Pages:
Author

Topic: Nxt source code flaw reports - page 18. (Read 113380 times)

legendary
Activity: 2142
Merit: 1010
Newbie
January 14, 2014, 01:28:15 AM
Are you saying that you can't verify 25% of signatures? Isn't that a pretty serious issue?

It was already reported.
newbie
Activity: 26
Merit: 0
January 14, 2014, 01:04:59 AM
someone can generate a block in legit way and try to modify some bytes so that it has block_id = 0,  as pushBlock only check blocks.get(block.getId()) != null where it does = null, the next generated block will override genesis block in analyze()
Code:
if (previousBlock == 0) {

lastBlock = GENESIS_BLOCK_ID;
blocks.put(lastBlock, this);
baseTarget = initialBaseTarget;
cumulativeDifficulty = BigInteger.ZERO;

Account.addAccount(CREATOR_ID);

}
sr. member
Activity: 299
Merit: 250
January 13, 2014, 06:33:57 PM
Good. We'll get some bitcoins to set a reward for Nxt crypto algo audit. Yes, bitcoins, not nxts, coz if the algo is flawed nxts won't be worth a lot Grin.

@CfB, have the developers considered switching to Ed25519 instead?
I think it could easily be deployed (i.e, require all txes + blocks > 40k block to have new sig).

There are many advantages.
First one being it's much better verified and tested than current sing+verify.
Second one is probably speed (although I haven't tested), as computations in Edward's form should be easier.

Do u have fast java implementation?

I came across this: http://crypto.stackexchange.com/questions/12743/is-curve25519-java-secure. So it seems like curve25519 doesn't natively support signing. I'm curious as to why it was chosen?
sr. member
Activity: 299
Merit: 250
January 13, 2014, 05:58:49 PM

In this case, let's say B is malicious and wants to replace A(1, 2, 2) with a different block. In this case, B(1, 2, 10) does not chain to the last block in A so it is put in as a future block. The two possible chains for A are:
A.1: { (0, 1, 1), (1, 2, 2), (2, 3, 3) }
A.2: { (0, 1, 1), (1, 2, 10) }

Since A.2 has a higher difficulty, it will be chosen. As far as I can tell, I don't see anything preventing a malicious attacker from manipulating cumulative difficulty scores in order to get blocks dropped.

Maybe I haven't slept enough, but I think you're right, but...

This would imply two things:
  • He would have to be generator of (1,2,10) - ok he can predict that
  • but he would also have to be generator of (1,2,2) (coz verify generation signature would't pass)

so basically he would invalidate his own block...

This would also work if B was manipulated to have both new chaining blocks and future blocks, e.g.
B: { (0, 1, 1), (1, 2, 2), (2, 3, 3), (3, 4, 4), (1, 2, 10) }

In effect, this would keep transactions (B(3, 4, 4) in the example completely hidden from A.

Or am I missing something?

I think this is good example, that those situations (adding to end of chain AND invalidating tail of chain) are (or rather should, as they are not now)
mutually exclusive cases...


So, isn't this something that can be taken advantage of by a large account holder? The largest account holder right now has 70M NXT, which means that he should be able to forge 7% of blocks. At this rate, it seems very possible that he can generate two blocks within the block height of 720 that clients look at when syncing. (Not to mention that this could also be exploited if there was collusion by among some of the top account holders).


I don't think anyone has replied to this yet.
sr. member
Activity: 299
Merit: 250
January 13, 2014, 05:56:11 PM
But I'd be very interested in hearing why the unverifiability happens and to see numbers on how often that happens.

Sometimes verification faces a situation similar to

Code:
X * 0 == Y * 0

In this case it's impossible to make sure that X == Y.

It happens ~ each 4th time.

Are you saying that you can't verify 25% of signatures? Isn't that a pretty serious issue?
legendary
Activity: 2142
Merit: 1010
Newbie
January 13, 2014, 04:24:33 PM
Not a fatal flaw, but something to think about.

What you do is forge /every/ chain, keep every alt chain you have. Forge on it and wait until you can forge on everything, even after you get a block. And then spam those out because theres a small chance they could become the longest

You don't get penalized in transparent forging, because you forge on everything. You get a block, your forge time in 2 minutes. At 90 seconds, someone else forgers you ignore this, and forge at 2 minutes as if you didn't receive.
now there are two chains, the longest, and one thats off by only 30 seconds, you receive both. but the 30 second longer one is advantageous to you, because it gives you a lower forging time, so you forge on it.
as soon as you can (even if you have received other blocks for it).and so on and so forth, creating an incentive to create exponential alt chains and process non-longest chains.

If this can happen, then the network would under a lot of pressure.

Regards
j0b and ZjP

Sounds like multiverse concept. We already have coins and anticoins, superposition of transactions lost in limbo, event horizon that limits rate of the transactions, time warp of transparent forging...
hero member
Activity: 687
Merit: 500
January 13, 2014, 04:22:40 PM
Edit:  A little friendly reminder...   Wink    Hey ricot and BloodyRookie... you need to take a look quick!

I think that was related to the block id flaw.
sr. member
Activity: 379
Merit: 250
January 13, 2014, 04:06:50 PM
Congrats guys!  Can we get a summary on what flaws are left to be uncovered?

Each flaw has a small description. Here r SHA256 hashes of these descriptions:

bd34c891e9e3df9ea8b8eafc4dc3edc129f81365d42bf204ea58271e320f3ce5 - 1K reward
888f278c773d39b8334a651d84ee78871bd0e5d45e09be8fdb190ba1b2969530 - 10K reward
f5236644f4306699bb0fa90a905afe2454683c0aad6995e4433d712e2fdb257c - 100K reward

The flaws must be reported before the 3rd of April, after that date they can be revealed at any moment.

Well, I guess it's appropriate that the fatal flaw is the last to be discovered.


It sounds like bcnxt knows the fatal flaw according to his wording.
legendary
Activity: 1470
Merit: 1004
January 13, 2014, 04:04:16 PM
Congrats guys!  Can we get a summary on what flaws are left to be uncovered?

Each flaw has a small description. Here r SHA256 hashes of these descriptions:

bd34c891e9e3df9ea8b8eafc4dc3edc129f81365d42bf204ea58271e320f3ce5 - 1K reward
888f278c773d39b8334a651d84ee78871bd0e5d45e09be8fdb190ba1b2969530 - 10K reward
f5236644f4306699bb0fa90a905afe2454683c0aad6995e4433d712e2fdb257c - 100K reward

The flaws must be reported before the 3rd of April, after that date they can be revealed at any moment.

Well, I guess it's appropriate that the fatal flaw is the last to be discovered.
hero member
Activity: 687
Merit: 500
January 13, 2014, 04:02:50 PM
Account number is in my sig.
legendary
Activity: 2142
Merit: 1010
Newbie
January 13, 2014, 03:47:12 PM
Congrats guys!  Can we get a summary on what flaws are left to be uncovered?

The fatal flaw with 100K reward. It will kill a copy-coin in a day, an old computer is enough for the attack.
legendary
Activity: 1470
Merit: 1004
January 13, 2014, 03:44:02 PM
When generating a block, you have 2 signatures that could go wrong.
One is the generationSignature, which is calculated from the previousBlock, so there is no chance in changing it when it fails. (i.e. 25% invalid block).
The other one is the blockSignature. Currently, this is only generated once and contains a hash of e.g. all the transactions. If that signature fails in NRS, the client will just output invalid block and don't continue to try.
If Bob isn't using NRS, he could generate the blockSignature again with different data, i.e. different transactions. It's relatively easy to find a payload that will generate a valid hash.
Bob could then transmit the perfectly fine block, which NRS would have not enabled him to do. So he got an advantage by not using the default client.

Well, u and BloodyRookie explained 99% of the serious flaw. I think u both should get 1'000 NXT. Post ur account.

@BloodyRookie: Post ur Nxt account, plz.


PS: The description of the serious flaw is:

Code:
An incorrect block signature is not recalculated. This gives ability to use less than 50% of the stake to attack the network.

Congrats guys!  Can we get a summary on what flaws are left to be uncovered?
legendary
Activity: 2142
Merit: 1010
Newbie
January 13, 2014, 03:30:34 PM
looks like a needless if-block

Code:
for (i = 32; i--!=0; ) {
if (i==0) {
i=0;
}

or does it have any purpose? At least a place for a breakpoint ... Smiley


U should ask the author of the code.
newbie
Activity: 50
Merit: 0
January 13, 2014, 03:30:21 PM
When generating a block, you have 2 signatures that could go wrong.
One is the generationSignature, which is calculated from the previousBlock, so there is no chance in changing it when it fails. (i.e. 25% invalid block).
The other one is the blockSignature. Currently, this is only generated once and contains a hash of e.g. all the transactions. If that signature fails in NRS, the client will just output invalid block and don't continue to try.
If Bob isn't using NRS, he could generate the blockSignature again with different data, i.e. different transactions. It's relatively easy to find a payload that will generate a valid hash.
Bob could then transmit the perfectly fine block, which NRS would have not enabled him to do. So he got an advantage by not using the default client.

Well, u and BloodyRookie explained 99% of the serious flaw. I think u both should get 1'000 NXT. Post ur account.

@BloodyRookie: Post ur Nxt account, plz.


PS: The description of the serious flaw is:

Code:
An incorrect block signature is not recalculated. This gives ability to use less than 50% of the stake to attack the network.

Congrats  Grin
I was so close to find out this flaw, but you were faster. Well even if I detected no flaw, it gave me a really good understanding of NXT works.  Smiley Time to invest some more money in NXT I guess.  Cheesy
hero member
Activity: 834
Merit: 524
Nxt NEM
January 13, 2014, 03:27:41 PM
looks like a needless if-block

Code:
for (i = 32; i--!=0; ) {
if (i==0) {
i=0;
}

or does it have any purpose? At least a place for a breakpoint ... Smiley


full member
Activity: 137
Merit: 100
January 13, 2014, 03:15:51 PM
Well done rico and bloodyrookie Smiley
legendary
Activity: 2142
Merit: 1010
Newbie
January 13, 2014, 03:14:29 PM
So... was this related to the found flaws?

thnx   Smiley

No
legendary
Activity: 2142
Merit: 1010
Newbie
January 13, 2014, 03:08:11 PM
Now onwards to th 100k one... Killing a copy-coin in a day...
Do we have a supercomputer available for the job? Wink

No. Wink

5 y.o. computer is enough.
newbie
Activity: 56
Merit: 0
January 13, 2014, 03:07:07 PM
Now onwards to the 100k one... Killing a copy-coin in a day...
Do we have a supercomputer available for the job? Wink

[edit]
Was any discussion in that thread somewhere close to that bug or haven't we touched that at all yet?
newbie
Activity: 56
Merit: 0
January 13, 2014, 03:05:45 PM
Thanks! And congrats to BloodyRookie Smiley

Account is the same as always... Wink
Pages:
Jump to: