Pages:
Author

Topic: Regarding Auroracoin TW exploit (Fix included) - page 3. (Read 27362 times)

full member
Activity: 154
Merit: 100
It would be an exponential difficulty growth for several thousands iterations (the base difficulty would be equal to the network difficulty at the fork time). So, one would have to possess really good hashing power. I think that mathematically this attack is even less possible than wellknown 51% attack. More precisely this attack would have possibility 100% but the computation time would be HUGE.



You should sand box it before making those statements. This is exactly the vector that was opened up.


~BCX~

It appears some draino/coin hybrid has been hit with a difficulty of 55 million and just so happens to use KGW. Would you happen to know anything about this? Please tell me I didn't look away and miss something! Grin

Link?

The announcement section is a jungle:
https://bitcointalksearch.org/topic/m.6113496

Thank you. It is a jungle indeed.
member
Activity: 308
Merit: 10
★YoBit.Net★ 1400+ Coins Exchange
It would be an exponential difficulty growth for several thousands iterations (the base difficulty would be equal to the network difficulty at the fork time). So, one would have to possess really good hashing power. I think that mathematically this attack is even less possible than wellknown 51% attack. More precisely this attack would have possibility 100% but the computation time would be HUGE.



You should sand box it before making those statements. This is exactly the vector that was opened up.


~BCX~

It appears some draino/coin hybrid has been hit with a difficulty of 55 million and just so happens to use KGW. Would you happen to know anything about this? Please tell me I didn't look away and miss something! Grin

Link?

The announcement section is a jungle:
https://bitcointalksearch.org/topic/m.6113496
full member
Activity: 154
Merit: 100
It would be an exponential difficulty growth for several thousands iterations (the base difficulty would be equal to the network difficulty at the fork time). So, one would have to possess really good hashing power. I think that mathematically this attack is even less possible than wellknown 51% attack. More precisely this attack would have possibility 100% but the computation time would be HUGE.



You should sand box it before making those statements. This is exactly the vector that was opened up.


~BCX~

It appears some draino/coin hybrid has been hit with a difficulty of 55 million and just so happens to use KGW. Would you happen to know anything about this? Please tell me I didn't look away and miss something! Grin

Link?
member
Activity: 308
Merit: 10
★YoBit.Net★ 1400+ Coins Exchange
It would be an exponential difficulty growth for several thousands iterations (the base difficulty would be equal to the network difficulty at the fork time). So, one would have to possess really good hashing power. I think that mathematically this attack is even less possible than wellknown 51% attack. More precisely this attack would have possibility 100% but the computation time would be HUGE.



You should sand box it before making those statements. This is exactly the vector that was opened up.


~BCX~

It appears some draino/coin hybrid has been hit with a difficulty of 55 million and just so happens to use KGW. Would you happen to know anything about this? Please tell me I didn't look away and miss something! Grin
sr. member
Activity: 477
Merit: 500

Now... fix #1. I'm sorry but is not a fix. Logically both flows (without fix and with it) are absolutelly THE SAME. Just check it line by line very carefuly. Both flows protect PastRateActualSeconds variable in a way that it is >= 0. That is it. Just CHECK.

The fix actually changes the way algorithm deals with blocks that are timestamped before the latest block's timestamp (ie timewarped blocks). It processes them just like if they were timestamped as the latest block. So if there is any benefit an attacker gets by timestamping the blocks in the past, the benefit will be gone. The attacker could as well timestamp them with latest blocks time. No more any extra gain from Time Warp, whatever it has been.

This change actually lowers the difficulty what the time warped block would get. However, the attacker would get the same lower diff by timestamping that block at the latest block time, ie not using timewarp, so the fix does not give any advantage which had not already been there.
member
Activity: 98
Merit: 10
sr. member
Activity: 404
Merit: 250
RIP Phil 2015
Cannacoin has updated its protocol to patch the potential KGW/Time-Warp exploit. Thanks to everyone involved in the discussion and fix, your time and efforts are appreciated!
member
Activity: 308
Merit: 10
★YoBit.Net★ 1400+ Coins Exchange
Yes, the blockchain work has nothing to do with time. I still don't think this is an exploit and it's annoying because many exchanges have bought into it and are asking everyone to upgrade needlessly.



Would you like to back that statement up and offer your coin as a sacrificial lamb?


~BCX~

where is the evidence that you even attacked aur. it seems most these people here don't agree with you so i think most of our coins are probably safe.


I see you hide behind a new registered account today with a single post while making that "bold" statement. Shows real confidence doesn't it.

All you and your fellow "devs" are whining about is that you paid someone to create a basic shitcoin clone and lack the technical ability to update it LOL

Maybe I really do need to kill a few to convince the masses.

Since you're so sure it's not possible, don't be a wanker, volunteer your coin!


~BCX~









Please do. I've found a comfortable seat, and I have plenty of snacks.
legendary
Activity: 1242
Merit: 1020
No surrender, no retreat, no regret.
Median of 11 is 6 blocks. Although AUR has changed this to median of 3 which is a bad idea actually.

Saying it is a bad idea does not yet make it a bad idea. Can you give some reasoning behind this? If there is good reasoning, why didnt you tell that when it was only being planned?

Why have you not asked? I'm not a part of your community, not supposed to monitor what you do and to give advice on every matter.
sr. member
Activity: 477
Merit: 500
Median of 11 is 6 blocks. Although AUR has changed this to median of 3 which is a bad idea actually.

Saying it is a bad idea does not yet make it a bad idea. Can you give some reasoning behind this? If there is good reasoning, why didnt you tell that when it was only being planned?
legendary
Activity: 996
Merit: 1013
Having a lower difficulty threshold and more blocks, generated by a small fraction of the main chain's hashing power, should NEVER result in the difficulty calculation thinking that you have more total work than the main chain.

Your opinion, then, is that one really can make TW exploit with less than majority hashing power. I would be very grateful to know the reasoning behind that statement.





legendary
Activity: 924
Merit: 1132
The problem that makes the time warp possible at all is that difficulty is being measured wrong. 

Having a lower difficulty threshold and more blocks, generated by a small fraction of the main chain's hashing power, should NEVER result in the difficulty calculation thinking that you have more total work than the main chain.

Consider two forks, one with a difficulty of, say 20 and one with a difficulty of, say, 11.  If there is actually more work on the chain with 11 difficulty, it will have more blocks that meet the 20 difficulty than the other chain has total blocks.  It shouldn't be getting any work credit at all for blocks that don't meet the hardest branch's difficulty.



legendary
Activity: 1242
Merit: 1020
No surrender, no retreat, no regret.
The another fix (preventing PastRateActualSeconds to go to 0) takes care of another attack vector. Here is a short explanation of the attack:
1. generate a block 2 weeks to the future. You cannot publish it, it is not on current time window.
2. Start generating blocks with the same timestamp (ie the moment 2 weeks in the future)

See what would happen: after there is PastBlocksMax blocks in the private chain, *the diff would not change* at all!

That would mean you have 2 weeks to generate blocks with 0 difficulty. With decent hashrate, you easily get 1 block in a second. In 2 weeks you get 1209600 blocks.

When that 2 weeks has passed, what would happen to the blockchain, if you suddenly publish 1209600 perfectly valid blocks? The whole network would be doing nothing but checking those 1209600 blocks... and finding nothing wrong with them. That would be the end of the coin.

First, an attacker still needs to exceed the cumulative difficulty score of the original chain. Second, there must not be any checkpoints on the original chain for those 2 weeks, neither hard coded nor synchronised. Third if the second is true, this is a huge reorganisation which won't pass unnoticed and a smart developer would secure his chain with a checkpoint immediately, release an updated client and ask the community to upgrade.

Quote
EDIT: Actually, it *is* prevented somewhere else. One can generate only 5 blocks with the same timestamp.

Median of 11 is 6 blocks. Although AUR has changed this to median of 3 which is a bad idea actually.
sr. member
Activity: 1313
Merit: 278
USDe has updated its KGW code to close the potential exploit gaps - thanks to users in this discussion for assistance in the solution.
sr. member
Activity: 477
Merit: 500
I looked at the diff file you proposed very thoroughly. And I must conclude that your fix is nothing more but a bullshit. The only thing your fix does - it protects PastRateActualSeconds varibale in a way that it is always >= 1 (second). Old code assumed it was always >= 0. You probably cared about PastRateAdjustmentRatio variable which is equal to 1 if PastRateActualSeconds happens to be 0. But the point is that it never happens. KGW takes at least PastBlocksMin and at most PastBlocksMax blocks into the calculation. You will never have PastRateActualSeconds == 0 except for the case if your blockchain has only one block.

You have misunderstood the fix. There are 2 fixes and the one you are referring fixes another attack vector.

The fix to usual TW attack (which BCX was planning was to use) was to use LatestBlockTime instead of BlockLastSolved->GetBlockTime() to count the timespan. Without this one can timetravel back without diff rise, with this the benefit attacker gets by travellin past is lost.

The another fix (preventing PastRateActualSeconds to go to 0) takes care of another attack vector. Here is a short explanation of the attack:
1. generate a block 2 weeks to the future. You cannot publish it, it is not on current time window.
2. Start generating blocks with the same timestamp (ie the moment 2 weeks in the future)

See what would happen: after there is PastBlocksMax blocks in the private chain, *the diff would not change* at all!

That would mean you have 2 weeks to generate blocks with 0 difficulty. With decent hashrate, you easily get 1 block in a second. In 2 weeks you get 1209600 blocks.

When that 2 weeks has passed, what would happen to the blockchain, if you suddenly publish 1209600 perfectly valid blocks? The whole network would be doing nothing but checking those 1209600 blocks... and finding nothing wrong with them. That would be the end of the coin.

Quote
You will never have PastRateActualSeconds == 0 except for the case if your blockchain has only one block.
Thats not true. You can generate blocks with the same timestamp. Or is there something that would prevent it (I have not read all the code, it might be prevented somewhere) ? If there is, then this attack vector was already closed and this part was not necessary.

EDIT: Actually, it *is* prevented somewhere else. One can generate only 5 blocks with the same timestamp. So this #2 fix is not necessary to prevent that attack vector, it is already closed elsewhere. However that means the whole if clauses are never true, ie they are itself worthless. But leaving them as they were would keep there an unecessary dependancy between the code blocks, so it is nevertheless better to change it. Also, the main fix is #1, which has been confirmed to work.
Code:
    // Check timestamp against prev
    if (GetBlockTime() <= pindexPrev->GetMedianTimePast())
        return error("AcceptBlock() : block's timestamp is too early");
member
Activity: 98
Merit: 10
I looked at the diff file you proposed very thoroughly. And I must conclude that your fix is nothing more but a bullshit. The only thing your fix does - it protects PastRateActualSeconds varibale in a way that it is always >= 1 (second). Old code assumed it was always >= 0. You probably cared about PastRateAdjustmentRatio variable which is equal to 1 if PastRateActualSeconds happens to be 0. But the point is that it never happens. KGW takes at least PastBlocksMin and at most PastBlocksMax blocks into the calculation. You will never have PastRateActualSeconds == 0 except for the case if your blockchain has only one block.
newbie
Activity: 3
Merit: 0
Yes, the blockchain work has nothing to do with time. I still don't think this is an exploit and it's annoying because many exchanges have bought into it and are asking everyone to upgrade needlessly.



Would you like to back that statement up and offer your coin as a sacrificial lamb?


~BCX~

where is the evidence that you even attacked aur. it seems most these people here don't agree with you so i think most of our coins are probably safe.


I see you hide behind a new registered account today with a single post while making that "bold" statement. Shows real confidence doesn't it.

All you and your fellow "devs" are whining about is that you paid someone to create a basic shitcoin clone and lack the technical ability to update it LOL

Maybe I really do need to kill a few to convince the masses.

Since you're so sure it's not possible, don't be a wanker, volunteer your coin!


~BCX~


if i was actually in charge of a coin i would be all about it. im not though. the guy with the charity coin doesn't seem to think that the flaw is such a big deal so why should i? so far we haven't seen any evidence that anyone has the know how to attack a coin like you talk about. especially since aur is still here and you gave a "pass" to the charity guy.
newbie
Activity: 3
Merit: 0
Yes, the blockchain work has nothing to do with time. I still don't think this is an exploit and it's annoying because many exchanges have bought into it and are asking everyone to upgrade needlessly.



Would you like to back that statement up and offer your coin as a sacrificial lamb?


~BCX~

where is the evidence that you even attacked aur. it seems most these people here don't agree with you so i think most of our coins are probably safe.
newbie
Activity: 1
Merit: 0
Nite69, I think you're fixing a difficulty freeze hole - it's possible to spike difficulty up to an unlimited value if you have the following pattern
Block time A
Block time B (much larger than A)
... Many Blocks with time < B ...
Block time B + dx

Difficulty is raised by a factor of (found blocks * target time per block / dx). Now you need 70(ish) blocks in the middle, not sure how far forward you can stick a time stamp, but you don't need to be the source of those 72 blocks. e.g. you could predict when a multipool was about to hit and then try to set your attack block B. Finally, you close with the B + dx, a microsecond (or less) after B, and can start trying at any time after there are enough in the middle.

I'd like a difficulty 21 billion times higher, kkthx. Although, I'd say you're only limiting it to 21,000 times higher, or 73 days for the next block, if such an attack is performed, so I'm not convinced if this is what you were going for after all.
legendary
Activity: 1242
Merit: 1020
No surrender, no retreat, no regret.
Time warps can decrease or increase difficulty, but they cannot make you more hash power than you have actually. You still need 50%+ of the network hash rate.

No, the point of the time warp attack is that you don't need more than 50% of the network hashrate to execute the attack.
With that much hashing power you can always attack the chain, regardless of how the coin adjusts difficulty.

It seems the original point of time warp attack as explained by ArtForz over 2 years ago has been missed by you. No matter how you play this game, you have to follow the rules and cumulative difficulty is one of them. You can mine at a lower difficulty or even attempt to double spend, but you still need to catch up with the original chain. It's up to your skills how to do that. In fact, time warps have never been a real problem for Bitcoin or Litecoin even though the latter addressed one of the issues in their code. This trouble is for those new "fast" coins and their developers who hardly understand what they're doing. Finally, ability to execute an attack doesn't imply ability to benefit from it.
Pages:
Jump to: