organofcorti
April 29, 2015, 11:31:58 PM

Pool: GIVE-ME-COINS.com
Website: http://give-me-coins.com
Proxy: No
Generation address: 17wqvgUuKPBesXbGDBMKfPdwtdfQXzCuKG
Coinbase signature: GIVE-ME-COINS.com
Payout method: PPLNS
Fee: 0%
Pay Tx Reward: Yes
Vardiff: 12 SPM
Local Work: stratum
Pay Orphans: No
Min Withdrawal: 0.01
Merge Mining: Currently disabled. Will be re-enabled soon

Done. Please check for errors.

kha0S
April 29, 2015, 11:36:54 PM

Pool: GIVE-ME-COINS.com
Website: http://give-me-coins.com
Proxy: No
Generation address: 17wqvgUuKPBesXbGDBMKfPdwtdfQXzCuKG
Coinbase signature: GIVE-ME-COINS.com
Payout method: PPLNS
Fee: 0%
Pay Tx Reward: Yes
Vardiff: 12 SPM
Local Work: stratum
Pay Orphans: No
Min Withdrawal: 0.01
Merge Mining: Currently disabled. Will be re-enabled soon

Done. Please check for errors.

Perfect. Thanks!

adaryian
April 30, 2015, 01:33:21 AM

Pool: Crypto-Miners Club
Website: www.Crypto-Miners.Club
Generation address: 1Q8M87yTySES5cS44gjapr2Uw7WCV58oQC
Blockchain.info sig: H/jWZVfKAD/0X3B2C2ajmtcHXcFA7lhzYYFPeRN6mk7FaSmqXi7evwVzPghJS3PSkSPeJZan6/OHUxnz17nLE6o=
Payout method: Group Solo Mining Pool
Fee: 0.5%
Pay Tx Reward: Yes
Vardiff: Yes / User-Defined
Local Work: Stratum
Pay Orphans: No
Min Withdrawal: 0.001 BTC
Merge Mining: Not Yet

Updated original post as well.

kano
April 30, 2015, 01:41:01 AM

A solo pool with a minimum payout

organofcorti
April 30, 2015, 01:54:52 AM

Pool: Crypto-Miners Club
Website: www.Crypto-Miners.Club
Generation address: 1Q8M87yTySES5cS44gjapr2Uw7WCV58oQC
Blockchain.info sig: H/jWZVfKAD/0X3B2C2ajmtcHXcFA7lhzYYFPeRN6mk7FaSmqXi7evwVzPghJS3PSkSPeJZan6/OHUxnz17nLE6o=
Payout method: Group Solo Mining Pool
Fee: 0.5%
Pay Tx Reward: Yes
Vardiff: Yes / User-Defined
Local Work: Stratum
Pay Orphans: No
Min Withdrawal: 0.001 BTC
Merge Mining: Not Yet

Updated original post as well.

Is this different to other solo-mining pools?

adaryian
May 01, 2015, 02:49:23 AM

A solo pool with a minimum payout

I'm just putting down the minimum payout as the setting has in place so when it halves I don't have to take down the pool.

Pool: Crypto-Miners Club
Website: www.Crypto-Miners.Club
Generation address: 1Q8M87yTySES5cS44gjapr2Uw7WCV58oQC
Blockchain.info sig: H/jWZVfKAD/0X3B2C2ajmtcHXcFA7lhzYYFPeRN6mk7FaSmqXi7evwVzPghJS3PSkSPeJZan6/OHUxnz17nLE6o=
Payout method: Group Solo Mining Pool
Fee: 0.5%
Pay Tx Reward: Yes
Vardiff: Yes / User-Defined
Local Work: Stratum
Pay Orphans: No
Min Withdrawal: 0.001 BTC
Merge Mining: Not Yet

Updated original post as well.

Is this different to other solo-mining pools?

No, I suppose not. Just didn't know how to word it.

kano
May 01, 2015, 03:32:38 AM

A solo pool with a minimum payout

I'm just putting down the minimum payout as the setting has in place so when it halves I don't have to take down the pool.

...

Eh? Do you even know what a solo mining pool is?

organofcorti
May 01, 2015, 03:54:00 AM

Is this different to other solo-mining pools?

No, I suppose not. Just didn't know how to word it.

Good-oh, list had been updated.

organofcorti
May 01, 2015, 03:55:19 AM

A solo pool with a minimum payout

I'm just putting down the minimum payout as the setting has in place so when it halves I don't have to take down the pool.

...

Eh? Do you even know what a solo mining pool is?

I'm guessing it's the way the minimum payout variable is set on the pool software. If you set it to say 25 btc, then it might not be happy when rewards are 12.5 btc.

kano
May 01, 2015, 05:05:07 AM

A solo pool with a minimum payout

I'm just putting down the minimum payout as the setting has in place so when it halves I don't have to take down the pool.

...

Eh? Do you even know what a solo mining pool is?

I'm guessing it's the way the minimum payout variable is set on the pool software. If you set it to say 25 btc, then it might not be happy when rewards are 12.5 btc.

Some time in about ... 1.25 years ... then ~4 years after that ... then ~4 years after that.
Yeah I don't really think it's a problem stopping the pool once every ~4 years to set that to half its value.

As for the min payout listed here - well it's not relevant to a solo pool even if the software has some silly configuration in it about that.
Maybe he should fix the code ... ... ... ... ... ... ...

adaryian
May 01, 2015, 12:38:42 PM

A solo pool with a minimum payout

I'm just putting down the minimum payout as the setting has in place so when it halves I don't have to take down the pool.

...

Eh? Do you even know what a solo mining pool is?

I'm guessing it's the way the minimum payout variable is set on the pool software. If you set it to say 25 btc, then it might not be happy when rewards are 12.5 btc.

Some time in about ... 1.25 years ... then ~4 years after that ... then ~4 years after that.
Yeah I don't really think it's a problem stopping the pool once every ~4 years to set that to half its value.

As for the min payout listed here - well it's not relevant to a solo pool even if the software has some silly configuration in it about that.
Maybe he should fix the code ... ... ... ... ... ... ...

Why should I have to do extra work when I could simply put a 0.01 payout and it doesn't affect anything? I'm still curious on why you're even commenting on trivial issues as if it is going to affect you somehow.

kano
May 01, 2015, 01:22:16 PM

A solo pool with a minimum payout

I'm just putting down the minimum payout as the setting has in place so when it halves I don't have to take down the pool.

...

Eh? Do you even know what a solo mining pool is?

I'm guessing it's the way the minimum payout variable is set on the pool software. If you set it to say 25 btc, then it might not be happy when rewards are 12.5 btc.

Some time in about ... 1.25 years ... then ~4 years after that ... then ~4 years after that.
Yeah I don't really think it's a problem stopping the pool once every ~4 years to set that to half its value.

As for the min payout listed here - well it's not relevant to a solo pool even if the software has some silly configuration in it about that.
Maybe he should fix the code ... ... ... ... ... ... ...

Why should I have to do extra work when I could simply put a 0.01 payout and it doesn't affect anything? I'm still curious on why you're even commenting on trivial issues as if it is going to affect you somehow.

Still curious about my comments? When were you curious before?

I'm curious why you are running a pool when you can't even edit the software to resolve such a trivial problem but instead comment on how the value you've used is to save you from restarting the pool once every 4 years ... ... ... ...

That sort of comment raises a major flag IMO.

I've made comment about this before around the forum about people running pools who are unable to fully manage the pool.

I guess when there comes a problem with the pool and you are unable to change/fix the code, then anyone who chose to mine on your pool is now in the situation of waiting until you find someone (trustworthy? or omg I better grab the first person I can find) to fix the problem.

People seem to think they can run a pool on their home internet connection or some tiny vps worth $10 a month.

Then of course there's issues like tuning the server to handle a large number of connections.
Then the obvious stuff like ensuring the pool has a very good connection to the bitcoin network so that miners aren't throwing hashes at you and getting regular orphans - even big pools like Eligius fail at doing that.

I wonder where your pool wallet is? Is it on a server that you may know next to nothing about managing? Do you know all the services running on the server and what they do? Do you monitor the connections and keep an eye on server access and security?

These sorts of things become an issue down the track when the pool operator says OMG someone hacked the pool and stole all the BTC. Sorry. It's happened quite a few times in the past with pools.

Seems the latest trend is people seeing some free pool download software and thinking OMG I can make a fortune running a pool. Being able to fully run a pool may be nowhere in their repertoire.

loshia
May 01, 2015, 03:12:03 PM

A solo pool with a minimum payout

I'm just putting down the minimum payout as the setting has in place so when it halves I don't have to take down the pool.

...

Eh? Do you even know what a solo mining pool is?

I'm guessing it's the way the minimum payout variable is set on the pool software. If you set it to say 25 btc, then it might not be happy when rewards are 12.5 btc.

On ckpool Pure solo there is no minimum payout. No restarts every 4 years are needed. The only restart you need is to catch up with git commits and that is all..

Balthazar
May 05, 2015, 03:07:23 PM (Last edit: May 05, 2015, 03:34:11 PM by Balthazar)

Hi guys.

Read an article yesterday, and I think I know why some pools are so "unlucky". In fact they're not unlucky, they're attacked through share multiplication issue.

There is a vulnerability found in the majority of stratum mining protocol implementations. I've published the disclosure of this bug a few weeks ago.

Vulnerability is caused by incorrect algorithm of verification for uniqueness. Instead of checking raw solutions, most of the pools are doing this through checking the hex-encoded representation. This allows miner to create multiple versions of the same share through applying uppercase function to hex encoded solution.

{"id":102,"method":"mining.submit","params":["eobot.41355", "19", "5e490000", "552ce06a", "c0ad31ee"]}
{"id":103,"method":"mining.submit","params":["eobot.41355", "19", "5e440000", "552ce06e", "3b39f0a2"]}
{"id":102,"method":"mining.submit","params":["eobot.41355", "19", "5e490000", "552ce06a", "c0ad31eE"]}
{"id":103,"method":"mining.submit","params":["eobot.41355", "19", "5e440000", "552ce06e", "3b39f0a2"]}
{"id":102,"method":"mining.submit","params":["eobot.41355", "19", "5e490000", "552ce06a", "c0ad31Ee"]}
{"id":103,"method":"mining.submit","params":["eobot.41355", "19", "5e440000", "552ce06e", "3b39f0a2"]}
{"id":102,"method":"mining.submit","params":["eobot.41355", "19", "5e490000", "552ce06a", "c0ad31EE"]}
{"id":103,"method":"mining.submit","params":["eobot.41355", "19", "5e440000", "552ce06e", "3b39f0a2"]}
{"id":102,"method":"mining.submit","params":["eobot.41355", "19", "5e490000", "552ce06a", "c0aD31ee"]}
{"id":103,"method":"mining.submit","params":["eobot.41355", "19", "5e440000", "552ce06e", "3b39f0a2"]}

This vulnerability seems as intentionally made i.e. backdoor. Simplest workaround is to use lower() method:

@@ -192,7 +192,12 @@ def submit_share(self, job_id, worker_name, session, extranonce1_bin, extranonce # Check nonce if len(nonce) != 8: raise SubmitException("Incorrect size of nonce. Expected 8 chars")
+ # normalize the case to prevent duplication of valid shares by the client + ntime = ntime.lower() + nonce = nonce.lower() + extranonce2 = extranonce2.lower() + # Check for duplicated submit

As far as I know, stratum-mining/eloipool/node-stratum-pool are vulnerable. Example of affected pools is ghash.io...

Some pools like BtcGuild are not affected for unclear reason. Probably because they're using proprietary software.
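
Review bot: in the added lines before `# Check for duplicated submit`, lowercasing `ntime`, `nonce` and `extranonce2` removes the case variants, but the values handed to the duplicate check are still hex strings. The only validation visible in the context is the `len(nonce) != 8` test, so I would decode the three fields to bytes at this point, reject anything that is not valid hex, and key the duplicate check on the decoded values, which leaves no textual spelling to normalize.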

DrHaribo
May 05, 2015, 03:46:01 PM

Some pools like BtcGuild are not affected for unclear reason. Probably because they're using proprietary software.
Yes, they are. Same thing with Bitminter. I would expect most pools are using their own software and are not vulnerable. I thought ghash had their own implementation as well. Although of course they could have made the same mistake. I hope you contacted these pools and gave them a chance to fix the issue before going public with it.

wizkid057
May 05, 2015, 04:52:03 PM

Hi guys.

Read an article yesterday, and I think I know why some pools are so "unlucky". In fact they're not unlucky, they're attacked through share multiplication issue.

There is a vulnerability found in the majority of stratum mining protocol implementations. I've published the disclosure of this bug a few weeks ago.

Vulnerability is caused by incorrect algorithm of verification for uniqueness. Instead of checking raw solutions, most of the pools are doing this through checking the hex-encoded representation. This allows miner to create multiple versions of the same share through applying uppercase function to hex encoded solution.

{"id":102,"method":"mining.submit","params":["eobot.41355", "19", "5e490000", "552ce06a", "c0ad31ee"]}
{"id":103,"method":"mining.submit","params":["eobot.41355", "19", "5e440000", "552ce06e", "3b39f0a2"]}
{"id":102,"method":"mining.submit","params":["eobot.41355", "19", "5e490000", "552ce06a", "c0ad31eE"]}
{"id":103,"method":"mining.submit","params":["eobot.41355", "19", "5e440000", "552ce06e", "3b39f0a2"]}
{"id":102,"method":"mining.submit","params":["eobot.41355", "19", "5e490000", "552ce06a", "c0ad31Ee"]}
{"id":103,"method":"mining.submit","params":["eobot.41355", "19", "5e440000", "552ce06e", "3b39f0a2"]}
{"id":102,"method":"mining.submit","params":["eobot.41355", "19", "5e490000", "552ce06a", "c0ad31EE"]}
{"id":103,"method":"mining.submit","params":["eobot.41355", "19", "5e440000", "552ce06e", "3b39f0a2"]}
{"id":102,"method":"mining.submit","params":["eobot.41355", "19", "5e490000", "552ce06a", "c0aD31ee"]}
{"id":103,"method":"mining.submit","params":["eobot.41355", "19", "5e440000", "552ce06e", "3b39f0a2"]}

This vulnerability seems as intentionally made i.e. backdoor. Simplest workaround is to use lower() method:

@@ -192,7 +192,12 @@ def submit_share(self, job_id, worker_name, session, extranonce1_bin, extranonce # Check nonce if len(nonce) != 8: raise SubmitException("Incorrect size of nonce. Expected 8 chars")
+ # normalize the case to prevent duplication of valid shares by the client + ntime = ntime.lower() + nonce = nonce.lower() + extranonce2 = extranonce2.lower() + # Check for duplicated submit

As far as I know, stratum-mining/eloipool/node-stratum-pool are vulnerable. Example of affected pools is ghash.io...

Some pools like BtcGuild are not affected for unclear reason. Probably because they're using proprietary software.

lol. I'm guessing you haven't actually looked at the code for eloipool. Nowhere in the code does it check the ascii-hex version of anything share related. FUD.

Balthazar
May 05, 2015, 04:53:18 PM

I've sent a message to some involved people and pool owners mail list. Though there is no sense because we have found this vulnerability a month ago after experiencing the mysterious unluck and checking the share log. So I guess it has been exploited for a while... Maybe a few months or even few years.

wizkid057
FUD

I didn't check eloipool myself so yep, I can be wrong there. But stratum-mining and node stratum are definitely affected.

Luke-Jr
May 05, 2015, 04:56:16 PM

There is a vulnerability found in the majority of stratum mining protocol implementations. I've published the disclosure of this bug few weeks ago.

Why did you make a public disclosure in Russian of a security bug in software written and maintained by people who probably don't understand Russian? The proper procedure for such things is to privately get in touch with the maintainers so they have an opportunity to fix it before public disclosure - especially for bugs easily exploited.

Vulnerability is caused by incorrect algorithm of verification for uniqueness. Instead of checking raw solutions, most of the pools are doing this through checking the hex-encoded representation. This allows miner to create multiple versions of the same share through applying uppercase function to hex encoded solution.

This vulnerability seems as intentionally made i.e. backdoor. Simplest workaround is to use lower() method:

While it's a pretty stupid bug, I don't think I'd automatically assume malice.

As far I know, stratum-mining/eloipool/node-stratum-pool are vulnerable.

Why do you say Eloipool is affected? It checks for duplicate submissions in binary.
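
The two duplicate checks contrasted in the posts above (hex text as submitted versus decoded binary), as an added example that is not code from stratum-mining, Eloipool or any poster: it replays the `mining.submit` lines quoted earlier through both checks and audits the log for case-only resubmissions. The function names and the simplified uniqueness key are assumptions.

```python
import json
import re

HEX8 = re.compile(r"[0-9a-fA-F]{8}")  # each hex field in the quoted lines is 8 chars

# Nonce spellings from the mining.submit lines quoted in the post: one solution,
# five letter-case variants.
NONCE_SPELLINGS = ["c0ad31ee", "c0ad31eE", "c0ad31Ee", "c0ad31EE", "c0aD31ee"]


def sample_submits():
    """Rebuild the quoted log: each variant of share 102 followed by share 103."""
    lines = []
    for nonce in NONCE_SPELLINGS:
        for rid, en2, ntime, n in ((102, "5e490000", "552ce06a", nonce),
                                   (103, "5e440000", "552ce06e", "3b39f0a2")):
            lines.append(json.dumps({"id": rid, "method": "mining.submit",
                                     "params": ["eobot.41355", "19", en2, ntime, n]}))
    return lines


# Assumption: the key is job id + extranonce2 + ntime + nonce; a pool would normally
# also scope it to the connection's extranonce1, which these log lines do not carry.
def string_key(params):
    """Flawed uniqueness key: the hex text exactly as the client sent it."""
    _worker, job_id, extranonce2, ntime, nonce = params
    return (job_id, extranonce2, ntime, nonce)


def binary_key(params):
    """Uniqueness key over decoded bytes; rejects fields that are not 8 hex chars."""
    _worker, job_id, *fields = params
    for field in fields:
        if not isinstance(field, str) or not HEX8.fullmatch(field):
            raise ValueError("not 8 hex characters: %r" % (field,))
    return (job_id,) + tuple(bytes.fromhex(f) for f in fields)


def replay(lines, key_func):
    """Return (credited, rejected) share counts for one duplicate check."""
    seen, credited, rejected = set(), 0, 0
    for line in lines:
        key = key_func(json.loads(line)["params"])
        if key in seen:
            rejected += 1
        else:
            seen.add(key)
            credited += 1
    return credited, rejected


def case_variant_resubmits(lines):
    """Share-log audit: per worker, duplicates differing from the first copy only in case."""
    first_seen, flagged = {}, {}
    for line in lines:
        params = json.loads(line)["params"]
        key, text = binary_key(params), string_key(params)
        if key in first_seen and first_seen[key] != text:
            flagged[params[0]] = flagged.get(params[0], 0) + 1
        first_seen.setdefault(key, text)
    return flagged


if __name__ == "__main__":
    log = sample_submits()
    print("hex-text key:", replay(log, string_key))
    print("binary key:  ", replay(log, binary_key))
    print("case-variant resubmits:", case_variant_resubmits(log))
```

The audit function can be pointed at an existing share log to estimate how many credited shares were case-only repeats of an earlier one.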

Balthazar
May 05, 2015, 04:57:35 PM

Luke-Jr
OK, then it's fine. Again, I didn't check Eloipool myself because I had not so much free time. Sorry for that.