Gridcoin: verification of BOINC authenticity

There was a discussion in the Curecoin thread about Gridcoin. Yeah it does look like hijacking, but this is not the point.

The concept of Gridcoin is that you get higher mining rewards if you are running research projects using the application BOINC.

Some people pointed out you could exploit Gridcoin by using a modified client and not running BOINC at all though. Having checked the source code, I agree: there is just a function checking for some stuff, like the md5 of the BOINC executable, but this could be modified to return anything you want.
The source code can be found here: https://github.com/gridcoin/Gridcoin-master/blob/master/src/boinc/boinc/modUtilization.vb
Check the function VerifyBoincAuthenticity().

The developer of Gridcoin stepped in and answered this:
https://bitcointalksearch.org/topic/m.3560465

Quote

Gridcoin's hard-coded block reward is pretty easily exploitable,
a quick change in the way the code detects BOINC would give max coins every time a block is mined.

--> In the first release this may have been possible to exploit
using a fraudulent client, and each block may have passed the test to trick other nodes into accepting those blocks.

Since then we have designed a new protocol and expanded the spec
to store the boinchash information in the block header itself
and as you may know, each block header and its merkle root is hashed and related to prior blocks.

This seems rather off to me. No matter what you do with the md5 hash, the hash is still retrieved by the Gridcoin client, which can be easily modified given that we have the source. No matter what the protocol is, it can only work using what the client sends...?

I was surprised to see the other users seemed convinced by this explanation.

Did I miss something? Is there any way the other nodes of the network can actually make sure the block header hasn't been faked?

Topic: Gridcoin: verification of BOINC authenticity (Read 552 times)