived
December 22, 2012, 12:41:12 AM
 #5

Well at least we can now see why no proper white-paper was published - everyone would have laughed at it.

This is a bit like making an "energy-efficient" version of a bit-coin miner - by modifying it so it only checks 5 hashes per second. Then praying no one looks at the source-code and decides to increase the number of hashes checked (or uses a different miner).
sangaman
December 22, 2012, 12:56:56 AM
 #6

Quote from: Deprived
Well at least we can now see why no proper white-paper was published - everyone would have laughed at it.

This is a bit like making an "energy-efficient" version of a bit-coin miner - by modifying it so it only checks 5 hashes per second. Then praying no one looks at the source-code and decides to increase the number of hashes checked (or uses a different miner).

Well this vulnerability doesn't allow for a sustainable attack without having a huge % of coins, so it's not exactly like that.

I'd just like to know what the design is for a fix - supposedly there is one - and when we can expect it to be implemented.
dreamwatcher
December 22, 2012, 01:33:57 AM
 #7

Come on guys, is the rhetoric really necessary?

A bug and possible exploit was found in a coin a few months old, using a new concept (POS) that had been discussed but never implemented before.
Did you honestly think there would be no bugs along the way?

Bitcoin has had its share of bugs and exploits https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures.
I cite this not as a criticism of Bitcoin, but to show that every software project can have bugs and exploits.
Yet I do not hear things like "The white paper would have been laughed at" directed at Bitcoin.

We do not know what Sunny or the developers knew or did not know ahead of time. It is easy to be a Monday morning quarterback, but quite a different story to be in the game.

I do understand the desire to be given a little time to explore the vulnerability before releasing it to the public. I am not advocating secrecy, but give a developer a little time to attempt a fix before every person with malicious intent tries to form an exploit from what is now public information. I have messaged Sunny before about various things with PPC and he has been nothing but professional and responsive to me.

The real test is to see what Sunny and the developers do about this bug in both speed and effectiveness.

Until then, relax a bit, it is a vulnerability that cannot practically be exploited at the moment.



smoothie
December 22, 2012, 01:55:47 AM
 #8

Quote from: dreamwatcher
Come on guys, is the rhetoric really necessary?

A bug and possible exploit was found in a coin a few months old, using a new concept (POS) that had been discussed but never implemented before.
Did you honestly think there would be no bugs along the way?

Bitcoin has had its share of bugs and exploits https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures.
I cite this not as a criticism of Bitcoin, but to show that every software project can have bugs and exploits.
Yet I do not hear things like "The white paper would have been laughed at" directed at Bitcoin.

We do not know what Sunny or the developers knew or did not know ahead of time. It is easy to be a Monday morning quarterback, but quite a different story to be in the game.

I do understand the desire to be given a little time to explore the vulnerability before releasing it to the public. I am not advocating secrecy, but give a developer a little time to attempt a fix before every person with malicious intent tries to form an exploit from what is now public information. I have messaged Sunny before about various things with PPC and he has been nothing but professional and responsive to me.

The real test is to see what Sunny and the developers do about this bug in both speed and effectiveness.

Until then, relax a bit, it is a vulnerability that cannot practically be exploited at the moment.

+1
sangaman
December 22, 2012, 03:33:54 AM
 #9

+1 to the real test as well

I did not consider the fact that the developers announcing the vulnerability might lead people to exploit it. However, given the fact that it's mostly nullified by the checkpoints and we're in an informal "test" period, I would have liked to have known about it when it was discovered.

Anyway Sunny King and company good luck solving the problem and I do hope you can come up with a satisfactory solution soon.
doublec
December 22, 2012, 04:24:56 AM
 #10

Quote from: Jutarul
However, until then I consider the design of this currency unfinished, which makes me think whether a 1 year testnet approach would have been the more responsible decision.
PPC should be considered a test currency. As I say on my exchange:
Quote
The PPCoin network seems to be experimental. It uses a different approach to blockchain security than Bitcoin. This exchange makes no guarantee that the PPCoin network will remain viable or secure in the long term.

Even if the developers released it as a '1 year testnet' coin I'm sure you'd find speculators jumping on it. And probably even continuing with it after the year. Much like when Solidcoin 1 shut down some people kept it going. Once a coin is out in the wild, it's a real coin. One way of preventing this for a true '1 year testnet approach' might be to reset the blockchain regularly. Hard to do on a chain that requires coin age though. The regular chain resets on bitcoin's testnet seem to stop it being used as a currency pretty effectively.
Gavin Andresen
December 22, 2012, 01:05:45 PM
 #11

Quote from: Sunny King
We will accelerate the development schedule for this fix so stay tuned. I will give an update in my weekly update later this week on the progress of the release.
There are several smart people here who would tell you if your fix will work or not, if you listen to them.

Peer review is not perfect, but is much better than assuming that you will always come up with the best solution.

How often do you get the chance to work on a potentially world-changing project?
ripper234
December 24, 2012, 09:29:16 AM
 #12

Quote from: Sunny King
We will accelerate the development schedule for this fix so stay tuned. I will give an update in my weekly update later this week on the progress of the release.

Quote from: Gavin Andresen
There are several smart people here who would tell you if your fix will work or not, if you listen to them.

Peer review is not perfect, but is much better than assuming that you will always come up with the best solution.


+1

Bendur
December 24, 2012, 10:27:00 AM
 #13

Who actually does the dev for this? Is it just Sunny King?

Jutarul
January 05, 2013, 02:40:27 PM
 #14

(bump) Please feel free to post the details for the planned fix when ready, given you appreciate any external review.

Sunny King (OP)
January 07, 2013, 04:55:49 AM
 #15

Quote from: Jutarul
(bump) Please feel free to post the details for the planned fix when ready, given you appreciate any external review.

The protocol upgrade involves replacing the proof-of-stake difficulty as the hash modifier for proof-of-stake (we call it stake modifier). The new stake modifier is 64 bit and derived from about 9 days worth of blocks after the coin generating the stake. When I get some time over next week I would talk a bit more about how it works.
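As an added illustration of the design principle Sunny describes (this is not PPCoin's code, and the folding rule is not the project's actual selection procedure), a Python toy model: the old modifier is the proof-of-stake difficulty, a value public when a coin is created, while the new 64-bit modifier is derived only from blocks in a roughly 9-day window after the coin's block and so is undefined until that window has passed. The block spacing, genesis time and block hashes are constructed assumptions.

```python
import hashlib
import struct

# Constructed toy chain parameters; not PPCoin's real data or constants.
BLOCK_INTERVAL = 600                # assumed 10-minute block spacing
MODIFIER_WINDOW = 9 * 24 * 3600     # "about 9 days worth of blocks", as stated in the post
GENESIS_TIME = 1_356_000_000        # arbitrary constructed timestamp


def toy_block_hash(height: int) -> bytes:
    """Deterministic stand-in for a real block hash (constructed, not chain data)."""
    return hashlib.sha256(b"toy-block-%d" % height).digest()


def make_chain(n_blocks: int) -> list:
    """Build a constructed chain of n_blocks with evenly spaced timestamps."""
    return [{"height": h, "time": GENESIS_TIME + h * BLOCK_INTERVAL,
             "hash": toy_block_hash(h)} for h in range(n_blocks)]


def old_modifier(pos_difficulty_bits: int) -> int:
    """Pre-upgrade scheme described in the post: the proof-of-stake difficulty
    itself is the hash modifier. It is public the moment the coin is created."""
    return pos_difficulty_bits


def stake_modifier(chain: list, coin_height: int):
    """Simplified post-upgrade scheme: a 64-bit modifier derived only from blocks
    that arrive within MODIFIER_WINDOW after the coin's block.

    Returns None while the chain does not yet reach the end of that window, so
    nobody, including the coin's creator, can compute it at creation time.
    The folding rule (SHA-256 over the window's block hashes, truncated to 64 bits)
    is an assumption for illustration, not PPCoin's actual selection procedure.
    """
    coin_time = chain[coin_height]["time"]
    window_end = coin_time + MODIFIER_WINDOW
    if chain[-1]["time"] < window_end:
        return None                     # window not yet complete: modifier undefined
    digest = hashlib.sha256()
    for blk in chain[coin_height + 1:]:
        if blk["time"] > window_end:
            break
        digest.update(blk["hash"])
    return struct.unpack("<Q", digest.digest()[:8])[0]


if __name__ == "__main__":
    chain = make_chain(2000)            # ~13.9 days of constructed blocks
    print("old modifier, known at creation:", old_modifier(0x1D00FFFF))
    print("new modifier, coin at height 100:", stake_modifier(chain, 100))
    print("new modifier, coin at height 1000:", stake_modifier(chain, 1000))
```

A coin at height 1000 has no modifier yet because fewer than 9 days of blocks follow it, whereas the coin at height 100 gets the same modifier on any chain that contains its full window.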
matt608
April 04, 2013, 08:33:52 PM
 #16

Quote from: Jutarul
(bump) Please feel free to post the details for the planned fix when ready, given you appreciate any external review.

Quote from: Sunny King
The protocol upgrade involves replacing the proof-of-stake difficulty as the hash modifier for proof-of-stake (we call it stake modifier). The new stake modifier is 64 bit and derived from about 9 days worth of blocks after the coin generating the stake. When I get some time over next week I would talk a bit more about how it works.

Has any progress been made with this?
Jutarul
April 04, 2013, 08:36:09 PM
 #17

Quote from: Jutarul
(bump) Please feel free to post the details for the planned fix when ready, given you appreciate any external review.

Quote from: Sunny King
The protocol upgrade involves replacing the proof-of-stake difficulty as the hash modifier for proof-of-stake (we call it stake modifier). The new stake modifier is 64 bit and derived from about 9 days worth of blocks after the coin generating the stake. When I get some time over next week I would talk a bit more about how it works.

Quote from: matt608
Has any progress been made with this?
The 0.3 upgrade introduced some changes. However, no serious security analysis of the new code has been published yet.

mr_random
April 04, 2013, 08:59:46 PM
 #18

Quote from: Jutarul
(bump) Please feel free to post the details for the planned fix when ready, given you appreciate any external review.

Quote from: Sunny King
The protocol upgrade involves replacing the proof-of-stake difficulty as the hash modifier for proof-of-stake (we call it stake modifier). The new stake modifier is 64 bit and derived from about 9 days worth of blocks after the coin generating the stake. When I get some time over next week I would talk a bit more about how it works.

Quote from: matt608
Has any progress been made with this?

Quote from: Jutarul
The 0.3 upgrade introduced some changes. However, no serious security analysis of the new code has been published yet.

Empirically though it's been 3 months and is standing up well to stress testing. PPCoin is proving itself just like Bitcoin had to...
punin
April 04, 2013, 09:02:06 PM
 #19

Actually, my friend lost over 50k in apparently incorrect stake generation. Sunny King has been notified of this potential bug.

Sunny King (OP)
April 04, 2013, 09:09:59 PM
 #20

Quote from: punin
Actually, my friend lost over 50k in apparently incorrect stake generation. Sunny King has been notified of this potential bug.

https://bitcointalk.org/index.php?topic=101820.msg1736759#msg1736759