Regarding Auroracoin TW exploit (Fix included)

[MatthewLM]

How is this exploitable as a fork attack exactly? The "exploited" chain allows for more blocks at lower difficulty, but the same amount of work goes into those blocks, so even though you have more blocks, you have less work and thus the chain shouldn't be regarded as the main chain by the software. Can anyone explain why this is wrong?

Of-course miners could deliberately try to push the difficulty down and decrease the time between blocks, increasing inflation of coins and the blockchain. Maybe some existing attacks could be made worse by this issue, but not critically so.

Please explain why I'm wrong if anyone can.

[Prominence]

Shall we keep calling it KGW or should we call the updated version: KGW+?

[forzendiablo]

we should call it BCX+ !

[Jilixi]

Should have kept the exploit to himself and only ask people if they want to help kill off some coins. Would benefit everyone in crypto not having to see 20 coins come out each day...

Blackcoin multipool is one way to dump on other coins, exploits like this should be used as well, on as many coins as possible...

[Omnivion]

How is this exploitable as a fork attack exactly? The "exploited" chain allows for more blocks at lower difficulty, but the same amount of work goes into those blocks, so even though you have more blocks, you have less work and thus the chain shouldn't be regarded as the main chain by the software. Can anyone explain why this is wrong?

Of-course miners could deliberately try to push the difficulty down and decrease the time between blocks, increasing inflation of coins and the blockchain. Maybe some existing attacks could be made worse by this issue, but not critically so.

Please explain why I'm wrong if anyone can.

I believe the main chain is the one which is longest, rather than which has the highest sum of work or difficulty.  I'm sure someone can correct me if this is mistaken.

[romang]

This coin is a total waste.

[Cryddit]

Honestly I believe that the proof-of-work is better measured without regard to the difficulty level.

The way difficulty works, you might need some particular number of  leading zeros to make a block.  If the number is thirty, approximately one in a million hashes actually are capable of making a block.  But regardless of what you need to make a block, every hash that *actually has* thirty-one leading zeros is evidence of approximately two million hashes being done, every hash that *actually has* thirty-two leading zeros is evidence of approximately four million hashes having been done, every hash that *actually has* thirty-three leading zeros is evidence of approximately eight million hashes having been done, and so on.

I'm just saying that you can compare like with like in terms of estimating block difficulty.  Pick a target that definitely would have formed a block, regardless of the time, regardless of which branch -- corresponding to the highest of any difficulty for either branch during the time in question, and count the number of blocks with a hash below that target.  Whichever chain has the most such blocks is, as best anyone can tell, the chain that's had the most hashes done in support of it, regardless of where the difficulty level for the chain was set at the time or how many total blocks are in that chain.

[CartmanSPC]

So however asshole you are BCX, you are an asshole in a good way, thank you!

Please I work hard to be a regular asshole, don't paint me in a good light.
~BCX~

I confirm that BCX is an asshole.

It's good to see BCX still around and kicking....and living up to his namesake. Maybe it's me who hasn't been around as much (just now finding out about this) but I miss the days where he would wreak havoc on a regular basis

In the end it's beneficial IMO.

[Nite69]

How is this exploitable as a fork attack exactly? The "exploited" chain allows for more blocks at lower difficulty, but the same amount of work goes into those blocks, so even though you have more blocks, you have less work and thus the chain shouldn't be regarded as the main chain by the software. Can anyone explain why this is wrong?

Of-course miners could deliberately try to push the difficulty down and decrease the time between blocks, increasing inflation of coins and the blockchain. Maybe some existing attacks could be made worse by this issue, but not critically so.

Please explain why I'm wrong if anyone can.

I believe the main chain is the one which is longest, rather than which has the highest sum of work or difficulty.  I'm sure someone can correct me if this is mistaken.

I think saying the 'longest' chain is the valid chain is a misnomer.  Longest implies a length or a count, but if I am not mistaken, the valid chain is the one with the greatest proof-of-work.  In other words, the sum of the difficulty from each block in the chain.  A quick search brings up this link (http://bitcoin.stackexchange.com/questions/17837/longer-fake-block-chain-with-valid-transactions) which suggests what I have just said.

If we think back to science class, it was taught that work was equal to the product of force and distance.  For example, a 100 force by 5 distance results in 500 work, and a 10 force by 50 distance results in 500 work.  Both examples result in the same amount of work being accomplished, but they have arrived at that result from different paths.  This would be comparative to the main Auroracoin chain and BCX's attack chain.  The main chain was solving less blocks at a higher difficulty (the first example), while BCX was solving significantly more blocks at a lower difficulty (the second example).  Eventually, if given enough hashing power and time, BCX would have caught up with the main chain in amount of work done.  

As always, I could be wrong, and point out any mistakes I have made if I am wrong.

WTF? If that is true, then all this hassle is just bullshit. BCX would never have succeeded. Well, there is some source code where to check this.
Also, if it is so, it means all the other alt coins should be safe also.

Edit: As allways, I could have been wrong and you may just have pointed out mistake I have done.. Embarrassing Why didn't point this out earlier?

[Dabs]

WTF? If that is true, then all this hassle is just bullshit. BCX would never have succeeded. Well, there is some source code where to check this.
Also, if it is so, it means all the other alt coins should be safe also.

Is that a challenge? Would you like to find out? You can't be too careful when dealing with money.

I've never lost important files but I always back up and do a check restore on them every now and then. Don't wait for any kind of possible attack to succeed, prevent it from even becoming an issue.

[markm]

How is this exploitable as a fork attack exactly? The "exploited" chain allows for more blocks at lower difficulty, but the same amount of work goes into those blocks, so even though you have more blocks, you have less work and thus the chain shouldn't be regarded as the main chain by the software. Can anyone explain why this is wrong?

Of-course miners could deliberately try to push the difficulty down and decrease the time between blocks, increasing inflation of coins and the blockchain. Maybe some existing attacks could be made worse by this issue, but not critically so.

Please explain why I'm wrong if anyone can.

I believe the main chain is the one which is longest, rather than which has the highest sum of work or difficulty.  I'm sure someone can correct me if this is mistaken.

I think saying the 'longest' chain is the valid chain is a misnomer.  Longest implies a length or a count, but if I am not mistaken, the valid chain is the one with the greatest proof-of-work.  In other words, the sum of the difficulty from each block in the chain.  A quick search brings up this link (http://bitcoin.stackexchange.com/questions/17837/longer-fake-block-chain-with-valid-transactions) which suggests what I have just said.

If we think back to science class, it was taught that work was equal to the product of force and distance.  For example, a 100 force by 5 distance results in 500 work, and a 10 force by 50 distance results in 500 work.  Both examples result in the same amount of work being accomplished, but they have arrived at that result from different paths.  This would be comparative to the main Auroracoin chain and BCX's attack chain.  The main chain was solving less blocks at a higher difficulty (the first example), while BCX was solving significantly more blocks at a lower difficulty (the second example).  Eventually, if given enough hashing power and time, BCX would have caught up with the main chain in amount of work done.  

As always, I could be wrong, and point out any mistakes I have made if I am wrong.

WTF? If that is true, then all this hassle is just bullshit. BCX would never have succeeded. Well, there is some source code where to check this.
Also, if it is so, it means all the other alt coins should be safe also.

Edit: As allways, I could have been wrong and you may just have pointed out mistake I have done.. Embarrassing Why didn't point this out earlier?

Haven't you people been following along? It seems not.

Low difficulty means more chance any one hash gets a block so gets into the blockchain so counts when adding up work.

The higher the difficulty the less chance any one hash happens to get a block so less of the hashes done get into the blockchain to count as work.

So with lots of low difficulty blocks more of the hashes done to get them got into the chain to count as work so the more of the work done to make that chain gets counted when adding up height/length of the chain (the total work). This might also be part of why faster block chains achieve more security in less time; more confirmations (blocks) in the same amount of time is likely to be more actual work counted due to more of the work (hashes) done actually managing to make it into the blockchain.

-MarkM-

[YarkoL]

As always, I could be wrong, and point out any mistakes I have made if I am wrong.

I think that is the correct explanation.
The attack chain has individual blocks of low difficulty, but because it's longer, it has higher sum of difficulty.

Or as the discoverer of this exploit wrote:

That's the whole point, the current network will happily accept chain-of-massive-number-of-low-diff-blocks over chain-of-less-harder-blocks as long as the sum of difficulty of the first is higher and it follows the "rules set in stone" (no invalid tx, generation amount <= calculated amount, difficulty == getNextDifficulty(prevblock), block nTime > median of prev 11 blocks, block nTime can't be more than 2 h in the future, ...).

ArtForz also noted that any asymmetrical algorithm will be vulnerable. Because KGW is designed to deal with multipool problems and abrupt jumps in difficulty that are caused by fast increases in hashrate, it makes increasing diff harder than decreasing it. Because of that, attacker can get a lot of lower difficulty blocks at the cost of few larger difficulty blocks when he jumps back and forth in time.

[Klacik]

This coin is a total waste.

just like your post..

[Nite69]

As always, I could be wrong, and point out any mistakes I have made if I am wrong.

I think that is the correct explanation.
The attack chain has individual blocks of low difficulty, but because it's longer, it has higher sum of difficulty.

Or as the discoverer of this exploit wrote:

That's the whole point, the current network will happily accept chain-of-massive-number-of-low-diff-blocks over chain-of-less-harder-blocks as long as the sum of difficulty of the first is higher and it follows the "rules set in stone" (no invalid tx, generation amount <= calculated amount, difficulty == getNextDifficulty(prevblock), block nTime > median of prev 11 blocks, block nTime can't be more than 2 h in the future, ...).

ArtForz also noted that any asymmetrical algorithm will be vulnerable. Because KGW is designed to deal with multipool problems and abrupt jumps in difficulty that are caused by fast increases in hashrate, it makes increasing diff harder than decreasing it. Because of that, attacker can get a lot of lower difficulty blocks at the cost of few larger difficulty blocks when he jumps back and forth in time.

Hmm.. ok.. so in the end there really is a attack vector (however not so easy I have been thinking)? But that means summing the difficulty is a wrong way to measure the height of a blockchain. There should be a way (some algorithm) to assure a certain blockchain has been done with more work than the other, regardless of are they done with lots of low diff blocks or a few high diff blocks.

It should be possible to count the total amount of needed hashes calculated to generate a certain blockchain. And that should quite explicitely tell which blockchain really has been generated with most work.

Before I chitchat more bullshit, I guess I have to make some homework and familiarize myself more with the source.. and what block difficulty really relates to.

That's nice link to ArtForz comments. I have been wondering the same; does it need to be symmetric to protect the chain better? I think it is somehow weaker, if it is not, but that's not as big 'hole' than what other issues cause.

And, with symmetric algorithm and one block retarget, you have the problem not being able to calulate with zero or negative timespans. Truly symmetric would approach infinite difficulty when time difference approaches zero.

[ghur]

Yes per our agreement I will pull back the exploit and allow a fix.
I am most definitely a person of my word. The conditions that solve for a solution have been met.

Why does Nite69 say "allow" a fix?

As explained by Nite69 I am gaining on the chain with a current running KGW TW. In order to prevent me from gaining and over taking the current AUR blockchain AUR needs 25X my mining power at a minimum, something the miners have proven they have little interest in doing. As such, it is just a matter of time before the TW catches up and is in full implementation.

In order to deploy the "fix" a new client will need to be released and another hard fork implemented. If the TW exploit isn't pulled back before the hard fork, it will instantly catch up at the next hard fork due to diff swings and be in full full implementation. So either way I win, fix it or don't fix it.

Nite69 is very correct, I have no real desire to destroy AUR as initially I was only going to run a test for a few hundred blocks. The concesion by the AUR development is sufficient for me. Understand this is enabled by KGW and was not a vulnerability till KGW was implemented. All coins that deploy KGW are vulnerable.


~BCX~

So, there still isn't a new Auroracoin release, nor has the fix shown up on git...

When can we expect the fireworks?

[Zulandio]

I still question if it didn't go something like this. IRS says coins are now considered personal property. Destroying a coin intentionally is destroying someone's personal property. Destroying thousands of dollars worth of property and your a felon and going to prison. OP Shit coin doesn't look like a really good idea anymore. Better not destroy shit coins... 

This of course is just a conspiracy theory and not based on any facts.

[ghur]

I still question if it didn't go something like this. IRS says coins are now considered personal property. Destroying a coin intentionally is destroying someone's personal property. Destroying thousands of dollars worth of property and your a felon and going to prison. OP Shit coin doesn't look like a really good idea anymore. Better not destroy shit coins... 

This of course is just a conspiracy theory and not based on any facts.

Yeah.. good luck with that. That's not how it works.

[MatthewLM]

Hmm.. ok.. so in the end there really is a attack vector (however not so easy I have been thinking)? But that means summing the difficulty is a wrong way to measure the height of a blockchain. There should be a way (some algorithm) to assure a certain blockchain has been done with more work than the other, regardless of are they done with lots of low diff blocks or a few high diff blocks.

It should be possible to count the total amount of needed hashes calculated to generate a certain blockchain. And that should quite explicitely tell which blockchain really has been generated with most work.

The main chain is calculated by total work done already. If it wasn't, this would actually open a vulnerability in Bitcoin. Unless you can trick the software into calculating more work at a lower difficulty I do not see how this is a critical issue. No one has explains why my logic is wrong yet. It's not critical that coins update KGW. The best any coin can do to increase security is to have a higher and well distributed hashrate.

[sonysasankan]

I still question if it didn't go something like this. IRS says coins are now considered personal property. Destroying a coin intentionally is destroying someone's personal property. Destroying thousands of dollars worth of property and your a felon and going to prison. OP Shit coin doesn't look like a really good idea anymore. Better not destroy shit coins... 

This of course is just a conspiracy theory and not based on any facts.

Yeah.. good luck with that. That's not how it works.

LOL.... some people just don't get how decentralization works

[ghostlander]

That's the whole point, the current network will happily accept chain-of-massive-number-of-low-diff-blocks over chain-of-less-harder-blocks as long as the sum of difficulty of the first is higher and it follows the "rules set in stone" (no invalid tx, generation amount <= calculated amount, difficulty == getNextDifficulty(prevblock), block nTime > median of prev 11 blocks, block nTime can't be more than 2 h in the future, ...).

ArtForz also noted that any asymmetrical algorithm will be vulnerable. Because KGW is designed to deal with multipool problems and abrupt jumps in difficulty that are caused by fast increases in hashrate, it makes increasing diff harder than decreasing it. Because of that, attacker can get a lot of lower difficulty blocks at the cost of few larger difficulty blocks when he jumps back and forth in time.

Hmm.. ok.. so in the end there really is a attack vector (however not so easy I have been thinking)? But that means summing the difficulty is a wrong way to measure the height of a blockchain. There should be a way (some algorithm) to assure a certain blockchain has been done with more work than the other, regardless of are they done with lots of low diff blocks or a few high diff blocks.

It should be possible to count the total amount of needed hashes calculated to generate a certain blockchain. And that should quite explicitely tell which blockchain really has been generated with most work.

Before I chitchat more bullshit, I guess I have to make some homework and familiarize myself more with the source.. and what block difficulty really relates to.

That's nice link to ArtForz comments. I have been wondering the same; does it need to be symmetric to protect the chain better? I think it is somehow weaker, if it is not, but that's not as big 'hole' than what other issues cause.

In order to succeed, an attacker needs to put more hash power into his chain than the other miners can supply. Their pools may be DDoS'ed or they may just autoswitch to a more profitable coin. There are also checkpoints, either hard coded or synchronised. No matter how much cumulative difficulty or trust score you have on a forked chain, it always fails against a checkpoint. KGW is just an overcomplicated solution with no difficulty limiting. This is what needs to be fixed actually.

And, with symmetric algorithm and one block retarget, you have the problem not being able to calulate with zero or negative timespans. Truly symmetric would approach infinite difficulty when time difference approaches zero.

A long averaging window can be used even for every block retargets. There are no zero or negative time spans.