dE_logics (OP)
July 22, 2014, 10:09:03 AM

Why have an urge to kill other people's coins. Unless the coin was built for a scam, I see no reason why anyone would want to destroy someone else's work.
There's profit in killing a popular coin with low difficulty. You can double spend.

Starlightbreaker
July 22, 2014, 05:30:56 PM Last edit: September 15, 2016, 10:42:13 AM by Starlightbreaker

Why have an urge to kill other people's coins. Unless the coin was built for a scam, I see no reason why anyone would want to destroy someone else's work.
for teh lulz.

almightyruler
July 24, 2014, 12:22:06 PM

There's a flaw in the way the Bitcoin protocol distributes objects which can be used to cause mischief with a PoS (and hybrid PoS/PoW) coin that has low PoS difficulty. I won't go into further detail, other than to say I have discussed it at length with Sunny King and for a popular coin like PPC it is unlikely to be possible, but for the quieter coins it is of more concern. I can't see any easy way to fix it.

testcoin
July 24, 2014, 02:27:49 PM

There's a flaw in the way the Bitcoin protocol distributes objects which can be used to cause mischief with a PoS (and hybrid PoS/PoW) coin that has low PoS difficulty. I won't go into further detail, other than to say I have discussed it at length with Sunny King and for a popular coin like PPC it is unlikely to be possible, but for the quieter coins it is of more concern. I can't see any easy way to fix it.
I'd be glad to know more details about this issue. Would you mind sharing some info with me, perhaps via PM if you prefer? There are so many coins with low PoS difficulty. Therefore, even if there's no easy permanent fix, we better come together to find a way to at least minimize the possible impacts that may arise.

ilostcoins
July 25, 2014, 01:19:15 AM

There's a flaw in the way the Bitcoin protocol distributes objects which can be used to cause mischief with a PoS (and hybrid PoS/PoW) coin that has low PoS difficulty. I won't go into further detail, other than to say I have discussed it at length with Sunny King and for a popular coin like PPC it is unlikely to be possible, but for the quieter coins it is of more concern. I can't see any easy way to fix it.
If trouble awaits with certain kinds of coins, it would be nice to be informed about it. Don't you think serious hackers who perform real attacks are far more likely to already know or be able to figure it out on their own than normal users/investors, and hence giving more information about it here is more likely to benefit normal users than real attackers?

almightyruler
July 25, 2014, 02:26:15 AM

There's a flaw in the way the Bitcoin protocol distributes objects which can be used to cause mischief with a PoS (and hybrid PoS/PoW) coin that has low PoS difficulty. I won't go into further detail, other than to say I have discussed it at length with Sunny King and for a popular coin like PPC it is unlikely to be possible, but for the quieter coins it is of more concern. I can't see any easy way to fix it.
If trouble awaits with certain kinds of coins, it would be nice to be informed about it. Don't you think serious hackers who perform real attacks are far more likely to already know or be able to figure it out on their own than normal users/investors, and hence giving more information about it here is more likely to benefit normal users than real attackers?
I agree with your sentiment, but in practice if there is no possible fix (or way to protect yourself) then revealing details will just accelerate the 'mischief.' As mentioned I have discussed it with Sunny King but I think he's more concerned about looking after his own coin, and PPC currently has sufficient strength for it to be an irrelevant issue. In hindsight, I probably shouldn't have posted anything at all.

Coinler
July 26, 2014, 09:15:07 PM

Since I'm not a developer nor a hacker I can't modify wallets to do such an attack, but here's the concept, which may not be right, but crackers may try.
We're going to exploit low PoS difficulty and prominently it's low for even 100% PoS coins. Like for mintcoin it's 0.243, even for popular and old coins like PPC, the difficulty is 10.
First let me explain the significance of difficulty in PoS, which is very much similar to difficulty in PoW. But don't assume low PoS difficulty means higher rate of returns. Each block gives the miner variable rewards depending on the current difficulty which predicts the probability of the coins to mint a PoS block. A low difficulty means the coins will easily be able to mint PoS blocks, since the number of PoS blocks generated by coins are frequent, the block reward will drop cause the interest rate is capped. In other words, when difficulty is low, the coins will have to wait less to generate a block reward, i.e. the coin will have less age so the block reward will be low. Similarly if the difficulty is high the block reward will increase cause the probability of the coins to make a PoS block will be less, so PoS blocks generated by the coins will be less but the interest rate has to be maintained at 20%; so to compensate for the lower block rate, the block reward will increase.
In PoS, when a node receives a number of coins all in 1 transaction (call this transaction X and the no. of coins in the transaction as A), all of these coins will be used to mine a block. The more the no. of coins in X, the higher the chance of hitting a block. The older transaction X goes the higher the chance of hitting a block. For coins which were received in another transaction (apart from X, call this transaction Z) but to the same address will try to mine a block separately from Z; the wallet will use Y along with X independently to mine blocks.
Suppose the probability of mining a block for X is within x days, after mining, the coin age renews to 0, making it ineligible to mine a block till it's old enough to mine blocks again.
We're going to compare the set of coins X which were received within a single transaction to a no. of transactions the size of each being 1 coin, but the no. of transactions is such that it results in A no. of coins (i.e. A no. of transactions). This means for each of these coins, the wallet will try to generate a block using them separately. Let's call this set of coins Y.
The probability of one coin to generate a block is x/A (since X has A no. of coins); for all of A no. of coins used together, the probability to generate a block is (x/A)*A = x. So Y has the same probability to generate a block as compared to X. Once a block has been mined, the age of the single coin used to mine a block becomes 0 and it becomes ineligible for mining, but all other coins are still eligible for mining. Now the probability of Y to generate another block is (x/A)*(A-1) which is almost x (call this changing value y, i.e. y is the current mining power of Y after a no. of coins' age has been reduced to 0). Depending on the size of A, this value of y will almost be the same as x for (x/A)*(A-1), (x/A)*(A-2), (x/A)*(A-3)... (x/A)*(A-100). The larger the value of A, the closer is the mining power to x as a single coin will be less significant for a large value of A.
So Y has a lot more power to generate blocks as compared to X with the same no. of coins. The attacker with possession of Y can wait for an attack till the coins become older which yields better probability of blocks.
In a 51% attack, you need exactly that. You try to fork the block chain and try to make the forked chain longer than the main chain and once that happens all valid transactions in those chains will be lost (double spending). So when it comes to hashing power, PoS is more vulnerable than PoW.
It's a fallacy that you need most of the coins in a PoS coin to attack it; it all depends on the difficulty. You can do an attack even if you have less than 1% of the coins. It's all on the difficulty.
If you do a mindless criticism (criticizing me without any reason or calling the whole text gibberish without stating a reason), realize that it's clear that you own a huge stake in a 100% PoS crypto and are planning to dump it at a pump which this article may reduce the probability of (if it is true).
If you don't believe me, very well. I got no issues, but I'm always open for constructive discussion. As for attackers, they may try this and succeed while you believe this is a lie.
just seeking clarification here. but would this "theoretical exploit" still apply if a coin had a low inflation? such as 1-5%? meaning.. not 100%POS?

dE_logics (OP)
August 01, 2014, 12:55:04 PM

There's a flaw in the way the Bitcoin protocol distributes objects which can be used to cause mischief with a PoS (and hybrid PoS/PoW) coin that has low PoS difficulty. I won't go into further detail, other than to say I have discussed it at length with Sunny King and for a popular coin like PPC it is unlikely to be possible, but for the quieter coins it is of more concern. I can't see any easy way to fix it.
If trouble awaits with certain kinds of coins, it would be nice to be informed about it. Don't you think serious hackers who perform real attacks are far more likely to already know or be able to figure it out on their own than normal users/investors, and hence giving more information about it here is more likely to benefit normal users than real attackers?
There are hardly any successful PoS coins. Especially the ones which have been mined. There's more profit in finding vulnerabilities in Microsoft software and selling/exploiting them for botnets.

dE_logics (OP)
August 01, 2014, 12:56:11 PM

just seeking clarification here. but would this "theoretical exploit" still apply if a coin had a low inflation? such as 1-5%? meaning.. not 100%POS?
Yes, but to a limited extent. The more the PoS block, the more insecurity will be added.

djm34
August 01, 2014, 01:16:14 PM

you don't need to kill PoS coins, they die on their own...

danbi
August 08, 2014, 09:50:46 AM

For 0.01 TX fee, the attack will be made just 1% more expensive.
So it doesn't matter.
It does matter. The 0.01 PPC tx fee will dramatically limit your attack power. You have to pay 0.01PPC tx fee for each smaller unit of PPC when you divide each PPC into smaller unit of PPC, so you can't divide one PPC into unlimited smaller unit of PPC.
That comes out as 1% overhead. 0.01/1*100 = 1%. You can't stake mine with balance under 1 coin, so that's the minimum you need to split.
You can't assume the minimum would be adequate. You may need to subdivide into millions of separate transactions to provide enough leverage for this to work. And then whether it will work depends on the specific implementation of proof of stake you're talking about.
Assume? It's the reality. In PPcoin (and in most PoS cryptos), you're not eligible for PoS mining if the coin's quantity is less than 1. The attacker may use 2 even, but there's no point in doing that.
Do you have code references to support this claim?
It is amazing how little people know about the PoS mechanics of ppcoin and descendants. It is true that some coins are very poorly configured, but let me give you an example and ask you to re-play your attack logic there.
The current version of Diamond has a minimum stake time of 7 days and a maximum stake time of 30 days. It also has a combine threshold of 100. What those numbers mean is this:
1. Your DMD can't stake while younger than 7 days.
2. If your DMD happens to stake between 7 and 30 days (because of sheer luck, or because of too much coin age), it will be subject to splitting. The amount plus reward will be split in two almost equal pieces.
3. If your DMD happens to stake when it is older than 30 days - for example, you kept your wallet locked for way too long, or the amounts are too small they can't be lucky enough -- then the amount is not split. Instead, the combining routine is invoked. What it does is find other DMD amounts older than 30 days, and combine them all until they all are not over the combine threshold (100) in this case. Then all these amounts stake together and create one new amount of around 100 DMD + reward.
Now, say you have 10,000 amounts of 1 DMD which you let age enough and you hope could help you create such an attack. Tough luck... If they are all aged over 30 days, when they start to stake, each of the stakes will group 100 of them into one amount. You will end up with 100 stake events, instead of 10,000 as you had hoped. Caveat emptor.
Are you still convinced this "attack" could succeed? If you want something like this to succeed, you need big piles of coins, large number of them, sitting with PoS disabled for a very long time, in order to be able to execute an attack like this. Which brings us back to the original PoS claims... more or less.
To PoS coin developers/maintainers: You guys should look at this line in your code:
int64 nCombineThreshold = GetProofOfWorkReward(GetLastBlockIndex(pindexBest, false)->nBits) / 3;
This thing is usually improper. You are confused by the "do not touch this, we invented it right" comments around it, but in fact, what it does is limit the combine threshold to 1/3 of your PoW reward. You disabled PoW, perhaps, or reduced its reward too much? The nCombineThreshold sets the upper limit of how big a pile of coins PoS will create for older coins. You want this to work! Mostly because the endless splitting that is done by PoS otherwise will create too small coin piles to stake often. Using Coin Control for this task is pretty much pathetic -- it is already built in your PoS code, use it.
You might want to thank me, or not ;-)
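
The split and combine rules described in the post above, as a simplified C++ model (an added example, not code from the post or from any coin's source). It assumes every eligible output finds a kernel once and ignores rewards; the COIN unit, the helper names and the 1-coin PoW reward used for the reward/3 case are constructed for illustration.

```cpp
// Added example: simplified model of the stake split/combine rules as the
// post describes them. Not taken from any coin's source code.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

static const int64_t COIN = 1000000;  // assumption: base units per coin

struct StakeParams {
    int minAgeDays;            // younger outputs cannot stake
    int maxAgeDays;            // older outputs are combined instead of split
    int64_t combineThreshold;  // largest pile the combiner builds, base units
};

struct Output {
    int64_t value;  // base units
    int ageDays;
};

struct StakeResult {
    int stakeEvents;           // coinstake transactions produced
    std::size_t outputsAfter;  // outputs left in the wallet
};

// Same shape as the line quoted in the post: threshold = PoW reward / 3.
int64_t thresholdFromPowReward(int64_t powReward) { return powReward / 3; }

// Values from the post's Diamond example.
const StakeParams AS_POSTED = {7, 30, 100 * COIN};
// Constructed misconfiguration: PoW reward cut to 1 coin, threshold follows.
const StakeParams TINY_POW = {7, 30, thresholdFromPowReward(1 * COIN)};

std::vector<Output> uniformWallet(std::size_t n, int64_t value, int ageDays) {
    return std::vector<Output>(n, Output{value, ageDays});
}

// Let every eligible output stake once. Rewards are ignored and each eligible
// output is assumed to find a kernel, which is the best case for the holder.
StakeResult stakeAllOnce(const std::vector<Output>& wallet, const StakeParams& p) {
    std::vector<Output> after;  // wallet contents once staking is done
    std::vector<Output> aged;   // outputs past maxAgeDays, handled by the combiner
    StakeResult r = {0, 0};
    for (const Output& o : wallet) {
        if (o.ageDays < p.minAgeDays) {
            after.push_back(o);  // too young, left untouched
        } else if (o.ageDays <= p.maxAgeDays) {
            // stakes on its own, then splits into two almost equal pieces
            after.push_back(Output{o.value / 2, 0});
            after.push_back(Output{o.value - o.value / 2, 0});
            ++r.stakeEvents;
        } else {
            aged.push_back(o);
        }
    }
    std::size_t i = 0;
    while (i < aged.size()) {
        int64_t pile = aged[i++].value;  // the output that found the kernel
        // pull in further aged outputs while the pile stays within the threshold
        while (i < aged.size() && pile + aged[i].value <= p.combineThreshold)
            pile += aged[i++].value;
        after.push_back(Output{pile, 0});  // one coinstake, age reset
        ++r.stakeEvents;
    }
    r.outputsAfter = after.size();
    return r;
}

int main() {
    std::vector<Output> w = uniformWallet(10000, 1 * COIN, 45);  // constructed wallet
    StakeResult a = stakeAllOnce(w, AS_POSTED);
    StakeResult b = stakeAllOnce(w, TINY_POW);
    std::printf("threshold 100 coins: %d stake events, %zu outputs\n", a.stakeEvents, a.outputsAfter);
    std::printf("threshold reward/3:  %d stake events, %zu outputs\n", b.stakeEvents, b.outputsAfter);
    return 0;
}
```

With the threshold at 100 coins the 10,000 aged outputs collapse into 100 stake events; with the threshold derived from a 1-coin PoW reward nothing is combined and all 10,000 stake separately.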

dE_logics (OP)
August 08, 2014, 05:18:37 PM

I would only like to answer the other half of your post -- the others being too rudimentary to answer (please ponder on your own). The coin control you're talking about can be easily disabled. It doesn't break the protocol and there's no way to know if the stake was generated by a single person or not.

danbi
August 12, 2014, 03:05:06 PM

That part was not really for you.
So you have a bunch of small amounts you wish to stake. How do you manage to guess the stake modifiers to be able to create these PoS blocks in a row?
The "probability" formula in most coins is this:
int64 nTimeWeight = min((int64)nTimeTx - txPrev.nTime, (int64)nStakeMaxAge) - nStakeMinAge;
CBigNum bnCoinDayWeight = CBigNum(nValueIn) * nTimeWeight / COIN / (24 * 60 * 60);
(in some coins it's re-arranged, in some this code is refactored partially into a function -- but it is essentially the same everywhere).
This code is very easy to decipher. The time weight is the difference between the coin age, capped at nStakeMaxAge (reference 90 days) minus nStakeMinAge (reference 30 days). Of course, before doing this calculation nStakeMinAge is checked etc so it cannot become negative.
Then, with a simple calculation, you get a weight in coins*days. Given the above reference numbers, your 'staking chance' ranges between 30 and 90 coin*days for a 1 coin amount. The rest is pure luck, random numbers.
There used to be a bug in the protocol, fixed in v0.3 -- that permitted coin stake to be burned at a high pace and then, your suggestion to burn smaller amounts makes sense. But that bug has been fixed long ago.
Also, in your invention, you claim that "Each block gives the miner variable rewards depending on the current difficulty" -- which is essentially not true, at least for most PoS coins. The 'difficulty' in PoS is merely multiplied with coin*age to produce your chance to participate in PoS. The PoS reward is strictly dependent on coin*age*interest and 'difficulty' is nowhere in that calculation.
The PoS 'difficulty' is used to pace the creation of PoS blocks (too). Which essentially means, that if you ever succeed to make your too many small amounts stake in a row, you will need to be able to find good enough hashes to prove you solved the difficulty part.
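
The weight formula quoted in the post above, applied to whole wallets so that one large output can be compared with the same balance held as many small ones (an added example, not code from the post or from any coin's source). COIN = 1,000,000 base units and the helper names are assumptions; the 30-day and 90-day values are the reference numbers named in the post.

```cpp
// Added example: the coin-day weight formula quoted in the post, applied to
// whole wallets. Not code from any coin's source.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

static const int64_t COIN = 1000000;      // assumption: base units per coin
static const int64_t DAY = 24 * 60 * 60;  // seconds

struct WeightParams {
    int64_t stakeMinAge;  // seconds
    int64_t stakeMaxAge;  // seconds
};

// Reference values named in the post: 30 days minimum, 90 days maximum.
const WeightParams REFERENCE = {30 * DAY, 90 * DAY};

struct Utxo {
    int64_t value;       // base units
    int64_t ageSeconds;  // nTimeTx - txPrev.nTime in the quoted code
};

// Coin-day weight of one output. The quoted code uses CBigNum because
// value * timeWeight can overflow 64 bits; here the product is split into a
// whole-coin part and a remainder, which gives the same floor() result.
int64_t coinDayWeight(const Utxo& u, const WeightParams& p) {
    if (u.ageSeconds < p.stakeMinAge) return 0;  // min-age check comes first
    int64_t timeWeight = std::min(u.ageSeconds, p.stakeMaxAge) - p.stakeMinAge;
    int64_t coinSeconds = (u.value / COIN) * timeWeight
                        + (u.value % COIN) * timeWeight / COIN;
    return coinSeconds / DAY;  // integer division truncates, as in the original
}

// Sum of the per-output weights; each output is weighed on its own.
int64_t walletWeight(const std::vector<Utxo>& wallet, const WeightParams& p) {
    int64_t total = 0;
    for (const Utxo& u : wallet) total += coinDayWeight(u, p);
    return total;
}

// n equal outputs of the given value and age (constructed sample wallets).
std::vector<Utxo> uniformWallet(std::size_t n, int64_t value, int64_t ageSeconds) {
    return std::vector<Utxo>(n, Utxo{value, ageSeconds});
}

int main() {
    // 1000 coins held as one output versus 1000 outputs of 1 coin, 60 days old.
    long long whole = walletWeight(uniformWallet(1, 1000 * COIN, 60 * DAY), REFERENCE);
    long long split = walletWeight(uniformWallet(1000, 1 * COIN, 60 * DAY), REFERENCE);
    // 1000 coins held as 2000 half-coin outputs, one day past the minimum age.
    long long dust = walletWeight(uniformWallet(2000, COIN / 2, 31 * DAY), REFERENCE);
    std::printf("one output:   %lld coin-days\n", whole);
    std::printf("1000 outputs: %lld coin-days\n", split);
    std::printf("2000 halves:  %lld coin-days\n", dust);
    return 0;
}
```

With these inputs the split and unsplit wallets carry the same total weight at 60 days, and half-coin outputs one day past the minimum age truncate to zero.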

dE_logics (OP)
August 12, 2014, 04:03:03 PM Last edit: August 13, 2014, 05:37:38 PM by dE_logics

Then, with a simple calculation, you get a weight in coins*days. Given the above reference numbers, your 'staking chance' ranges between 30 and 90 coin*days for a 1 coin amount. The rest is pure luck, random numbers.
Yeah, see that's exactly what I said. The probability of a single coin staking is 1/x (where x is your calculated coin weight). So the probability of a million coins is 1,000,000/x. From what I understand what you say, as per your logic, a graphics card should never be able to mine any coin and a single core CPU is infinite times faster than the GPU when it comes to mining. Cause if a graphics chip has 1500 stream processors; each core will have negligible hash rate, so the probability of a core to mine a block is negligible.
In fact, by this I've uncovered another vulnerability using this calculator. As the no. of coins increases, the probability of hitting a block does not increase linearly; it decreases. So the network difficulty is lower. But if you've split your stake, the probability of staking a block will increase linearly, cause each coin has its own instance. Its stake is calculated separately. That means the network hash rate of genuine PoS miners will lower, helping the attacker more.
Also, in your invention, you claim that "Each block gives the miner variable rewards depending on the current difficulty" -- which is essentially not true, at least for most PoS coins. The 'difficulty' in PoS is merely multiplied with coin*age to produce your chance to participate in PoS. The PoS reward is strictly dependent on coin*age*interest and 'difficulty' is nowhere in that calculation.
Difficulty = coin*age
coin = Difficulty/age
PoS reward = coin*age*interest
PoS reward = Difficulty*interest
Similarly if the difficulty is high the block reward will increase cause...<snip>
As I said, rudimentary question. I'm not answering any of these rudimentary questions in the future. I'll just put a notice and link to this conversation. Please you should know high school mathematics to understand this vulnerability. And of course have some common sense (to understand what's a 51% attack in the first place).

dE_logics (OP)
August 13, 2014, 03:15:53 PM

Updated top post with new vulnerabilities.

danbi
August 14, 2014, 08:14:02 AM

Just a hint: as you further split your coins, the computational effort to search them all becomes non-trivial.
Otherwise, I will leave you to live in your fork of mathematics, high or higher and logic.