Regarding Auroracoin TW exploit (Fix included)

[Zulandio]

I still question if it didn't go something like this. IRS says coins are now considered personal property. Destroying a coin intentionally is destroying someone's personal property. Destroying thousands of dollars worth of property and your a felon and going to prison. OP Shit coin doesn't look like a really good idea anymore. Better not destroy shit coins... 

This of course is just a conspiracy theory and not based on any facts.

Yeah.. good luck with that. That's not how it works.

LOL.... some people just don't get how decentralization works

Pretty sure that's how it would work in the US. Now that it has a label of property it's like any other property and the law states personal property destruction etc. Decentralization has nothing to do with what I'm talking about. Cyber crimes are still cyber crimes anywhere you live on the planet and off it for that matter. Just like Gox has to answer to it's US customers. Crypto may be decentralized but the law is not. I could be wrong about this but so could you. Nobody really knows for sure what courts will rule. But I feel like a lawsuit or criminal charge in this area is on the horizon.

[btcdrak]

I still question if it didn't go something like this. IRS says coins are now considered personal property. Destroying a coin intentionally is destroying someone's personal property. Destroying thousands of dollars worth of property and your a felon and going to prison. OP Shit coin doesn't look like a really good idea anymore. Better not destroy shit coins... 

This of course is just a conspiracy theory and not based on any facts.

Yeah.. good luck with that. That's not how it works.

LOL.... some people just don't get how decentralization works

Pretty sure that's how it would work in the US. Now that it has a label of property it's like any other property and the law states personal property destruction etc. Decentralization has nothing to do with what I'm talking about. Cyber crimes are still cyber crimes anywhere you live on the planet and off it for that matter. Just like Gox has to answer to it's US customers. Crypto may be decentralized but the law is not. I could be wrong about this but so could you. Nobody really knows for sure what courts will rule. But I feel like a lawsuit or criminal charge in this area is on the horizon.

You are probably correct here. US, EU and UK all have laws which make it illegal to cause malicious damage to computer systems and computer networks. You can be sure, if the amounts of money involved warranted it, the police could and would probably get involved. Whether that can be applied to decentralized blockchains which actually have a "voting" mechanism to decide which chain is valid or not, would be a matter for the police to decide. It's certainly not clear cut in this case (by virtue of the fact the coins have a chain voting mechanism, proving malicious intent would be difficult I think).

That being said, I support making it hard for shitcoins to survive because frankly, it's far worse for people to release coins they have no idea how to maintain and thus endangering all their users. Not to mention all the scams that are being executed by shitcoin creators...

[defaced]

Hmm.. ok.. so in the end there really is a attack vector (however not so easy I have been thinking)? But that means summing the difficulty is a wrong way to measure the height of a blockchain. There should be a way (some algorithm) to assure a certain blockchain has been done with more work than the other, regardless of are they done with lots of low diff blocks or a few high diff blocks.

It should be possible to count the total amount of needed hashes calculated to generate a certain blockchain. And that should quite explicitely tell which blockchain really has been generated with most work.

The main chain is calculated by total work done already. If it wasn't, this would actually open a vulnerability in Bitcoin. Unless you can trick the software into calculating more work at a lower difficulty I do not see how this is a critical issue. No one has explains why my logic is wrong yet. It's not critical that coins update KGW. The best any coin can do to increase security is to have a higher and well distributed hashrate.

this

[sonysasankan]

I still question if it didn't go something like this. IRS says coins are now considered personal property. Destroying a coin intentionally is destroying someone's personal property. Destroying thousands of dollars worth of property and your a felon and going to prison. OP Shit coin doesn't look like a really good idea anymore. Better not destroy shit coins... 

This of course is just a conspiracy theory and not based on any facts.

Yeah.. good luck with that. That's not how it works.

LOL.... some people just don't get how decentralization works

Pretty sure that's how it would work in the US. Now that it has a label of property it's like any other property and the law states personal property destruction etc. Decentralization has nothing to do with what I'm talking about. Cyber crimes are still cyber crimes anywhere you live on the planet and off it for that matter. Just like Gox has to answer to it's US customers. Crypto may be decentralized but the law is not. I could be wrong about this but so could you. Nobody really knows for sure what courts will rule. But I feel like a lawsuit or criminal charge in this area is on the horizon.

You are probably correct here. US, EU and UK all have laws which make it illegal to cause malicious damage to computer systems and computer networks. You can be sure, if the amounts of money involved warranted it, the police could and would probably get involved. Whether that can be applied to decentralized blockchains which actually have a "voting" mechanism to decide which chain is valid or not, would be a matter for the police to decide. It's certainly not clear cut in this case (by virtue of the fact the coins have a chain voting mechanism, proving malicious intent would be difficult I think).

That being said, I support making it hard for shitcoins to survive because frankly, it's far worse for people to release coins they have no idea how to maintain and thus endangering all their users. Not to mention all the scams that are being executed by shitcoin creators...

For any law to take effect, there needs to be jurisdiction. If I sit in Afghanistan and access a a network of computers in US and format them, that needs to be illegal in Afghanistan for me to be charged with a crime. Moreover there needs to be a complaint, friendly ties between the two govt, and enough volume/damage to warrant an Interpol case.  I believe shooting down a shitcoin's blockchain does not fall into that category 

Then there is the anonymity and decentralization issue. Crypto addresses are not tied to a physical location or person and there is no "court order" that you hand to someone to spill the beans of sorts. No way to prove anyone did anything here, neither is there any way to prove you lost fiat money.

BCX could be Morgan Freeman sitting in a cafe looking at Batman for all you know 

[Cryddit]

Destroying a coin intentionally is destroying someone's personal property. Destroying thousands of dollars worth of property and your a felon and going to prison.

If someone owned coins that had a higher value than they were actually worth, because of misrepresentations or in spite of flaws in the implementation, and the coins have become less valuable due to a correction precipitated by the exposure of this misrepresentation or flaw, that person joins the ranks of the millions of people who owned houses whose value was artificially inflated due to misrepresentations during the mortgage meltdown.  When the misrepresentations were exposed, the market corrected and the houses became less valuable.  Sucks to be them, but they're not getting that money back.

To blame BCX here here is the equivalent of blaming the people who exposed the fraud for the lost value of the homes.  It isn't their fault the mortgages were fraudulent.  And it isn't BCX's fault that somebody was misrepresenting a blockchain they hadn't secured as trustworthy.  Sucks to be the bagholder, but you were the victim of fraud, not vandalism, and if anybody deserves to go to jail, it's the people who made the fraudulent claims in the first place. 

Heck, if you consider anyone who destroys the value of coins, through an otherwise legal action, to be a criminal, you might as well try to prosecute the IRS for declaring that cryptocurrencies are property and subject to capital gains taxes. I predict you wouldn't get very far with that either.

[dE_logics]

Ok, this DOES sound like an April fool's joke. The patch does not apply.

Code:

patching file src/main.cpp
Hunk #1 FAILED at 886.
patch: **** malformed patch at line 31: +

[ghostlander]

The main chain is calculated by total work done already. If it wasn't, this would actually open a vulnerability in Bitcoin. Unless you can trick the software into calculating more work at a lower difficulty I do not see how this is a critical issue. No one has explains why my logic is wrong yet. It's not critical that coins update KGW. The best any coin can do to increase security is to have a higher and well distributed hashrate.

this

What is to prevent me from creating a chain of greater proof-of-work comprised of lower difficulty blocks?  If I'm following protocol, nothing.  I more than likely don't need anywhere close to a majority of the hashing power since I am manipulating time.

Time warps can decrease or increase difficulty, but they cannot make you more hash power than you have actually. You still need 50%+ of the network hash rate.

[MatthewLM]

Yes, the blockchain work has nothing to do with time. I still don't think this is an exploit and it's annoying because many exchanges have bought into it and are asking everyone to upgrade needlessly.

[ghur]

Time warps can decrease or increase difficulty, but they cannot make you more hash power than you have actually. You still need 50%+ of the network hash rate.

No, the point of the time warp attack is that you don't need more than 50% of the network hashrate to execute the attack.
With that much hashing power you can always attack the chain, regardless of how the coin adjusts difficulty.

[btcdrak]

Yes, the blockchain work has nothing to do with time. I still don't think this is an exploit and it's annoying because many exchanges have bought into it and are asking everyone to upgrade needlessly.

If you can drive the difficulty down you can generate a longer chain regardless of the power of the rest of the network. You could do this in isolation and then rejoin the main network and force a reorg. The exploit is very serious and if you pull it off, you can wreak havoc. Checkpoints wont help since you can rinse and repeat over and over and that much disruption to the network is simply a game over for the coin.

[Nite69]

Now some puzzle for all you: What is a tricky hole this one fixes? Well I could be wrong, maybe this is just my imagination, but I think there was a funny attack vector. Please confirm or bust! (BCX, this is a special challenge for you!):

Code:

-               if (PastRateActualSeconds < 0) { PastRateActualSeconds = 0; }
+               if (BlockReading->nHeight > XXXXX) // HARD Fork block number
+                       if (PastRateActualSeconds < 1) { PastRateActualSeconds = 1; }
+               } else {
+                       if (PastRateActualSeconds < 0) { PastRateActualSeconds = 0; }
+               }

[MatthewLM]

The main chain is not selected by "the longer chain". This is a myth which has been around for a long time. It is completely false. The main chain is selected by the amount of calculated work in the chain. You can produce loads of low difficulty blocks, but the total work will be stochastically (probabilistically) related to the total number of hashes done. You still need to do more work, meaning you need majority hashpower to catch up, whatever the difficulty is.

People need to understand this before going around shouting that there is an exploit with KGW that allows for blockchain forks. There is no need for pandemonium.

If there is a real exploit please explain how it works. No one has explained a real exploit yet.

[MatthewLM]

51% attacks exist with or without KGW. You can't say KGW introduces a new attack if it makes an existing attack worse. Though I fail to see how it makes a 51% attack easier to perform.

[ghostlander]

Time warps can decrease or increase difficulty, but they cannot make you more hash power than you have actually. You still need 50%+ of the network hash rate.

No, the point of the time warp attack is that you don't need more than 50% of the network hashrate to execute the attack.
With that much hashing power you can always attack the chain, regardless of how the coin adjusts difficulty.

It seems the original point of time warp attack as explained by ArtForz over 2 years ago has been missed by you. No matter how you play this game, you have to follow the rules and cumulative difficulty is one of them. You can mine at a lower difficulty or even attempt to double spend, but you still need to catch up with the original chain. It's up to your skills how to do that. In fact, time warps have never been a real problem for Bitcoin or Litecoin even though the latter addressed one of the issues in their code. This trouble is for those new "fast" coins and their developers who hardly understand what they're doing. Finally, ability to execute an attack doesn't imply ability to benefit from it.

[Lamarth]

Nite69, I think you're fixing a difficulty freeze hole - it's possible to spike difficulty up to an unlimited value if you have the following pattern
Block time A
Block time B (much larger than A)
... Many Blocks with time < B ...
Block time B + dx

Difficulty is raised by a factor of (found blocks * target time per block / dx). Now you need 70(ish) blocks in the middle, not sure how far forward you can stick a time stamp, but you don't need to be the source of those 72 blocks. e.g. you could predict when a multipool was about to hit and then try to set your attack block B. Finally, you close with the B + dx, a microsecond (or less) after B, and can start trying at any time after there are enough in the middle.

I'd like a difficulty 21 billion times higher, kkthx. Although, I'd say you're only limiting it to 21,000 times higher, or 73 days for the next block, if such an attack is performed, so I'm not convinced if this is what you were going for after all.

[coinoisgreat]

Yes, the blockchain work has nothing to do with time. I still don't think this is an exploit and it's annoying because many exchanges have bought into it and are asking everyone to upgrade needlessly.

Would you like to back that statement up and offer your coin as a sacrificial lamb?


~BCX~

where is the evidence that you even attacked aur. it seems most these people here don't agree with you so i think most of our coins are probably safe.

[coinoisgreat]

Yes, the blockchain work has nothing to do with time. I still don't think this is an exploit and it's annoying because many exchanges have bought into it and are asking everyone to upgrade needlessly.

Would you like to back that statement up and offer your coin as a sacrificial lamb?


~BCX~

where is the evidence that you even attacked aur. it seems most these people here don't agree with you so i think most of our coins are probably safe.

I see you hide behind a new registered account today with a single post while making that "bold" statement. Shows real confidence doesn't it.

All you and your fellow "devs" are whining about is that you paid someone to create a basic shitcoin clone and lack the technical ability to update it LOL

Maybe I really do need to kill a few to convince the masses.

Since you're so sure it's not possible, don't be a wanker, volunteer your coin!


~BCX~

if i was actually in charge of a coin i would be all about it. im not though. the guy with the charity coin doesn't seem to think that the flaw is such a big deal so why should i? so far we haven't seen any evidence that anyone has the know how to attack a coin like you talk about. especially since aur is still here and you gave a "pass" to the charity guy.

[vilgem]

I looked at the diff file you proposed very thoroughly. And I must conclude that your fix is nothing more but a bullshit. The only thing your fix does - it protects PastRateActualSeconds varibale in a way that it is always >= 1 (second). Old code assumed it was always >= 0. You probably cared about PastRateAdjustmentRatio variable which is equal to 1 if PastRateActualSeconds happens to be 0. But the point is that it never happens. KGW takes at least PastBlocksMin and at most PastBlocksMax blocks into the calculation. You will never have PastRateActualSeconds == 0 except for the case if your blockchain has only one block.

[Nite69]

I looked at the diff file you proposed very thoroughly. And I must conclude that your fix is nothing more but a bullshit. The only thing your fix does - it protects PastRateActualSeconds varibale in a way that it is always >= 1 (second). Old code assumed it was always >= 0. You probably cared about PastRateAdjustmentRatio variable which is equal to 1 if PastRateActualSeconds happens to be 0. But the point is that it never happens. KGW takes at least PastBlocksMin and at most PastBlocksMax blocks into the calculation. You will never have PastRateActualSeconds == 0 except for the case if your blockchain has only one block.

You have misunderstood the fix. There are 2 fixes and the one you are referring fixes another attack vector.

The fix to usual TW attack (which BCX was planning was to use) was to use LatestBlockTime instead of BlockLastSolved->GetBlockTime() to count the timespan. Without this one can timetravel back without diff rise, with this the benefit attacker gets by travellin past is lost.

The another fix (preventing PastRateActualSeconds to go to 0) takes care of another attack vector. Here is a short explanation of the attack:
1. generate a block 2 weeks to the future. You cannot publish it, it is not on current time window.
2. Start generating blocks with the same timestamp (ie the moment 2 weeks in the future)

See what would happen: after there is PastBlocksMax blocks in the private chain, *the diff would not change* at all!

That would mean you have 2 weeks to generate blocks with 0 difficulty. With decent hashrate, you easily get 1 block in a second. In 2 weeks you get 1209600 blocks.

When that 2 weeks has passed, what would happen to the blockchain, if you suddenly publish 1209600 perfectly valid blocks? The whole network would be doing nothing but checking those 1209600 blocks... and finding nothing wrong with them. That would be the end of the coin.

You will never have PastRateActualSeconds == 0 except for the case if your blockchain has only one block.

Thats not true. You can generate blocks with the same timestamp. Or is there something that would prevent it (I have not read all the code, it might be prevented somewhere) ? If there is, then this attack vector was already closed and this part was not necessary.

EDIT: Actually, it *is* prevented somewhere else. One can generate only 5 blocks with the same timestamp. So this #2 fix is not necessary to prevent that attack vector, it is already closed elsewhere. However that means the whole if clauses are never true, ie they are itself worthless. But leaving them as they were would keep there an unecessary dependancy between the code blocks, so it is nevertheless better to change it. Also, the main fix is #1, which has been confirmed to work.

Code:

    // Check timestamp against prev
    if (GetBlockTime() <= pindexPrev->GetMedianTimePast())
        return error("AcceptBlock() : block's timestamp is too early");

[travwill]

USDe has updated its KGW code to close the potential exploit gaps - thanks to users in this discussion for assistance in the solution.