colinistheman
|
|
March 14, 2014, 12:21:37 AM |
|
Here is a simple fix for the exploit.
When a block has an earlier timestamp than the previous block, its difficulty adjustment needs to be based on the difficulty of the most recent block its timestamp is later than rather than on the block immediately prior in the block chain.
For example, if a block has a time earlier than the last four blocks then it should start its difficulty calculations with the difficulty as it was before those four blocks.
I think that this makes every instance of the time warp exploit impossible.
And it's a simple adjustment to whatever difficulty algorithm you're using. Kgw included.
That sounds good. But I just thought of one scenario: What if the most recent block IS a block with a modified earlier timestamp?
|
|
|
|
Cryddit
Legendary
Offline
Activity: 924
Merit: 1132
|
|
March 14, 2014, 01:43:07 AM |
|
Simple rule. You go back to the most recent block that is timestamped earlier than the current one. Whether or not the previous block is also backward in time it's later than the current one or we wouldn't be calling the current block backward in time.
As for a modified block with a fake timestamp, that can't happen because it would not match its hash. Nobody would mistake that for a valid block.
|
|
|
|
Starlightbreaker
Legendary
Offline
Activity: 1764
Merit: 1006
|
|
March 14, 2014, 05:29:56 AM |
|
I am a little confused on how someone can flagrantly flaunt the idea of purposely crippling a network and not be in prison. Calling it a "stress test" or not doesn't mean it is any less or more legal.
You will end up picking a fight with the wrong person eventually...
AFAIKT it is all just braggadocio and posing. There is no evidence anywhere (other than anecdotal) that he has done, or is capable of doing, any of the things he claims or threatens. ~~^^^~~ really? you're lazy or just stupid? there's this function called "search", and look at past few years. BCX basically killed plenty of coins and pools. when he/she/it will do something, it will happen.
|
|
|
|
Nite69
|
|
March 14, 2014, 07:00:20 AM Last edit: March 14, 2014, 07:19:57 AM by Nite69 |
|
Here is a simple fix for the exploit.
When a block has an earlier timestamp than the previous block, its difficulty adjustment needs to be based on the difficulty of the most recent block its timestamp is later than rather than on the block immediately prior in the block chain.
For example, if a block has a time earlier than the last four blocks then it should start its difficulty calculations with the difficulty as it was before those four blocks.
I think that this makes every instance of the time warp exploit impossible.
And it's a simple adjustment to whatever difficulty algorithm you're using. Kgw included.
Hmm.. One scenario where this would not work.. and maybe also that fix which would allow jump back 1 block: 1. Mine blocks to the future getting 10% lower diff every block. 2. When you are at the lowest diff, stay on that time by jumping forward-backward-forward-backward.. 3. Repeat that until your block's time is in the real time window and publish it For this to sucess, one must be able to generate blocks without going forward on time while keeping diff low. So jumping forward- backward has to generate higher diff/block than going forward only. Edit: Not sure but I think this scenario would not work; he would get 10% lower diff every time he goes forward, but 20% higher when backward -> he would end up very high diff shortly.
|
Sync: ShiSKnx4W6zrp69YEFQyWk5TkpnfKLA8wx Bitcoin: 17gNvfoD2FDqTfESUxNEmTukGbGVAiJhXp Litecoin: LhbDew4s9wbV8xeNkrdFcLK5u78APSGLrR AuroraCoin: AXVoGgYtSVkPv96JLL7CiwcyVvPxXHXRK9
|
|
|
Cryddit
Legendary
Offline
Activity: 924
Merit: 1132
|
|
March 14, 2014, 08:08:57 AM |
|
1. Mine blocks to the future getting 10% lower diff every block. 2. When you are at the lowest diff, stay on that time by jumping forward-backward-forward-backward..
For this to sucess, one must be able to generate blocks without going forward on time while keeping diff low. So jumping forward- backward has to generate higher diff/block than going forward only.
Edit: Not sure but I think this scenario would not work; he would get 10% lower diff every time he goes forward, but 20% higher when backward -> he would end up very high diff shortly.
Exactly. When you jump backward in time you undo any lowered diff you got by going forward in time. And because backward is a negative interval, it counts as shorter than the minimum interval to get a maximum upward difficulty bump. So the sequence is Forward (lowers diff by 10%) Backward (undoes that, and raises diff by 10%) Forward (lowers diff by 10%) Backward (undoes that, and raises diff by 10%) etc... If you do the forward/backward thing, you raise the difficulty by 10% each time you jump backward, so you rapidly get to the point where the main chain is producing blocks much faster than you.
|
|
|
|
illodin
|
|
March 14, 2014, 10:24:37 AM |
|
So if KGW has this exploit, shouldn't all KGW coins put up a bounty for getting it fixed asap? Which coins have already fixed it btw?
|
|
|
|
HiroS
|
|
March 14, 2014, 10:31:45 AM |
|
If this is due to being able to produce blocks in the future or the past the fix can be applied to the coin code to limit the acceptable difference in time between the blockchain and the block. Feathercoin saw massive time warp attacks pushing blocks on from yesterday. They coded for this and I have chosen to include this code in the coin I am launching tomorrow which uses KGW. The problem is that most coins leave the little code that manages time the same as where they forked it from but make block time and retargets quicker making them more exposed to attack.
|
|
|
|
Nite69
|
|
March 14, 2014, 11:02:03 AM Last edit: March 14, 2014, 11:20:24 AM by Nite69 |
|
1. Mine blocks to the future getting 10% lower diff every block. 2. When you are at the lowest diff, stay on that time by jumping forward-backward-forward-backward..
For this to sucess, one must be able to generate blocks without going forward on time while keeping diff low. So jumping forward- backward has to generate higher diff/block than going forward only.
Edit: Not sure but I think this scenario would not work; he would get 10% lower diff every time he goes forward, but 20% higher when backward -> he would end up very high diff shortly.
Exactly. When you jump backward in time you undo any lowered diff you got by going forward in time. And because backward is a negative interval, it counts as shorter than the minimum interval to get a maximum upward difficulty bump. So the sequence is Forward (lowers diff by 10%) Backward (undoes that, and raises diff by 10%) Forward (lowers diff by 10%) Backward (undoes that, and raises diff by 10%) etc... If you do the forward/backward thing, you raise the difficulty by 10% each time you jump backward, so you rapidly get to the point where the main chain is producing blocks much faster than you. Actually, the original bitcoin still has this vulnerability! However, I doubt any entity would be able to use it. scenario: - Miner has 10% of the total mining power - He starts isolated mining with timestamps 25% over the normal, ie 12.5 minutes - He continues 2 weeks (his blochaintime, would be 20 weeks realtime!), and gets 25% easier diff - He continues next 2 weeks, gets again 25% easier diff - repeats until diff is very low - now he starts mining 5 blocks forward with 12.5 min interval and one block backward to the same moment (or 1 sec more). This keeps his diff low! He continues this until real blockchain is on the same time. (might take years....) He publishes his blockchain. Edit: Would not work. The last step won't keep his diff low. Difficulty is retargeted every 2 weeks, so he will get 25% higher diff after every 2016 blocks. If retarget time is >= (mediumblocks-1)/2, it won't work.
|
Sync: ShiSKnx4W6zrp69YEFQyWk5TkpnfKLA8wx Bitcoin: 17gNvfoD2FDqTfESUxNEmTukGbGVAiJhXp Litecoin: LhbDew4s9wbV8xeNkrdFcLK5u78APSGLrR AuroraCoin: AXVoGgYtSVkPv96JLL7CiwcyVvPxXHXRK9
|
|
|
Cryddit
Legendary
Offline
Activity: 924
Merit: 1132
|
|
March 14, 2014, 04:06:24 PM |
|
Yeah, Bitcoin is safe because 2016 blocks is longer than the ~5 blocks or so that the median-of-last-11 blocks rule allows anyone to jump backward. You can play silly buggers with timestamps but the effect of it will be small enough that it's pointless. The fix proposed above is for cryptocurrencies that have introduced a vulnerability by retargeting every block.
|
|
|
|
Cryddit
Legendary
Offline
Activity: 924
Merit: 1132
|
|
March 14, 2014, 07:27:23 PM |
|
BTCX, as dev of a not-yet-released altcoin, I admire your work on examining and revealing security flaws in altcoins.
If/When I release, I'd really like you to have a crack or two at mine, just to make sure if I got it right and, if no breaks are found or if every break found is quickly fixed, increase long-term confidence.
The multi-petahash hash rate of Bitcoin is indeed excellent assurance against any "reasonable" attack. But as you have said, most people who thought they could "improve" on the design have instead demonstrated why the design is more robust than their improvements.
The fact that ASIC mining rigs have reached the current standards for high-performance chips at 28nm also means that Bitcoin is relatively safe from further very rapid advances in mining rig speed or exploits by people who take advantage of higher tech. The hash rate from here grows as fast as people acquire more machinery and as fast as computer hardware in general advances, rather than with the overwhelming advantage of faster machinery becoming available much more rapidly because people apply increasingly advanced process to it.
But the fact that those rigs exist is deadly for altcoins on SHA256; people with multi-Ghash mining rigs jump on and off of altcoins mining low difficulties with machinery that would, if it mined steadily, result in considerably higher difficulty. Also the 51% attack -- even straight up with no exploits due to stupidity like the time warp attack -- is very hard to defend an altchain against. So that's a real quandary for altcoin devs. With an altcoin you can't take advantage of the SHA256 infrastructure because people who've invested $millions in hashing hardware have the ability to instead take advantage of you.
I keep looking at some variation on proof-of-stake, but the current implementations of PoS are all flawed (and all in more or less the same way) because people can use their stake to mine more than one branch of a chainfork simultaneously instead of committing to one or the other.
|
|
|
|
Cryddit
Legendary
Offline
Activity: 924
Merit: 1132
|
|
March 14, 2014, 07:36:03 PM |
|
Irrelevant to the AUR test I know, but I've been considering using AES256 as the basis of a "hash" function for the altcoin, because AES256 is built into hardware on most modern CPUs and so you could easily create mining software to take advantage of the capability. Instead of incrementally building up to ASIC miners, we'd be starting with everybody having ASIC miners (with only as much parallelism as the CPU, but still significant).
GPUs can do AES in parallel, but they don't have it built into hardware so even in parallel they're still not as fast as an 8-core CPU at it. The eventual custom ASICs would build that massive parallelism, but I think an altcoin could be well established before they arise and inevitably centralize mining.
|
|
|
|
Fdt
Full Member
Offline
Activity: 137
Merit: 100
Forexcoin Developer
|
|
March 14, 2014, 07:45:18 PM |
|
It may be possible to implement consensus based p2p checkpoints as some people mentioned previously.
|
|
|
|
Cryddit
Legendary
Offline
Activity: 924
Merit: 1132
|
|
March 14, 2014, 07:53:48 PM |
|
Keep in mind, anything that is limited to the cpu level of mining will totally owned by the botnetters as soon as any coin becomes profitable.
Damn, you're right. Idiots run Windows boxes and continually get Pwned by botnets.
|
|
|
|
Cryddit
Legendary
Offline
Activity: 924
Merit: 1132
|
|
March 14, 2014, 10:20:49 PM |
|
Even at that, botnets are keeping the chain secure and getting paid for it, just like regular miners. The fact that they're stealing the compute power and electricity to do it doesn't directly affect the altcoin itself.
It is kinda scummy though.
|
|
|
|
tromp
Legendary
Offline
Activity: 990
Merit: 1110
|
|
March 14, 2014, 10:27:18 PM |
|
Keep in mind, anything that is limited to the cpu level of mining will totally owned by the botnetters as soon as any coin becomes profitable.
I made a killing with XPM.
Not "anything". Just things that can run well on the average hardware and stay under the radar. A proof-of-work system that uses 4+GB of memory will send the vast majority of botnet computers into swap-hell, resulting in 1) negligable hashing power 2) their owners realizing something is very wrong
|
|
|
|
gnode
|
|
March 14, 2014, 11:55:44 PM |
|
When does the action start? St Patty's Day?
|
|
|
|
anderl
|
|
March 14, 2014, 11:59:31 PM |
|
Yeah, Bitcoin is safe because 2016 blocks is longer than the ~5 blocks or so that the median-of-last-11 blocks rule allows anyone to jump backward. You can play silly buggers with timestamps but the effect of it will be small enough that it's pointless. The fix proposed above is for cryptocurrencies that have introduced a vulnerability by retargeting every block.
The only true security against any difficulty and/or tw exploits is multi-peta hash rate. ~BCX~
|
|
|
|
Aboroth
Member
Offline
Activity: 60
Merit: 10
|
|
March 15, 2014, 12:05:16 AM |
|
Please follow through with this and be successful. Auroracoin is a stupid, scammy coin with a stupid plan for stupid people.
|
|
|
|
eduffield
Legendary
Offline
Activity: 1176
Merit: 1036
Dash Developer
|
|
March 15, 2014, 04:15:28 AM |
|
Due to exploits found in KGW, I've implemented a new difficulty retargeting algorithm called DarkGravityWave. You guys might be interested, it's a major improvement over KGW and a complete rewrite. What is DarkGravityWave? It uses multiple exponential moving averages and a simple moving average to smoothly adjust the difficulty. This implementation is far more simplistic and better suited to adjust difficulty than KGW and also fixes all known exploits. Check out the source if you're interested: https://github.com/evan82/darkcoin/commit/07c99052edc617975cdcbe4482e02c52e2d1fbf5
|
Dash - Digital Cash | dash.org | dashfoundation.io | dashgo.io
|
|
|
|