Topic: Regarding Auroracoin TW exploit (Fix included) - page 3. (Read 27339 times)

Thank you. It is a jungle indeed.

The announcement section is a jungle:
https://bitcointalksearch.org/topic/m.6113496

Link?

It appears some draino/coin hybrid has been hit with a difficulty of 55 million and just so happens to use KGW. Would you happen to know anything about this? Please tell me I didn't look away and miss something!

The fix actually changes the way algorithm deals with blocks that are timestamped before the latest block's timestamp (ie timewarped blocks). It processes them just like if they were timestamped as the latest block. So if there is any benefit an attacker gets by timestamping the blocks in the past, the benefit will be gone. The attacker could as well timestamp them with latest blocks time. No more any extra gain from Time Warp, whatever it has been.

This change actually lowers the difficulty what the time warped block would get. However, the attacker would get the same lower diff by timestamping that block at the latest block time, ie not using timewarp, so the fix does not give any advantage which had not already been there.

Cannacoin has updated its protocol to patch the potential KGW/Time-Warp exploit. Thanks to everyone involved in the discussion and fix, your time and efforts are appreciated!

Please do. I've found a comfortable seat, and I have plenty of snacks.

Why have you not asked? I'm not a part of your community, not supposed to monitor what you do and to give advice on every matter.

Saying it is a bad idea does not yet make it a bad idea. Can you give some reasoning behind this? If there is good reasoning, why didnt you tell that when it was only being planned?

Your opinion, then, is that one really can make TW exploit with less than majority hashing power. I would be very grateful to know the reasoning behind that statement.

The problem that makes the time warp possible at all is that difficulty is being measured wrong. 

Having a lower difficulty threshold and more blocks, generated by a small fraction of the main chain's hashing power, should NEVER result in the difficulty calculation thinking that you have more total work than the main chain.

Consider two forks, one with a difficulty of, say 20 and one with a difficulty of, say, 11.  If there is actually more work on the chain with 11 difficulty, it will have more blocks that meet the 20 difficulty than the other chain has total blocks.  It shouldn't be getting any work credit at all for blocks that don't meet the hardest branch's difficulty.

First, an attacker still needs to exceed the cumulative difficulty score of the original chain. Second, there must not be any checkpoints on the original chain for those 2 weeks, neither hard coded nor synchronised. Third if the second is true, this is a huge reorganisation which won't pass unnoticed and a smart developer would secure his chain with a checkpoint immediately, release an updated client and ask the community to upgrade.


Median of 11 is 6 blocks. Although AUR has changed this to median of 3 which is a bad idea actually.

USDe has updated its KGW code to close the potential exploit gaps - thanks to users in this discussion for assistance in the solution.

You have misunderstood the fix. There are 2 fixes and the one you are referring fixes another attack vector.

The fix to usual TW attack (which BCX was planning was to use) was to use LatestBlockTime instead of BlockLastSolved->GetBlockTime() to count the timespan. Without this one can timetravel back without diff rise, with this the benefit attacker gets by travellin past is lost.

The another fix (preventing PastRateActualSeconds to go to 0) takes care of another attack vector. Here is a short explanation of the attack:
1. generate a block 2 weeks to the future. You cannot publish it, it is not on current time window.
2. Start generating blocks with the same timestamp (ie the moment 2 weeks in the future)

See what would happen: after there is PastBlocksMax blocks in the private chain, *the diff would not change* at all!

That would mean you have 2 weeks to generate blocks with 0 difficulty. With decent hashrate, you easily get 1 block in a second. In 2 weeks you get 1209600 blocks.

When that 2 weeks has passed, what would happen to the blockchain, if you suddenly publish 1209600 perfectly valid blocks? The whole network would be doing nothing but checking those 1209600 blocks... and finding nothing wrong with them. That would be the end of the coin.

Thats not true. You can generate blocks with the same timestamp. Or is there something that would prevent it (I have not read all the code, it might be prevented somewhere) ? If there is, then this attack vector was already closed and this part was not necessary.

EDIT: Actually, it *is* prevented somewhere else. One can generate only 5 blocks with the same timestamp. So this #2 fix is not necessary to prevent that attack vector, it is already closed elsewhere. However that means the whole if clauses are never true, ie they are itself worthless. But leaving them as they were would keep there an unecessary dependancy between the code blocks, so it is nevertheless better to change it. Also, the main fix is #1, which has been confirmed to work.

I looked at the diff file you proposed very thoroughly. And I must conclude that your fix is nothing more but a bullshit. The only thing your fix does - it protects PastRateActualSeconds varibale in a way that it is always >= 1 (second). Old code assumed it was always >= 0. You probably cared about PastRateAdjustmentRatio variable which is equal to 1 if PastRateActualSeconds happens to be 0. But the point is that it never happens. KGW takes at least PastBlocksMin and at most PastBlocksMax blocks into the calculation. You will never have PastRateActualSeconds == 0 except for the case if your blockchain has only one block.

if i was actually in charge of a coin i would be all about it. im not though. the guy with the charity coin doesn't seem to think that the flaw is such a big deal so why should i? so far we haven't seen any evidence that anyone has the know how to attack a coin like you talk about. especially since aur is still here and you gave a "pass" to the charity guy.

where is the evidence that you even attacked aur. it seems most these people here don't agree with you so i think most of our coins are probably safe.

Nite69, I think you're fixing a difficulty freeze hole - it's possible to spike difficulty up to an unlimited value if you have the following pattern
Block time A
Block time B (much larger than A)
... Many Blocks with time < B ...
Block time B + dx

Difficulty is raised by a factor of (found blocks * target time per block / dx). Now you need 70(ish) blocks in the middle, not sure how far forward you can stick a time stamp, but you don't need to be the source of those 72 blocks. e.g. you could predict when a multipool was about to hit and then try to set your attack block B. Finally, you close with the B + dx, a microsecond (or less) after B, and can start trying at any time after there are enough in the middle.

I'd like a difficulty 21 billion times higher, kkthx. Although, I'd say you're only limiting it to 21,000 times higher, or 73 days for the next block, if such an attack is performed, so I'm not convinced if this is what you were going for after all.

It seems the original point of time warp attack as explained by ArtForz over 2 years ago has been missed by you. No matter how you play this game, you have to follow the rules and cumulative difficulty is one of them. You can mine at a lower difficulty or even attempt to double spend, but you still need to catch up with the original chain. It's up to your skills how to do that. In fact, time warps have never been a real problem for Bitcoin or Litecoin even though the latter addressed one of the issues in their code. This trouble is for those new "fast" coins and their developers who hardly understand what they're doing. Finally, ability to execute an attack doesn't imply ability to benefit from it.