Bitcoin Forum
March 29, 2024, 02:37:42 AM *
News: Latest Bitcoin Core release: 26.0 [Torrent]
 
   Home   Help Search Login Register More  
Warning: One or more bitcointalk.org users have reported that they believe that the creator of this topic displays some red flags which make them high-risk. (Login to see the detailed trust ratings.) While the bitcointalk.org administration does not verify such claims, you should proceed with extreme caution.
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 [48] 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 »
  Print  
Author Topic: Nxt source code flaw reports  (Read 113301 times)
ricot
Newbie
*
Offline Offline

Activity: 56
Merit: 0


View Profile
January 13, 2014, 08:07:07 PM
 #941

Now onwards to the 100k one... Killing a copy-coin in a day...
Do we have a supercomputer available for the job? Wink

[edit]
Was any discussion in that thread somewhere close to that bug or haven't we touched that at all yet?
1711679862
Hero Member
*
Offline Offline

Posts: 1711679862

View Profile Personal Message (Offline)

Ignore
1711679862
Reply with quote  #2

1711679862
Report to moderator
1711679862
Hero Member
*
Offline Offline

Posts: 1711679862

View Profile Personal Message (Offline)

Ignore
1711679862
Reply with quote  #2

1711679862
Report to moderator
1711679862
Hero Member
*
Offline Offline

Posts: 1711679862

View Profile Personal Message (Offline)

Ignore
1711679862
Reply with quote  #2

1711679862
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
1711679862
Hero Member
*
Offline Offline

Posts: 1711679862

View Profile Personal Message (Offline)

Ignore
1711679862
Reply with quote  #2

1711679862
Report to moderator
1711679862
Hero Member
*
Offline Offline

Posts: 1711679862

View Profile Personal Message (Offline)

Ignore
1711679862
Reply with quote  #2

1711679862
Report to moderator
Come-from-Beyond (OP)
Legendary
*
Offline Offline

Activity: 2142
Merit: 1009

Newbie


View Profile
January 13, 2014, 08:08:11 PM
 #942

Now onwards to th 100k one... Killing a copy-coin in a day...
Do we have a supercomputer available for the job? Wink

No. Wink

5 y.o. computer is enough.
Come-from-Beyond (OP)
Legendary
*
Offline Offline

Activity: 2142
Merit: 1009

Newbie


View Profile
January 13, 2014, 08:14:29 PM
 #943

So... was this related to the found flaws?

thnx   Smiley

No
CrazyEyes
Full Member
***
Offline Offline

Activity: 137
Merit: 100


View Profile
January 13, 2014, 08:15:51 PM
 #944

Well done rico and bloodyrookie Smiley
jkoil
Hero Member
*****
Offline Offline

Activity: 833
Merit: 524


Nxt NEM


View Profile
January 13, 2014, 08:27:41 PM
 #945

looks like a needless if-block

Code:
for (i = 32; i--!=0; ) {
if (i==0) {
i=0;
}

or does it have any purpose? At least a place for a breakpoint ... Smiley


gsan1
Newbie
*
Offline Offline

Activity: 50
Merit: 0


View Profile
January 13, 2014, 08:30:21 PM
 #946

When generating a block, you have 2 signatures that could go wrong.
One is the generationSignature, which is calculated from the previousBlock, so there is no chance in changing it when it fails. (i.e. 25% invalid block).
The other one is the blockSignature. Currently, this is only generated once and contains a hash of e.g. all the transactions. If that signature fails in NRS, the client will just output invalid block and don't continue to try.
If Bob isn't using NRS, he could generate the blockSignature again with different data, i.e. different transactions. It's relatively easy to find a payload that will generate a valid hash.
Bob could then transmit the perfectly fine block, which NRS would have not enabled him to do. So he got an advantage by not using the default client.

Well, u and BloodyRookie explained 99% of the serious flaw. I think u both should get 1'000 NXT. Post ur account.

@BloodyRookie: Post ur Nxt account, plz.


PS: The description of the serious flaw is:

Code:
An incorrect block signature is not recalculated. This gives ability to use less than 50% of the stake to attack the network.

Congrats  Grin
I was so close to find out this flaw, but you were faster. Well even if I detected no flaw, it gave me a really good understanding of NXT works.  Smiley Time to invest some more money in NXT I guess.  Cheesy
Come-from-Beyond (OP)
Legendary
*
Offline Offline

Activity: 2142
Merit: 1009

Newbie


View Profile
January 13, 2014, 08:30:34 PM
 #947

looks like a needless if-block

Code:
for (i = 32; i--!=0; ) {
if (i==0) {
i=0;
}

or does it have any purpose? At least a place for a breakpoint ... Smiley


U should ask the author of the code.
msin
Legendary
*
Offline Offline

Activity: 1470
Merit: 1004


View Profile
January 13, 2014, 08:44:02 PM
 #948

When generating a block, you have 2 signatures that could go wrong.
One is the generationSignature, which is calculated from the previousBlock, so there is no chance in changing it when it fails. (i.e. 25% invalid block).
The other one is the blockSignature. Currently, this is only generated once and contains a hash of e.g. all the transactions. If that signature fails in NRS, the client will just output invalid block and don't continue to try.
If Bob isn't using NRS, he could generate the blockSignature again with different data, i.e. different transactions. It's relatively easy to find a payload that will generate a valid hash.
Bob could then transmit the perfectly fine block, which NRS would have not enabled him to do. So he got an advantage by not using the default client.

Well, u and BloodyRookie explained 99% of the serious flaw. I think u both should get 1'000 NXT. Post ur account.

@BloodyRookie: Post ur Nxt account, plz.


PS: The description of the serious flaw is:

Code:
An incorrect block signature is not recalculated. This gives ability to use less than 50% of the stake to attack the network.

Congrats guys!  Can we get a summary on what flaws are left to be uncovered?
Come-from-Beyond (OP)
Legendary
*
Offline Offline

Activity: 2142
Merit: 1009

Newbie


View Profile
January 13, 2014, 08:47:12 PM
 #949

Congrats guys!  Can we get a summary on what flaws are left to be uncovered?

The fatal flaw with 100K reward. It will kill a copy-coin in a day, an old computer is enough for the attack.
BloodyRookie
Hero Member
*****
Offline Offline

Activity: 687
Merit: 500


View Profile
January 13, 2014, 09:02:50 PM
 #950

Account number is in my sig.

Nothing Else Matters
NEM: NALICE-LGU3IV-Y4DPJK-HYLSSV-YFFWYS-5QPLYE-ZDJJ
NXT: 11095639652683007953
msin
Legendary
*
Offline Offline

Activity: 1470
Merit: 1004


View Profile
January 13, 2014, 09:04:16 PM
 #951

Congrats guys!  Can we get a summary on what flaws are left to be uncovered?

Each flaw has a small description. Here r SHA256 hashes of these descriptions:

bd34c891e9e3df9ea8b8eafc4dc3edc129f81365d42bf204ea58271e320f3ce5 - 1K reward
888f278c773d39b8334a651d84ee78871bd0e5d45e09be8fdb190ba1b2969530 - 10K reward
f5236644f4306699bb0fa90a905afe2454683c0aad6995e4433d712e2fdb257c - 100K reward

The flaws must be reported before the 3rd of April, after that date they can be revealed at any moment.

Well, I guess it's appropriate that the fatal flaw is the last to be discovered.
grizmoblust
Sr. Member
****
Offline Offline

Activity: 379
Merit: 250



View Profile
January 13, 2014, 09:06:50 PM
 #952

Congrats guys!  Can we get a summary on what flaws are left to be uncovered?

Each flaw has a small description. Here r SHA256 hashes of these descriptions:

bd34c891e9e3df9ea8b8eafc4dc3edc129f81365d42bf204ea58271e320f3ce5 - 1K reward
888f278c773d39b8334a651d84ee78871bd0e5d45e09be8fdb190ba1b2969530 - 10K reward
f5236644f4306699bb0fa90a905afe2454683c0aad6995e4433d712e2fdb257c - 100K reward

The flaws must be reported before the 3rd of April, after that date they can be revealed at any moment.

Well, I guess it's appropriate that the fatal flaw is the last to be discovered.


It sounds like bcnxt knows the fatal flaw according to his wording.






░░░▄▀█░░░▄░▄▄░▄░░░█▀▄
▄▄▄▀▀██▀░█▐▌█ ▀██▀▀▄▄▄
▐▌░░░▐▀░▄▀░▐▌░▀▄░▀▌░░░▐▌
▐▌░░░█░░▄▀▄▐▌▄▀▄░░█░░░▐▌
▐▌░░░█░░▀▄░▀▀░▄▀░░█░░░▐▌
▐▌░░▄░█▄░▀▄▐▌▄▀░▄█░▄░░▐▌
▐▌░█▄█░░▀▀▀██▀▀▀░░█▄█░▐▌
▐▌░░░░░░░░░░░░░░░░░░░░▐▌
▐█▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀█▌
▀▀▀▀▀▀▀█▀▀▀▀▀▀█▀▀▀▀▀▀▀
░░░░░░░▀▀▀▀▀▀▀▀▀▀
.
░░░░░░░░░░░░░▄█▄░░░░░░░▄█▄
░░░░░░░░░░░░░░░░░▄█▄░░░
░░░░▄▄▄▄▄░░░░░░░░░░░░░
░░█▀▄▄▀▄▄▀█░░░▐▌▐▌
░░░░░░░▐▌▐▌
░░░░░░░░█▄░░░░▄█
█▄█▄▄▄▄▄█▄█░░░░▄▄▀▀▀▄▄
░░░░▄▄▄░░░░░▄▀▄██▀█▌▀▄
░░░██▄██▄▄█▀█▌█▐█▄█▌█▐█
░░░░█▄▄▄▄▄█▄█▌█▐█▄█▌█▐█
░░░░█▄█░░░░░█▄▄█▄█▄█▄█
▀▄▄▄▄▄▄▄▄▄▄▀░░░▀▀▄█▄█▄▀▀
.


░░░██▄▄░░██░██
▄▄░░░░░▀█░█▄▐▌░░░░░▄▄▄
▀▀▀▀▀▀▀█▐▌▄█▐▌░░░░█░▀▀
░░░░░░█▀▄▄▄▄▄▄▀▀▀▀░░▄▄
░░░░░░█░▀▀▀▀▀▀▄█▀▀▀▀▀▀
░░▄▄▄▄▄░▄▄▄▄▄▄▀▄
░░▀▀░░█▄▀▀▀▀▀█▄▀
░░░░░░░█▐▌▀█░█
██▀▀▀▀▀▀▐▌░█░░▀▀▀▀▀▀█
░░░░░░░░██░░▀▀▀▀▀██░██
.
BloodyRookie
Hero Member
*****
Offline Offline

Activity: 687
Merit: 500


View Profile
January 13, 2014, 09:22:40 PM
 #953

Edit:  A little friendly reminder...   Wink    Hey ricot and BloodyRookie... you need to take a look quick!

I think that was related to the block id flaw.

Nothing Else Matters
NEM: NALICE-LGU3IV-Y4DPJK-HYLSSV-YFFWYS-5QPLYE-ZDJJ
NXT: 11095639652683007953
Come-from-Beyond (OP)
Legendary
*
Offline Offline

Activity: 2142
Merit: 1009

Newbie


View Profile
January 13, 2014, 09:24:33 PM
 #954

Not a fatal flaw, but something to think about.

What you do is forge /every/ chain, keep every alt chain you have. Forge on it and wait until you can forge on everything, even after you get a block. And then spam those out because theres a small chance they could become the longest

You don't get penalized in transparent forging, because you forge on everything. You get a block, your forge time in 2 minutes. At 90 seconds, someone else forgers you ignore this, and forge at 2 minutes as if you didn't receive.
now there are two chains, the longest, and one thats off by only 30 seconds, you receive both. but the 30 second longer one is advantageous to you, because it gives you a lower forging time, so you forge on it.
as soon as you can (even if you have received other blocks for it).and so on and so forth, creating an incentive to create exponential alt chains and process non-longest chains.

If this can happen, then the network would under a lot of pressure.

Regards
j0b and ZjP

Sounds like multiverse concept. We already have coins and anticoins, superposition of transactions lost in limbo, event horizon that limits rate of the transactions, time warp of transparent forging...
Jaguar0625
Sr. Member
****
Offline Offline

Activity: 299
Merit: 250


View Profile
January 13, 2014, 10:56:11 PM
 #955

But I'd be very interested in hearing why the unverifiability happens and to see numbers on how often that happens.

Sometimes verification faces a situation similar to

Code:
X * 0 == Y * 0

In this case it's impossible to make sure that X == Y.

It happens ~ each 4th time.

Are you saying that you can't verify 25% of signatures? Isn't that a pretty serious issue?

NEM - nem.io
Jaguar0625
Sr. Member
****
Offline Offline

Activity: 299
Merit: 250


View Profile
January 13, 2014, 10:58:49 PM
 #956


In this case, let's say B is malicious and wants to replace A(1, 2, 2) with a different block. In this case, B(1, 2, 10) does not chain to the last block in A so it is put in as a future block. The two possible chains for A are:
A.1: { (0, 1, 1), (1, 2, 2), (2, 3, 3) }
A.2: { (0, 1, 1), (1, 2, 10) }

Since A.2 has a higher difficulty, it will be chosen. As far as I can tell, I don't see anything preventing a malicious attacker from manipulating cumulative difficulty scores in order to get blocks dropped.

Maybe I haven't slept enough, but I think you're right, but...

This would imply two things:
  • He would have to be generator of (1,2,10) - ok he can predict that
  • but he would also have to be generator of (1,2,2) (coz verify generation signature would't pass)

so basically he would invalidate his own block...

This would also work if B was manipulated to have both new chaining blocks and future blocks, e.g.
B: { (0, 1, 1), (1, 2, 2), (2, 3, 3), (3, 4, 4), (1, 2, 10) }

In effect, this would keep transactions (B(3, 4, 4) in the example completely hidden from A.

Or am I missing something?

I think this is good example, that those situations (adding to end of chain AND invalidating tail of chain) are (or rather should, as they are not now)
mutually exclusive cases...


So, isn't this something that can be taken advantage of by a large account holder? The largest account holder right now has 70M NXT, which means that he should be able to forge 7% of blocks. At this rate, it seems very possible that he can generate two blocks within the block height of 720 that clients look at when syncing. (Not to mention that this could also be exploited if there was collusion by among some of the top account holders).


I don't think anyone has replied to this yet.

NEM - nem.io
Jaguar0625
Sr. Member
****
Offline Offline

Activity: 299
Merit: 250


View Profile
January 13, 2014, 11:33:57 PM
 #957

Good. We'll get some bitcoins to set a reward for Nxt crypto algo audit. Yes, bitcoins, not nxts, coz if the algo is flawed nxts won't be worth a lot Grin.

@CfB, have the developers considered switching to Ed25519 instead?
I think it could easily be deployed (i.e, require all txes + blocks > 40k block to have new sig).

There are many advantages.
First one being it's much better verified and tested than current sing+verify.
Second one is probably speed (although I haven't tested), as computations in Edward's form should be easier.

Do u have fast java implementation?

I came across this: http://crypto.stackexchange.com/questions/12743/is-curve25519-java-secure. So it seems like curve25519 doesn't natively support signing. I'm curious as to why it was chosen?

NEM - nem.io
liyi3c
Newbie
*
Offline Offline

Activity: 26
Merit: 0


View Profile
January 14, 2014, 06:04:59 AM
 #958

someone can generate a block in legit way and try to modify some bytes so that it has block_id = 0,  as pushBlock only check blocks.get(block.getId()) != null where it does = null, the next generated block will override genesis block in analyze()
Code:
if (previousBlock == 0) {

lastBlock = GENESIS_BLOCK_ID;
blocks.put(lastBlock, this);
baseTarget = initialBaseTarget;
cumulativeDifficulty = BigInteger.ZERO;

Account.addAccount(CREATOR_ID);

}
Come-from-Beyond (OP)
Legendary
*
Offline Offline

Activity: 2142
Merit: 1009

Newbie


View Profile
January 14, 2014, 06:28:15 AM
 #959

Are you saying that you can't verify 25% of signatures? Isn't that a pretty serious issue?

It was already reported.
Come-from-Beyond (OP)
Legendary
*
Offline Offline

Activity: 2142
Merit: 1009

Newbie


View Profile
January 14, 2014, 06:29:01 AM
 #960

I don't think anyone has replied to this yet.

It will be changed soon.
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 [48] 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 »
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!