Bitcoin Forum
Author Topic: [ANN][IMPORTANT] Vulnerability in stratum-mining - Fix your pools ASAP  (Read 2324 times)
flound1129 (OP)
May 30, 2013, 11:57:03 PM
Last edit: May 31, 2013, 02:41:05 PM by flound1129
 #1

Per the following post (https://forum.litecoin.net/index.php/topic,4002.0.html) on the litecoin forums, a few pools have reportedly been attacked by miners exploiting this vulnerability.

The vulnerability in the viperaus fork of stratum-mining (and possibly others) allows miners to submit extremely low difficulty shares that will be considered valid by the pool because the difficulty calculation is off by a factor of 2^16 (65536).

Thanks to Skyfall on the Litecoin forums for posting the patch:

Quote
Change line 145 (If you're using viperaus):
https://github.com/viperaus/stratum-mining/blob/master/lib/template_registry.py#L145

Code:
diff1 = 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000

To this:

Code:
diff1 = 0x0000ffff00000000000000000000000000000000000000000000000000000000


Multipool - Always mine the most profitable coin - Scrypt, X11 or SHA-256!
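
The effect of an oversized diff1 on share validation, as an added example that is not part of the original post or the stratum-mining code. It assumes a pool accepts a share when its hash is at most diff1 // difficulty, models the pre-fix constant as 2^16 times the corrected one (the factor stated above), and audits constructed share records for shares the old check credited but the corrected check rejects.

```python
# Added example: share-target check and an audit over constructed share records.

# Corrected difficulty-1 target from the post, written as a shift
# (0xffff followed by 56 zero hex digits).
FIXED_DIFF1 = 0xFFFF << 224
# Assumption: the pre-fix constant is modelled as 2**16 times larger, matching
# the factor stated in the post; the literal from the post is not retyped here.
PREFIX_DIFF1 = FIXED_DIFF1 << 16


def share_target(diff1, difficulty):
    """Largest hash value (as an integer) accepted at the given pool difficulty."""
    return diff1 // difficulty


def is_valid_share(hash_int, difficulty, diff1):
    """A share counts when its hash is at or below the target for its difficulty."""
    return hash_int <= share_target(diff1, difficulty)


def achieved_difficulty(hash_int, diff1=FIXED_DIFF1):
    """Difficulty the hash really meets, measured against the corrected constant."""
    return diff1 / hash_int


def audit(shares, difficulty):
    """Ids of shares the pre-fix check credited but the corrected check rejects."""
    return [
        sid for sid, h in shares
        if is_valid_share(h, difficulty, PREFIX_DIFF1)
        and not is_valid_share(h, difficulty, FIXED_DIFF1)
    ]


# Constructed sample records: (share id, hash as integer), pool difficulty 32.
SAMPLE_SHARES = [
    ("s1", FIXED_DIFF1 // 64),   # honest: meets difficulty 64
    ("s2", FIXED_DIFF1 // 32),   # honest: exactly difficulty 32
    ("s3", FIXED_DIFF1 * 4),     # achieves 0.25, i.e. 1/128 of the assigned work
    ("s4", PREFIX_DIFF1 // 32),  # exactly at the pre-fix target
    ("s5", PREFIX_DIFF1),        # rejected by both checks
]

if __name__ == "__main__":
    print(audit(SAMPLE_SHARES, 32))
    print(achieved_difficulty(SAMPLE_SHARES[2][1]))
```
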
flound1129 (OP)
May 31, 2013, 12:26:38 AM
 #2

bump

peacefulmind
May 31, 2013, 12:31:07 AM
 #3

This is huge.

I lost out about $100 over 3 days because of this - it has hit two major pools I know for sure because of the drops in earnings I saw first hand - both give-me-ltc and we-mine-ltc.

I moved miners to Coinotron and all my earnings shot right back up to estimates.  I will be staying on Coinotron until the above mentioned pools want to announce how they are going to compensate miners that were stolen from.

To be clear though - this is NOT a problem with Litecoin - it is a problem with certain pools.

Quote from: FrictionlessCoin
"I think you are to hung up on this notion about 'pre-mining' being a No-No."
- from journeys into the dark depths of the alt coin forum....
fenican
May 31, 2013, 12:51:58 AM
 #4

Does this impact p2pool or only push pools?
fcmatt
May 31, 2013, 12:54:45 AM
 #5

Well I checked my change I made last night this morning. Due to my files being owned by root and I run stratum as a different user it did not create the .pyc file. So I chown'd the directory and restarted the daemon. So the block the pool found last night was not fully using the new code change. This time the .pyc file was created. (I rarely use Python. I use PHP, Perl, and C more than Python.)

My question is if Python cannot create the .pyc file does the application simply run anyway without it? Because the pool did find a block in that condition.

So can anyone confirm, after the change, did your pool find a block to verify the code did not disrupt normal operations?
flound1129 (OP)
May 31, 2013, 12:57:40 AM
 #6

Quote from: fcmatt
> Well I checked my change I made last night this morning. Due to my files being owned by root and I run stratum as a different user it did not create the .pyc file. So I chown'd the directory and restarted the daemon. So the block the pool found last night was not fully using the new code change. This time the .pyc file was created. (I rarely use Python. I use PHP, Perl, and C more than Python.)
>
> My question is if Python cannot create the .pyc file does the application simply run anyway without it? Because the pool did find a block in that condition.
>
> So can anyone confirm, after the change, did your pool find a block to verify the code did not disrupt normal operations?

Yes my pool has found blocks on mnc, wdc and sxc since I implemented the fix.

fcmatt
May 31, 2013, 01:00:27 AM
 #7

Quote from: flound1129
> Yes my pool has found blocks on mnc, wdc and sxc since I implemented the fix.

But not litecoin.

I just did some googling. That .pyc file is sorta created for the next time the program is run. Everything is in memory anyway so if it cannot create it no big deal. It just has to do it again next time it is run...
flound1129 (OP)
May 31, 2013, 01:09:39 AM
 #8

Quote from: fcmatt
> But not litecoin.
>
> I just did some googling. That .pyc file is sorta created for the next time the program is run. Everything is in memory anyway so if it cannot create it no big deal. It just has to do it again next time it is run...

No, not litecoin, but it's almost the same exact codebase so I don't see why it shouldn't.  We are averaging about 2 days per litecoin block at the moment.

M0nsieurChat
May 31, 2013, 02:19:39 PM
 #9

Patch is working flawlessly on our pool (solving a block every 3 hours)
fcmatt
May 31, 2013, 03:08:13 PM
 #10

Quote from: M0nsieurChat
> Patch is working flawlessly on our pool (solving a block every 3 hours)

Thank you.

Since I implemented it I have only had an orphan. So naturally I worry. I did have a block with no .pyc file created due to a permission problem so that meant it was probably working fine based on my understanding of Python and .pyc files.

But good to hear this from you.