
Topic: [ANN][XCN] Cryptonite - NEW Thread | 1st mini-blockchain coin | Bounties! - page 96. (Read 215807 times)

newbie
Activity: 31
Merit: 0
Ok guys now the main pool and many exchanges have updated to the new version I feel it's safe to release more information about exactly what happened.

Unfortunately it looks like btc38 is going to remove XCN based on that announcement. Btc38 were the ones who first realized something was wrong because they had a suspiciously high number of XCN in their exchange wallet. They notified us there was something wrong a few days ago and I coded up a blockchain analyzer to look for anything suspicious. I discovered that an attacker found a way to create transactions with outputs larger than the inputs, allowing the attacker to essentially create free coins. The first example of the attack can be seen in this block: http://xcn-explorer.selektion21.de/?b=1007085

They were able to generate a negative fee value because of an integer overflow bug, making it possible to have outputs larger than the input value. Obviously there were checks for integer overflows in place but some integers which should have been unsigned were left signed in the worst place possible, either intentionally or by simple mistake, by the original dev. It looks like the attacker spent most of the smaller outputs and left the massive outputs alone, the latest version should block those massive balances but I calculated they were able to get away with around 260 million XCN from the smaller outputs.

We gave btc38 and other exchanges a list of the addresses used by the attacker so they may have been able to freeze some of the attacker's funds, based on my analysis it doesn't seem like there's a whole lot of transactions stemming off from the bad transactions. I also want to make it clear this bug has nothing to do with the mini-blockchain technology, the bug in the code was pretty obvious and quite easy to fix just by making some signed integers unsigned. Look at the latest changes on pallas's github to see exactly what we did to prevent this happening again.

In a few days I will release the source code for an XCN blockchain analyzer that I made to find the issue, it should also be useful for building an explorer that works efficiently. I will also release the JavaScript code I wrote some time ago for creating raw transactions and signing them, which I used to make sure our fix worked and should also be useful for creating a web wallet. Hopefully we can move past this event without too much issue, I was hoping our quick fix would be enough for btc38 not to drop XCN but I cannot blame them for being spooked by this, especially with the new laws in China.

The following is a list of blocks where the exploit was detected:

1007085, 1009490, 1035837, 1044220, 1052967, 1073572, 1103770, 1119219, 1139944, 1171685, 1188258, 1232798, 1246249, 1255968, 1271558, 1274983, 1278864, 1279894, 1281781, 1284716, 1286093, 1288597, 1290084, 1291824, 1294633, 1297819, 1298379, 1300671, 1302547, 1320111, 1320830, 1322596, 1323220, 1350726, 1360510, 1363161, 1364581, 1366301, 1366351, 1367675, 1369704, 1371786, 1373205, 1375144, 1377644

I talked to pallas  had problems with xcn, but he did not believe it

How do you deal with these problems now?
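
An added illustration of the bug class described in the quoted announcement above (signed amounts letting outputs exceed the input), together with the kind of rule an analyzer can apply to flag such transactions. This is not Cryptonite's code and not taken from pallas's repository; `tx_t`, `MAX_MONEY`, the function names and the sample transactions are assumptions constructed for the sketch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical supply cap for this sketch, not Cryptonite's real constant. */
#define MAX_MONEY UINT64_C(1000000000000000000)

typedef struct {
    uint64_t input;          /* total value being spent */
    const uint64_t *outputs; /* raw 64-bit output values as serialized */
    size_t n_out;
} tx_t;

/* Flawed pattern: the fee is a signed difference, and the output sum can
 * wrap, so outputs far larger than the input still yield fee >= 0. */
bool naive_tx_ok(const tx_t *tx) {
    uint64_t sum = 0;
    for (size_t i = 0; i < tx->n_out; i++)
        sum += tx->outputs[i];              /* wraps silently mod 2^64 */
    int64_t fee = (int64_t)(tx->input - sum);
    return fee >= 0;
}

/* Hardened pattern: unsigned amounts, a range check on every value, and a
 * running sum that cannot wrap because it never exceeds 2 * MAX_MONEY. */
bool strict_tx_ok(const tx_t *tx) {
    uint64_t sum = 0;
    if (tx->input > MAX_MONEY) return false;
    for (size_t i = 0; i < tx->n_out; i++) {
        if (tx->outputs[i] > MAX_MONEY) return false;
        sum += tx->outputs[i];
        if (sum > MAX_MONEY) return false;
    }
    return sum <= tx->input;                /* fee = input - sum >= 0 */
}

/* Analyzer-style pass: count transactions the strict rule rejects. */
size_t count_suspicious(const tx_t *txs, size_t n) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (!strict_tx_ok(&txs[i])) bad++;
    return bad;
}

/* Constructed sample data, not real chain data. */
static const uint64_t OUT_OK[] = {60, 30};
static const uint64_t OUT_WRAP[] = {UINT64_C(1) << 63, (UINT64_C(1) << 63) + 50};
static const tx_t SAMPLE[] = {{100, OUT_OK, 2}, {100, OUT_WRAP, 2}};
```

The second sample transaction passes the naive check with an apparent fee of 50 while its outputs dwarf the input; the strict check rejects it on the first output.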
full member
Activity: 140
Merit: 100
I wonder if this is an opportunity to buy.  Cool

that would be great (if we had an exchange)  Cool

i hope the best to this coin and team.

Still hodling like a pro

We still have 3 exchanges: bx, nova and bter.
And bter is hong kong based, maybe will not be influenced by PBoC ban.
Bittrex or poloniex will be great, yobit can be a good start.
If @bitfreak! is back on the team, sky is the limit.
hero member
Activity: 968
Merit: 624
Still a manic miner
I wonder if this is an opportunity to buy.  Cool

that would be great (if we had an exchange)  Cool

i hope the best to this coin and team.

Still hodling like a pro
sr. member
Activity: 546
Merit: 257
Have you found the Yellow Sign?
I wonder if this is an opportunity to buy.  Cool
legendary
Activity: 1176
Merit: 1015
Maybe people will think that xcn is in a bad moment now.

It is but who isn't?

One thing is for sure, there will be some good buying opportunities ;-)

Again, thanks pallas and bitfreak (and btc38 too for reporting this)!

From btc38 website: "warning:It's rather risky to trade crypto-currencies. Please invest by what you are able to afford."
legendary
Activity: 2716
Merit: 1094
Black Belt Developer
Maybe people will think that xcn is in a bad moment now.
But if you look from a different perspective you will see that this is probably not the case: the coin recently got many stability fixes and speedups, bitfreak is back to help me with coin development, we had external contributions to the code and new services, etc.
As soon as we sort out the exchanges situation together, things will look much better.
We value code and honesty of the people who work on the coin more than the current price. And, besides, price will go down and will go up again.
I think that the current price is not that much important: what really matters is the potential of the coin, what price it will be able to reach in the future.
legendary
Activity: 1176
Merit: 1015
I cannot really remember what was happening at that time but I don't think there was any active development on Cryptonite in that period and the block explorer was down, which is probably why it went unnoticed. I doubt the exploit had anything to do with wallet problems, the wallet has always been fairly buggy until recently, but many of those stability issues have been solved over the last few months.

Ok, thanks bitfreak and pallas for solving this problem so fast, 260 million may be gone but for every seller there is always a buyer too.

I hope in xcn's case code really is the law...
legendary
Activity: 1536
Merit: 1000
electronic [r]evolution
The first example of the attack can be seen in this block: http://xcn-explorer.selektion21.de/?b=1007085

That block was mined late June, did this exploit have something to do with wallet problems during summer? I mean there were speculations about bad nodes and stuff like that?

About Chinese exchanges, they are all going to close down. Not sure how many of those are going to have a new life somewhere else than in mainland China but it's safe to say that btc38 and bter are going to be closed soon.
I cannot really remember what was happening at that time but I don't think there was any active development on Cryptonite in that period and the block explorer was down, which is probably why it went unnoticed. I doubt the exploit had anything to do with wallet problems, the wallet has always been fairly buggy until recently, but many of those stability issues have been solved over the last few months.
legendary
Activity: 1176
Merit: 1015
The first example of the attack can be seen in this block: http://xcn-explorer.selektion21.de/?b=1007085

That block was mined late June, did this exploit have something to do with wallet problems during summer? I mean there were speculations about bad nodes and stuff like that?

About Chinese exchanges, they are all going to close down. Not sure how many of those are going to have a new life somewhere else than in mainland China but it's safe to say that btc38 and bter are going to be closed soon.

legendary
Activity: 2716
Merit: 1094
Black Belt Developer
Dumped whole month of mining at least have to pay electricity burned

Sorry for your choice, you will miss the price increase which will inevitably happen when we get back into a bigger exchange like poloniex or bittrex.
legendary
Activity: 2716
Merit: 1094
Black Belt Developer
meeeh this coin is just done...if u wanna safe coin algorit, it's better to start with new coin and new hype P.
2many problems with this coin...trust is just lost...

I don't agree. XCN has unique features and is now more stable than ever. Plus, I find that the long history of the coin (almost 4 years) is a big plus, not a deficiency.
If you like pump and dump coins, which are abandoned after a couple months, then yes, you are better with another coin.
legendary
Activity: 1901
Merit: 1024
Dumped whole month of mining at least have to pay electricity burned
newbie
Activity: 40
Merit: 0
meeeh this coin is just done...if u wanna safe coin algorit, it's better to start with new coin and new hype P.
2many problems with this coin...trust is just lost...

Valid point.
newbie
Activity: 40
Merit: 0
Many of those 260m probably sold in btc38.
That explains dumps of past days.
What you guys wanna do about that?

And any of you tried to withdraw xcn in btc38?
I can't do that. When I press withdraw button page goes to btc withdraw not xcn.



We provided the exchanges with the offending addresses. What they do I don't know nor can force them to do anything.

Could a burn address be created and get the exchanges to send locked coins to it?

This address is still showing astronomical amounts of coins???

CVPaxGgsteGgucAnzmA7EeTj5hzaLCfb7o


That's btc38 address. We can't block it because it contains funds of honest users as well.

Not block it, get them to send the known "fake / stolen " coins to a known burn address and take them out of circulation.
full member
Activity: 247
Merit: 100
meeeh this coin is just done...if u wanna safe coin algorit, it's better to start with new coin and new hype P.
2many problems with this coin...trust is just lost...
legendary
Activity: 2716
Merit: 1094
Black Belt Developer
Many of those 260m probably sold in btc38.
That explains dumps of past days.
What you guys wanna do about that?

And any of you tried to withdraw xcn in btc38?
I can't do that. When I press withdraw button page goes to btc withdraw not xcn.



We provided the exchanges with the offending addresses. What they do I don't know nor can force them to do anything.

Could a burn address be created and get the exchanges to send locked coins to it?

This address is still showing astronomical amounts of coins???

CVPaxGgsteGgucAnzmA7EeTj5hzaLCfb7o


That's btc38 address. We can't block it because it contains funds of honest users as well.
newbie
Activity: 40
Merit: 0
Many of those 260m probably sold in btc38.
That explains dumps of past days.
What you guys wanna do about that?

And any of you tried to withdraw xcn in btc38?
I can't do that. When I press withdraw button page goes to btc withdraw not xcn.



We provided the exchanges with the offending addresses. What they do I don't know nor can force them to do anything.

Could a burn address be created and get the exchanges to send locked coins to it?

This address is still showing astronomical amounts of coins???

CVPaxGgsteGgucAnzmA7EeTj5hzaLCfb7o
legendary
Activity: 2716
Merit: 1094
Black Belt Developer
Many of those 260m probably sold in btc38.
That explains dumps of past days.
What you guys wanna do about that?

And any of you tried to withdraw xcn in btc38?
I can't do that. When I press withdraw button page goes to btc withdraw not xcn.



We provided the exchanges with the offending addresses. What they do I don't know nor can force them to do anything.
member
Activity: 196
Merit: 15
Many of those 260m probably sold in btc38.
That explains dumps of past days.
What you guys wanna do about that?

And any of you tried to withdraw xcn in btc38?
I can't do that. When I press withdraw button page goes to btc withdraw not xcn.

legendary
Activity: 2716
Merit: 1094
Black Belt Developer
1) It looks like the attacker spent most of the smaller outputs and left the massive outputs alone, the latest version should block those massive balances but I calculated they were able to get away with around 260 million XCN from the smaller outputs.
2) I also want to make it clear this bug has nothing to do with the mini-blockchain technology, the bug in the code was pretty obvious and quite easy to fix just by making some signed integers unsigned. Look at the latest changes on pallas's github to see exactly what we did to prevent this happening again.
1) 260ml is much. Even at 100 satoshi price.
2) It's not a good sign that "obvious" bugs are corrected with such price. Sad

1) as we said, that's the ceiling and we don't know how much of those funds are really accessible by the hacker, the real amount may be much less.
2) it's obvious when you know what it is :-) bitfreak had to create a blockchain analysis tool from scratch to detect the problematic blocks, then we had to find which bug in the code permitted such wrong blocks/transactions, then we had to fix it, then we had to make a tool to create raw transactions on testnet to see if the hole was in fact closed, etc. etc.