Pages:
Author

Topic: Nxt source code flaw reports - page 30. (Read 113369 times)

hero member
Activity: 739
Merit: 500
January 08, 2014, 04:45:53 PM
Could you elaborate that? I've run a simulation over the hole blockchain (like every transaction did before is a game play), and the winning odds are 50/50. You could also write me a PM I am not sure if it is the right place to discuss that here.

Thank you CfB!  Wink

ricot has just explained it.

Yes, i see the problem now. So it is better to wait for at least one confirmation right now. Anyway cool feature: Makes the assignment of bets to payments easier. But it would be really nice if it possible to improve that feature.

Maybe we could include T2 (that has T1 as ref transaction) only in a block if T1 is confirmed + the creator of the block, in which T1 got confirmed, is not equal to the sender or recipient of T2 or T1? So in the rare case when the recipient/sender of the block generates it, T2 waits for the next block. Could this solve the issue?

We are also developing some games for Nxt, and I was counting on referencedTransactions for instant bets.
How about if we make a rule in the game to invalidate (or delay, if with transparent mining we can predict who will forge next) every bet from the forger of the next block? That would make it safe?
newbie
Activity: 56
Merit: 0
January 08, 2014, 04:44:45 PM
I really don't understand u or u don't understand me. The 2 chains (one with original block and the other with my corrupted block) have the same length and the same cumulative difficulty. It's just one transaction that is missing in one block. That doesn't change the length of the chain.

Next block will reference only one of ur blocks. Another will become orphaned.

First block chain:
.....<--> block i <--> block i+1 <--> block i+2 <--> ..... <--> block n = last Block

Second block chein:
.....<--> block i <--> corrupted block i+1 <--> block i+2 <--> ... <--> block n = last block

Same length, same difficulty, no way to distinguish. Clients will accept both chains and they don't even know that one transaction is missing.
BTW,  "Cunicula attack" and "Finney attack" are not related to that IMO.

block i+2 contains a hash for block i+1, so if you change any bit in i+1, the original i+2 will not fit anymore...
hero member
Activity: 687
Merit: 500
January 08, 2014, 04:42:23 PM
I really don't understand u or u don't understand me. The 2 chains (one with original block and the other with my corrupted block) have the same length and the same cumulative difficulty. It's just one transaction that is missing in one block. That doesn't change the length of the chain.

Next block will reference only one of ur blocks. Another will become orphaned.

First block chain:
.....<--> block i <--> block i+1 <--> block i+2 <--> ..... <--> block n = last Block

Second block chein:
.....<--> block i <--> corrupted block i+1 <--> block i+2 <--> ... <--> block n = last block

Same length, same difficulty, no way to distinguish. Clients will accept both chains and they don't even know that one transaction is missing.
BTW,  "Cunicula attack" and "Finney attack" are not related to that IMO.
newbie
Activity: 56
Merit: 0
January 08, 2014, 04:41:20 PM
Did I forget anything? Wink

OOM is fixed in new versions.

I'll add a limit for blockchain downloading time, will this fix the attack?

That still wasn't any of the 3 announced bugs? You know that this means, that there are lots and lots more exploits in your code, if we find 4(ish) bugs and none of them is one of the 3 injected ones...

Quote
It's useful for other applications.
can you give an example?

Quote
Could this solve the issue?
why would you have to send the money from the account with which you fork? Wink
newbie
Activity: 50
Merit: 0
January 08, 2014, 04:39:04 PM
Could you elaborate that? I've run a simulation over the hole blockchain (like every transaction did before is a game play), and the winning odds are 50/50. You could also write me a PM I am not sure if it is the right place to discuss that here.

Thank you CfB!  Wink

ricot has just explained it.

Yes, i see the problem now. So it is better to wait for at least one confirmation right now. Anyway cool feature: Makes the assignment of bets to payments easier. But it would be really nice if it possible to improve that feature.

Maybe we could include T2 (that has T1 as ref transaction) only in a block if T1 is confirmed + the creator of the block, in which T1 got confirmed, is not equal to the sender or recipient of T2 or T1? So in the rare case when the recipient/sender of the block generates it, T2 waits for the next block. Could this solve the issue?
legendary
Activity: 2142
Merit: 1010
Newbie
January 08, 2014, 04:38:01 PM
hmm, then that feature is quite useless...

It's useful for other applications.


can we improve it somehow? any ideas?

U can't do (near) instant payments for gambling using this feature.
legendary
Activity: 2142
Merit: 1010
Newbie
January 08, 2014, 04:35:27 PM
Could you elaborate that? I've run a simulation over the hole blockchain (like every transaction did before is a game play), and the winning odds are 50/50. You could also write me a PM I am not sure if it is the right place to discuss that here.

Thank you CfB!  Wink

ricot has just explained it.
legendary
Activity: 2142
Merit: 1010
Newbie
January 08, 2014, 04:34:20 PM
Did I forget anything? Wink

OOM is fixed in new versions.

I'll add a limit for blockchain downloading time, will this fix the attack?
newbie
Activity: 56
Merit: 0
January 08, 2014, 04:34:13 PM
At first we waited for one confirmation, before the dice gets rolled, now we use referencedTransactions for that. I love NXT!  Smiley

U should NOT do that. Coz if someone sees that he will forge next block, he can make a bet and invalidate the betting transaction if loses. It's like re-rolling a die.

Yes I see. Thats why I asked earlier this day how referencedTransactions work. And I love it! NXT has such great features that BTC is all missing!

This lowers ur odds to win. If u let to bet 50/50 then actual odds will be 25/75 (or 33/67, not sure).

Ah, right, you can cancel the transaction as soon as you know that you didn't win and you forged the block with the transaction... hmm, then that feature is quite useless...
can we improve it somehow? any ideas?
newbie
Activity: 50
Merit: 0
January 08, 2014, 04:32:20 PM
At first we waited for one confirmation, before the dice gets rolled, now we use referencedTransactions for that. I love NXT!  Smiley

U should NOT do that. Coz if someone sees that he will forge next block, he can make a bet and invalidate the betting transaction if loses. It's like re-rolling a die.

Yes I see. Thats why I asked earlier this day how referencedTransactions work. And I love it! NXT has such great features that BTC is all missing!

This lowers ur odds to win. If u let to bet 50/50 then actual odds will be 25/75 (or 33/67, not sure).

Could you elaborate that? I've run a simulation over the hole blockchain (like every transaction did before is a game play), and the winning odds are 50/50. You could also write me a PM I am not sure if it is the right place to discuss that here.

Thank you CfB!  Wink
legendary
Activity: 2142
Merit: 1010
Newbie
January 08, 2014, 04:29:09 PM
At first we waited for one confirmation, before the dice gets rolled, now we use referencedTransactions for that. I love NXT!  Smiley

U should NOT do that. Coz if someone sees that he will forge next block, he can make a bet and invalidate the betting transaction if loses. It's like re-rolling a die.

Yes I see. Thats why I asked earlier this day how referencedTransactions work. And I love it! NXT has such great features that BTC is all missing!

This lowers ur odds to win. If u let to bet 50/50 then actual odds will be 25/75 (or 33/67, not sure).
newbie
Activity: 56
Merit: 0
January 08, 2014, 04:28:56 PM
Ok, another attack vector, but this time, it'll take it's sweet time to do it Smiley

We setup a hallmarked server and wait for a getCumulativeDifficulty request...
When we get one, we answer with a higher value than is currently possible, so that the other client gets interested in our blocks.
We send the list of milestone blocks and block ids in a way that the commonBlockIdis one of the most recent blocks the client has. (But that step is just for giggles Wink)
He'll ask us then for our nextBlocks, and we take our sweet time (what's the timeout? 5s?) and then send a big bunch of... well, no, we just send a single block. a bogus one, the block isn't checked at that point, it's just put into futureBlocks. Then the client asks us again for nextBlocks and we repeat the same procedure.
We now have a low bandwidth "permanent" connection with the client. The client will not start another getCumulativeDifficulty request, because that starts only a second after our "captured" thread ends... So the ways for a client to receive a new block from the network are limited to 2 ways:
- via a processBlock call coming in from another peer
- via us, because if we send a block that appends nicely onto the client's last block (which he already told us by giving us his commonBlockId), that will just get added after being checked
That means: Clients without hallmarks or behind firewalls can only get new blocks from us. Smiley
Now we have to do something to interfere with the other hallmarked servers... they still have the possibility to get a block thru another peer's processBlock call.
However, that call has a flaw (which I already outlined a few days ago), in that it only accepts blocks that nicely fit onto the current blockchain.
So we have the block generation of the non-hallmarked part of the network completely under our control and the rest of the network can't resolve forks anymore, because every block that comes thru processBlock (or us) and fits, is kept. So after a while, the network will nicely diverge and we can send everyone a block that possibly fits onto his blockchain, because if it fits, the client will take it, if it doesn't fit, it just gets added to futureBlocks.
Now suppose, we have to shutdown our server, or the required bandwidth is a bit on the high side and we want to get rid of a few nodes without them being able to get back to a proper chain...
The thread that does the blockchain scanning is started with scheduleWithFixedDelay. Let's get the JDK description of that function:
Quote
Creates and executes a periodic action that becomes enabled first after the given initial delay, and subsequently with the given delay between the termination of one execution and the commencement of the next. If any execution of the task encounters an exception, subsequent executions are suppressed.
Aha! we can kill the thread for good, if we cause an exception! (and we only kill that blockchain getting thread, the other ones will still be alive)
well, there is a big try {...}catch(Exception e){} around it, so what could we possibly use? Well, how about something that can't be catched... Who watched the thread closely? Wink I mentioned it before...
An OutOfMemoryError. This is an uncatchable exception and will cause the thread to die and no-one will start it again.
So let's see where we can generate that...
If we give a client a block that fits onto it's blockchain [if(block.previousBlock==lastBlock)], we directly allocate [ByteBuffer.allocate(BLOCK_HEADER_LENGTH+block.payloadLength);], so we just make sure that our payloadLength is set to INT_MAX-BLOCK_HEADER_LENGTH and the client will very likely fail because it can't find 2GB of contiguous memory anywhere within the JVM. But you might say: If someone started the server with a lot more ram!
Well, actually, there's a second way, also outlined by me a few pages earlier: you have to generate a proper looking block that just has the number of transactions modified, because that is also used for an allocation without a prior sanity check. So you can allocate 16GB of contiguous memory, which with near certainty will fail on any current server, no matter how the JVM is setup.
So if we wait long enough, we can take over the block distribution of the network with minimal ressources, because as soon as a peer asks us only once for blocks, we've got him hooked. and at that point, the network can't deal with forks anymore, which happen quite often, but it still looks ok on first sight, because we can feed all clients with some nice looking blocks from each other, so groups of clients will be in the same blockchain but there will be many blockchains existing in parallel.
And if we do that long enough, they won't find to gether again even if we're gone because they only sync 720 blocks back.

That's quite a nice attack, right? No spamming, no DOSing, not even too visible, Smiley
Did I forget anything? Wink
legendary
Activity: 2142
Merit: 1010
Newbie
January 08, 2014, 04:26:30 PM
I really don't understand u or u don't understand me. The 2 chains (one with original block and the other with my corrupted block) have the same length and the same cumulative difficulty. It's just one transaction that is missing in one block. That doesn't change the length of the chain.

Next block will reference only one of ur blocks. Another will become orphaned.
newbie
Activity: 50
Merit: 0
January 08, 2014, 04:26:13 PM
At first we waited for one confirmation, before the dice gets rolled, now we use referencedTransactions for that. I love NXT!  Smiley

U should NOT do that. Coz if someone sees that he will forge next block, he can make a bet and invalidate the betting transaction if loses. It's like re-rolling a die.

Yes I see. Thats why I asked earlier this day how referencedTransactions work. And I love it! NXT has such great features that BTC is all missing!
newbie
Activity: 50
Merit: 0
January 08, 2014, 04:25:04 PM
Huh
I have a question regarding referencedTransactions. ReferencedTransactions are used so that a transaction gets only confirmed when the other transaction is already confirmed.

Okay, lets say I am creating a transaction T2 which has T1 as referencedTransaction. T1 is in the latest block, so T2 gets confirmed in the next block. What if the block in which T1 is in a fork chain and gets orphaned later? T1 gets added to the unconfirmedTransaction list. Now it could be that the deadline is expired and the transaction gets lost. T2 is in the main chain and is confirmed. So the referencedTransaction scheme does not work in that case?

If the block with T1 is orphaned then the block with T2 is orphaned too.

FYI, this is actually how Satoshi Dice sends semi-instant payouts.  They include your payment as part of the reward-- if you try to double-spend, their transaction back to you is invalidated, when your transaction is invalidated.  Likewised, if your TX ends up in an orphaned block, their payment will subsequently be part of an orphaned chain.

So... semi-instant transactions are possible under certain circumstances.

Actually, one of my small "test the waters using NXT in a service"-projects is using that form for instant payments... works like a charm so far Smiley
https://nxtschrodinger.appspot.com if you want to check it out Wink

Me too www.nxtdice.com  Grin
At first we waited for one confirmation, before the dice gets rolled, now we use referencedTransactions for that. I love NXT!  Smiley

Want to play to support the game but saw nothing in the link ?

Lol, typo in the url.. Guess its time to go to bed.  Grin
http://www.thenxtdice.com
hero member
Activity: 687
Merit: 500
January 08, 2014, 04:24:36 PM
I really don't understand u or u don't understand me. The 2 chains (one with original block and the other with my corrupted block) have the same length and the same cumulative difficulty. It's just one transaction that is missing in one block. That doesn't change the length of the chain.
legendary
Activity: 2142
Merit: 1010
Newbie
January 08, 2014, 04:24:11 PM
At first we waited for one confirmation, before the dice gets rolled, now we use referencedTransactions for that. I love NXT!  Smiley

U should NOT do that. Coz if someone sees that he will forge next block, he can make a bet and invalidate the betting transaction if loses. It's like re-rolling a die.
sr. member
Activity: 602
Merit: 268
Internet of Value
January 08, 2014, 04:23:00 PM
Huh
I have a question regarding referencedTransactions. ReferencedTransactions are used so that a transaction gets only confirmed when the other transaction is already confirmed.

Okay, lets say I am creating a transaction T2 which has T1 as referencedTransaction. T1 is in the latest block, so T2 gets confirmed in the next block. What if the block in which T1 is in a fork chain and gets orphaned later? T1 gets added to the unconfirmedTransaction list. Now it could be that the deadline is expired and the transaction gets lost. T2 is in the main chain and is confirmed. So the referencedTransaction scheme does not work in that case?

If the block with T1 is orphaned then the block with T2 is orphaned too.

FYI, this is actually how Satoshi Dice sends semi-instant payouts.  They include your payment as part of the reward-- if you try to double-spend, their transaction back to you is invalidated, when your transaction is invalidated.  Likewised, if your TX ends up in an orphaned block, their payment will subsequently be part of an orphaned chain.

So... semi-instant transactions are possible under certain circumstances.

Actually, one of my small "test the waters using NXT in a service"-projects is using that form for instant payments... works like a charm so far Smiley
https://nxtschrodinger.appspot.com if you want to check it out Wink

Me too www.nxtdice.com  Grin
At first we waited for one confirmation, before the dice gets rolled, now we use referencedTransactions for that. I love NXT!  Smiley

Want to play to support the game but saw nothing in the link ?
legendary
Activity: 2142
Merit: 1010
Newbie
January 08, 2014, 04:20:29 PM
Well, i can wait until I corrupt the block. And by what means do peers decide which block is the real one?

Longest chain wins.
newbie
Activity: 50
Merit: 0
January 08, 2014, 04:16:06 PM
 Huh
I have a question regarding referencedTransactions. ReferencedTransactions are used so that a transaction gets only confirmed when the other transaction is already confirmed.

Okay, lets say I am creating a transaction T2 which has T1 as referencedTransaction. T1 is in the latest block, so T2 gets confirmed in the next block. What if the block in which T1 is in a fork chain and gets orphaned later? T1 gets added to the unconfirmedTransaction list. Now it could be that the deadline is expired and the transaction gets lost. T2 is in the main chain and is confirmed. So the referencedTransaction scheme does not work in that case?

If the block with T1 is orphaned then the block with T2 is orphaned too.

FYI, this is actually how Satoshi Dice sends semi-instant payouts.  They include your payment as part of the reward-- if you try to double-spend, their transaction back to you is invalidated, when your transaction is invalidated.  Likewised, if your TX ends up in an orphaned block, their payment will subsequently be part of an orphaned chain.

So... semi-instant transactions are possible under certain circumstances.

Actually, one of my small "test the waters using NXT in a service"-projects is using that form for instant payments... works like a charm so far Smiley
https://nxtschrodinger.appspot.com if you want to check it out Wink

Me too www.thenxtdice.com  Grin
At first we waited for one confirmation, before the dice gets rolled, now we use referencedTransactions for that. I love NXT!  Smiley
Pages:
Jump to: