Topic: Re: Mining pools list - page 17. (Read 784 times)

newbie
Activity: 29
Merit: 0
May 10, 2015, 04:03:41 PM
Hi

Reported this back in March, but nobody seemed to care.

https://bitcointalksearch.org/topic/bug-in-stratum-mining-software-1001603

Denis
donator
Activity: 2058
Merit: 1007
Poor impulse control.
May 07, 2015, 10:13:13 PM
FYI the coinbase tag "/pool34/" and address 15rQXUSBQRubShPpiJfDLxmwS8ze2RUm4z are mined by 21E6/21 Inc's private pool.

Source?

The big fat copyright notice at the bottom of their pool server webpage (it's offline now). BTW they switched mining addresses to 1CdJi2xRTXJF6CEJqNHYyQDNEcM3X7fUhD and removed the coinbase tag.

Thanks for the info. I'll see if I can get independent confirmation.
sr. member
Activity: 261
Merit: 257
May 07, 2015, 09:47:10 PM
FYI the coinbase tag "/pool34/" and address 15rQXUSBQRubShPpiJfDLxmwS8ze2RUm4z are mined by 21E6/21 Inc's private pool.

Source?

The big fat copyright notice at the bottom of their pool server webpage (it's offline now). BTW they switched mining addresses to 1CdJi2xRTXJF6CEJqNHYyQDNEcM3X7fUhD and removed the coinbase tag.
donator
Activity: 2058
Merit: 1007
Poor impulse control.
May 07, 2015, 05:32:28 PM
FYI the coinbase tag "/pool34/" and address 15rQXUSBQRubShPpiJfDLxmwS8ze2RUm4z are mined by 21E6/21 Inc's private pool.

Source?
sr. member
Activity: 261
Merit: 257
May 07, 2015, 12:33:41 PM
FYI the coinbase tag "/pool34/" and address 15rQXUSBQRubShPpiJfDLxmwS8ze2RUm4z are mined by 21E6/21 Inc's private pool.
legendary
Activity: 1148
Merit: 1018
It's about time -- All merrit accepted !!!
May 06, 2015, 06:11:15 PM
I am late on this, can't believe as much as I read on the forum I missed it....  thanks to the heavy hitters here who put the time/research in and disclosed this.
legendary
Activity: 4592
Merit: 1851
Linux since 1997 RedHat 4
May 06, 2015, 02:04:31 PM

That's from March, so I guess this is still based on Balthazar's initial post? Nothing earlier than that?
https://bitcointalksearch.org/topic/m.11084506
That is April.
Or are you referring to something else?

March usually comes before April :)

https://github.com/slush0/stratum-mining/pull/12
is 42 days ago.
I will add, yet again, that this is highly unlikely to make up for their luck statistics.

It would depend on the % of the pool that were external miners and those miners % of shares submitted using this.

Blaming their luck on nefarious miners requires a high % of external miners and a high % of them withholding or doing this.

As stated before, if it was withholding, they would have the information already about who was doing it since the amount of withholding would need to be large enough to make it clear who was doing it and they would need to be external miners and a large % of the pool.
If it was this, then they'd have the share information to see who did it since it would be a LOT of such shares by a LOT of external miners who would have to be a large external % of the pool.
newbie
Activity: 57
Merit: 0
May 06, 2015, 09:17:55 AM
legendary
Activity: 4592
Merit: 1851
Linux since 1997 RedHat 4
May 06, 2015, 02:36:39 AM

That's from March, so I guess this is still based on Balthazar's initial post? Nothing earlier than that?
https://bitcointalksearch.org/topic/m.11084506
That is April.
Or are you referring to something else?

March usually comes before April :)

https://github.com/slush0/stratum-mining/pull/12
is 42 days ago.
donator
Activity: 2058
Merit: 1007
Poor impulse control.
May 06, 2015, 12:50:26 AM

That's from March, so I guess this is still based on Balthazar's initial post? Nothing earlier than that?
legendary
Activity: 4592
Merit: 1851
Linux since 1997 RedHat 4
donator
Activity: 2058
Merit: 1007
Poor impulse control.
May 05, 2015, 10:11:42 PM
There is a vulnerability found in the majority of stratum mining protocol implementations. I've published the disclosure of this bug a few weeks ago.
Why did you make a public disclosure in Russian of a security bug in software written and maintained by people who probably don't understand Russian?
The proper procedure for such things is to privately get in touch with the maintainers so they have an opportunity to fix it before public disclosure - especially for bugs easily exploited.

Balthazar contacted me a few days ago, mentioning the possibility of this bug causing poor 'luck' for GHash. I suggested posting an English translation on the pools board so I could see if there was a consensus that the attack was valid. I didn't even think about disclosure to GHash, but it should have been my first suggestion. Hassle me about that, not him. I'll certainly be forwarding GHash this discussion and see if that finally gets a response.

Nope.
But I read about it a long time ago:

https://github.com/simplecrypto/powerpool/issues/128

I assumed everyone had patched already.

Your link is from 21 days ago and uses the same example as Balthazar. Was there something from longer ago?
legendary
Activity: 1750
Merit: 1007
May 05, 2015, 02:58:13 PM
BTC Guild isn't affected as you mentioned. The BTC Guild stratum server was actually written before Stratum even existed when I was working on a different mining protocol solution to prepare for ASICs. Stratum was close enough to my protocol proposal that it took just a few hours to adapt it to match stratum syntax.

Quite alarmed that such a simple bug is in the "official" stratum branch, I'm pretty sure I remember this same type of exploit existing in the early days of getwork mining servers.
full member
Activity: 186
Merit: 100
May 05, 2015, 01:15:30 PM
Nope.
But I read about it a long time ago:

https://github.com/simplecrypto/powerpool/issues/128

I assumed everyone had patched already.

We use eloipool too, so we are not affected. I found the problem in nodejs stratum. It was an easy patch.

I've seen an issue notification in the project... Was it yours?
legendary
Activity: 3108
Merit: 1359
May 05, 2015, 01:09:52 PM
We use eloipool too, so we are not affected. I found the problem in nodejs stratum. It was an easy patch.

I've seen an issue notification in the project... Was it yours?
full member
Activity: 186
Merit: 100
May 05, 2015, 01:06:38 PM
We use eloipool too, so we are not affected. I found the problem in nodejs stratum. It was an easy patch.
legendary
Activity: 2576
Merit: 1186
May 05, 2015, 01:03:03 PM
FWIW, I also checked CKPool, and (as expected) it is not affected either.
legendary
Activity: 3108
Merit: 1359
May 05, 2015, 01:02:05 PM
Confirming that eloipool is not vulnerable and that Eligius hasn't been subject to this attack. I scanned the share database for duplicates since the last database cleanup (~week ago) and found no duplicate work credited.
Congratulations. By the way, I have always seen eligius as an example of good work. ;)
legendary
Activity: 1223
Merit: 1006
May 05, 2015, 12:58:11 PM
Confirming that eloipool is not vulnerable and that Eligius hasn't been subject to this attack. I scanned the share database for duplicates since the last database cleanup (~week ago) and found no duplicate work credited.
legendary
Activity: 3108
Merit: 1359
May 05, 2015, 12:57:35 PM
Luke-Jr

OK, then it's fine. :) Again, I didn't check Eloipool myself because I had not so much free time. Sorry for that.