[PPC] [DISCLOSURE] Stake Generation Vulnerability

tacotime

legendary

Activity: 1484

Merit: 1005

Quote from: Jutarul on April 04, 2013, 06:46:08 PM

That's a fallacy. The absence of bad news is not good news. You have to investigate other factors as well. Eg there is almost no incentive right now to do proper research. Thus it progresses slowly. Before full design documents have been published or reverse engineered, the security level is unknown.

I'll echo this. PPCoin has made sweeping changes to the Bitcoin protocol and it's hard to really tell what will work and won't work in the long run. One of the great things about Bitcoin was its simplicity in the protocol used to generate the network. However, with PPCoin, a number of complexities have been added and it's unknown how well they will pan out in the long term.

Jutarul

donator

Activity: 994

Merit: 1000

Quote from: mr_random on April 04, 2013, 04:59:46 PM

Quote from: Jutarul on April 04, 2013, 04:36:09 PM

Quote from: matt608 on April 04, 2013, 04:33:52 PM

Quote from: Sunny King on January 07, 2013, 12:55:49 AM

Quote from: Jutarul on January 05, 2013, 10:40:27 AM

(bump) Please feel free to post the details for the planned fix when ready, given you appreciate any external review.

The protocol upgrade involves replacing the proof-of-stake difficulty as the hash modifier for proof-of-stake (we call it stake modifier). The new stake modifier is 64 bit and derived from about 9 days worth of blocks after the coin generating the stake. When I get some time over next week I would talk a bit more about how it works.

Has any progress been made with this?

The 0.3 upgrade introduced some changes. However, no serious security analysis of the new code has been published yet.

Empirically though it's been 3 months and is standing up well to stress testing. PPCoin is proving itself just like Bitcoin had too...

That's a fallacy. The absence of bad news is not good news. You have to investigate other factors as well. Eg there is almost no incentive right now to do proper research. Thus it progresses slowly. Before full design documents have been published or reverse engineered, the security level is unknown.

punin

hero member

Activity: 560

Merit: 500

Quote from: Sunny King on April 04, 2013, 05:09:59 PM

Quote from: punin on April 04, 2013, 05:02:06 PM

Actually, my friend lost over 50k in apparently incorrect stake generation. Sunny King has been notified of this potential bug.

https://bitcointalksearch.org/topic/m.1736759

That fixed it! Yay! Thank you!

Sunny King

legendary

Activity: 1205

Merit: 1010

Quote from: punin on April 04, 2013, 05:02:06 PM

Actually, my friend lost over 50k in apparently incorrect stake generation. Sunny King has been notified of this potential bug.

https://bitcointalksearch.org/topic/m.1736759

punin

hero member

Activity: 560

Merit: 500

Actually, my friend lost over 50k in apparently incorrect stake generation. Sunny King has been notified of this potential bug.

mr_random

legendary

Activity: 1260

Merit: 1001

Quote from: Jutarul on April 04, 2013, 04:36:09 PM

Quote from: matt608 on April 04, 2013, 04:33:52 PM

Quote from: Sunny King on January 07, 2013, 12:55:49 AM

Quote from: Jutarul on January 05, 2013, 10:40:27 AM

(bump) Please feel free to post the details for the planned fix when ready, given you appreciate any external review.

The protocol upgrade involves replacing the proof-of-stake difficulty as the hash modifier for proof-of-stake (we call it stake modifier). The new stake modifier is 64 bit and derived from about 9 days worth of blocks after the coin generating the stake. When I get some time over next week I would talk a bit more about how it works.

Has any progress been made with this?

The 0.3 upgrade introduced some changes. However, no serious security analysis of the new code has been published yet.

Empirically though it's been 3 months and is standing up well to stress testing. PPCoin is proving itself just like Bitcoin had too...

Jutarul

donator

Activity: 994

Merit: 1000

Quote from: matt608 on April 04, 2013, 04:33:52 PM

Quote from: Sunny King on January 07, 2013, 12:55:49 AM

Quote from: Jutarul on January 05, 2013, 10:40:27 AM

(bump) Please feel free to post the details for the planned fix when ready, given you appreciate any external review.

The protocol upgrade involves replacing the proof-of-stake difficulty as the hash modifier for proof-of-stake (we call it stake modifier). The new stake modifier is 64 bit and derived from about 9 days worth of blocks after the coin generating the stake. When I get some time over next week I would talk a bit more about how it works.

Has any progress been made with this?

The 0.3 upgrade introduced some changes. However, no serious security analysis of the new code has been published yet.

matt608

hero member

Activity: 882

Merit: 1000

Quote from: Sunny King on January 07, 2013, 12:55:49 AM

Quote from: Jutarul on January 05, 2013, 10:40:27 AM

(bump) Please feel free to post the details for the planned fix when ready, given you appreciate any external review.

The protocol upgrade involves replacing the proof-of-stake difficulty as the hash modifier for proof-of-stake (we call it stake modifier). The new stake modifier is 64 bit and derived from about 9 days worth of blocks after the coin generating the stake. When I get some time over next week I would talk a bit more about how it works.

Has any progress been made with this?

Sunny King

legendary

Activity: 1205

Merit: 1010

Quote from: Jutarul on January 05, 2013, 10:40:27 AM

(bump) Please feel free to post the details for the planned fix when ready, given you appreciate any external review.

The protocol upgrade involves replacing the proof-of-stake difficulty as the hash modifier for proof-of-stake (we call it stake modifier). The new stake modifier is 64 bit and derived from about 9 days worth of blocks after the coin generating the stake. When I get some time over next week I would talk a bit more about how it works.

Jutarul

donator

Activity: 994

Merit: 1000

(bump) Please feel free to post the details for the planned fix when ready, given you appreciate any external review.

Bendur

member

Activity: 60

Merit: 10

Who actually does the dev for this? Is it just Sunny King?

ripper234

legendary

Activity: 1358

Merit: 1003

Ron Gross

Quote from: Gavin Andresen on December 22, 2012, 09:05:45 AM

Quote from: Sunny King on December 21, 2012, 02:09:38 PM

We will accelerate the development schedule for this fix so stay tuned. I will give an update in my weekly update later this week on the progress of the release.

There are several smart people here who would tell you if your fix will work or not, if you listen to them.

Peer review is not perfect, but is much better than assuming that you will always come up with the best solution.

+1

Gavin Andresen

legendary

Activity: 1652

Merit: 2216

Chief Scientist

Quote from: Sunny King on December 21, 2012, 02:09:38 PM

We will accelerate the development schedule for this fix so stay tuned. I will give an update in my weekly update later this week on the progress of the release.

There are several smart people here who would tell you if your fix will work or not, if you listen to them.

Peer review is not perfect, but is much better than assuming that you will always come up with the best solution.

doublec

legendary

Activity: 1078

Merit: 1005

Quote from: Jutarul on December 21, 2012, 08:07:59 PM

However, until then I consider the design of this currency unfinished, which makes me think whether a 1 year testnet approach would have been the more responsible decision.

PPC should be considered a test currency. As I say on my exchange:

Quote

The PPCoin network seems to be experimental. It uses a different approach to blockchain security than Bitcoin. This exchange makes no guarantee that the PPCoin network will remain viable or secure in the long term.

Even if the developers released it as a '1 year testnet' coin I'm sure you'd find speculators jumping on it. And probably even continuing with it after the year. Much like when Solidcoin 1 shut down some people kept it going. One a coin is out in the wild, it's a real coin. One way of preventing this for a true '1 year testnet approach' might be to reset the blockchain reguarly. Hard to do on a chain that requires coin age though. The regular chain resets on bitcoin's testnet seem to stop it being used as a currency pretty effectively.

sangaman

sr. member

Activity: 342

Merit: 250

+1 to the real test as well

I did not consider the fact that the developers announcing the vulnerability might lead to people to exploiting it. However, given the fact that it's mostly nullified by the checkpoints and we're in an informal "test" period, I would have liked to have known about it when it was discovered.

Anyway Sunny King and company good luck solving the problem and I do hope you can come up with a satisfactory solution soon.

smoothie

legendary

Activity: 2492

Merit: 1473

LEALANA Bitcoin Grim Reaper

Quote from: dreamwatcher on December 21, 2012, 09:33:57 PM

Come on guys, is the rhetoric really necessary?

A bug and possible exploit was found in a coin a few months old, using a new concept (POS) that had been discussed but never implemented before.
Did you honestly think there would be no bugs along the way?

Bitcoin has had its share of bugs and exploits https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures.
I cite this not as a criticism to Bitcoin, but to show that every software project can have bugs and exploits.
Yet I do not hear things like "The white paper would have been laughed at" directed at Bitcoin.

We do not know what Sunny or the developers knew or did not know ahead of time. It is easy to be a Monday mourning quarterback, but quite a different story to be in the game.

I do understand the desire to be given a little time to explore the vulnerability before releasing it to the public. I am not advocating secrecy, but give a developer a little time to attempt a fix before every person with malicious intent tries to form an exploit from what is now public information. I have messaged Sunny before about various things with PPC and he has been nothing but professional and responsive to me.

The real test is to see what Sunny and the developers do about this bug in both speed and effectiveness.

Until then, relax a bit, it is a vulnerability that cannot practically be exploited at the moment.

+1

dreamwatcher

legendary

Activity: 1064

Merit: 1000

Come on guys, is the rhetoric really necessary?

A bug and possible exploit was found in a coin a few months old, using a new concept (POS) that had been discussed but never implemented before.
Did you honestly think there would be no bugs along the way?

Bitcoin has had its share of bugs and exploits https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures.
I cite this not as a criticism to Bitcoin, but to show that every software project can have bugs and exploits.
Yet I do not hear things like "The white paper would have been laughed at" directed at Bitcoin.

We do not know what Sunny or the developers knew or did not know ahead of time. It is easy to be a Monday mourning quarterback, but quite a different story to be in the game.

I do understand the desire to be given a little time to explore the vulnerability before releasing it to the public. I am not advocating secrecy, but give a developer a little time to attempt a fix before every person with malicious intent tries to form an exploit from what is now public information. I have messaged Sunny before about various things with PPC and he has been nothing but professional and responsive to me.

The real test is to see what Sunny and the developers do about this bug in both speed and effectiveness.

Until then, relax a bit, it is a vulnerability that cannot practically be exploited at the moment.

sangaman

sr. member

Activity: 342

Merit: 250

Quote from: Deprived on December 21, 2012, 08:41:12 PM

Well at least we can now see why no proper white-paper was published - everyone would have laughed at it.

This is a bit like making an "energy-efficient" version of a bit-coin miner - by modifying it so it only checks 5 hashes per second. Then praying noone looks at the source-code and decides to increase the number of hashes checked (or uses a different miner).

Well this vulnerability doesn't allow for a sustainable attack without having a huge % of coins, so it's not exactly like that.

I'd just like to know what the design is for a fix - supposedly there is one - and when we can expect it to be implemented.

Deprived

hero member

Activity: 532

Merit: 500

Well at least we can now see why no proper white-paper was published - everyone would have laughed at it.

This is a bit like making an "energy-efficient" version of a bit-coin miner - by modifying it so it only checks 5 hashes per second. Then praying noone looks at the source-code and decides to increase the number of hashes checked (or uses a different miner).

sangaman

sr. member

Activity: 342

Merit: 250

Thanks Jut for your alertness and for sharing a detailed breakdown of the issue in a public forum. It's definitely something that should be in the public domain and you deserve credit and gratitude for using your discovery to inform others rather than keep it to yourself. I think you're under no obligation to report vulnerabilities to the PPCoin developers; in fact you're under no obligation to report it at all and it's admirable that you did.

I too want to see a POS coin succeed and at the moment PPCoin seems like the best hope.

I don't think that post you quoted from Sunny King though is dishonest - I don't think he's implying that there are no known vulnerabilities. Although it does seem a bit odd that Sunny King hasn't mentioned this vulnerability and its implications in one of the weekly updates if he's known about it for a while. I don't expect perfect code but I would like there to be more transparency. For example, if we'd known about this earlier we could have known to wait for extra confirmations for important transactions at least until the vulnerability is patched.

Topic: [PPC] [DISCLOSURE] Stake Generation Vulnerability (Read 16706 times)