Technical analysis of the EliteCoin heist

[ocminer]

Hey guys,

since nobody is replying in the Thread concerning my questions, I'm starting a new thread here.

Usually I'm checking coins b4 adding them to suprnova, at least i'm doing some preliminary checks (no virus, "bad" code, no code where the first block is like 500.000 coins while the coinsupply is only 50.000 .. etc). I tried to do that on Elite too, but the "usual" places where moved into other files, so I skipped it and since I saw other "big" pools on it I did not think anything bad as they're also supposed to do checks, don't they ? (no, i will not do that again, don't worry )

However, the next morning I saw coinsupply tripled and on bittrex coins were dumped for about 20 BTC which made me look again and its weird..

I've set up an Block Explorer on a old machine as I could not find any online (its hell slow, please bear with me ):
http://blocks.suprnova.cc:2750/

The source is here:
https://github.com/dimecoinco/elitecoin (thx to rikkejohn)

The first block pays out 20.000 to one address:
http://blocks.suprnova.cc:2750/block/00000ef54a645ff81b0d06b5fa10c2e0c4cbfd1af6448cc8747978fae96e6722

But this 20.000 payout is not reflected in the money supply, can someone point me to the place in the code where this is surpressed ?

When we take a closer look at some suspicious blocks, you see this address again:
http://blocks.suprnova.cc:2750/address/dMFkHRK1WRFVQLBvozBeKYAWfaAFQUsy1y

Especially Block 3448 and 4338 (which straaaange numbers ) pay 20.000 AGAIN to the dev's address  .. The source is ALSO the dev's address so this is basically a double spent (or a double generation?):

http://blocks.suprnova.cc:2750/block/000000000025fe115ebd4ca762e1525c9889b3b9dbff29c6bb3c685bf953323a

(I dont know why 1000 coins go to the other address)

At block 4338 these coins get moved (probably to bittrex or so):
http://blocks.suprnova.cc:2750/address/dLvQf3686DgCPZBuHCixK9DBi8CMoeHCDe


Anyone got an idea how actually that worked ?


For that double generation/spend you usually also need a decent pool with large hashrate for this...


Thx !


PS: Oh and stop that shit and fud about bittrex please, you cannot blame the cardealer when you let your car repair by some strange workshop and then your brakes do not work - the only mistake they made - they did add it even though there was no block explorer available, which I hope they won't in the future..

[Shadow_Runner]

I think this coin is dead. I personally have 5 ELITE mined from launch and I think dead coin may be dead.
I know people loose money on it, but nothing gonna happen, if community takes over then it will die very slowly, but no one gonna refund their loss.

[prix]

PS: Oh and stop that shit and fud about bittrex please, you cannot blame the cardealer when you let your car repair by some strange workshop and then your brakes do not work - the only mistake they made - they did add it even though there was no block explorer available, which I hope they won't in the future..

Difficult for them to automatically check for a premine? It only takes about 10 seconds.

[yellowduck2]

U think he will check he think you will check end up nobody check.

[ocminer]

PS: Oh and stop that shit and fud about bittrex please, you cannot blame the cardealer when you let your car repair by some strange workshop and then your brakes do not work - the only mistake they made - they did add it even though there was no block explorer available, which I hope they won't in the future..

Difficult for them to automatically check for a premine? It only takes about 10 seconds.

Not without Explorer

[ocminer]

U think he will check he think you will check end up nobody check.

Yup..  I have learned that too

[yellowduck2]

At least this is a good scam. Developer thought it thoroughly to avoid early detection. Not many scam put much effort into scamming. The laziest scam is IPO ICO. Don't even need to launch coin. People fall for it and this will not be the last coin. I hope we can see some real innovation in scamming. I always love a good scam.

[cryptoangel]

Happens all the time, I told bittrex to check the source code before adding new coins and there reply including there henchmen was. ' it's not our job to check'

The also mentioned that the time involved would mean less coins listed.

[Rage19420]

I think this coin is dead. I personally have 5 ELITE mined from launch and I think dead coin may be dead.
I know people loose money on it, but nothing gonna happen, if community takes over then it will die very slowly, but no one gonna refund their loss.

Market is still open on bittrex and price is going up, and people are still happy trading it.

Makes no sense whatsoever.  

[cassius69]

quit supporting new shitcoins and the problem is solved.

[paradigmflux]

this same type of obfuscation wasn't being done only on elitecoin, let's help find where the code was concealing the coins and then figure out which other shitcoins are shitcoins

[yellowduck2]

quit supporting new shitcoins and the problem is solved.

Not going to happen. Unless....

[sr.machado]

nice job ocminer!

[prix]

PS: Oh and stop that shit and fud about bittrex please, you cannot blame the cardealer when you let your car repair by some strange workshop and then your brakes do not work - the only mistake they made - they did add it even though there was no block explorer available, which I hope they won't in the future..

Difficult for them to automatically check for a premine? It only takes about 10 seconds.

Not without Explorer

They can develop a universal explorer for all coins which support standart bitcoin rpc-methods.
I have simple one, but it's very raw and running from IDE. 250 lines of code, 2-3 hours.
Any developer is not difficult to create it.

If anybody have first version of the wallet i can check it. Maybe the developer applied for something non standard to hide premine.

[ocminer]

PS: Oh and stop that shit and fud about bittrex please, you cannot blame the cardealer when you let your car repair by some strange workshop and then your brakes do not work - the only mistake they made - they did add it even though there was no block explorer available, which I hope they won't in the future..

Difficult for them to automatically check for a premine? It only takes about 10 seconds.

Not without Explorer

They can develop a universal explorer for all coins which support standart bitcoin rpc-methods.
I have simple one, but it's very raw and running from IDE. 250 lines of code, 2-3 hours.
Any developer is not difficult to create it.

If anybody have first version of the wallet i can check it. Maybe the developer applied for something non standard to hide premine.

No, I had no problem importing the Blockchain into a "normal" Abe explorer..

As told already, they made the mistake to not check the coin via explorer, hopefully they won't do it again, but i would not accuse them of scam all the time, there are also a ton of legit coins traded @ bittrex... so calm down... I've also lost some satoshis here as I was mining too.

Back to Topic:

this same type of obfuscation wasn't being done only on elitecoin, let's help find where the code was concealing the coins and then figure out which other shitcoins are shitcoins

Its VERY important to find the "bad" parts of the code so I can add them to my regular expressions when searching for bad code to stop adding such coins to (my) pools... 

[czvezda]

Hey guys,

since nobody is replying in the Thread concerning my questions, I'm starting a new thread here.

Usually I'm checking coins b4 adding them to suprnova, at least i'm doing some preliminary checks (no virus, "bad" code, no code where the first block is like 500.000 coins while the coinsupply is only 50.000 .. etc). I tried to do that on Elite too, but the "usual" places where moved into other files, so I skipped it and since I saw other "big" pools on it I did not think anything bad as they're also supposed to do checks, don't they ? (no, i will not do that again, don't worry )

However, the next morning I saw coinsupply tripled and on bittrex coins were dumped for about 20 BTC which made me look again and its weird..

I've set up an Block Explorer on a old machine as I could not find any online (its hell slow, please bear with me ):
http://blocks.suprnova.cc:2750/

The source is here:
https://github.com/dimecoinco/elitecoin (thx to rikkejohn)

The first block pays out 20.000 to one address:
http://blocks.suprnova.cc:2750/block/00000ef54a645ff81b0d06b5fa10c2e0c4cbfd1af6448cc8747978fae96e6722

But this 20.000 payout is not reflected in the money supply, can someone point me to the place in the code where this is surpressed ?

When we take a closer look at some suspicious blocks, you see this address again:
http://blocks.suprnova.cc:2750/address/dMFkHRK1WRFVQLBvozBeKYAWfaAFQUsy1y

Especially Block 3448 and 4338 (which straaaange numbers ) pay 20.000 AGAIN to the dev's address  .. The source is ALSO the dev's address so this is basically a double spent (or a double generation?):

http://blocks.suprnova.cc:2750/block/000000000025fe115ebd4ca762e1525c9889b3b9dbff29c6bb3c685bf953323a

(I dont know why 1000 coins go to the other address)

At block 4338 these coins get moved (probably to bittrex or so):
http://blocks.suprnova.cc:2750/address/dLvQf3686DgCPZBuHCixK9DBi8CMoeHCDe


Anyone got an idea how actually that worked ?


For that double generation/spend you usually also need a decent pool with large hashrate for this...


Thx !


PS: Oh and stop that shit and fud about bittrex please, you cannot blame the cardealer when you let your car repair by some strange workshop and then your brakes do not work - the only mistake they made - they did add it even though there was no block explorer available, which I hope they won't in the future..

Thanks for setting up the block explorer.
I did some analysis on my own. I don't think that 3448 involved double spending, it was just 1k transfer to another address, one can see 20k out and 19k in to the same premine address
In block 1 premine happened because of this:
https://github.com/dimecoinco/elitecoin/blob/394f19b04a49bf79368c29b7a3b617999f95acb5/src/main.cpp#L1567
i.e. for block 1 checking of coinbase reward was skipped so the dev could mine anything.  
Regarding moneysupply, the "dev" first defined the variable ly:
https://github.com/dimecoinco/elitecoin/blob/394f19b04a49bf79368c29b7a3b617999f95acb5/src/rpcwallet.cpp#L47
and then subtracted it from the actual money supply:
https://github.com/dimecoinco/elitecoin/blob/394f19b04a49bf79368c29b7a3b617999f95acb5/src/rpcwallet.cpp#L94

[ocminer]

Hey guys,

since nobody is replying in the Thread concerning my questions, I'm starting a new thread here.

Usually I'm checking coins b4 adding them to suprnova, at least i'm doing some preliminary checks (no virus, "bad" code, no code where the first block is like 500.000 coins while the coinsupply is only 50.000 .. etc). I tried to do that on Elite too, but the "usual" places where moved into other files, so I skipped it and since I saw other "big" pools on it I did not think anything bad as they're also supposed to do checks, don't they ? (no, i will not do that again, don't worry )

However, the next morning I saw coinsupply tripled and on bittrex coins were dumped for about 20 BTC which made me look again and its weird..

I've set up an Block Explorer on a old machine as I could not find any online (its hell slow, please bear with me ):
http://blocks.suprnova.cc:2750/

The source is here:
https://github.com/dimecoinco/elitecoin (thx to rikkejohn)

The first block pays out 20.000 to one address:
http://blocks.suprnova.cc:2750/block/00000ef54a645ff81b0d06b5fa10c2e0c4cbfd1af6448cc8747978fae96e6722

But this 20.000 payout is not reflected in the money supply, can someone point me to the place in the code where this is surpressed ?

When we take a closer look at some suspicious blocks, you see this address again:
http://blocks.suprnova.cc:2750/address/dMFkHRK1WRFVQLBvozBeKYAWfaAFQUsy1y

Especially Block 3448 and 4338 (which straaaange numbers ) pay 20.000 AGAIN to the dev's address  .. The source is ALSO the dev's address so this is basically a double spent (or a double generation?):

http://blocks.suprnova.cc:2750/block/000000000025fe115ebd4ca762e1525c9889b3b9dbff29c6bb3c685bf953323a

(I dont know why 1000 coins go to the other address)

At block 4338 these coins get moved (probably to bittrex or so):
http://blocks.suprnova.cc:2750/address/dLvQf3686DgCPZBuHCixK9DBi8CMoeHCDe


Anyone got an idea how actually that worked ?


For that double generation/spend you usually also need a decent pool with large hashrate for this...


Thx !


PS: Oh and stop that shit and fud about bittrex please, you cannot blame the cardealer when you let your car repair by some strange workshop and then your brakes do not work - the only mistake they made - they did add it even though there was no block explorer available, which I hope they won't in the future..

Thanks for setting up the block explorer.
I did some analysis on my own. I don't think that 3448 involved double spending, it was just 1k transfer to another address, one can see 20k out and 19k in to the same premine address
In block 1 premine happened because of this:
https://github.com/dimecoinco/elitecoin/blob/394f19b04a49bf79368c29b7a3b617999f95acb5/src/main.cpp#L1567
i.e. for block 1 checking of coinbase reward was skipped so the dev could mine anything.  
Regarding moneysupply, the "dev" first defined the variable ly:
https://github.com/dimecoinco/elitecoin/blob/394f19b04a49bf79368c29b7a3b617999f95acb5/src/rpcwallet.cpp#L47
and then subtracted it from the actual money supply:
https://github.com/dimecoinco/elitecoin/blob/394f19b04a49bf79368c29b7a3b617999f95acb5/src/rpcwallet.cpp#L94

Wow thanks czveda ! You made my day, I totally overlooked that "ly" variable there.. I saw that +1 at the block height and already thought that no checks were performed for block 1 but I missed "ly" totally.

Thank you very much, that explains it pretty much !

[robhimself]

Pretty interesting post, something to look out for when speculating on new altcoins.

[czvezda]

Wow thanks czveda ! You made my day, I totally overlooked that "ly" variable there.. I saw that +1 at the block height and already thought that no checks were performed for block 1 but I missed "ly" totally.

Thank you very much, that explains it pretty much !

np. I was looking at it last night and couldn't figure out initially, it is so easy to misread that "ly" variable. I am not sure that the dev would be caught if he named that variable differently, I doubt that anyone was checking moneysupply function and its output before the dump happened. 

[cassius69]

Pretty interesting post, something to look out for when speculating on new altcoins.

dont do it! there is a strong possibility that the coin is being launched by a group of criminals who keeps doing the same crime.