Topic: [ANN][IMPORTANT] Vulnerability in stratum-mining - Fix your pools ASAP (Read 2296 times)

legendary
Activity: 2072
Merit: 1001
Quote
Patch is working flawlessly on our pool (solving a block every 3 hours)

Thank you.

Since I implemented it I have only had an orphan, so naturally I worry. I did have a block with no .pyc file created due to a permission problem, so that meant it was probably working fine based on my understanding of Python and .pyc files.

But good to hear this from you.
newbie
Activity: 38
Merit: 0
Patch is working flawlessly on our pool (solving a block every 3 hours)
hero member
Activity: 938
Merit: 1000
www.multipool.us
Quote
But not litecoin.

I just did some googling. That .pyc file is sorta created for the next time the program is run. Everything is in memory anyway, so if it cannot create it, no big deal. It just has to do it again next time it is run...

No, not litecoin, but it's almost the same exact codebase so I don't see why it shouldn't. We are averaging about 2 days per litecoin block at the moment.
legendary
Activity: 2072
Merit: 1001
Quote
Yes my pool has found blocks on mnc, wdc and sxc since I implemented the fix.

But not litecoin.

I just did some googling. That .pyc file is sorta created for the next time the program is run. Everything is in memory anyway, so if it cannot create it, no big deal. It just has to do it again next time it is run...
hero member
Activity: 938
Merit: 1000
www.multipool.us
Quote
Well, I checked my change I made last night this morning. Due to my files being owned by root while I run stratum as a different user, it did not create the .pyc file. So I chown'd the directory and restarted the daemon. So the block the pool found last night was not fully using the new code change. This time the .pyc file was created. (I rarely use Python. I use PHP, Perl, and C more than Python.)

My question is: if Python cannot create the .pyc file, does the application simply run anyway without it? Because the pool did find a block in that condition.

So can anyone confirm, after the change, did your pool find a block to verify the code did not disrupt normal operations?

Yes my pool has found blocks on mnc, wdc and sxc since I implemented the fix.
legendary
Activity: 2072
Merit: 1001
Well, I checked my change I made last night this morning. Due to my files being owned by root while I run stratum as a different user, it did not create the .pyc file. So I chown'd the directory and restarted the daemon. So the block the pool found last night was not fully using the new code change. This time the .pyc file was created. (I rarely use Python. I use PHP, Perl, and C more than Python.)

My question is: if Python cannot create the .pyc file, does the application simply run anyway without it? Because the pool did find a block in that condition.

So can anyone confirm, after the change, did your pool find a block to verify the code did not disrupt normal operations?
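The .pyc question above has a concrete answer: CPython compiles the .py source in memory and runs that; the .pyc is only a cache written for the next start, so a failed cache write does not change which code runs. What does matter for a pool operator is confirming that the file on disk carries the patched diff1 value from Skyfall's patch quoted in the announcement further down the thread. The following is an added example, not code from the thread or from the stratum-mining project: it parses a template_registry.py-style file for the `diff1` assignment without importing it (so the real module's dependencies are not needed), and imports a constructed sample with bytecode writing disabled to show the source still executes. The sample sources, the file name `template_registry_sample.py`, and the 256-bit reconstruction of the pre-patch constant (sixty `f` digits followed by `0000`) are assumptions; the parser also assumes the file is valid Python 3 syntax.

```python
import ast
import importlib.util
import os
import sys
import tempfile

# Value from Skyfall's patch as quoted in the announcement in this thread.
PATCHED_DIFF1 = 0x0000ffff00000000000000000000000000000000000000000000000000000000

# Constructed stand-ins for the relevant line of lib/template_registry.py,
# not the real file. The pre-patch constant is reconstructed here as a
# 256-bit value, sixty 'f' digits followed by '0000' (an assumption).
VULNERABLE_SOURCE = "diff1 = 0x" + "f" * 60 + "0000\n"
PATCHED_SOURCE = "diff1 = 0x%064x\n" % PATCHED_DIFF1


def find_diff1(source):
    """Return every literal assigned to a name called diff1, found by parsing
    the source rather than importing it. Assumes the assignment keeps the
    `diff1 = <literal>` form shown in the patch."""
    values = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign) or not isinstance(node.value, ast.Constant):
            continue
        for target in node.targets:
            if isinstance(target, ast.Name) and target.id == "diff1":
                values.append(node.value.value)
    return values


def fix_is_deployed(path):
    """True when the file at `path` assigns diff1 only to the patched value."""
    with open(path) as f:
        values = find_diff1(f.read())
    return bool(values) and all(v == PATCHED_DIFF1 for v in values)


def import_without_pyc(module_source):
    """Import a module with bytecode writing disabled, which is what a
    permission error on the .pyc amounts to at runtime: Python compiles the
    .py in memory and runs it; the .pyc is only a cache for the next start.
    Returns (diff1 as loaded, whether a bytecode cache was written)."""
    saved = sys.dont_write_bytecode
    sys.dont_write_bytecode = True
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "template_registry_sample.py")  # hypothetical name
            with open(path, "w") as f:
                f.write(module_source)
            spec = importlib.util.spec_from_file_location("template_registry_sample", path)
            mod = importlib.util.module_from_spec(spec)
            spec.loader.exec_module(mod)
            cache_written = os.path.isdir(os.path.join(d, "__pycache__"))
            return mod.diff1, cache_written
    finally:
        sys.dont_write_bytecode = saved


def check_sample_files():
    """Write both constructed sources to disk and run the deployment check on
    each; returns (result for vulnerable file, result for patched file)."""
    with tempfile.TemporaryDirectory() as d:
        results = []
        for name, src in (("vulnerable.py", VULNERABLE_SOURCE), ("patched.py", PATCHED_SOURCE)):
            path = os.path.join(d, name)
            with open(path, "w") as f:
                f.write(src)
            results.append(fix_is_deployed(path))
        return tuple(results)


if __name__ == "__main__":
    print("fix deployed (vulnerable file, patched file):", check_sample_files())
    loaded, cache_written = import_without_pyc(PATCHED_SOURCE)
    print("loaded diff1 matches patch:", loaded == PATCHED_DIFF1)
    print("bytecode cache written:", cache_written)
```

To check a real deployment, call `fix_is_deployed("/path/to/lib/template_registry.py")` on the file the running daemon actually imports; a stale .pyc cannot shadow an edited .py because the interpreter compares the cache against the source before using it.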
hero member
Activity: 1394
Merit: 505
Does this impact p2pool or only push pools?
full member
Activity: 196
Merit: 100
This is huge.

I lost out about $100 over 3 days because of this - it has hit two major pools I know for sure because of the drops in earnings I saw first-hand - both give-me-ltc and we-mine-ltc.

I moved miners to Coinotron and all my earnings shot right back up to estimates. I will be staying on Coinotron until the above-mentioned pools want to announce how they are going to compensate miners that were stolen from.

To be clear though - this is NOT a problem with Litecoin - it is a problem with certain pools.
hero member
Activity: 938
Merit: 1000
www.multipool.us
Per the following post (https://forum.litecoin.net/index.php/topic,4002.0.html) on the litecoin forums, a few pools have reportedly been attacked by miners exploiting this vulnerability.

The vulnerability in the viperaus fork of stratum-mining (and possibly others) allows miners to submit extremely low difficulty shares that will be considered valid by the pool because the difficulty calculation is off by a factor of 2^16 (65536).

Thanks to Skyfall on the Litecoin forums for posting the patch:

Quote
Change line 145 (If you're using viperaus):
https://github.com/viperaus/stratum-mining/blob/master/lib/template_registry.py#L145

Code:
diff1 = 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000

to this:

Code:
diff1 = 0x0000ffff00000000000000000000000000000000000000000000000000000000

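How the diff1 constant drives share acceptance, and why the wrong value lets near-zero-work shares through, as an added example that is not the viperaus/stratum-mining code itself. It models the pool's check in the usual stratum-mining form (target = diff1 / difficulty, share valid when the header hash read as an integer is at or below the target), measures how much work a credited share really proves against the correct constant, and runs an audit over constructed share records to flag the ones that were paid for more difficulty than they demonstrate. The patched constant is the one from Skyfall's patch above; the pre-patch constant is reconstructed as a 256-bit value (sixty `f` digits followed by `0000`), which is an assumption, and with that reading the integer ratio between the two targets comes out as 65537, i.e. the thread's "factor of 2^16".

```python
from fractions import Fraction

# Correct diff1 for scrypt-based coins, as given in Skyfall's patch quoted above.
FIXED_DIFF1 = 0x0000ffff00000000000000000000000000000000000000000000000000000000

# The pre-patch constant, reconstructed as a 256-bit value: sixty 'f' digits
# followed by '0000' (assumption; the transcription in the post may differ).
BUGGY_DIFF1 = int("f" * 60 + "0000", 16)


def diff_to_target(difficulty, diff1=FIXED_DIFF1):
    """Target for a share of the given difficulty: diff1 / difficulty.
    Integer division mirrors the Python 2 integer arithmetic of the pool code."""
    return diff1 // difficulty


def share_accepted(hash_int, difficulty, diff1=FIXED_DIFF1):
    """A share is valid when the header hash, read as a 256-bit integer,
    is at or below the target the pool assigned to the miner."""
    return hash_int <= diff_to_target(difficulty, diff1)


def effective_difficulty(hash_int):
    """Difficulty actually proven by a hash, measured against the correct diff1."""
    return Fraction(FIXED_DIFF1, hash_int)


def difficulty_really_enforced(assigned, diff1_used):
    """Work a pool running with `diff1_used` really demands for a share it
    labels as `assigned`: its target is diff1_used / assigned, and the work
    that target represents is FIXED_DIFF1 / target."""
    return Fraction(FIXED_DIFF1 * assigned, diff1_used)


def target_ratio():
    """How far apart the buggy and fixed difficulty-1 targets are."""
    return diff_to_target(1, BUGGY_DIFF1) // diff_to_target(1, FIXED_DIFF1)


def audit_shares(shares):
    """Given (hash_int, assigned_difficulty) pairs a pool has already credited,
    return those that do not prove the difficulty they were paid for. Running
    this over a share log is one way to spot the abuse described in the post:
    accepted shares whose hashes sit far above the real target."""
    return [(h, d) for h, d in shares if effective_difficulty(h) < d]


# Constructed sample shares (not real pool data): one genuine share at
# difficulty 32, one just above the real target for 32, and one that
# represents almost no work at all yet still passes the buggy check.
SAMPLE_SHARES = [
    (diff_to_target(32), 32),
    (diff_to_target(32) + 1, 32),
    (FIXED_DIFF1 * 1000, 32),
]


if __name__ == "__main__":
    print("target ratio buggy/fixed:", target_ratio())
    print("difficulty really enforced for 'diff 32' on a buggy pool: %.6f"
          % float(difficulty_really_enforced(32, BUGGY_DIFF1)))
    for h, d in SAMPLE_SHARES:
        print("assigned %d: fixed=%s buggy=%s proves=%.4f" % (
            d, share_accepted(h, d), share_accepted(h, d, BUGGY_DIFF1),
            float(effective_difficulty(h))))
    print("underpaid shares in sample:", len(audit_shares(SAMPLE_SHARES)))
```

The audit only needs the share hash and the difficulty the pool credited, both of which a stratum pool already logs, so it can be run retroactively over the period before the patch was applied to estimate how many credited shares were not backed by real work.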