[ANN] Counterparty Protocol CFD Exploit - Cash out any CFD's

nutildah

legendary

Activity: 3010

Merit: 8114

Quote from: open82buy on August 02, 2014, 10:05:36 PM

Quote from: nutildah on July 31, 2014, 10:18:18 PM

If you create a Counterwallet bitcoin address and PM it to me I will send you some free tokens to play around with. Unfortunately you will still need a little bit of your own BTC if you want to trade them.

This is really funny coming from a TROLL

I guess you don't mind it if I post the private messages you've been sending me then and then all can see what a troll you are.

Real original threat there silly guy:

Quote from: ?? on ??

I guess you don't mind it if I post the private messages you've been sending me then.

The message I am referring to is the one where you threatened to head-butt me over your perception that I was costing you money. We both agreed already that this was not the case yet you continue to hound me... Why?

open82buy

hero member

Activity: 695

Merit: 500

Quote from: nutildah on July 31, 2014, 10:18:18 PM

If you create a Counterwallet bitcoin address and PM it to me I will send you some free tokens to play around with. Unfortunately you will still need a little bit of your own BTC if you want to trade them.

This is really funny coming from a TROLL

I guess you don't mind it if I post the private messages you've been sending me then and then all can see what a troll you are.

halicarton

sr. member

Activity: 402

Merit: 250

They have several issues they are alway working on! Just waiting for it. Grin

nutildah

legendary

Activity: 3010

Merit: 8114

Quote from: halicarton on July 31, 2014, 10:11:20 PM

I was too poor to invest . But still want some coins .

If you create a Counterwallet bitcoin address and PM it to me I will send you some free tokens to play around with. Unfortunately you will still need a little bit of your own BTC if you want to trade them.

halicarton

sr. member

Activity: 402

Merit: 250

I was too poor to invest . But still want some coins .

nutildah

legendary

Activity: 3010

Merit: 8114

Quote from: Fernandez on July 31, 2014, 09:08:56 AM

This has gone silent for some time. Have this been solved? I hope the developers come to a compromise, hate to see this nice innovation suffering.

Fixing any flaws is best for us all.

They have several other issues they are currently working on, some more pertinent than this one.

This is a 100% novel, free product for anybody to use that offers a bunch of revolutionary new services that have never been implemented in software design before. I don't think its right to expect perfection from it, now or ever.

Yes, this sounds like a problem that needs to be solved.

No, it is not central to the core of Counterparty and is easily avoidable.

Fernandez

legendary

Activity: 1008

Merit: 1000

This has gone silent for some time. Have this been solved? I hope the developers come to a compromise, hate to see this nice innovation suffering.

Fixing any flaws is best for us all.

porqupine

full member

Activity: 214

Merit: 101

I wrote up a Technical Analysis of the exploit: https://xcpfeeds.info/cfd_exploit/

porqupine

full member

Activity: 214

Merit: 101

Quote from: cityglut on July 25, 2014, 06:13:10 AM

And now that I've accidentally bumped this thread I hope the people that read the whole thing can see that the problem isn't an "exploit" so much as a coding flaw.

It's an exploitable coding flaw. Any unmatched CFD can be stolen - see https://github.com/porqup1ne/cfd_camper

I will be posting a technical paper with descriptions of the exploit and the original bug later as promised.

nutildah

legendary

Activity: 3010

Merit: 8114

And now that I've accidentally bumped this thread I hope the people that read the whole thing can see that the problem isn't an "exploit" so much as a coding flaw.

nutildah

legendary

Activity: 3010

Merit: 8114

Quote from: Fernandez on July 25, 2014, 08:10:45 AM

Quote from: statdude on July 24, 2014, 05:27:03 PM

Makes no sense why he wouldn't listen to you and really reduces my interest in XCP for a lead dev to do that.

Sad day for XCP.

Sad day indeed, I rate XCP highly,. I am still hoping that sanity will prevail and the devs can get back together. Lead dev ignoring potential flaws is a serious case for concern, maybe we will hear from him soon why.

There's more going on behind the scene if you're interested:

https://bitcointalksearch.org/topic/m.8016900

Fernandez

legendary

Activity: 1008

Merit: 1000

Quote from: statdude on July 24, 2014, 05:27:03 PM

Makes no sense why he wouldn't listen to you and really reduces my interest in XCP for a lead dev to do that.

Sad day for XCP.

Sad day indeed, I rate XCP highly,. I am still hoping that sanity will prevail and the devs can get back together. Lead dev ignoring potential flaws is a serious case for concern, maybe we will hear from him soon why.

nutildah

legendary

Activity: 3010

Merit: 8114

Quote from: porqupine on July 25, 2014, 07:17:25 AM

It's like an order on an Exchange that can be split into smaller blocks - so that someone betting 1000 XCP - should be able to split to match with 10XCP, 100XCP etc. so they can get filled - if they needed to get matched exactly it would probably make the entire system useless.

Okay so by placing the order of 1000 the bear is assuring that he has an additional 1000 XCP to throw down for escrow in case the order gets completely filled. And its not that he has 100:1 leverage and the bull doesnt...

If the delta runs the other way (-1) then the bull gets 11 and the bear gets 9.99, meaning the system eats a cost of the amount equal to the original example.

Unless there's something else I'm not seeing, yes you're right, the proportionality of the payouts seems off. Does your fix suggest removing "wager_quantity" denomination?

I hope you're not trying to match orders with different leverages. You can't assign them the same delta if you are.

CFDs arent legal in my country and I never heard about them until today so please excuse my ignorance.

porqupine

full member

Activity: 214

Merit: 101

Quote from: nutildah on July 25, 2014, 05:54:35 AM

Sorry for the dumb question but how is the BEAR allowed to bet 1,000 on 10 escrow while the BULL isn't?

Wouldn't the BULL want to employ the same leverage as the BEAR?

If they did, then the calculation would add up to 20.

delta = (initial_value - value) * leverage * config.UNIT

bear_credit = bear_escrow + (delta * Fraction(bear_escrow,
bear_wager_quantity))
bull_credit = (escrow_less_fee - bear_escrow) - (delta *
Fraction(bull_escrow, bull_wager_quantity))

delta= 1
bear_escrow(10) + ( delta(1) * (bear_escrow(10)/bear_wager_quantity(1000))
10.01
bull_credit = (escrow(20) - bear_escrow(10)) - (delta(1) *
(bull_escrow(10)/bull_wager(1000)) = 9.99

9.99 + 10.01 = 20

It's like an order on an Exchange that can be split into smaller blocks - so that someone betting 1000 XCP - should be able to split to match with 10XCP, 100XCP etc. so they can get filled - if they needed to get matched exactly it would probably make the entire system useless.

nutildah

legendary

Activity: 3010

Merit: 8114

Sorry for the dumb question but how is the BEAR allowed to bet 1,000 on 10 escrow while the BULL isn't?

Wouldn't the BULL want to employ the same leverage as the BEAR?

If they did, then the calculation would add up to 20.

delta = (initial_value - value) * leverage * config.UNIT

bear_credit = bear_escrow + (delta * Fraction(bear_escrow,
bear_wager_quantity))
bull_credit = (escrow_less_fee - bear_escrow) - (delta *
Fraction(bull_escrow, bull_wager_quantity))

delta= 1
bear_escrow(10) + ( delta(1) * (bear_escrow(10)/bear_wager_quantity(1000))
10.01
bull_credit = (escrow(20) - bear_escrow(10)) - (delta(1) *
(bull_escrow(10)/bull_wager(1000)) = 9.99

9.99 + 10.01 = 20

porqupine

full member

Activity: 214

Merit: 101

Here is the Reddit thread.

http://www.reddit.com/r/counterparty/comments/2bmlg6/ann_counterparty_exploit_public_disclosure/

ReRunRod

full member

Activity: 168

Merit: 100

Quote from: porqupine on July 24, 2014, 05:47:44 PM

One of my many issues opened (closed instantly):
https://github.com/CounterpartyXCP/counterpartyd/issues/189

PhantomPhreak opens an issue:
https://github.com/CounterpartyXCP/counterpartyd/issues/191
With a proposed fix:
https://github.com/CounterpartyXCP/counterpartyd/commit/0229f63008fdbdd2d363d96646136e16a1006bd4

Here is my email writing out the basic arithmetic. The funny thing is I basically wrote it out before he posted that issue with a broken "fix".

Quote

If you're not going to listen to my explanations than please test your
solutions yourself - before posting them.

One more time though - the math is not working again:
delta = (initial_value - value) * leverage * config.UNIT

bear_credit = bear_escrow + (delta * Fraction(bear_escrow,
bear_wager_quantity))
bull_credit = (escrow_less_fee - bear_escrow) - (delta *
Fraction(bull_escrow, bull_wager_quantity))

delta= 1
bear_escrow(10) + ( delta(1) * (bear_escrow(10)/bear_wager_quantity(1000))
10.01
bull_credit = (escrow(20) - bear_escrow(10)) - (delta(1) *
(bull_escrow(10)/bull_wager(10)) = 9

Notice it was a total of 20 (the wager) - but out of escrow comes only 19.01 - .99 just disappear!

Quote

What I'm saying is overall is leverages don't match - more so let's assume
you always take the first leverage (or Fraction ratio) and default the
bull to the second one (to fix the sanity error).

I make a bet:
10/10 (wager-counterwager)
if matched with 10/10 (wager-counterwager):
movement per price delta = 1:1
if matched with a 10 from 1000/1000 (wager-countergwager):
movement per price delta = 1/100

result: No user control over the bet movement.

And it's not like this is the only problem with CFD's, this whole business
of monkey patching, and ignoring the what's happening and the purpose of
these instruments is just absurd.

Thank you very much for what you are doing!! Will try to keep this thread up top for people to read!

ReRunRod

full member

Activity: 168

Merit: 100

Cash out now before it falls!!!!

porqupine

full member

Activity: 214

Merit: 101

One of my many issues opened (closed instantly):
https://github.com/CounterpartyXCP/counterpartyd/issues/189

PhantomPhreak opens an issue:
https://github.com/CounterpartyXCP/counterpartyd/issues/191
With a proposed fix:
https://github.com/CounterpartyXCP/counterpartyd/commit/0229f63008fdbdd2d363d96646136e16a1006bd4

Here is my email writing out the basic arithmetic. The funny thing is I basically wrote it out before he posted that issue with a broken "fix".

Quote

If you're not going to listen to my explanations than please test your
solutions yourself - before posting them.

One more time though - the math is not working again:
delta = (initial_value - value) * leverage * config.UNIT

bear_credit = bear_escrow + (delta * Fraction(bear_escrow,
bear_wager_quantity))
bull_credit = (escrow_less_fee - bear_escrow) - (delta *
Fraction(bull_escrow, bull_wager_quantity))

delta= 1
bear_escrow(10) + ( delta(1) * (bear_escrow(10)/bear_wager_quantity(1000))
10.01
bull_credit = (escrow(20) - bear_escrow(10)) - (delta(1) *
(bull_escrow(10)/bull_wager(10)) = 9

Notice it was a total of 20 (the wager) - but out of escrow comes only 19.01 - .99 just disappear!

Quote

What I'm saying is overall is leverages don't match - more so let's assume
you always take the first leverage (or Fraction ratio) and default the
bull to the second one (to fix the sanity error).

I make a bet:
10/10 (wager-counterwager)
if matched with 10/10 (wager-counterwager):
movement per price delta = 1:1
if matched with a 10 from 1000/1000 (wager-countergwager):
movement per price delta = 1/100

result: No user control over the bet movement.

And it's not like this is the only problem with CFD's, this whole business
of monkey patching, and ignoring the what's happening and the purpose of
these instruments is just absurd.

SirEGB

member

Activity: 142

Merit: 10

The only reason to avoid listening is because the dev needs to cash out before it gets exploited. I never took an interest in Counterparty but considering the dev would act so immaturely when a fellow community is trying to help strengthen the system makes me not want to look into XCP even more.

Topic: [ANN] Counterparty Protocol CFD Exploit - Cash out any CFD's (Read 3419 times)