[ANN][STABLECOIN][POOL][PPLNS][STRATUM][1% FEE] Silverwolf's StableCoin Pool

[nearmiss]

I am increasing mine to 5% donation.  Have you fixed the issue that allowed the individual to do that?

I'm pretty sure he used some kind of software or plugin to submit the post data for a manual withdrawal several times in rapid succession (all within the same second), this resulted in multiple payouts being started before the first payout was completed and his balance was reset to 0.

Automatic withdrawals are not subject to this vulnerability because they are run by the cron job.  They cannot be triggered manually.

Manual Withdraws have been disabled completely.  Automatic Withdraws are working normally.

I will not re-enable Manual Withdraws until I'm certain the issue has been fixed.  So we are safe from this happening again, we just won't be able to do manual withdrawals until I can figure it out.

probably want to consider wrapping the process in a transaction, doing the db updates first (update balance, insert into ledger), then the coin send (if the previous sql succeeded), and if the coin send succeeds commit, otherwise rollback.

Just a suggestion.

That might still be vulnerable to the same kind of attack, I'm not sure.  

What I'm thinking is I'm going to separate the actual send function from the front end completely.

Like this :

1. The user hits the withdrawal button and a flag is set in the database.
2. 1 minute later when the cron job runs again it will send the payment, adjust the balance and ledger, and reset the flag.

That way, no matter what you can't trigger multiple payments, you'd just be setting the flag over and over again.  It wouldn't have any effect.

It would mean a short delay (up to 1 minute) in sending manual payments, but that's a pretty small inconvenience.

Yeah, more or less the 'every 60s approach'.  It mimics the safety of the auto-withdraws, which is good.  Good luck with it.  Nothing worse than someone cheating the system.

[the1silverwolf]

I am increasing mine to 5% donation.  Have you fixed the issue that allowed the individual to do that?

Thank You for helping !

I'm pretty sure he used some kind of software or plugin to submit the post data for a manual withdrawal several times in rapid succession (all within the same second), this resulted in multiple payouts being started before the first payout was completed and his balance was reset to 0.

Automatic withdrawals are not subject to this vulnerability because they are run by the cron job.  They cannot be triggered manually.

Manual Withdraws have been disabled completely.  Automatic Withdraws are working normally.

I will not re-enable Manual Withdraws until I'm certain the issue has been fixed.  So we are safe from this happening again, we just won't be able to do manual withdrawals until I can figure it out.

Hey, about you delete that post...for obvious reasons.

Well... I don't know about that.  Transparency is important.  This attack is out there and being used regardless if I leave this post up. Other pool owners need to be aware of this attack so they can modify their pools to prevent it.

Leaving it in the dark only helps the people doing the thieving in my opinion.  A more careful thief might have been able to continue doing this without being discovered.  I'm certain it's happening right now to other pools based upon the same or similar mmcFE code.

Does anyone else have an opinion about leaving this data up or taking it down ?  I would consider taking it down if I'm the only one who thinks leaving it up is a good idea.

If I had a way to make it available to only the pool operators or the developer than I would, but I don't.  This same code has been forked a dozen times and is being used by tons and tons of pools.

[the1silverwolf]

Yeah, more or less the 'every 60s approach'.  It mimics the safety of the auto-withdraws, which is good.  Good luck with it.  Nothing worse than someone cheating the system.

Agreed. and thank you.

[FiiNALiZE]

What a faggot.

He deserves to have his IP DoS'd

[the1silverwolf]

What a faggot.

He deserves to have his IP DoS'd

I don’t disagree with that assessment, lol.

We will recover, it's just a matter of time.

[the1silverwolf]

I would like to give a shout out to "noble" who is donating 100% of his mining income.  I'm assuming it's to help us recover.  I haven't spoken with him I just noticed him on the PPLNS status list right next to me, at the bottom, lol.

Thank You.

I will remember your assistance and once the pool is back in the black I will make it up to you!

[FiiNALiZE]

What a faggot.

He deserves to have his IP DoS'd

I don’t disagree with that assessment, lol.

We will recover, it's just a matter of time.

Well I finally transferred my rig into a plastic crate.

I'll donate 100% for 12 hours. That should help a bit.

All other pool operators should ban his IP.

[the1silverwolf]

What a faggot.

He deserves to have his IP DoS'd

I don’t disagree with that assessment, lol.

We will recover, it's just a matter of time.

Well I finally transferred my rig into a plastic crate.

I'll donate 100% for 12 hours. That should help a bit.

All other pool operators should ban his IP.

Thank You !

Hows the crate working for you ?  I've heard that it makes a big difference but haven't tried it yet myself ?

[the1silverwolf]

RESERVED FOR DONATORS:

noble - 100%
FiiNALiZE - 100%
peonminer - 100%
ROGGOR - 100%
ManOfKnight - 100%
yonsje - 50%
Ethera - 10%

Thank You guys !

(If I missed anyone, please let me know !!)

[FiiNALiZE]

What a faggot.

He deserves to have his IP DoS'd

I don’t disagree with that assessment, lol.

We will recover, it's just a matter of time.

Well I finally transferred my rig into a plastic crate.

I'll donate 100% for 12 hours. That should help a bit.

All other pool operators should ban his IP.

Thank You !

Hows the crate working for you ?  I've heard that it makes a big difference but haven't tried it yet myself ?

Makes things a lot neater and the airflow is pretty good.

Lol its a pretty ugly setup because I didn't have the right tools to cut out parts of the crate.

I'll finish everything up tomorrow but I'm just glad everything's working right now

[the1silverwolf]

On a side note, the network hash has increased to the point where we are now less than than 45% so new user registrations have automatically unlocked so there are some slots available.

They will automatically lock again if we exceed the 45% threshold.

[the1silverwolf]

Thank You !

Hows the crate working for you ?  I've heard that it makes a big difference but haven't tried it yet myself ?

Makes things a lot neater and the airflow is pretty good.

Lol its a pretty ugly setup because I didn't have the right tools to cut out parts of the crate.

I'll finish everything up tomorrow but I'm just glad everything's working right now

Sounds sweet!  You should post a pic!

[the1silverwolf]

On a side note, the network hash has increased to the point where we are now less than than 45% so new user registrations have automatically unlocked so there are some slots available.

They will automatically lock again if we exceed the 45% threshold.

Wow, that didn't take long.  Back up to 46% and registrations properly locked again.

Anyhow, if your interested in an account keep an eye on the network hash.  As it increases our registrations will automatically unlock.

[peonminer]

Sorry to hear about the attack. I've adjusted to 100% donation for the good of the people. Silverwolf, please let us know in a thread update or PM that we have recovered the pool funding that was compromised.

I vote to leave the information up and well known. We don't need what ever tools the thief is using to become a widespread problem. If the devs and pool operators can be notified, it needs to be done. A sticky thread in the Pools forum should be made ASAP.

[the1silverwolf]

Sorry to hear about the attack. I've adjusted to 100% donation for the good of the people. Silverwolf, please let us know in a thread update or PM that we have recovered the pool funding that was compromised.

I vote to leave the information up and well known. We don't need what ever tools the thief is using to become a widespread problem. If the devs and pool operators can be notified, it needs to be done. A sticky thread in the Pools forum should be made ASAP.

Thank You and I agree :

https://bitcointalk.org/index.php?topic=229767.new#new
https://bitcointalk.org/index.php?topic=229766.0

[yonvanom]

Sorry to hear about the attack. I'm donating 50% (as yonsje).

[Ethera]

Giving 10% for the time being.

[ManOfKnight]

Moving to 100% for a few hours...please let us know when you are close to the black again.

[ManOfKnight]

Giving 10% for the time being.

What is bad is Ethera giving 10% is actually MORE than me giving 100%   

[Ethera]

its not bad we all have our sympathies for pool op, so we can do what we can (i mean we dont need to fix this insta second!). Within  a day pool will be back operating normaly, we all happy. (I like seeing numbers pop.. you know what i mean).