Regarding Auroracoin TW exploit (Fix included)

[Nite69]

It is April Fools day today, but this is no april fool trick. I believe BCX stands behind his words, even on April Fools day.

The exploit BCX has found in KGW implememtation is real and, I believe, he is most likely attacking with the exploit just now. However, we have also found a fix to it which will close the case. BCX has confirmed that the fix, when effective, will prevent using the exploit.

Since we are in a kind of stalemate we have agreed to settle down. Continuing this battle is worthless and would only cause harm to all participants. The fix is not yet effective and it is quite likely much damage would be caused if attack would get to the end. Also we all have achieved what we were after; BCX has made his point clear and the coin will be fixed. From the beginning, no one, not even BCX has wanted to destroy the coin.

BCX, do you agree? Is this an agreement?

EDIT: Here is the fix, feel free to update your coins. just change the hard fork block number

Code:

diff --git a/src/main.cpp b/src/main.cpp
index fd881d1..7687d3a 100644
--- a/src/main.cpp
+++ b/src/main.cpp
@@ -886,7 +886,7 @@ unsigned int static GravityWell(const CBlockIndex* pindexLast, const CBlock *pbl
        double                          EventHorizonDeviationSlow;
       
     if (BlockLastSolved == NULL || BlockLastSolved->nHeight == 0 || (uint64)BlockLastSolved->nHeight < PastBlocksMin) { return bnProofOfWorkLimit.GetCompact
-       
+       int64 LatestBlockTime = BlockLastSolved->GetBlockTime();
        for (unsigned int i = 1; BlockReading && BlockReading->nHeight > 0; i++) {
                if (PastBlocksMax > 0 && i > PastBlocksMax) { break; }
                PastBlocksMass++;
@@ -895,10 +895,14 @@ unsigned int static GravityWell(const CBlockIndex* pindexLast, const CBlock *pbl
                else            { PastDifficultyAverage = ((CBigNum().SetCompact(BlockReading->nBits) - PastDifficultyAveragePrev) / i) + PastDifficultyAvera
                PastDifficultyAveragePrev = PastDifficultyAverage;
               
-               PastRateActualSeconds                   = BlockLastSolved->GetBlockTime() - BlockReading->GetBlockTime();
+               if (LatestBlockTime < BlockReading->GetBlockTime()) {
+                       if (BlockReading->nHeight > XXXXX) // HARD Fork block number
+                               LatestBlockTime = BlockReading->GetBlockTime();
+               }
+               PastRateActualSeconds                   = LatestBlockTime - BlockReading->GetBlockTime();
                PastRateTargetSeconds                   = TargetBlocksSpacingSeconds * PastBlocksMass;
                PastRateAdjustmentRatio                 = double(1);
-               if (PastRateActualSeconds < 0) { PastRateActualSeconds = 0; }
+               if (BlockReading->nHeight > XXXXX) { // HARD Fork block number
+                       if (PastRateActualSeconds < 1) { PastRateActualSeconds = 1; }
+               } else {
+                       if (PastRateActualSeconds < 0) { PastRateActualSeconds = 0; }
+               }
                if (PastRateActualSeconds != 0 && PastRateTargetSeconds != 0) {
                PastRateAdjustmentRatio                 = double(PastRateTargetSeconds) / double(PastRateActualSeconds);
                }

Edit2: small modification for the fix
Edit3: added a missing an opening curly bracket, ty Cannacoin!

[1714280694]

1714280694

[1714280694]

1714280694

[1714280694]

1714280694

[lphelps]

why is this even fucking being discussed in such detail over AUR?!? What is it with AUR that is attracting so much attention on whether or not it will be hacked and crashed?!?

I see no other discussions about this regarding other alt-coins.

It's almost as if because of the nature of AUR, there are certain individuals that are hellbent in destroying it before it gains any kind of popularity.

Just leave it the fuck alone and let it die on it's own if it's a scam. Why the hell is there a concerted effort in trying to make it crash and burn???

[illodin]

Every coin that uses KGW should apply the fix as well asap right?

Any idea if digishield or dgw (version2) are susceptible to the same exploit?

[balduro]

Every coin that uses KGW should apply the fix as well asap right?

Any idea if digishield or dgw (version2) are susceptible to the same exploit?

Every coin using 1 block retargeting should take note. BCX has correctly identified an attack vector that an attacker (like himself) with enough resources could exploit. We will indeed have to make appropriate changes in light of this.

[Nite69]

Every coin that uses KGW should apply the fix as well asap right?

Yes, I think so.

Any idea if digishield or dgw (version2) are susceptible to the same exploit?

Have not yet dig too deeply on it, but:
Digishield: not the same, but possibly similar. KGW counts a lot of blocks to calculate adjustment, digishield only one, so it quite different. In KGW, attacker can 'jump over' the block in the future, which is not possible with only 1 block. Not yet sure, but there might be another TW exploit: Can you generate 2 blocks with dT less than 2xtarget so difficulty won't rise? If you generate block with dT 0, you get diff +25%, if I calculated correctly. next question: can you generate a block with -25% difficulty with less than 2*timespan? I think you get only -12.5% with 2 blocks time, so this hole is not open :-). But not sure if there are others.
 Edit: this is dogecoin digishiel, don't know others..

DGW: possibly, quick peek reveals no fix, but it might be there, have to make deeper look at it to be sure.

[markm]

A particularly cute aspect of the attack is that it seems the higher the difficulty of the legitimate blockchain the more leverage (effective multiplying of hash power) the attacker enjoys.

That is not to say that a higher difficulty blockchain is easier to attack, necessarily, but merely that the fraction of the main chain's hashpower the attacker needs seems likely to shrink as the difficulty of the main chain grows.

Just how much the attack can lower the effective difficulty the attacker can enjoy would also effect this ratio though. If the attacker cannot keep the difficulty on their attack chain really really low they would not get as much advantage as they could if they could keep it minimised/minimal.

The advantage seems to be due to the chance of a hash being lucky enough to get into the blockchain.

The attacker makes more blocks, of lower difficulty, than the main chain.

The lower difficulty means each hash has a higher chance of getting a block thus getting into the chain thus counting toward the total "work" of the chain.

The higher the difficulty of the main chain blocks, the less chance any particular individual hash anyone does on it will get a block thus get into the chain, so less of the hashes it does count as "work" for purposes of checking which chain has the most "work".

-MarkM-

[ElMariachi]

Yes per our agreement I will pull back the exploit and allow a fix.

Respect.

[WompRat]

Yeah, congratulations to all on settling this with a bit of maturity and dignity.  It is a little bit of an anti climax though - maybe we can have a poll on who to hate on next. 

[markm]

Great.

So back to "why single out Aurora?"

Are there any other chains using that gravity well that enough people actually care about and/or have as many innocents standing to be scammed as in the case of Aurora?

Aurora seems like a good choice for this object-lesson since the innocent citizens of Iceland were involved.

All the other coins that use the gravity well and similarly vulnerable difficulty-adjustments might have been more deserving of being trashed, and less deserving of getting to see some other coin serve as the object-lesson, but hey, how many of them will even actually bother with the fix, maybe having already dumped their pre-mine and moved on to create more scams?

-MarkM-

[gadado]

Yes per our agreement I will pull back the exploit and allow a fix.

As explained by Nite69 I am gaining on the chain with a current running KGW TW.

If the TW exploit isn't pulled back before the hard fork, it will instantly catch up at the next hard fork due to diff swings and be in full full implementation. So either way I win, fix it or don't fix it.

So after month of  posting we end up seeing absolut nothing from you?

Don't get me wrong.. I don't judge what you planed to do.. I don't care... ( although I am  a BIG AUR bag holder since 1 or 2 days: I mined 0.5 AUR hurray!! )

No..but I would like to see a proof of your chain or something in any way or form because I want to know if it was indeed technical possible and not theoretical nature only and I want to see if you had the skills to do so. You talked a bit too selfconfident toward the end to really still believe it's more than just you talking.

[markm]

Yes per our agreement I will pull back the exploit and allow a fix.

As explained by Nite69 I am gaining on the chain with a current running KGW TW.

If the TW exploit isn't pulled back before the hard fork, it will instantly catch up at the next hard fork due to diff swings and be in full full implementation. So either way I win, fix it or don't fix it.

So after month of  posting we end up seeing absolut nothing from you?

Don't get me wrong.. I don't judge what you planed to do.. I don't care... ( although I am  a BIG AUR bag holder since 1 or 2 days: I mined 0.5 AUR hurray!! )

No..but I would like to see a proof of your chain or something in any way or form because I want to know if it was indeed technical possible and not theoretical nature only and I want to see if you had the skills to do so. You talked a bit too selfconfident toward the end to really still believe it's more than just you talking.

Well hopefully some coin that still uses the gravity well and still has a pathetically feeble hashrate will be discovered so that a demonstration of a successful attack can still be done...

Can anyone suggest any worthy candidates?

-MarkM-

[LTEX]

Yes per our agreement I will pull back the exploit and allow a fix.
I am most definitely a person of my word. The conditions that solve for a solution have been met.

Why does Nite69 say "allow" a fix?

As explained by Nite69 I am gaining on the chain with a current running KGW TW. In order to prevent me from gaining and over taking the current AUR blockchain AUR needs 25X my mining power at a minimum, something the miners have proven they have little interest in doing. As such, it is just a matter of time before the TW catches up and is in full implementation.

In order to deploy the "fix" a new client will need to be released and another hard fork implemented. If the TW exploit isn't pulled back before the hard fork, it will instantly catch up at the next hard fork due to diff swings and be in full full implementation. So either way I win, fix it or don't fix it.

Nite69 is very correct, I have no real desire to destroy AUR as initially I was only going to run a test for a few hundred blocks. The concesion by the AUR development is sufficient for me. Understand this is enabled by KGW and was not a vulnerability till KGW was implemented. All coins that deploy KGW are vulnerable.


~BCX~

In all fairness, despite all clashes we had over this, I have to acknowledge you are being sensible and mature in the end. For that I thank you!

[count_cyrpto]

Yes per our agreement I will pull back the exploit and allow a fix.

Respect.

I think a whole new crop of newbies have now been indoctrinated to the legend that is BCX. There is also an interesting correlation with success of coins that have worked with BCX on security. Litecoin and Namecoin are both here today because of BCX intervention in the their infancy. Auroracoin just turned a huge corner towards success IMHO.

The conspiracy theorist in me is saying that this was the plan all along.

In other words, Aur isn't a scam at all. This was just a way of getting the developers to fix a security flaw before "they" decided to be invested. In essence, they killed two birds with one stone (drove the price down and addressed an exploit.)

Well done. 

[gadado]

Did you read the post by Balduro, the founder and Nite69, the developer brought on by the Auroracoin Team? The exploit is live and is working or else I can assure you an agreement would not have been reached. I am satisfied with the agreement and you as an investor should be satisfied with that.

Of note also, it appears that Balduro is actually delivering the Air Drop as promised. I cannot 100% verify that yet and the method he used screams scam. However I am not above admitting mistakes and it is certainly appearing that Balduro has made the all time mother of implementing the right idea with the wrong execution!

More to come on this as I dig deeper.


~BCX~

I am not an investor. If I believed in Aurora I had mined it from the start.. but I thought that it is so obvious to anyone that it's a concept to make the dev rich that no one will mine or buy it. I guess I was wrong at that.

I am more into other coins and didn't read up what the Aurora dev posted.
I can check however then this are just 3 ppl for me that say it is so which has not much more value to me except there are some data and that's what I had liked to see. I am curious of such things.

[Nite69]

Yes per our agreement I will pull back the exploit and allow a fix.
I am most definitely a person of my word. The conditions that solve for a solution have been met.

Why does Nite69 say "allow" a fix?

As explained by Nite69 I am gaining on the chain with a current running KGW TW. In order to prevent me from gaining and over taking the current AUR blockchain AUR needs 25X my mining power at a minimum, something the miners have proven they have little interest in doing. As such, it is just a matter of time before the TW catches up and is in full implementation.

In order to deploy the "fix" a new client will need to be released and another hard fork implemented. If the TW exploit isn't pulled back before the hard fork, it will instantly catch up at the next hard fork due to diff swings and be in full full implementation. So either way I win, fix it or don't fix it.

Nite69 is very correct, I have no real desire to destroy AUR as initially I was only going to run a test for a few hundred blocks. The concesion by the AUR development is sufficient for me. Understand this is enabled by KGW and was not a vulnerability till KGW was implemented. All coins that deploy KGW are vulnerable.


~BCX~

BCX, in the tecnical point of view; you are perfectly right. The algorithm implementation calculating the difficulty adjustments allow you to use your hashing power to generate a competing blockchain which would win the official blockchain. There is no doubt of that.

But the technical point of view is not the only one. The foundation of all cryptocurrencies is an agreement of all nodes to follow certain rules, which ends up in the possibility to agree about the generation and transaction of the currencies. The implementation of that agreement is the algorithms behind the currency.

This is also one protetion of the coins; if majority of the nodes agrees not to choose a hostile chain, they really can do it, they can reject it, regardless of the hashing power behind it. Technically this rejection would be accomplished by publishing a checkpoint from the official chain and all nodes accepting it. I'm not sure if it would have happened on this case, but I want to believe so. If this community values the coin enought, they will also protect it against all threats.

There is also no doubt, that a succesfull attack like that would in any case cause a lot of damage. But my opinion is, it likely would not have destroyed the coin.

However, this case also emphasizes the importance of the strength of the algorithms behind the coin. Those algorithms are the agreement and they should be tested all the time. In the end, these tests only strenghten the agreements and also the coin and increase trust to it. So however asshole you are BCX, you are an asshole in a good way, thank you!

[YarkoL]

So however asshole you are BCX, you are an asshole in a good way, thank you!

There's a special term for this kind of individual.

The trickster deity breaks the rules of the gods or nature, sometimes maliciously (for example, Loki) but usually with ultimately positive effects (though the trickster's initial intentions may have been either positive or negative). Often, the bending/breaking of rules takes the form of tricks (e.g. Eris) or thievery.

[micryon]

Good stuff guys.

Glad to see the community coming together on this one..

[Bimmerhead]

Of note also, it appears that Balduro is actually delivering the Air Drop as promised. I cannot 100% verify that yet and the method he used screams scam. However I am not above admitting mistakes and it is certainly appearing that Balduro has made the all time mother of implementing the right idea with the wrong execution!

More to come on this as I dig deeper.


~BCX~

Well I didn't see that one coming.  Kudos to BCX for being the man and admitting his error.

[s4w3d0ff]

Yes per our agreement I will pull back the exploit and allow a fix.
I am most definitely a person of my word. The conditions that solve for a solution have been met.

Why does Nite69 say "allow" a fix?

As explained by Nite69 I am gaining on the chain with a current running KGW TW. In order to prevent me from gaining and over taking the current AUR blockchain AUR needs 25X my mining power at a minimum, something the miners have proven they have little interest in doing. As such, it is just a matter of time before the TW catches up and is in full implementation.

In order to deploy the "fix" a new client will need to be released and another hard fork implemented. If the TW exploit isn't pulled back before the hard fork, it will instantly catch up at the next hard fork due to diff swings and be in full full implementation. So either way I win, fix it or don't fix it.

Nite69 is very correct, I have no real desire to destroy AUR as initially I was only going to run a test for a few hundred blocks. The concesion by the AUR development is sufficient for me. Understand this is enabled by KGW and was not a vulnerability till KGW was implemented. All coins that deploy KGW are vulnerable.


~BCX~

BCX, in the tecnical point of view; you are perfectly right. The algorithm implementation calculating the difficulty adjustments allow you to use your hashing power to generate a competing blockchain which would win the official blockchain. There is no doubt of that.

But the technical point of view is not the only one. The foundation of all cryptocurrencies is an agreement of all nodes to follow certain rules, which ends up in the possibility to agree about the generation and transaction of the currencies. The implementation of that agreement is the algorithms behind the currency.

This is also one protetion of the coins; if majority of the nodes agrees not to choose a hostile chain, they really can do it, they can reject it, regardless of the hashing power behind it. Technically this rejection would be accomplished by publishing a checkpoint from the official chain and all nodes accepting it. I'm not sure if it would have happened on this case, but I want to believe so. If this community values the coin enought, they will also protect it against all threats.

There is also no doubt, that a succesfull attack like that would in any case cause a lot of damage. But my opinion is, it likely would not have destroyed the coin.

However, this case also emphasizes the importance of the strength of the algorithms behind the coin. Those algorithms are the agreement and they should be tested all the time. In the end, these tests only strenghten the agreements and also the coin and increase trust to it. So however asshole you are BCX, you are an asshole in a good way, thank you!

This has been a well known exploit ever since KGW was starting to get popular, I was lucky with my coin and was notified of this exploit early so that I could make a hasty update and stop it from happening. I am surprised that NO ONE in the AUR knew about the exploit and/or said anything until BCX implemented the TW. Even Darkcoin saw it coming and made a supposed "fix".

[CHAOSiTEC]

Yes per our agreement I will pull back the exploit and allow a fix.
I am most definitely a person of my word. The conditions that solve for a solution have been met.

Why does Nite69 say "allow" a fix?

As explained by Nite69 I am gaining on the chain with a current running KGW TW. In order to prevent me from gaining and over taking the current AUR blockchain AUR needs 25X my mining power at a minimum, something the miners have proven they have little interest in doing. As such, it is just a matter of time before the TW catches up and is in full implementation.

In order to deploy the "fix" a new client will need to be released and another hard fork implemented. If the TW exploit isn't pulled back before the hard fork, it will instantly catch up at the next hard fork due to diff swings and be in full full implementation. So either way I win, fix it or don't fix it.

Nite69 is very correct, I have no real desire to destroy AUR as initially I was only going to run a test for a few hundred blocks. The concesion by the AUR development is sufficient for me. Understand this is enabled by KGW and was not a vulnerability till KGW was implemented. All coins that deploy KGW are vulnerable.


~BCX~

BCX, in the tecnical point of view; you are perfectly right. The algorithm implementation calculating the difficulty adjustments allow you to use your hashing power to generate a competing blockchain which would win the official blockchain. There is no doubt of that.

But the technical point of view is not the only one. The foundation of all cryptocurrencies is an agreement of all nodes to follow certain rules, which ends up in the possibility to agree about the generation and transaction of the currencies. The implementation of that agreement is the algorithms behind the currency.

This is also one protetion of the coins; if majority of the nodes agrees not to choose a hostile chain, they really can do it, they can reject it, regardless of the hashing power behind it. Technically this rejection would be accomplished by publishing a checkpoint from the official chain and all nodes accepting it. I'm not sure if it would have happened on this case, but I want to believe so. If this community values the coin enought, they will also protect it against all threats.

There is also no doubt, that a succesfull attack like that would in any case cause a lot of damage. But my opinion is, it likely would not have destroyed the coin.

However, this case also emphasizes the importance of the strength of the algorithms behind the coin. Those algorithms are the agreement and they should be tested all the time. In the end, these tests only strenghten the agreements and also the coin and increase trust to it. So however asshole you are BCX, you are an asshole in a good way, thank you!

This has been a well known exploit ever since KGW was starting to get popular, I was lucky with my coin and was notified of this exploit early so that I could make a hasty update and stop it from happening. I am surprised that NO ONE in the AUR knew about the exploit and/or said anything until BCX implemented the TW. Even Darkcoin saw it coming and made a supposed "fix".

the principles or kgw was used, but the code was rewritten with new algorithms to make it react better to incoming changes regarding block generation time. also the potential attack vector of time delution was automatically fixed in what became dgw