So, a few news items again....
Hi everyone!
We are Norn Community - a private Russian community of blockchain experts.
On 19 Sept. there was a "spam attack" on the Tezos Network, so we decided to clear some things up.
It wasn't really a spam attack, rather us (Norn Community) just testing some tools for working with the Tezos Blockchain, and it just so happened to also cause a small stress test of the network. The good news is - we have ABSOLUTELY confirmed the network capacity for 40 TPS.
You may have also noticed that tzscan.io started acting a bit crazy, which indicates that the main Tezos block explorer can't quite handle the full Tezos transaction capacity.
We're sure the people running it will fix it sometime later.
But this is not the most important thing.
The most interesting thing is that during testing we found a bug on tzscan.io which allows absolutely any code (for example, hidden mining) to be run in the user's browser by passing the code in the parameter string of the transaction. I think you understand what opportunities for abuse it presents.
We wrote to OCaml (developers of tzscan) a detailed letter describing the bug. The bug was fixed, but we haven't even gotten so much as a "thank you" from OCaml.
Here is an example:
http://tzscan.io/onsaH7UYytpjWhRZD4j6mngxjv29X5by7C9kuYKxQXxDEhpUjk8 - then click "Yes" in the transaction and see the code. Previously (before fixing bugs), clicking on "Yes" opened a pop-up with the text "Keep money in the bank", which could not be closed.
We're not showing off or anything (well, maybe a little bit).
We think there must be some culture: if someone helped you close a serious vulnerability, at least give a shoutout. Sadly, this did not happen. It's sad. But let's draw conclusions.
P.S. we here at Norn are very interested in Tezos which is why we are developing various services for detachment.
For example, we have a first-of-its-kind telegram bot for Tezos blockchain (https://t.me/TezosNotifierBot), which can notify you about various events. Also we are developing a relational database TezosDatabase. These two components will become parts of our analytic service for Tezos.
We also started our own delegate (http://tezos.norn.fund/).
We would very much appreciate any support from the Tezos Foundation)
And one more thing to follow up...
Today's (24 Sept.) brief shutdown of the Tezos blockchain for 2 hours was also on Norn Community - sorry about that one.
No, we are not doing it for shits and giggles or some devilish pump and dump schemes (it is pretty funny though). We do want to point out that testing technical compliance with network operation is kind of a big deal and should not be put aside. All we did was make a transaction with a "demo\0" parameter which caused the whole thing to go down for 2 hours.
We are now wondering how such a small thing could wreak so much havoc on a network that has presumably been developed, tested and audited for more than a year.
Here is the transaction that dropped the network:
http://tzscan.io/oobfXKekveVp9WurgVaFov4Gb1B3ePk5E4fzu2US5M8ni9EQHbG
We already posted a bug on hackerone. Let's see how the Tezos Foundation will react to this.
With love, Norn Community
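The two incidents above share a root cause on the explorer side: an on-chain parameter string is untrusted input, and it must be rendered as inert text, never as markup, including control characters such as the NUL byte in a "demo\0" parameter. The following is an added illustration written for this thread, not tzscan's code; the cell markup, the `maxLen` cap and the sample strings are assumptions.

```javascript
// Added example (not tzscan's or Norn's code): rendering a Tezos operation's
// "parameters" string in an explorer page without letting it become HTML.

// Every HTML-significant character mapped to its entity, so the browser
// treats the parameter as text rather than as tags or attributes.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Control characters (such as the NUL in "demo\0") are made visible as
// \uXXXX escapes instead of being passed through invisibly into the page.
function escapeControlChars(s) {
  return s.replace(/[\u0000-\u001f\u007f]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Vulnerable pattern: the raw parameter string is concatenated into markup,
// so any tag inside it is interpreted by the user's browser.
function renderParameterUnsafe(param) {
  return `<td class="params">${param}</td>`;
}

// Hardened pattern: escape first (control characters, then HTML) and cap the
// length so an oversized parameter cannot bloat the page.  maxLen is an
// assumed display limit.
function renderParameterSafe(param, maxLen = 4096) {
  const clipped = param.length > maxLen ? param.slice(0, maxLen) + "..." : param;
  return `<td class="params">${escapeHtml(escapeControlChars(clipped))}</td>`;
}

// Constructed sample parameter strings (not real on-chain data).
const SAMPLE_PARAMS = ["<script>run()</script>", "demo\u0000", 'a "quoted" & plain value'];

function renderAll(params) {
  return params.map((p) => renderParameterSafe(p));
}

for (const cell of renderAll(SAMPLE_PARAMS)) console.log(cell);
```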