Pages:
Author

Topic: Re: Mining pools list - page 18. (Read 818 times)

legendary
Activity: 2576
Merit: 1186
May 05, 2015, 11:56:16 AM
There is a vulnerability found in the majority of stratum mining protocol implementations. I've published the disclosure of this bug few weeks ago.
Why did you make a public disclosure in Russian of a security bug in software written and maintained by people who probably don't understand Russian?
The proper procedure for such things is to privately get in touch with the maintainers so they have an opportunity to fix it before public disclosure - especially for bugs easily exploited.

Vulnerability is caused by incorrect algorithm of verification for uniqueness. Instead of checking raw solutions, most of the pools are doing this through checking the hex-encoded representation. This allows miner to create multiple versions of the same share through applying uppercase function to hex encoded solution.

This vulnerability seems as intentionally made i.e. backdoor. Simplest workaround is to use lower() method:
While it's a pretty stupid bug, I don't think I'd automatically assume malice.

As far I know, stratum-mining/eloipool/node-stratum-pool are vulnerable.
Why do you say Eloipool is affected? It checks for duplicate submissions in binary.
sr. member
Activity: 392
Merit: 251
May 05, 2015, 11:54:10 AM
For whatever it is worth, I think SockThing is vulnerable to this (my bad).

I've pushed a change that should fix it:
https://github.com/fireduck64/SockThing/commit/cf7cf1c04be5df747ce0c124be96702f694933e1

legendary
Activity: 3108
Merit: 1359
May 05, 2015, 11:53:18 AM
I've sent a message to some involved people and pool owners mail list.

Though there is no sense because we have found this vulnerability a month ago after experiencing the misterious unluck and checking the share log. So I guess it has been exploited for a while... Maybe a few months or even few years.


wizkid057
Quote
FUD

I didn't check eloipool myself so yep, I can be wrong there. But stratum-mining and node stratum are definetely affected.

legendary
Activity: 1223
Merit: 1006
May 05, 2015, 11:52:03 AM
legendary
Activity: 2730
Merit: 1034
Needs more jiggawatts
May 05, 2015, 10:46:01 AM
Some pools like BtcGuild are not affected for unclear reason. Probably because they're using proprietary software.

Yes, they are. Same thing with Bitminter. I would expect most pools are using their own software and are not vulnerable.

I thought ghash had their own implementation as well. Although of course they could have made the same mistake.

I hope you contacted these pools and gave them a chance to fix the issue before going public with it.
legendary
Activity: 3108
Merit: 1359
May 05, 2015, 10:07:23 AM
Hi guys.

Read an article yesterday, and I think I know why some pools are so "unlucky".

In fact they're not unlucky, they're attacked through share multiplication issue. There is a vulnerability found in the majority of stratum mining protocol implementations. I've published the disclosure of this bug few weeks ago.

Vulnerability is caused by incorrect algorithm of verification for uniqueness. Instead of checking raw solutions, most of the pools are doing this through checking the hex-encoded representation. This allows miner to create multiple versions of the same share through applying uppercase function to hex encoded solution.

Quote
{"id":102,"method":"mining.submit","params":["eobot.41355", "19", "5e490000", "552ce06a", "c0ad31ee"]}
{"id":103,"method":"mining.submit","params":["eobot.41355", "19", "5e440000", "552ce06e", "3b39f0a2"]}
{"id":102,"method":"mining.submit","params":["eobot.41355", "19", "5e490000", "552ce06a", "c0ad31eE"]}
{"id":103,"method":"mining.submit","params":["eobot.41355", "19", "5e440000", "552ce06e", "3b39f0a2"]}
{"id":102,"method":"mining.submit","params":["eobot.41355", "19", "5e490000", "552ce06a", "c0ad31Ee"]}
{"id":103,"method":"mining.submit","params":["eobot.41355", "19", "5e440000", "552ce06e", "3b39f0a2"]}
{"id":102,"method":"mining.submit","params":["eobot.41355", "19", "5e490000", "552ce06a", "c0ad31EE"]}
{"id":103,"method":"mining.submit","params":["eobot.41355", "19", "5e440000", "552ce06e", "3b39f0a2"]}
{"id":102,"method":"mining.submit","params":["eobot.41355", "19", "5e490000", "552ce06a", "c0aD31ee"]}
{"id":103,"method":"mining.submit","params":["eobot.41355", "19", "5e440000", "552ce06e", "3b39f0a2"]}

This vulnerability seems as intentionally made i.e. backdoor. Simplest workaround is to use lower() method:

Code:
@@ -192,7 +192,12 @@ def submit_share(self, job_id, worker_name, session, extranonce1_bin, extranonce
    # Check nonce
    if len(nonce) != 8:
        raise SubmitException("Incorrect size of nonce. Expected 8 chars")

+    # normalize the case to prevent duplication of valid shares by the client
+    ntime = ntime.lower()
+    nonce = nonce.lower()
+    extranonce2 = extranonce2.lower()
+
    # Check for duplicated submit

As far I know, stratum-mining/eloipool/node-stratum-pool are vulnerable. Example of affected pools is ghash.io... Some pools like BtcGuild are not affected for unclear reason. Probably because they're using proprietary software.

legendary
Activity: 1610
Merit: 1000
May 01, 2015, 10:12:03 AM
A solo pool with a minimum payout Huh

I'm just putting down the minimum payout as the setting has in place so when it halves I don't have to take down the pool.

...
Eh?
Do you even know what a solo mining pool is?

I'm guessing it's the way the minimum payout variable is set on the pool software. If you set it to say 25 btc, then it might not be happy when rewards are 12.5 btc.
On ckpool Pure solo there is no minimum payout Wink
No restarts every 4 years are needed. The only restart you need is to  catch up with git commits and that is all..
legendary
Activity: 4634
Merit: 1851
Linux since 1997 RedHat 4
May 01, 2015, 08:22:16 AM
A solo pool with a minimum payout Huh

I'm just putting down the minimum payout as the setting has in place so when it halves I don't have to take down the pool.

...
Eh?
Do you even know what a solo mining pool is?

I'm guessing it's the way the minimum payout variable is set on the pool software. If you set it to say 25 btc, then it might not be happy when rewards are 12.5 btc.
Some time in about ... 1.25 years ... then ~4 years after that ... then ~4 years after that.
Yeah I don't really think it's a problem stopping the pool once every ~4 years to set that to half it's value Tongue
As for the min payout listed here - well it's not relevant to a solo pool even if the software has some silly configuration in it about that.
Maybe he should fix the code ... ... ... ... ... ... ...

Why should I have to do extra work when I could simply put a 0.01 payout and it doesn't effect anything?

I'm still curious on why you're even commenting on trivial issues as if it is going to effect you somehow. 
Still curious about my comments? When were you curious before?

I'm curious why you are running a pool when you can't even edit the software to resolve such a trivial problem but instead comment on how the value you've used is to save you from restarting the pool once every 4 years ... ... ... ...

That sort of comment raises a major flag IMO.

I've made comment about this before around the forum about people running pools who are unable to fully manage the pool.
I guess when there comes a problem with the pool and you are unable to change/fix the code, then anyone who chose to mine on your pool is now in the situation of waiting until you find someone (trustworthy? or omg I better grab the first person I can find) to fix the problem.

People seem to think they can run a pool on their home internet connection or some tiny vps worth $10 a month
Then of course there's issues like tuning the server to handle a large number of connections.
Then the obvious stuff like ensuring the pool has a very good connection to the bitcoin network so that miners aren't throwing hashes at you and getting regular orphans - even big pools like Eligius fail at doing that Tongue
I wonder where your pool wallet is? Is it on a server that you may know next to nothing about managing?
Do you know all the services running on the server and what they do?
Do you monitor the connections and keep an eye on server access and security?

These sorts of things become an issue down the track when the pool operator says OMG someone hacked the pool and stole all the BTC. Sorry.
It's happened quite a few times in the past with pools.

Seems the latest trend is people seeing some free pool download software and thinking OMG I can make a fortune running a pool.
Being able to fully run a pool may be no where in their repertoire.
sr. member
Activity: 392
Merit: 250
★ BitClave pre-ICO: 25/07/17 ★
May 01, 2015, 07:38:42 AM
A solo pool with a minimum payout Huh

I'm just putting down the minimum payout as the setting has in place so when it halves I don't have to take down the pool.

...
Eh?
Do you even know what a solo mining pool is?

I'm guessing it's the way the minimum payout variable is set on the pool software. If you set it to say 25 btc, then it might not be happy when rewards are 12.5 btc.
Some time in about ... 1.25 years ... then ~4 years after that ... then ~4 years after that.
Yeah I don't really think it's a problem stopping the pool once every ~4 years to set that to half it's value Tongue
As for the min payout listed here - well it's not relevant to a solo pool even if the software has some silly configuration in it about that.
Maybe he should fix the code ... ... ... ... ... ... ...

Why should I have to do extra work when I could simply put a 0.01 payout and it doesn't effect anything?

I'm still curious on why you're even commenting on trivial issues as if it is going to effect you somehow. 
legendary
Activity: 4634
Merit: 1851
Linux since 1997 RedHat 4
May 01, 2015, 12:05:07 AM
A solo pool with a minimum payout Huh

I'm just putting down the minimum payout as the setting has in place so when it halves I don't have to take down the pool.

...
Eh?
Do you even know what a solo mining pool is?

I'm guessing it's the way the minimum payout variable is set on the pool software. If you set it to say 25 btc, then it might not be happy when rewards are 12.5 btc.
Some time in about ... 1.25 years ... then ~4 years after that ... then ~4 years after that.
Yeah I don't really think it's a problem stopping the pool once every ~4 years to set that to half it's value Tongue
As for the min payout listed here - well it's not relevant to a solo pool even if the software has some silly configuration in it about that.
Maybe he should fix the code ... ... ... ... ... ... ...
donator
Activity: 2058
Merit: 1007
Poor impulse control.
April 30, 2015, 10:55:19 PM
A solo pool with a minimum payout Huh

I'm just putting down the minimum payout as the setting has in place so when it halves I don't have to take down the pool.

...
Eh?
Do you even know what a solo mining pool is?

I'm guessing it's the way the minimum payout variable is set on the pool software. If you set it to say 25 btc, then it might not be happy when rewards are 12.5 btc.
donator
Activity: 2058
Merit: 1007
Poor impulse control.
April 30, 2015, 10:54:00 PM
Is this different to other solo-mining pools?

No, I suppose not.  Just didn't know how to word it.

Good-oh, list had been updated.
legendary
Activity: 4634
Merit: 1851
Linux since 1997 RedHat 4
April 30, 2015, 10:32:38 PM
A solo pool with a minimum payout Huh

I'm just putting down the minimum payout as the setting has in place so when it halves I don't have to take down the pool.

...
Eh?
Do you even know what a solo mining pool is?
sr. member
Activity: 392
Merit: 250
★ BitClave pre-ICO: 25/07/17 ★
April 30, 2015, 09:49:23 PM
A solo pool with a minimum payout Huh

I'm just putting down the minimum payout as the setting has in place so when it halves I don't have to take down the pool.


Pool:                             Crypto-Miners Club
Website:                        www.Crypto-Miners.Club
Generation address:     1Q8M87yTySES5cS44gjapr2Uw7WCV58oQC
Blockchain.info sig:       H/jWZVfKAD/0X3B2C2ajmtcHXcFA7lhzYYFPeRN6mk7FaSmqXi7evwVzPghJS3PSkSPeJZan6/OHUxnz17nLE6o=    
Payout method:             Group Solo Mining Pool
Fee:                               0.5%
Pay Tx Reward:             Yes
Vardiff:                           Yes / User-Defined
Local Work:                    Stratum
Pay Orphans:                 No
Min Withdrawal:              0.001 BTC
Merge Mining:                 Not Yet

Updated original post as well.

Is this different to other solo-mining pools?

No, I suppose not.  Just didn't know how to word it.
donator
Activity: 2058
Merit: 1007
Poor impulse control.
April 29, 2015, 08:54:52 PM
Pool:                             Crypto-Miners Club
Website:                        www.Crypto-Miners.Club
Generation address:     1Q8M87yTySES5cS44gjapr2Uw7WCV58oQC
Blockchain.info sig:       H/jWZVfKAD/0X3B2C2ajmtcHXcFA7lhzYYFPeRN6mk7FaSmqXi7evwVzPghJS3PSkSPeJZan6/OHUxnz17nLE6o=    
Payout method:             Group Solo Mining Pool
Fee:                               0.5%
Pay Tx Reward:             Yes
Vardiff:                           Yes / User-Defined
Local Work:                    Stratum
Pay Orphans:                 No
Min Withdrawal:              0.001 BTC
Merge Mining:                 Not Yet

Updated original post as well.

Is this different to other solo-mining pools?
legendary
Activity: 4634
Merit: 1851
Linux since 1997 RedHat 4
April 29, 2015, 08:41:01 PM
A solo pool with a minimum payout Huh
sr. member
Activity: 392
Merit: 250
★ BitClave pre-ICO: 25/07/17 ★
April 29, 2015, 08:33:21 PM
Pool:                             Crypto-Miners Club
Website:                        www.Crypto-Miners.Club
Generation address:     1Q8M87yTySES5cS44gjapr2Uw7WCV58oQC
Blockchain.info sig:       H/jWZVfKAD/0X3B2C2ajmtcHXcFA7lhzYYFPeRN6mk7FaSmqXi7evwVzPghJS3PSkSPeJZan6/OHUxnz17nLE6o=    
Payout method:             Group Solo Mining Pool
Fee:                               0.5%
Pay Tx Reward:             Yes
Vardiff:                           Yes / User-Defined
Local Work:                    Stratum
Pay Orphans:                 No
Min Withdrawal:              0.001 BTC
Merge Mining:                 Not Yet

Updated original post as well.
full member
Activity: 186
Merit: 100
April 29, 2015, 06:36:54 PM
Pool:                      GIVE-ME-COINS.com
Website:                 http://give-me-coins.com
Proxy:                    No
Generation address: 17wqvgUuKPBesXbGDBMKfPdwtdfQXzCuKG
Coinbase signature: GIVE-ME-COINS.com
Payout method:        PPLNS
Fee:                        0%
Pay Tx Reward:        Yes
Vardiff:                   12 SPM
Local Work:             stratum
Pay Orphans:           No
Min Withdrawal:       0.01
Merge Mining:          Currently disabled. Will be re-enabled soon

Done. Please check for errors.

Perfect.
Thanks! Smiley
donator
Activity: 2058
Merit: 1007
Poor impulse control.
April 29, 2015, 06:31:58 PM
Pool:                      GIVE-ME-COINS.com
Website:                 http://give-me-coins.com
Proxy:                    No
Generation address: 17wqvgUuKPBesXbGDBMKfPdwtdfQXzCuKG
Coinbase signature: GIVE-ME-COINS.com
Payout method:        PPLNS
Fee:                        0%
Pay Tx Reward:        Yes
Vardiff:                   12 SPM
Local Work:             stratum
Pay Orphans:           No
Min Withdrawal:       0.01
Merge Mining:          Currently disabled. Will be re-enabled soon

Done. Please check for errors.
full member
Activity: 186
Merit: 100
April 29, 2015, 06:04:40 PM
Pool:                      GIVE-ME-COINS.com
Website:                 http://give-me-coins.com
Proxy:                    No
Generation address: 17wqvgUuKPBesXbGDBMKfPdwtdfQXzCuKG
Coinbase signature: GIVE-ME-COINS.com
Payout method:        PPLNS
Fee:                        0%
Pay Tx Reward:        Yes
Vardiff:                   12 SPM
Local Work:             stratum
Pay Orphans:           No
Min Withdrawal:       0.01
Merge Mining:          Currently disabled. Will be re-enabled soon
Pages:
Jump to: