Bitcoin Forum
Author Topic: SolidCoin Exploited.  (Read 3414 times)
SAC (OP)
December 01, 2011, 08:15:50 AM
Last edit: January 16, 2012, 07:07:34 PM by SAC
 #1

...
FlipPro
December 01, 2011, 08:28:51 AM
Last edit: December 01, 2011, 08:46:24 AM by FlipPro
 #2

Quote
Well, started a thread on this page I found about mining the trusted blocks on SolidCoin, and one of the SC trolls had this to post in the thread. Apparently the page was correct and someone has exploited the "unbreakable code of the master programmer" RS.



Response from RealSolid

Quote
Posted Today, 06:01 AM
Yeah there was an exploit which currently takes some of the CPF payment away from the CPF in the trust blocks and instead gives it to an address supplied by the attacker. It's mostly been limited though with code given to the trust nodes, exchanges and larger pools. There currently isn't much SC going to the CPF each day, so the amount they got was quite small. The trust node system has allowed us to pretty much nullify any serious attack vector that was possible (as unlikely as they were it did highlight some more things we needed to tie down).

There will be a new version out soon which signs the trust blocks themselves so that they cannot be altered and "reused" at all.

What I find weird on that page though is the fact it's revenge for Litecoin, they think we had something to do with their spam or something? Quite weird when we already know one person who has admitted to spamming in the past and thinks it's a valid "testing tool" , ie artforz. The guy who is also likely behind this exploit.


SAC

I am no more of a SC troll than you are a LTC troll.
kjlimo
December 01, 2011, 10:08:30 AM
 #3

Quote
Well, started a thread on this page I found about mining the trusted blocks on SolidCoin, and one of the SC trolls had this to post in the thread. Apparently the page was correct and someone has exploited the "unbreakable code of the master programmer" RS.



Response from RealSolid

Quote
Posted Today, 06:01 AM
Yeah there was an exploit which currently takes some of the CPF payment away from the CPF in the trust blocks and instead gives it to an address supplied by the attacker. It's mostly been limited though with code given to the trust nodes, exchanges and larger pools. There currently isn't much SC going to the CPF each day, so the amount they got was quite small. The trust node system has allowed us to pretty much nullify any serious attack vector that was possible (as unlikely as they were it did highlight some more things we needed to tie down).

There will be a new version out soon which signs the trust blocks themselves so that they cannot be altered and "reused" at all.

What I find weird on that page though is the fact it's revenge for Litecoin, they think we had something to do with their spam or something? Quite weird when we already know one person who has admitted to spamming in the past and thinks it's a valid "testing tool" , ie artforz. The guy who is also likely behind this exploit.


SAC

I am no more of a SC troll than you are a LTC troll.

gotta love the troll on troll action!

alternative cryptocurrency volatility FTW!  Day-trading anyone?

makomk
December 01, 2011, 11:05:21 AM
 #4

Quote
The trust node system has allowed us to pretty much nullify any serious attack vector that was possible (as unlikely as they were it did highlight some more things we needed to tie down).
I don't think this is actually true. The thing I didn't entirely grasp when first reading the patch is that unlike Bitcoin, which prefers the first block it saw if it receives two that are equally good, Solidcoin uses the most recent block:
Code:
    // New best
    if (pindexNew->bnChainWork > g_bnBlockBestChainWork || pindexNew->bnChainWork == g_bnBlockBestChainWork)
    {
        if (!SetBestChain(txdb, pindexNew)) return false;
    }
So in theory not even using the trust nodes to completely shut down Solidcoin would be enough to stop someone from exploiting this to rewrite history. They should give RealSolid some power to influence which side of a double spend wins if he catches it soon enough and has enough hashpower, though.

That's a thought actually. If the new version breaks backwards compatibility and some nodes don't upgrade on time it'd require a lot less hashpower to attack those nodes than it normally would.

Quad XC6SLX150 Board: 860 MHash/s or so.
SIGS ABOUT BUTTERFLY LABS ARE PAID ADS
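
The tie-breaking difference makomk describes, as an added example that is not part of the original post and is not SolidCoin or Bitcoin code. It is a constructed model (the names `Tip`, `TieRule`, `Node` and `Replay` are hypothetical) that replays the same block arrivals under both rules and counts how often an already accepted tip is displaced by one carrying no more work:

```cpp
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Constructed model: a chain tip with its cumulative proof-of-work
// (the role bnChainWork plays in the snippet quoted in the post).
struct Tip { std::string id; uint64_t chainWork; };

enum class TieRule { FirstSeen, MostRecent };

// Hypothetical node: keeps one best tip and counts equal-work replacements.
class Node {
public:
    explicit Node(TieRule rule) : rule_(rule) {}

    // Returns true when the node adopts `candidate` as its best tip.
    bool Offer(const Tip& candidate) {
        const bool better = candidate.chainWork > best_.chainWork;
        const bool tie = candidate.chainWork == best_.chainWork;
        // MostRecent mirrors the quoted `>` || `==` test; FirstSeen is the
        // strict `>` comparison, which keeps the tip that arrived first.
        if (!better && !(tie && rule_ == TieRule::MostRecent)) return false;
        if (tie) ++tieSwitches_;  // accepted tip displaced with no extra work
        best_ = candidate;
        return true;
    }
    const std::string& BestId() const { return best_.id; }
    int TieSwitches() const { return tieSwitches_; }

private:
    TieRule rule_;
    Tip best_{"", 0};
    int tieSwitches_ = 0;
};

// Constructed arrival order: one tip, then two rivals with identical work.
const std::vector<Tip> kArrivals = {
    {"first", 100}, {"rival-1", 100}, {"rival-2", 100}};

Node Replay(TieRule rule, const std::vector<Tip>& arrivals) {
    Node n(rule);
    for (const Tip& t : arrivals) n.Offer(t);
    return n;
}

int main() {
    for (TieRule r : {TieRule::FirstSeen, TieRule::MostRecent}) {
        Node n = Replay(r, kArrivals);
        std::cout << n.BestId() << " after " << n.TieSwitches()
                  << " equal-work switches\n";
    }
}
```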
k9quaint
December 01, 2011, 05:50:03 PM
 #5

This exploit (and others like it) is why it was so important to release the code the control nodes run.
Before the coin launches, not after.

Bitcoin is backed by the full faith and credit of YouTube comments.
DeathAndTaxes
Gerald Davis
December 01, 2011, 10:49:09 PM
 #6

Quote
This exploit (and others like it) is why it was so important to release the code the control nodes run.
Before the coin launches, not after.

Peer review for the win.

WPA vs WEP
Bitcoin vs ScamCoin
AES vs DES
tacotime
December 01, 2011, 11:52:38 PM
 #7

Looks like SC was dropped from allchains

this is the end my friends

Schwede65
December 02, 2011, 12:02:29 AM
Last edit: December 02, 2011, 12:13:33 AM by Schwede65
 #8

Quote
Looks like SC was dropped from allchains

this is the end my friends

chart 1: SC is present

chart 2 + 3: very long time no updated data/SC and now it's dropped
naypalm
December 02, 2011, 01:38:28 AM
 #9

SC's still around!?

kjlimo
December 02, 2011, 06:09:12 AM
 #10

Quote
Looks like SC was dropped from allchains

this is the end my friends

chart 1: SC is present

chart 2 + 3: very long time no updated data/SC and now it's dropped

agreed, charts 2 & 3 were incredibly hard to compare and didn't necessarily make sense when comparing. It seems these CPU chains are apples & oranges....

makomk
December 02, 2011, 09:55:09 AM
 #11

Well, RealSolid has released an update that claims to fix all the issues and given users a whole hour to upgrade before their clients get stuck. Notice that I said "claims to" here; the source code for it hasn't been released so I have no idea whether he actually did what he's claiming to have done.

Quote from: RealSolid
SolidCoin v2.02 has been released. This is a mandatory release, you will be unable to move past block 91500 without it.

It is advised you redownload the chain so that it prunes away all the orphans from the recent "spam", you do this by going to the solidcoin2 data directory and deleting blk0001.dat and blkindex.dat . Then you start SolidCoin and it will download the chain again. The chain size (blk0001.dat) should be under 50MB.

New features include :-

*) Trust blocks now signed completely so they cannot be altered by anyone except trust block creator
*) Trust blocks now have tighter checks, such as only one out on generates.
*) Startup speed improvements
*) Block stalling improved, especially during initial download
*) Reorg limits put in place, no client will accept a reorg greater than 5 now
*) Block acceptance limits put in place to reduce orphans adding to blockchain size
*) Check on maximum payments to CPF
*) Maximum block size reduced to 200KB from 1000KB

Also, remember what I said in my previous post?
Quote
So in theory not even using the trust nodes to completely shut down Solidcoin would be enough to stop someone from exploiting this to rewrite history. ...

That's a thought actually. If the new version breaks backwards compatibility and some nodes don't upgrade on time it'd require a lot less hashpower to attack those nodes than it normally would.
Apparently it did with not very much time for people to upgrade. If any nodes are still running 2.01 as released an attacker has until they upgrade to build a deep enough history rewrite and double-spend their coins. If they're running RealSolid's non-public upgrade to 2.01 the same may be true depending on what exactly he changed in the upgrade and what happens at 2.02.

wannaBhacker
December 02, 2011, 04:00:29 PM
 #12

Quote
SC's still around!?

ha ha ha

Don't know how but it is. Oh king, what shall your users do now? I thought you made a coin more secure than bitcoin. Ooops, guess not.
Gabi
December 02, 2011, 05:40:30 PM
 #13

lol scamcoin

coblee
Creator of Litecoin. Cryptocurrency enthusiast.
December 02, 2011, 11:10:23 PM
 #14

Quote from: RealSolid
SolidCoin v2.02 has been released. This is a mandatory release, you will be unable to move past block 91500 without it.

This is the central control that doomed SC 2.0 the moment it was launched.

One hour notice for a mandatory binary-only update. Really?!?

RealSolid constantly attacks Bitcoin saying that businesses will never accept them because of a possible 51% attack. Does he really think businesses will accept solidcoins when he keeps pulling this kind of crap? They would have to upgrade with an hour notice to a binary that could contain trojans. And there's no recourse. No source code to check and compile themselves. If they don't upgrade, they can no longer transact in solidcoins. Awesome.


Ahimoth
December 02, 2011, 11:46:35 PM
 #15

Actually source was posted to github within a couple hours of binary release. Admittedly, it was short notice. However, in this situation I think it was prudent to issue a mandatory release as soon as possible.
CoinHunter
December 02, 2011, 11:50:56 PM
 #16

Quote
One hour notice for a mandatory binary-only update. Really?!?

RealSolid constantly attacks Bitcoin saying that businesses will never accept them because of a possible 51% attack. Does he really think businesses will accept solidcoins when he keeps pulling this kind of crap? They would have to upgrade with an hour notice to a binary that could contain trojans. And there's no recourse. No source code to check and compile themselves. If they don't upgrade, they can no longer transact in solidcoins. Awesome.

Coblee I think the difference is people expect SolidCoin to be secure so we work to always achieve that. If the network is slow for a few hours so be it, better that than being attacked. When you have a new code base, new solutions to problems, there are going to be issues that need working out, SolidCoin is still young and we don't have that many businesses yet which are affected by these things. Something like this if we were the size of bitcoin would be unacceptable I would agree with that.

As usual though you're ignorant about many things SolidCoin, source was released not long after the binaries. Unlike perhaps Litecoin, people don't need to worry about Trojans with SolidCoin, only one person makes the binaries and we have done so for nearly 6 months without any issues, we have a history of being safe.

Try SolidCoin or talk with other SolidCoin supporters here SolidCoin Forums
coblee
December 03, 2011, 12:06:43 AM
 #17

Quote
As usual though you're ignorant about many things SolidCoin, source was released not long after the binaries. Unlike perhaps Litecoin, people don't need to worry about Trojans with SolidCoin, only one person makes the binaries and we have done so for nearly 6 months without any issues, we have a history of being safe.

LOL. You sound like Bernard Madoff.

Starlightbreaker
December 03, 2011, 12:15:10 AM
 #18



Quote
Coblee I think the difference is people expect SolidCoin to be secure so we work to always achieve that.
always remember one thing.

"assumptions is the mother of fuck-ups"

CoinHunter
December 03, 2011, 12:20:00 AM
 #19

Quote
Six months, wow your time keeper is off so let me refresh your memory.

SC1 launched on August 21st died on September 10th
SC2 launched October 10th died the instant it was released.

SC1 lived 29 days, SC2 isn't two months old yet.

Where do you get six months?

Thanks, we should promote you to SolidCoin PR, you want that role? You know so much about us :)

There were private betas before SC1 was launched and of course during our downtime. It's not quite 6 months but nearing on it.

coblee
December 03, 2011, 12:26:17 AM
 #20

Quote
As usual though you're ignorant about many things SolidCoin

Such condescending attitude. Seems like you are also ignorant about many things SolidCoin.

Btw, Litecoin has a track record of 2 years of trojan free releases. Take that! We were in private beta for almost 2 years.
