Pages:
Author

Topic: [PSA] Attention: Security vulnerability in new alt coins! (Read 2339 times)

full member
Activity: 134
Merit: 100
Bump for justice.  Dogecoin released with insane low difficulty did it not?  I wonder how many Dogecoin ended up in the wrong hands at the beginning?
newbie
Activity: 28
Merit: 0
Yes I figured out what you need to do to set the difficulty of the genesis block. It's in the nBits field of the genesis block. If you set the nBits field to bnProofOfWorkLimit.GetCompact() that should ensure that the genesis block and the blocks after it have the difficulty set by bnProofOfWorkLimit. I think anyway. I am not 100% sure.
sr. member
Activity: 308
Merit: 250
FlutterCoin Developer
Nopes.. read my post again..

Ahh gotcha...  I have been trying to modify the starting difficulty for the last few days, and while I've done it, it jacks up everything else LOL.
legendary
Activity: 934
Merit: 1000
Nopes.. read my post again..
sr. member
Activity: 308
Merit: 250
FlutterCoin Developer
So your saying if you change bnProofOfWorkLimit as OP said in he first post, that it will change the starting difficulty?
legendary
Activity: 934
Merit: 1000
Hmmmm... If it's that easy then it's absolutely silly that these copy-pasta clones start at such a ridiculously low difficulty.

Again, if you have knowledge of how to set the initial difficulty higher please share it. The recent flood of clones is obviously being done by amateurs that probably won't figure this out, and yet will release their coins anyway. So do everyone a favour and educate them. Maybe they will listen.

It is quite easy.. unless a retargeting takes place (which is scheduled in the code every so many blocks) the difficulty for a block is simply the difficulty of the block before..

Hence, the starting difficulty depends on the difficulty of the Genesis block..

All the kids here releasing alt-coins barely know how to generate a Genesis block, let alone change it's difficulty..

The bnProofOfWorkLimit is just that; it's the upper (or lower depending how you look at it) limit of the difficulty.

Edit: To further support the above:

Code:
# litecoind getblockhash 0
12a765e31ffd4059bada1e25190f6e98c99d9714d334efa41a195a7e7e04bfe2
# litecoind getblock 12a765e31ffd4059bada1e25190f6e98c99d9714d334efa41a195a7e7e04bfe2
{
...
    "bits" : "1e0ffff0",
    "difficulty" : 0.00024414,
....
}
sr. member
Activity: 308
Merit: 250
FlutterCoin Developer
Please don't show anyone where to make the change - if someone can't figure that out, then they have no business releasing code that they have no real clue how it works

These people are going to create copy-pasta clones anyway. If we don't educate them they will be forever without this knowledge. So I encourage you to explain how to make this modification. I am sick and tired of all these clones starting at retardedly low difficulty.

The tool u mention already exists.. it's called cgminer.. or cpuminer...

you simply start a few daemons with the -connect option. That ensures it only connects to one node (which is also yours).. then you instruct your rigs to mine on your node.. as soon as you have a height > current blockheight you disconnect one daemon and restart it without the -connect option.. Voilá..

And yacoin, yes I think this has been done..

Hmmmm... If it's that easy then it's absolutely silly that these copy-pasta clones start at such a ridiculously low difficulty.

Again, if you have knowledge of how to set the initial difficulty higher please share it. The recent flood of clones is obviously being done by amateurs that probably won't figure this out, and yet will release their coins anyway. So do everyone a favour and educate them. Maybe they will listen.

Its not so simple to change the starting difficulty without screwing up the entire difficulty calculation.  Hence not one coin that I have seen on the scrypt side has ever released a coin with a higher starting difficulty.  I should say I can see to quick and clean way to do it.  But there are other ways...
member
Activity: 112
Merit: 10
Yeah I am mining worldcoin because I am bored. I do not expect it to hit an exchange, nor do I expect to be able to sell it for anything more than pennies if it does.

It would be nice if a coin came along that was a serious distraction from litecoin so litecoin's difficulty would go down though. And these copy-pasta clones are not going to do it.

Not sure if you meant copy-pasta or copy-paste, but I think copy-pasta is brilliant because it really feels like all the new alt's are just trolling us like copy-pasta on 4chan...

"Copy-pasta" clones should be the new official name for coins with nothing new to offer...

yeah nothing new besides credit card like transaction speeds, just like the same old bitcoin and litcoins.
newbie
Activity: 28
Merit: 0
Please don't show anyone where to make the change - if someone can't figure that out, then they have no business releasing code that they have no real clue how it works

These people are going to create copy-pasta clones anyway. If we don't educate them they will be forever without this knowledge. So I encourage you to explain how to make this modification. I am sick and tired of all these clones starting at retardedly low difficulty.

The tool u mention already exists.. it's called cgminer.. or cpuminer...

you simply start a few daemons with the -connect option. That ensures it only connects to one node (which is also yours).. then you instruct your rigs to mine on your node.. as soon as you have a height > current blockheight you disconnect one daemon and restart it without the -connect option.. Voilá..

And yacoin, yes I think this has been done..

Hmmmm... If it's that easy then it's absolutely silly that these copy-pasta clones start at such a ridiculously low difficulty.

Again, if you have knowledge of how to set the initial difficulty higher please share it. The recent flood of clones is obviously being done by amateurs that probably won't figure this out, and yet will release their coins anyway. So do everyone a favour and educate them. Maybe they will listen.
sr. member
Activity: 308
Merit: 250
FlutterCoin Developer
Please don't show anyone where to make the change - if someone can't figure that out, then they have no business releasing code that they have no real clue how it works
sr. member
Activity: 308
Merit: 250
FlutterCoin Developer
While this is probably true, if they started at a difficulty of 1, or .25, and the coin became popular, very quickly, it would be impossible to get coins, and if it was traded, the coin would be unprofitable to mine.  So that means basically anyone without 10 - 30 MH's rigs (for litecoin variants) would get scraps, where as currently with some of the new coins, anyone who sees a release quick enough,m even with minimal hashing power, can scoop up a few thousand coins and possible a nice profit if its traded.  I say something like .025 would be a better start than .25 or 1.

What was Bitcoin's original starting difficulty, anyone know?

What are you talking about...? At difficulty 0.25 with 350 KH/s you should find a block roughly every hour, that is hardly scraps. Coins shouldn't be made with the intention of everyone getting thousands of coins in the first few days so they can hoard them until the coin reaches an exchange and then dump their thousands of coins on the market decreasing the value of the coin instantaneously. Any coin designed to be intentionally pumped and dumped shouldn't bother being released.

Bitcoin's starting difficulty was technically higher than 0.25

Code:
static CBigNum bnProofOfWorkLimit(~uint256(0) >> 30)

that generates a starting scrypt difficulty of ~0.25, every incremental increase doubles the difficulty.

Bitcoin started with:

Code:
static CBigNum bnProofOfWorkLimit(~uint256(0) >> 32)

Please explain how that line of code raises the starting difficulty?
It doesn't.

Exactly
legendary
Activity: 934
Merit: 1000
legendary
Activity: 980
Merit: 1000
While this is probably true, if they started at a difficulty of 1, or .25, and the coin became popular, very quickly, it would be impossible to get coins, and if it was traded, the coin would be unprofitable to mine.  So that means basically anyone without 10 - 30 MH's rigs (for litecoin variants) would get scraps, where as currently with some of the new coins, anyone who sees a release quick enough,m even with minimal hashing power, can scoop up a few thousand coins and possible a nice profit if its traded.  I say something like .025 would be a better start than .25 or 1.

What was Bitcoin's original starting difficulty, anyone know?

What are you talking about...? At difficulty 0.25 with 350 KH/s you should find a block roughly every hour, that is hardly scraps. Coins shouldn't be made with the intention of everyone getting thousands of coins in the first few days so they can hoard them until the coin reaches an exchange and then dump their thousands of coins on the market decreasing the value of the coin instantaneously. Any coin designed to be intentionally pumped and dumped shouldn't bother being released.

Bitcoin's starting difficulty was technically higher than 0.25

Code:
static CBigNum bnProofOfWorkLimit(~uint256(0) >> 30)

that generates a starting scrypt difficulty of ~0.25, every incremental increase doubles the difficulty.

Bitcoin started with:

Code:
static CBigNum bnProofOfWorkLimit(~uint256(0) >> 32)

Please explain how that line of code raises the starting difficulty?
It doesn't.
legendary
Activity: 934
Merit: 1000
The tool u mention already exists.. it's called cgminer.. or cpuminer...

you simply start a few daemons with the -connect option. That ensures it only connects to one node (which is also yours).. then you instruct your rigs to mine on your node.. as soon as you have a height > current blockheight you disconnect one daemon and restart it without the -connect option.. Voilá..

And yacoin, yes I think this has been done..
newbie
Activity: 28
Merit: 0
Well this is good to know!

Do you guys think this might have happened with other coins as well?

If someone does a 51% attack, can it be done without anybody knowing about it ?Smiley
sr. member
Activity: 308
Merit: 250
FlutterCoin Developer
While this is probably true, if they started at a difficulty of 1, or .25, and the coin became popular, very quickly, it would be impossible to get coins, and if it was traded, the coin would be unprofitable to mine.  So that means basically anyone without 10 - 30 MH's rigs (for litecoin variants) would get scraps, where as currently with some of the new coins, anyone who sees a release quick enough,m even with minimal hashing power, can scoop up a few thousand coins and possible a nice profit if its traded.  I say something like .025 would be a better start than .25 or 1.

What was Bitcoin's original starting difficulty, anyone know?

What are you talking about...? At difficulty 0.25 with 350 KH/s you should find a block roughly every hour, that is hardly scraps. Coins shouldn't be made with the intention of everyone getting thousands of coins in the first few days so they can hoard them until the coin reaches an exchange and then dump their thousands of coins on the market decreasing the value of the coin instantaneously. Any coin designed to be intentionally pumped and dumped shouldn't bother being released.

Bitcoin's starting difficulty was technically higher than 0.25

Code:
static CBigNum bnProofOfWorkLimit(~uint256(0) >> 30)

that generates a starting scrypt difficulty of ~0.25, every incremental increase doubles the difficulty.

Bitcoin started with:

Code:
static CBigNum bnProofOfWorkLimit(~uint256(0) >> 32)

Please explain how that line of code raises the starting difficulty?
full member
Activity: 224
Merit: 100
Please do not start at zero difficulty (0.00024414 to be precise, which is the default start difficulty of litecoin). I know you're hoping to get rich quick but here's why you should not do this: 51% attack.

All someone has to do is build a tool that will mine valid blocks using GPUs as quickly as possible without asking the network if the blocks are valid or not (except the first one). Then you periodically broadcast your attack chain to the network without caring at all about the longest chain seen by your client from the network. As long as the chain is valid this will work.

With the difficulty at the default of 0.00024414, all you need is 0.00024414 * 2^23 * 10 = 10.5 MHash/s to be able to mine 10 blocks per second (the equation is difficulty * 2^32 * blocks_per_second = hashrate_required). I have noticed usually the network is only able to go 2-5 blocks per second because of network latency, and nearly everyone is getting 95%+ orphans thus wasting their hashing power. So at 10 blocks per second an attacker would have absolutely no problem mining faster than a network that's having a laggy orphan-fest. And 10.5 MHash/s is cheap... quite a lot of people have that or more. You might even be able to pull off this attack with just 5 MHash/s as long as you can build your chain faster than the legit network can.

If your new or upcoming coin uses scrypt the above tool will be able to attack your coin! I don't even think there's any need for the tool to be modified for new coins in order to work, it just needs to grab your genesis block and then go nuts producing blocks as fast as it can, periodically broadcasting its chain to ensure if you use checkpoints there's a high chance you'll checkpoint the chain it's produced. It might need some tweaking knobs for commonly changed parameters like the difficulty retarget period, number of coins per block, etc. It's also quite possible this tool could be made by using a simple proxy wrapper around the *coind server to censor data coming in to ensure it's not aware of other chains but the attacker's chain. This ensures the attacker will be able to jump on your new coin an hijack the chain as soon as you launch.

If anyone can prove that the above tool cannot be created, I am all ears. Please quote source code or something as proof. But as far as I know I am correct and it's possible to perform this attack provided the difficulty is low enough.

TL;DR New altcoin authors, please stop using the default litecoin starting difficulty. Please use a sane value such as 0.25 or 1.0 as the starting difficulty. Otherwise a 51% attack can easily steal all your and your early adopter's coins! Checkpoints will not foil this attack!

Obviously this has been going on a LOT the last few days. Sorry people, those 'disappearing' coins are not orphans or invalid. They are just someone else's coins now!
member
Activity: 112
Merit: 10
BitBar doesn't have this problem!
The coin uses Proof of stake together with proof of work.
newbie
Activity: 28
Merit: 0
Copy-pasta was intentional :-) I stole it from someone on IRC I think but I thought it was very fitting.
sr. member
Activity: 287
Merit: 250
+1 OP.  Thanks for posting this.
Pages:
Jump to: