delete

[drawingthesun]

he may have sent the PM to multiple people...

Correct. Everyone calm down. I am not even 100% sure if the developers haven't already thought of it and have mitigation already in place.

Relax while we work through it. I doubt it will take a long time.

Why bother selling the exploit if you could use it whilst having a short position in Monero?

Or better yet, prove it and steal all the funds, you'll likely make off with far more than 100 bitcoin before the exchanges shut down.

[Hotmetal]

he may have sent the PM to multiple people...

Correct. Everyone calm down. I am not even 100% sure if the developers haven't already thought of it and have mitigation already in place.

Relax while we work through it. I doubt it will take a long time.

Why bother selling the exploit if you could use it whilst having a short position in Monero?

Or better yet, prove it and steal all the funds, you'll likely make off with far more than 100 bitcoin before the exchanges shut down.

Yea right.. And what happens next, fork and rewind back to before the exploit takes place. Fix and /giggle.

[bobbyb]

he may have sent the PM to multiple people...

Correct. Everyone calm down. I am not even 100% sure if the developers haven't already thought of it and have mitigation already in place.

Relax while we work through it. I doubt it will take a long time.

Why bother selling the exploit if you could use it whilst having a short position in Monero?

Or better yet, prove it and steal all the funds, you'll likely make off with far more than 100 bitcoin before the exchanges shut down.

Maybe he doesnt have the resources to use this exploit.

[drawingthesun]

he may have sent the PM to multiple people...

Correct. Everyone calm down. I am not even 100% sure if the developers haven't already thought of it and have mitigation already in place.

Relax while we work through it. I doubt it will take a long time.

Why bother selling the exploit if you could use it whilst having a short position in Monero?

Or better yet, prove it and steal all the funds, you'll likely make off with far more than 100 bitcoin before the exchanges shut down.

Yea right.. And what happens next, fork and rewind back to before the exploit takes place. Fix and /giggle.

Well why does it matter to Anonymint? If he is willing to sell to the highest bidder, then he doesn't care about what happens to Monero.

If there is a flaw, I'd rather know now before putting even more money into Monero.

[drawingthesun]

Maybe he doesnt have the resources to use this exploit.

This is the only legitimate reason that explains why Anonymint needs to sell the exploit to make money, so this indicates that the attack could involve the aggressor having a decent chunk of the total network hashrate.

Note: A decent chunk could be as low as 20%.

[Hotmetal]

Well why does it matter to Anonymint? If he is willing to sell to the highest bidder, then he doesn't care about what happens to Monero.

If there is a flaw, I'd rather know now before putting even more money into Monero.

Well. I can understand why you would want to know but if you're holding onto your XMR in the event that its fake then that is your gamble.
Everyone has had two confirmations of (multiple) flaws. Consider that your BIG notification. Anything crying that happens from here on goes to /dev/null.

When the music stops and you're left without a chair, there's always a different game you can try.

If you're wanting to play this safe: Sell your CN, wait till all this crap is over and then start again. At least that way you're left with BTC with enough buying power to (almost) start where you left off.

[TheFascistMind]

First, I just had the epiphany a few hours ago and I have been multitasking on other things too as you can see by my post history today.

So I could be incorrect, or the developers may have thought of it long ago and already put mitigation in place. So please don't jump to conclusions. I don't want to end up looking like a fool.

It appears to me that what I found can be mitigated to retain anonymity while protecting the wallets, so that makes me wonder whether I found BCX's exploit or not. But the mitigation might be onerous, I and or CN devs will need to spend more analysis time on this.

I don't have the resources to exploit it. And the exploit takes some time to develop. So don't expect anyone attacking any time soon.

My expectation is it is not as big an issue as BCX is saying. If I am correct, we can probably get this wrapped up very soon and continue forward.

I don't think a run on the coin's price would be justified at this time.

I probably did the wrong thing and should have only announced my discovery to the developers, so it could be vetted privately first. But my first reaction was how to short because if a coin killer I could earn a lot more. As I realized there is probably mitigation and also as I realized that to short I would be borrowing from the longs who are deep pocketed, that I couldn't win a shorting battle unless it was a fight to the finish and I have no desire to fight with my friend Risto nor the other developers I would like to work with in the future.

So the wisest action is to sell my insight to them if I am correct. Let them work on mitigation.

Again I could be wrong or making a mountain out of a molehill, and I doubt this is a coin killer. So just relax while I await what CN devs will offer me for my insight.

At least hopefully we can get some closure soon on the BCX exploit.

Edit: I might have enough resources for a part of it but not if it requires a Time Warp attack to double-spend the private keys found, but it would risk too much of the operating capital I need. And my expectations of future profit over the next 6 months are in the 10,000 BTC range, so why should I waste my time on this. I am doing this because of the thrill of finding it. I just want to be compensated something reasonable.

[drawingthesun]

Well why does it matter to Anonymint? If he is willing to sell to the highest bidder, then he doesn't care about what happens to Monero.

If there is a flaw, I'd rather know now before putting even more money into Monero.

Well. I can understand why you would want to know but if you're holding onto your XMR in the event that its fake then that is your gamble.
Everyone has had two confirmations of (multiple) flaws. Consider that your BIG notification. Anything crying that happens from here on goes to /dev/null.

When the music stops and you're left without a chair, there's always a different game you can try.

If you're wanting to play this safe: Sell your CN, wait till all this crap is over and then start again. At least that way you're left with BTC with enough buying power to (almost) start where you left off.

I am only aware of the corrupt block attack that was handled in the most professional manner by the Monero core team.

Also, I am quite comfortable with all my investments and I am not going to sell because of what seems to be FUD. I see no confirmation of major exploits anywhere on this forum.

If I sell some now, I doubt I'll ever be able to buy at this price again, Monero is a strong coin and it's movements most likely will trend upwards. I feel we are now entering the time where most people will start to see the constant FUD for what it seems to be, and that is an attack from all angles. (with the exception of anonymint, he doesn't FUD, but I don't think he has the exploit)

I feel that with each wave of attack and FUD, Monero pulls through stronger and stronger, the corrupt block attack actually worked in our favour, as it was a proving point.

[drawingthesun]

First, I just had the epiphany a few hours ago and I have been multitasking on other things too as you can see by my post history today.

So I could be incorrect, or the developers may have thought of it long ago and already put mitigation in place. So please don't jump to conclusions. I don't want to end up looking like a fool.

It appears to me that what I found can be mitigated to retain anonymity while protecting the wallets, so that makes me wonder whether I found BCX's exploit or not. But the mitigation might be onerous, I and or CN devs will need to spend more analysis time on this.

I don't have the resources to exploit it. And the exploit takes some time to develop. So don't expect anyone attacking any time soon.

My expectation is it is not as big an issue as BCX is saying. If I am correct, we can probably get this wrapped up very soon and continue forward.

I don't think a run on the coin's price would be justified at this time.

I probably did the wrong thing and should have only announced my discovery to the developers, so it could be vetted privately first. But my first reaction was how to short because if a coin killer I could earn a lot more. As I realized there is probably mitigation and also as I realized that to short I would be borrowing from the longs who are deep pocketed, that I couldn't win a shorting battle unless it was a fight to the finish and I have no desire to fight with my friend Risto nor the other developers I would like to work with in the future.

So the wisest action is to sell my insight to them if I am correct. Let them work on mitigation.

Again I could be wrong or making a mountain out of a molehill, and I doubt this is a coin killer. So just relax while I await what CN devs will offer me for my insight.

At least hopefully we can get some closure soon on the BCX exploit.

Thanks for this post Anonymint, you seem to be one of the most reasonable people on this forum, and certainly far more reasonable than I am at times.

Let's see where this goes.

[Oscilson]

he may have sent the PM to multiple people...

Correct. Everyone calm down. I am not even 100% sure if the developers haven't already thought of it and have mitigation already in place.

Relax while we work through it. I doubt it will take a long time.

So we are going to have a mandatory update?

[TheFascistMind]

Nobody is reply to my PMs to confirm they will pay out the bounties offered.

Perhaps they are stalling because try to figure it out themselves so they don't have to pay me anything. Sheesh. You think they wouldn't be such cheapskates and reward a person for trying to help out.

rpietila has replied now.

I want this wrapped up asap. I have other more important work to do.

[Quanttek]

First, I just had the epiphany a few hours ago and I have been multitasking on other things too as you can see by my post history today.

So I could be incorrect, or the developers may have thought of it long ago and already put mitigation in place. So please don't jump to conclusions. I don't want to end up looking like a fool.

It appears to me that what I found can be mitigated to retain anonymity while protecting the wallets, so that makes me wonder whether I found BCX's exploit or not. But the mitigation might be onerous, I and or CN devs will need to spend more analysis time on this.

I don't have the resources to exploit it. And the exploit takes some time to develop. So don't expect anyone attacking any time soon.

My expectation is it is not as big an issue as BCX is saying. If I am correct, we can probably get this wrapped up very soon and continue forward.

I don't think a run on the coin's price would be justified at this time.

I probably did the wrong thing and should have only announced my discovery to the developers, so it could be vetted privately first. But my first reaction was how to short because if a coin killer I could earn a lot more. As I realized there is probably mitigation and also as I realized that to short I would be borrowing from the longs who are deep pocketed, that I couldn't win a shorting battle unless it was a fight to the finish and I have no desire to fight with my friend Risto nor the other developers I would like to work with in the future.

So the wisest action is to sell my insight to them if I am correct. Let them work on mitigation.

Again I could be wrong or making a mountain out of a molehill, and I doubt this is a coin killer. So just relax while I await what CN devs will offer me for my insight.

At least hopefully we can get some closure soon on the BCX exploit.

Edit: I might have enough resources for a part of it but not if it requires a Time Warp attack to double-spend the private keys found, but it would risk too much of the operating capital I need. And my expectations of future profit over the next 6 months are in the 10,000 BTC range, so why should I waste my time on this. I am doing this because of the thrill of finding it. I just want to be compensated something reasonable.

I hope you understand by CN devs, people who are actively developing this technology (the Monero core team and crypto_zoidberg) instead of the shady figures of the original team, who might want to use this exploit to attack XMR and BBR or investors, who invested strongly in competing coins (Brilliantrocket)

note: I am not accusing anyone participating here of malicious activities or the plan to harm anyone else

[rpietila]

Nobody is reply to my PMs to confirm they will pay out the bounties offered.

Perhaps they are stalling because try to figure it out themselves so they don't have to pay me anything. Sheesh. You think they wouldn't be such cheapskates and reward a person for trying to help out.

rpietila has replied now.

I want this wrapped up asap. I have other more important work to do.

The Monero side replied to you in 28 minutes from your sending a PM. Not bad for a decentralized team of 7 devs + me

[iCEBREAKER]

BitcoinEXpress: What is the reason for not disclosing your findings to monero devs? From what I understand you are not looking to sell anything. Why keep it to yourself?

Because attention whore, that's why.

[klee]

BitcoinEXpress: What is the reason for not disclosing your findings to monero devs? From what I understand you are not looking to sell anything. Why keep it to yourself?

Because attention whore, that's why.

Histrionic

[TheFascistMind]

Reduction of anonymity set is confirmed in BCX's exploit, so please stop bagging on BCX. He appears to be legit. I am working with smooth now on mitigation and also whether wallets can be stolen or not. That is a key question.

Appears the CN devs were already aware of some of what I pointed out, but I may have a key insight. Still trying to determine this.

Am busy right now on this. So be patient.

[tacotime]

So far the only thing we've heard talked about is a thereotical attack that we already outlined privately weeks ago and released a paper about:
http://lab.monero.cc/pubs/MRL-0001.pdf

And which we've already been actively developing a protocol to mitigate for the past month.

We're reviewing both our implementation and our theoretical framework, but we're still coming up with nothing.

[rdnkjdi]

Reduction of anonymity set is confirmed in BCX's exploit, so please stop bagging on BCX. He appears to be legit. I am working with smooth now on mitigation and also whether wallets can be stolen or not. That is a key question.

Appears the CN devs were already aware of some of what I pointed out, but I may have a key insight. Still trying to determine this.

Am busy right now on this. So be patient.

can other long term posters confirm if you are or are not anonymint?

[TheFascistMind]

TT, I am trying to determine if the Sybil amplification I outlined was in your paper or not and whether or not that elevates to a much more serious threat.

[tacotime]

TT, I am trying to determine if the Sybil amplification I outlined was in your paper or not and whether or not that elevates to a much more serious threat.

Sure,
Try my python code, which outlines a similar attacker output-saturation attack. This is a worst case scenario, in which the attacker is generating outpoints from the beginning of the chain onwards, and depends on coins not breaking onto different denominations but rather staying the same denomination. So, it's a little contrived. The success of the attacker with totally random output selection of inputs by all users becomes exponentially more difficult for the attacker the later he begins spamming outputs.

Code:

import math
import random

# cryptonote transactions
# mixin = mixin level (outputs mixed in that are not yours)
# mixedIn = outputs by index (simulates ref by hash)
#     these are stored as a list of ints.
# unrevealed = number of revealed outputs mixed in.
#     these are stored as a list of ints.
# this assumes that all outputs are of the same size
# or at least equally mixable (gmaxwell/andytoshi scheme).
class transaction():
    def __init__(self, mixin, mixedIn, unrevealed):
        self.mixin = mixin
        self.mixedIn = mixedIn
        self.unrevealed = unrevealed

    def revealAllOutputs(self):
        while len(self.unrevealed) > 0:
            self.unrevealed.pop()

    # Remove outputs that have been revealed
    def revealOutput(self, outputIndex):
        if(self.unrevealed.count(outputIndex) > 0):
            self.unrevealed.remove(outputIndex)

    # Count number of unrevealed outputs
    def unrevealedOutputs(self):
        return len(self.unrevealed)

class ledger():
    def __init__(self, 
            transactionsTotalPerTrial, 
            numberOfTrials, 
            maximumMixinTested,
            revealPercentage):
        self.transactionsTotalPerTrial = transactionsTotalPerTrial
        self.numberOfTrials = numberOfTrials
        self.mixin = mixin
        self.revealPercentage = revealPercentage
        self.ledger = []
        self.knownRevealedOutputs = []
        
        for numberOfTransactions in range (0, transactionsTotalPerTrial):
            # if there aren't enough elements to list, then
            # just mixin as many elements as possible.
            if len(self.ledger) < self.mixin+1:
                mixedIn = []
                revealed = []

                for i in range(0, len(self.ledger)):
                    mixedIn.append(i)
                    revealed.append(i)

                self.ledger.append(transaction(len(self.ledger), mixedIn, revealed))

            # otherwise, pick some random elements to mix into
            # the ring signature and make a new tx.
            else:
                mixedIn = []
                revealed = []

                for i in range(0, self.mixin):
                    randomOutput = random.randint(0, len(self.ledger)-2)

                    # can't remix existing elements, so find an
                    # output we haven't mixed yet.
                    while (mixedIn.count(randomOutput) > 0):
                        randomOutput = random.randint(0, len(self.ledger)-2)
                    
                    mixedIn.append(randomOutput)
                    revealed.append(randomOutput)
                
                self.ledger.append(transaction(mixin, mixedIn, revealed))

        # choose your outputs to reveal.
        outputsToReveal = []
        for i in range(0, int(revealPercentage * transactionsTotalPerTrial)):
            randomOutput = random.randint(mixin, transactionsTotalPerTrial-1)
            while (outputsToReveal.count(randomOutput) > 0):
                randomOutput = random.randint(mixin, transactionsTotalPerTrial-1)
            outputsToReveal.append(randomOutput)
            
        # reveal the outputs by calling the recursive recursiveReveal 
        # function.
        self.recursiveReveal(outputsToReveal)
        
    def recursiveReveal(self, outputsToReveal):
        while len(outputsToReveal) > 0:
            revealedOutput = outputsToReveal.pop()

            # reveal all outputs for this output.
            self.ledger[revealedOutput].revealAllOutputs()
        
            # if it's been mixed somewhere, remove it
            # from that list.
            for i in range(0, transactionsTotalPerTrial):
                self.ledger[i].revealOutput(revealedOutput)
                
            self.knownRevealedOutputs.append(revealedOutput)
                
        # diff the ledger and outputsToRevealOriginal to uncover any 
        # newly revealed outputs via chain reactions.
        newlyRevealedOutputCount = 0
        newlyRevealedOutputs = []
        for i in range(mixin, transactionsTotalPerTrial):
            if self.ledger[i].unrevealedOutputs() == 0:
                if self.knownRevealedOutputs.count(i) == 0:
                    newlyRevealedOutputs.append(i)
                    newlyRevealedOutputCount += 1
    
        if newlyRevealedOutputCount == 0:
            return
        else:
            self.recursiveReveal(newlyRevealedOutputs)
            
    # count the number of totally revealed outputs and return them.
    def getTotallyRevealedOutputs(self):
        totallyRevealedOutputs = 0
        for i in range(mixin, transactionsTotalPerTrial):
            if self.ledger[i].unrevealedOutputs() == 0:
                totallyRevealedOutputs += 1
        
        return totallyRevealedOutputs

def getVariance(yourList, mean):
    length = float(len(yourList))
    sum = 0.0
	
    while len(yourList) > 0:
        x = yourList.pop()
        xDiffSquared = math.pow(x - mean, 2)
        sum += xDiffSquared

    return (sum / (length - 1))

transactionsTotalPerTrial = 2000
numberOfTrials = 25
maximumMixinTested = 7
revealPercentage = 0.50

# open file to write the results to disk.
f = open("results.txt","w")

f.write("Transactions per trial: " + str(transactionsTotalPerTrial) + "\n")
f.write("Number of trials : " + str(numberOfTrials) + "\n")
f.write("Maximum mixin tested: " + str(maximumMixinTested) + "\n")
f.write("Reveal percentage: " + str(revealPercentage * 100) + "%\n\n")

for mixin in range (1, maximumMixinTested+1):
    f.write("mixin = " + str(mixin) + "\n")

    allTrialResults = []
    
    for trial in range (0, numberOfTrials):
		# ledger is the list of all transactions
        trialLedger = ledger(transactionsTotalPerTrial, 
            numberOfTrials, 
            mixin,
            revealPercentage)
            
        totallyRevealedOutputs = float(trialLedger.getTotallyRevealedOutputs())

        # determine the ratio of revealed outputs.
        revealedOutputRatio = totallyRevealedOutputs / float(transactionsTotalPerTrial)

        # store this ratio.
        f.write(str(revealedOutputRatio) + ", ")
        allTrialResults.append(revealedOutputRatio)

    f.write("\n")
    
    averageOfAllTrials = reduce(lambda x, y: x + y, allTrialResults) / len(allTrialResults)
    varianceAllTrials = getVariance(allTrialResults, averageOfAllTrials)
    revealsFromChainReaction = averageOfAllTrials - revealPercentage
    nonAttackerRevealPercent = revealsFromChainReaction / (1-revealPercentage)
    f.write("Average revealed output ratio: " + str(averageOfAllTrials * 100) + "%\n")
    f.write("Reveals resulting from chain reaction: " + str(revealsFromChainReaction * 100) + "% +/- " + str(varianceAllTrials * 100) + "%\n")
    f.write("Percentage of non-attacker outputs revealed: " + str(nonAttackerRevealPercent * 100) + "%\n\n")

f.close() 

We've known about this for a long time, I'm just wrapping up my work on completing the fix for it now.

There are two other non-trivial de-anonymizing attacks that I'm writing proposals to mitigate now too, can you find them?