Author

Topic: FaucetBOX.com Discussion - page 150. (Read 237020 times)

legendary
Activity: 1988
Merit: 1007
July 09, 2015, 01:27:02 AM
It does lead to the question, though... why are later transactions still coming through? The one from the 7th should have more "weight" as it's older, and should go through before the new ones from FaucetBox, being that they both paid the same (relative amount of) fees.

Take this transaction as an example:
https://btc.blockr.io/tx/info/03d6e645fba49e07f3a4d8f173dce3ae590a5e0b06f28b367e29d7e64926019d
has 0.00339447 BTC fee for 15164 bytes, and it's almost 6% of what was actually transfered to users (0.05664565 BTC).
So the fee is ~0.0002260 BTC/kB

Another one is:
https://blockchain.info/tx/1d8e35cbcad0c7814fde8c0e775259107e5adc32900263d9cc1358626a0ecb0b
0.0052392 BTC fee for 17561 bytes, so it's ~0.00030819 BTC/kB

Now example that didn't get through:
https://www.biteasy.com/blockchain/transactions/e9ee41881cb7d38308ac80bb204b55da3877d7b64084872b7d78a4fc9aa9747e
0.00194831 BTC fee for 17426 bytes, so it's ~0.00011460 BTC/kB.

What matters is the fee/kB and you can see that we increased fees ~2-3x.

This is definitely an interesting situation. I'm guessing if worst comes to worst, you can just re-broadcast it or revert things back (add the funds back to each address to be sent out again once everyone's new transaction is ready) though.

We continuously rebroadcast it. We would rather avoid reverting it though, as it could get messy. What's more plausible is that we'll just send double-spends with increased fees. Does anyone know a tool that'll make that easier? I don't want to mess around with raw transactions by hand Smiley

Increased fees definitely make a difference -- I wasn't aware that you changed them, Smiley.

So essentially, right now the weight is still growing, and "should" be a priority soon. Hopefully.
legendary
Activity: 971
Merit: 1000
July 09, 2015, 01:17:13 AM
It does lead to the question, though... why are later transactions still coming through? The one from the 7th should have more "weight" as it's older, and should go through before the new ones from FaucetBox, being that they both paid the same (relative amount of) fees.

Take this transaction as an example:
https://btc.blockr.io/tx/info/03d6e645fba49e07f3a4d8f173dce3ae590a5e0b06f28b367e29d7e64926019d
has 0.00339447 BTC fee for 15164 bytes, and it's almost 6% of what was actually transfered to users (0.05664565 BTC).
So the fee is ~0.0002260 BTC/kB

Another one is:
https://blockchain.info/tx/1d8e35cbcad0c7814fde8c0e775259107e5adc32900263d9cc1358626a0ecb0b
0.0052392 BTC fee for 17561 bytes, so it's ~0.00030819 BTC/kB

Now example that didn't get through:
https://www.biteasy.com/blockchain/transactions/e9ee41881cb7d38308ac80bb204b55da3877d7b64084872b7d78a4fc9aa9747e
0.00194831 BTC fee for 17426 bytes, so it's ~0.00011460 BTC/kB.

What matters is the fee/kB and you can see that we increased fees ~2-3x.

This is definitely an interesting situation. I'm guessing if worst comes to worst, you can just re-broadcast it or revert things back (add the funds back to each address to be sent out again once everyone's new transaction is ready) though.

We continuously rebroadcast it. We would rather avoid reverting it though, as it could get messy. What's more plausible is that we'll just send double-spends with increased fees. Does anyone know a tool that'll make that easier? I don't want to mess around with raw transactions by hand Smiley
legendary
Activity: 1988
Merit: 1007
July 09, 2015, 01:03:00 AM
I don't know why I did not received my payout for 7/7, even the payout for 8/7 is already received few hours ago.
Any 1 have the same issue above too Huh

It was already mentioned in this thread. It's because of the spam attack on Bitcoin network: https://www.reddit.com/r/Bitcoin/comments/3cfext/bitcoin_under_attack/ . It should get confirmed as soon as the number of unconfirmed transactions drops to something sane: https://blockchain.info/unconfirmed-transactions .

It looks like it was actually blocked. Here's an example of my personal transaction coming from FaucetBox:

https://blockchain.info/tx/e9ee41881cb7d38308ac80bb204b55da3877d7b64084872b7d78a4fc9aa9747e/359

I'm wondering if this isn't a bigger issue than just it being lagged... according to BlockChain, it's blocked because it has too many outputs and the server rejects it.

I believe that's not related, it was happening since the beginning of FaucetBOX.com (only that earlier Blockchain.info simply showed 'Transaction not found' message) and it looks like it's Blockchain.info's not-standard behavior. Other nodes relay our transactions just fine, while Blockchain.info only acknowledges our transactions after they're included in block.

Ahhh, interesting! I did notice that the transaction was already pending to the wallet it's going to, and other explorers (like blockr.io) show it fine, just figured maybe Blockchain's error was a bit more verbose than most of these others.

It does lead to the question, though... why are later transactions still coming through? The one from the 7th should have more "weight" as it's older, and should go through before the new ones from FaucetBox, being that they both paid the same (relative amount of) fees.

This is definitely an interesting situation. I'm guessing if worst comes to worst, you can just re-broadcast it or revert things back (add the funds back to each address to be sent out again once everyone's new transaction is ready) though.
legendary
Activity: 971
Merit: 1000
July 09, 2015, 12:59:20 AM
I don't know why I did not received my payout for 7/7, even the payout for 8/7 is already received few hours ago.
Any 1 have the same issue above too Huh

It was already mentioned in this thread. It's because of the spam attack on Bitcoin network: https://www.reddit.com/r/Bitcoin/comments/3cfext/bitcoin_under_attack/ . It should get confirmed as soon as the number of unconfirmed transactions drops to something sane: https://blockchain.info/unconfirmed-transactions .

It looks like it was actually blocked. Here's an example of my personal transaction coming from FaucetBox:

https://blockchain.info/tx/e9ee41881cb7d38308ac80bb204b55da3877d7b64084872b7d78a4fc9aa9747e/359

I'm wondering if this isn't a bigger issue than just it being lagged... according to BlockChain, it's blocked because it has too many outputs and the server rejects it.

I believe that's not related, it was happening since the beginning of FaucetBOX.com (only that earlier Blockchain.info simply showed 'Transaction not found' message) and it looks like it's Blockchain.info's not-standard behavior. Other nodes relay our transactions just fine, while Blockchain.info only acknowledges our transactions after they're included in block.
legendary
Activity: 1988
Merit: 1007
July 09, 2015, 12:38:23 AM
I don't know why I did not received my payout for 7/7, even the payout for 8/7 is already received few hours ago.
Any 1 have the same issue above too Huh

It was already mentioned in this thread. It's because of the spam attack on Bitcoin network: https://www.reddit.com/r/Bitcoin/comments/3cfext/bitcoin_under_attack/ . It should get confirmed as soon as the number of unconfirmed transactions drops to something sane: https://blockchain.info/unconfirmed-transactions .

It looks like it was actually blocked. Here's an example of my personal transaction coming from FaucetBox:

https://blockchain.info/tx/e9ee41881cb7d38308ac80bb204b55da3877d7b64084872b7d78a4fc9aa9747e/359

I'm wondering if this isn't a bigger issue than just it being lagged... according to BlockChain, it's blocked because it has too many outputs and the server rejects it.
legendary
Activity: 971
Merit: 1000
July 08, 2015, 11:19:13 PM
I don't know why I did not received my payout for 7/7, even the payout for 8/7 is already received few hours ago.
Any 1 have the same issue above too Huh

It was already mentioned in this thread. It's because of the spam attack on Bitcoin network: https://www.reddit.com/r/Bitcoin/comments/3cfext/bitcoin_under_attack/ . It should get confirmed as soon as the number of unconfirmed transactions drops to something sane: https://blockchain.info/unconfirmed-transactions .
member
Activity: 70
Merit: 10
★YoBit.Net★ 200+ Coins Exchange & Dice
July 08, 2015, 09:44:17 PM
I don't know why I did not received my payout for 7/7, even the payout for 8/7 is already received few hours ago.
Any 1 have the same issue above too Huh
member
Activity: 129
Merit: 10
International Digital Asset Platform
July 08, 2015, 09:36:20 PM
Why I can't login in my admin panel on FaucetBox? (manage faucets)
When login, I can see a white page.. Huh
hero member
Activity: 1092
Merit: 501
July 08, 2015, 08:56:48 PM
Do all these faucets use script customized by RaphaelM again?

EDIT: looks like they do. Well...:

https://bitcointalksearch.org/topic/m.11504183
https://twitter.com/MakingMoneybtc/status/605329412251369472

LOL funny if it is Raphael script there is a bug but one of faucetbox script don't have a bug yeah right. Kazaldure is too funny anyway glad I am done with him and passed on my faucet using his script to my techs who sees it is not worth it running them
full member
Activity: 182
Merit: 100
July 08, 2015, 08:48:06 PM
Login does not work on FaucetBox at the moment. After inserting the credentials , I get redirected to a blank screen.

Hope it gets fixed soon. Smiley

same here
hero member
Activity: 504
Merit: 500
July 08, 2015, 05:49:52 PM
Login does not work on FaucetBox at the moment. After inserting the credentials , I get redirected to a blank screen.

Hope it gets fixed soon. Smiley

I just went to the old thread, to post that. I forgot there was a new thread. Hope this gets fixed soon. But I'm glad it wasn't just me, lol.
full member
Activity: 186
Merit: 100
July 08, 2015, 05:24:14 PM
Login does not work on FaucetBox at the moment. After inserting the credentials , I get redirected to a blank screen.

Hope it gets fixed soon. Smiley
newbie
Activity: 14
Merit: 0
July 08, 2015, 03:49:55 PM

I myself wouldn't trust referer headers as they could be fabricated.

While I didn't trust them too for FaucetBOX.com, how could they be fabricated in context of CSRF? If I were to attack you using CSRF I wouldn't be able to force your browser to fake the referrer.

You are right. Referer check seems to be good enough to protect against CSRF. However there's ways to get in control of someone's browser and then spoof the headers(is XSS + CSRF possible?). Also what about HTTPS or if someone's browser doesn't send the referer headers (guess 99% do but still)? That would be considered as an attack.

BTW Do you guys support p2sh for litecoin yet?

If you control someone's browser, why bother with CSRF? You can just attack directly Smiley. HTTPS isn't a problem, referrer will be correct on the site itself and possibly not set/empty when coming from other sites (then one just assumes it's invalid). If someone's browser doesn't send headers, too bad. It's not perfect solution, it's just easiest. You should generate a token, save it in session, add it as hidden input in form and compare it on request. But that require more changes, while referrer check will be sufficient for most.

Still no P2SH for Litecoin yet. No ETA either.

Touche Smiley I tried to come up with something but shot myself in the leg instead.
legendary
Activity: 971
Merit: 1000
July 08, 2015, 03:26:33 PM

I myself wouldn't trust referer headers as they could be fabricated.

While I didn't trust them too for FaucetBOX.com, how could they be fabricated in context of CSRF? If I were to attack you using CSRF I wouldn't be able to force your browser to fake the referrer.

You are right. Referer check seems to be good enough to protect against CSRF. However there's ways to get in control of someone's browser and then spoof the headers(is XSS + CSRF possible?). Also what about HTTPS or if someone's browser doesn't send the referer headers (guess 99% do but still)? That would be considered as an attack.

BTW Do you guys support p2sh for litecoin yet?

If you control someone's browser, why bother with CSRF? You can just attack directly Smiley. HTTPS isn't a problem, referrer will be correct on the site itself and possibly not set/empty when coming from other sites (then one just assumes it's invalid). If someone's browser doesn't send headers, too bad. It's not perfect solution, it's just easiest. You should generate a token, save it in session, add it as hidden input in form and compare it on request. But that require more changes, while referrer check will be sufficient for most.

Still no P2SH for Litecoin yet. No ETA either.
newbie
Activity: 14
Merit: 0
July 08, 2015, 03:22:13 PM

I myself wouldn't trust referer headers as they could be fabricated.

While I didn't trust them too for FaucetBOX.com, how could they be fabricated in context of CSRF? If I were to attack you using CSRF I wouldn't be able to force your browser to fake the referrer.

You are right. Referer check seems to be good enough to protect against CSRF. However there's ways to get in control of someone's browser and then spoof the headers(is XSS + CSRF possible?). Also what about HTTPS or if someone's browser doesn't send the referer headers (guess 99% do but still)? That would be considered as an attack.

BTW Do you guys support p2sh for litecoin yet?
legendary
Activity: 971
Merit: 1000
July 08, 2015, 01:31:23 PM
We are experiencing issues with transaction confirmations due to the recent change in Bitcoin network fees. We're working on it, but transactions can take a long time to confirm for now.
This sucks. I want this test/attack to be over with.

It's more because of the new floating fees than the stress test, which I think is long gone now.

EDIT: I know see that it's happening again: https://www.reddit.com/r/Bitcoin/comments/3ck5z9/80000_unconfirmed_transactions_right_now/ . Also here: https://bitcoinfees.github.io/#3h . Does anyone knows anything more about it?

I myself wouldn't trust referer headers as they could be fabricated.

While I didn't trust them too for FaucetBOX.com, how could they be fabricated in context of CSRF? If I were to attack you using CSRF I wouldn't be able to force your browser to fake the referrer.
newbie
Activity: 14
Merit: 0
July 08, 2015, 11:57:14 AM
Either way, it seems pretty easy to implement. Just checking against the referrer and returning to the homepage if it was found to be elsewhere should be sufficient.
Something like this maybe:
Code:
if($_SERVER['HTTP_REFERER'] != 'http://yoursitewhatever.com'){
header('Location: /');
}
Once the form has submitted (~line 1138 on index.php).

I'm not that good with PHP, but I think that
Code:
header('Location: /');
won't end the script. So it will send the coins either way and only redirect to main page after that.
Code:
header('Location: /'); die();
should work though.

As soon as that header hits, the page forwards, so there's no need for closing out the PHP connection -- it's done by default. Even if you have other code after that, it will stop parsing at that line.

I myself wouldn't trust referer headers as they could be fabricated.

Even with your code changes (such as escaping strings), there are many vulnerabilities still open. I'm actually somewhat surprised something as important as dealing with people's finances (in the sense that the script has access to the wallet's funds) is even using SQLi, much less in a very unsecure method. real_escape_string only prevents a small portion of injections from being possible, and if you really want to use that route, you should fix all of them.
As I said, the best way to do it without completely changing the DB software would be to use prepared statements, though that would still leave the script open to some forms of injection. What would you suggest to fix it?

I think PDO would do just fine. That plus validating the input (which in this case is only a wallet address) with base58 encoding/decoding (if anyones interested I can provide a simple script).

Anyway, you're doing a great job guys! Keep it up.
hero member
Activity: 686
Merit: 500
July 08, 2015, 11:50:42 AM
We are experiencing issues with transaction confirmations due to the recent change in Bitcoin network fees. We're working on it, but transactions can take a long time to confirm for now.
This sucks. I want this test/attack to be over with.
legendary
Activity: 971
Merit: 1000
July 08, 2015, 11:02:36 AM
We are experiencing issues with transaction confirmations due to the recent change in Bitcoin network fees. We're working on it, but transactions can take a long time to confirm for now.
legendary
Activity: 2352
Merit: 1268
In Memory of Zepher
July 08, 2015, 06:15:53 AM
Even with your code changes (such as escaping strings), there are many vulnerabilities still open. I'm actually somewhat surprised something as important as dealing with people's finances (in the sense that the script has access to the wallet's funds) is even using SQLi, much less in a very unsecure method. real_escape_string only prevents a small portion of injections from being possible, and if you really want to use that route, you should fix all of them.
As I said, the best way to do it without completely changing the DB software would be to use prepared statements, though that would still leave the script open to some forms of injection. What would you suggest to fix it?
Jump to: