Topic: Regarding Auroracoin TW exploit (Fix included) - page 4. (Read 27342 times)

legendary
Activity: 1190
Merit: 1004
51% attacks exist with or without KGW. You can't say KGW introduces a new attack if it makes an existing attack worse. Though I fail to see how it makes a 51% attack easier to perform.
legendary
Activity: 1190
Merit: 1004
The main chain is not selected by "the longer chain". This is a myth which has been around for a long time. It is completely false. The main chain is selected by the amount of calculated work in the chain. You can produce loads of low difficulty blocks, but the total work will be stochastically (probabilistically) related to the total number of hashes done. You still need to do more work, meaning you need majority hashpower to catch up, whatever the difficulty is.

People need to understand this before going around shouting that there is an exploit with KGW that allows for blockchain forks. There is no need for pandemonium.

If there is a real exploit please explain how it works. No one has explained a real exploit yet.
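
The rule this post states (the best chain is the one with the most accumulated work, not the most blocks), as an added example that is not part of the thread or of Auroracoin's source. It uses the per-block work formula of Bitcoin-derived clients, 2^256 / (target + 1); the function names and the sample nBits values are constructed for illustration.

```python
# Added example: hypothetical helper names, constructed sample chains.

def compact_to_target(nbits):
    """Decode a compact nBits value into the 256-bit target.

    Returns None for encodings a node would reject: sign bit set,
    zero target, or a target that does not fit in 256 bits.
    """
    size = nbits >> 24
    mantissa = nbits & 0x007FFFFF
    negative = bool(nbits & 0x00800000)
    if size <= 3:
        target = mantissa >> (8 * (3 - size))
    else:
        target = mantissa << (8 * (size - 3))
    if negative or target == 0 or target.bit_length() > 256:
        return None
    return target


def block_work(nbits):
    """Expected number of hashes needed to meet this block's target."""
    target = compact_to_target(nbits)
    if target is None:
        return 0  # an invalid target contributes no work
    return (1 << 256) // (target + 1)


def chain_work(chain):
    """Accumulated work of a chain given as a list of nBits values."""
    return sum(block_work(nbits) for nbits in chain)


def best_chain(chains):
    """Return the name of the chain with the most work.

    `chains` maps a name to a list of nBits. Length is never consulted;
    on equal work the first chain seen is kept.
    """
    best_name, best_work = None, -1
    for name, chain in chains.items():
        work = chain_work(chain)
        if work > best_work:
            best_name, best_work = name, work
    return best_name


# Constructed sample data: 0x1c00ffff is 256 times harder than 0x1d00ffff.
HARD, EASY = 0x1C00FFFF, 0x1D00FFFF
SAMPLE_CHAINS = {
    "short_hard": [HARD] * 10,    # 10 blocks
    "long_easy": [EASY] * 2000,   # 2000 blocks, but less total work
}

if __name__ == "__main__":
    for name, chain in SAMPLE_CHAINS.items():
        print(name, len(chain), "blocks, work =", chain_work(chain))
    print("selected:", best_chain(SAMPLE_CHAINS))
```

The work figure counts only the expected hashes for the targets each block claims; whether the timestamps that produced those targets were honest is a separate question, and it is the one the rest of the thread argues about.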
sr. member
Activity: 477
Merit: 500
Now some puzzle for all you: What is a tricky hole this one fixes? Well I could be wrong, maybe this is just my imagination, but I think there was a funny attack vector. Please confirm or bust! (BCX, this is a special challenge for you!):
Code:
-               if (PastRateActualSeconds < 0) { PastRateActualSeconds = 0; }
+               if (BlockReading->nHeight > XXXXX) // HARD Fork block number
+                       if (PastRateActualSeconds < 1) { PastRateActualSeconds = 1; }
+               } else {
+                       if (PastRateActualSeconds < 0) { PastRateActualSeconds = 0; }
+               }
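Review bot: The added `if (BlockReading->nHeight > XXXXX)` line has no opening brace, but two lines later the hunk closes one with `} else {`, so the braces are unbalanced and this will not compile as posted; add `{` after the height condition. `XXXXX` also has to become a real fork height before release, preferably a named constant so the consensus switch is easy to audit. A short comment on why the post-fork floor is 1 rather than 0 would help reviewers, since the visible lines do not show how `PastRateActualSeconds` is used afterwards.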

legendary
Activity: 1064
Merit: 1000
Yes, the blockchain work has nothing to do with time. I still don't think this is an exploit and it's annoying because many exchanges have bought into it and are asking everyone to upgrade needlessly.

If you can drive the difficulty down you can generate a longer chain regardless of the power of the rest of the network. You could do this in isolation and then rejoin the main network and force a reorg. The exploit is very serious and if you pull it off, you can wreak havoc. Checkpoints won't help since you can rinse and repeat over and over and that much disruption to the network is simply a game over for the coin.
full member
Activity: 154
Merit: 100
Time warps can decrease or increase difficulty, but they cannot make you more hash power than you have actually. You still need 50%+ of the network hash rate.


No, the point of the time warp attack is that you don't need more than 50% of the network hashrate to execute the attack.
With that much hashing power you can always attack the chain, regardless of how the coin adjusts difficulty.
legendary
Activity: 1190
Merit: 1004
Yes, the blockchain work has nothing to do with time. I still don't think this is an exploit and it's annoying because many exchanges have bought into it and are asking everyone to upgrade needlessly.
legendary
Activity: 1242
Merit: 1020
No surrender, no retreat, no regret.
The main chain is calculated by total work done already. If it wasn't, this would actually open a vulnerability in Bitcoin. Unless you can trick the software into calculating more work at a lower difficulty I do not see how this is a critical issue. No one has explained why my logic is wrong yet. It's not critical that coins update KGW. The best any coin can do to increase security is to have a higher and well distributed hashrate.

this

What is to prevent me from creating a chain of greater proof-of-work comprised of lower difficulty blocks?  If I'm following protocol, nothing.  I more than likely don't need anywhere close to a majority of the hashing power since I am manipulating time.

Time warps can decrease or increase difficulty, but they cannot make you more hash power than you have actually. You still need 50%+ of the network hash rate.
hero member
Activity: 686
Merit: 500
Ok, this DOES sound like an April fool's joke. The patch does not apply.

Code:
patching file src/main.cpp
Hunk #1 FAILED at 886.
patch: **** malformed patch at line 31: +
legendary
Activity: 924
Merit: 1132

Destroying a coin intentionally is destroying someone's personal property. Destroying thousands of dollars worth of property and you're a felon and going to prison.

If someone owned coins that had a higher value than they were actually worth, because of misrepresentations or in spite of flaws in the implementation, and the coins have become less valuable due to a correction precipitated by the exposure of this misrepresentation or flaw, that person joins the ranks of the millions of people who owned houses whose value was artificially inflated due to misrepresentations during the mortgage meltdown.  When the misrepresentations were exposed, the market corrected and the houses became less valuable.  Sucks to be them, but they're not getting that money back.

To blame BCX here is the equivalent of blaming the people who exposed the fraud for the lost value of the homes.  It isn't their fault the mortgages were fraudulent.  And it isn't BCX's fault that somebody was misrepresenting a blockchain they hadn't secured as trustworthy.  Sucks to be the bagholder, but you were the victim of fraud, not vandalism, and if anybody deserves to go to jail, it's the people who made the fraudulent claims in the first place.

Heck, if you consider anyone who destroys the value of coins, through an otherwise legal action, to be a criminal, you might as well try to prosecute the IRS for declaring that cryptocurrencies are property and subject to capital gains taxes. I predict you wouldn't get very far with that either.

sr. member
Activity: 280
Merit: 250
I still question if it didn't go something like this. IRS says coins are now considered personal property. Destroying a coin intentionally is destroying someone's personal property. Destroying thousands of dollars worth of property and you're a felon and going to prison. OP Shit coin doesn't look like a really good idea anymore. Better not destroy shit coins...

This of course is just a conspiracy theory and not based on any facts.

Yeah.. good luck with that. That's not how it works.

LOL.... some people just don't get how decentralization works

Pretty sure that's how it would work in the US. Now that it has a label of property it's like any other property and the law states personal property destruction etc. Decentralization has nothing to do with what I'm talking about. Cyber crimes are still cyber crimes anywhere you live on the planet and off it for that matter. Just like Gox has to answer to its US customers. Crypto may be decentralized but the law is not. I could be wrong about this but so could you. Nobody really knows for sure what courts will rule. But I feel like a lawsuit or criminal charge in this area is on the horizon.

You are probably correct here. US, EU and UK all have laws which make it illegal to cause malicious damage to computer systems and computer networks. You can be sure, if the amounts of money involved warranted it, the police could and would probably get involved. Whether that can be applied to decentralized blockchains which actually have a "voting" mechanism to decide which chain is valid or not, would be a matter for the police to decide. It's certainly not clear cut in this case (by virtue of the fact the coins have a chain voting mechanism, proving malicious intent would be difficult I think).

That being said, I support making it hard for shitcoins to survive because frankly, it's far worse for people to release coins they have no idea how to maintain and thus endangering all their users. Not to mention all the scams that are being executed by shitcoin creators...

For any law to take effect, there needs to be jurisdiction. If I sit in Afghanistan and access a network of computers in US and format them, that needs to be illegal in Afghanistan for me to be charged with a crime. Moreover there needs to be a complaint, friendly ties between the two govt, and enough volume/damage to warrant an Interpol case.  I believe shooting down a shitcoin's blockchain does not fall into that category

Then there is the anonymity and decentralization issue. Crypto addresses are not tied to a physical location or person and there is no "court order" that you hand to someone to spill the beans of sorts. No way to prove anyone did anything here, neither is there any way to prove you lost fiat money.

BCX could be Morgan Freeman sitting in a cafe looking at Batman for all you know
legendary
Activity: 2198
Merit: 1014
Franko is Freedom
Hmm.. ok.. so in the end there really is an attack vector (however not so easy I have been thinking)? But that means summing the difficulty is a wrong way to measure the height of a blockchain. There should be a way (some algorithm) to assure a certain blockchain has been done with more work than the other, regardless of are they done with lots of low diff blocks or a few high diff blocks.

It should be possible to count the total amount of needed hashes calculated to generate a certain blockchain. And that should quite explicitly tell which blockchain really has been generated with most work.


The main chain is calculated by total work done already. If it wasn't, this would actually open a vulnerability in Bitcoin. Unless you can trick the software into calculating more work at a lower difficulty I do not see how this is a critical issue. No one has explained why my logic is wrong yet. It's not critical that coins update KGW. The best any coin can do to increase security is to have a higher and well distributed hashrate.

this
legendary
Activity: 1064
Merit: 1000
I still question if it didn't go something like this. IRS says coins are now considered personal property. Destroying a coin intentionally is destroying someone's personal property. Destroying thousands of dollars worth of property and you're a felon and going to prison. OP Shit coin doesn't look like a really good idea anymore. Better not destroy shit coins...

This of course is just a conspiracy theory and not based on any facts.

Yeah.. good luck with that. That's not how it works.

LOL.... some people just don't get how decentralization works

Pretty sure that's how it would work in the US. Now that it has a label of property it's like any other property and the law states personal property destruction etc. Decentralization has nothing to do with what I'm talking about. Cyber crimes are still cyber crimes anywhere you live on the planet and off it for that matter. Just like Gox has to answer to its US customers. Crypto may be decentralized but the law is not. I could be wrong about this but so could you. Nobody really knows for sure what courts will rule. But I feel like a lawsuit or criminal charge in this area is on the horizon.

You are probably correct here. US, EU and UK all have laws which make it illegal to cause malicious damage to computer systems and computer networks. You can be sure, if the amounts of money involved warranted it, the police could and would probably get involved. Whether that can be applied to decentralized blockchains which actually have a "voting" mechanism to decide which chain is valid or not, would be a matter for the police to decide. It's certainly not clear cut in this case (by virtue of the fact the coins have a chain voting mechanism, proving malicious intent would be difficult I think).

That being said, I support making it hard for shitcoins to survive because frankly, it's far worse for people to release coins they have no idea how to maintain and thus endangering all their users. Not to mention all the scams that are being executed by shitcoin creators...
full member
Activity: 140
Merit: 100
I still question if it didn't go something like this. IRS says coins are now considered personal property. Destroying a coin intentionally is destroying someone's personal property. Destroying thousands of dollars worth of property and you're a felon and going to prison. OP Shit coin doesn't look like a really good idea anymore. Better not destroy shit coins...

This of course is just a conspiracy theory and not based on any facts.

Yeah.. good luck with that. That's not how it works.

LOL.... some people just don't get how decentralization works

Pretty sure that's how it would work in the US. Now that it has a label of property it's like any other property and the law states personal property destruction etc. Decentralization has nothing to do with what I'm talking about. Cyber crimes are still cyber crimes anywhere you live on the planet and off it for that matter. Just like Gox has to answer to its US customers. Crypto may be decentralized but the law is not. I could be wrong about this but so could you. Nobody really knows for sure what courts will rule. But I feel like a lawsuit or criminal charge in this area is on the horizon.
legendary
Activity: 1242
Merit: 1020
No surrender, no retreat, no regret.
That's the whole point, the current network will happily accept chain-of-massive-number-of-low-diff-blocks over chain-of-less-harder-blocks as long as the sum of difficulty of the first is higher and it follows the "rules set in stone" (no invalid tx, generation amount <= calculated amount, difficulty == getNextDifficulty(prevblock), block nTime > median of prev 11 blocks, block nTime can't be more than 2 h in the future, ...).

ArtForz also noted that any asymmetrical algorithm will be vulnerable. Because KGW is designed to deal with multipool problems and abrupt jumps in difficulty that are caused by fast increases in hashrate, it makes increasing diff harder than decreasing it. Because of that, attacker can get a lot of lower difficulty blocks at the cost of few larger difficulty blocks when he jumps back and forth in time.

Hmm.. ok.. so in the end there really is an attack vector (however not so easy I have been thinking)? But that means summing the difficulty is a wrong way to measure the height of a blockchain. There should be a way (some algorithm) to assure a certain blockchain has been done with more work than the other, regardless of are they done with lots of low diff blocks or a few high diff blocks.

It should be possible to count the total amount of needed hashes calculated to generate a certain blockchain. And that should quite explicitly tell which blockchain really has been generated with most work.

Before I chitchat more bullshit, I guess I have to make some homework and familiarize myself more with the source.. and what block difficulty really relates to.

That's nice link to ArtForz comments. I have been wondering the same; does it need to be symmetric to protect the chain better? I think it is somehow weaker, if it is not, but that's not as big 'hole' than what other issues cause.

In order to succeed, an attacker needs to put more hash power into his chain than the other miners can supply. Their pools may be DDoS'ed or they may just autoswitch to a more profitable coin. There are also checkpoints, either hard coded or synchronised. No matter how much cumulative difficulty or trust score you have on a forked chain, it always fails against a checkpoint. KGW is just an overcomplicated solution with no difficulty limiting. This is what needs to be fixed actually.

Quote
And, with symmetric algorithm and one block retarget, you have the problem not being able to calculate with zero or negative timespans. Truly symmetric would approach infinite difficulty when time difference approaches zero.

A long averaging window can be used even for every block retargets. There are no zero or negative time spans.
sr. member
Activity: 280
Merit: 250
I still question if it didn't go something like this. IRS says coins are now considered personal property. Destroying a coin intentionally is destroying someone's personal property. Destroying thousands of dollars worth of property and you're a felon and going to prison. OP Shit coin doesn't look like a really good idea anymore. Better not destroy shit coins...

This of course is just a conspiracy theory and not based on any facts.

Yeah.. good luck with that. That's not how it works.

LOL.... some people just don't get how decentralization works
legendary
Activity: 1190
Merit: 1004
Hmm.. ok.. so in the end there really is an attack vector (however not so easy I have been thinking)? But that means summing the difficulty is a wrong way to measure the height of a blockchain. There should be a way (some algorithm) to assure a certain blockchain has been done with more work than the other, regardless of are they done with lots of low diff blocks or a few high diff blocks.

It should be possible to count the total amount of needed hashes calculated to generate a certain blockchain. And that should quite explicitly tell which blockchain really has been generated with most work.


The main chain is calculated by total work done already. If it wasn't, this would actually open a vulnerability in Bitcoin. Unless you can trick the software into calculating more work at a lower difficulty I do not see how this is a critical issue. No one has explained why my logic is wrong yet. It's not critical that coins update KGW. The best any coin can do to increase security is to have a higher and well distributed hashrate.
full member
Activity: 154
Merit: 100
I still question if it didn't go something like this. IRS says coins are now considered personal property. Destroying a coin intentionally is destroying someone's personal property. Destroying thousands of dollars worth of property and you're a felon and going to prison. OP Shit coin doesn't look like a really good idea anymore. Better not destroy shit coins...

This of course is just a conspiracy theory and not based on any facts.

Yeah.. good luck with that. That's not how it works.
full member
Activity: 140
Merit: 100
I still question if it didn't go something like this. IRS says coins are now considered personal property. Destroying a coin intentionally is destroying someone's personal property. Destroying thousands of dollars worth of property and you're a felon and going to prison. OP Shit coin doesn't look like a really good idea anymore. Better not destroy shit coins...

This of course is just a conspiracy theory and not based on any facts.
full member
Activity: 154
Merit: 100
Yes per our agreement I will pull back the exploit and allow a fix.
I am most definitely a person of my word. The conditions that solve for a solution have been met.

Why does Nite69 say "allow" a fix?

As explained by Nite69 I am gaining on the chain with a current running KGW TW. In order to prevent me from gaining and over taking the current AUR blockchain AUR needs 25X my mining power at a minimum, something the miners have proven they have little interest in doing. As such, it is just a matter of time before the TW catches up and is in full implementation.

In order to deploy the "fix" a new client will need to be released and another hard fork implemented. If the TW exploit isn't pulled back before the hard fork, it will instantly catch up at the next hard fork due to diff swings and be in full implementation. So either way I win, fix it or don't fix it.

Nite69 is very correct, I have no real desire to destroy AUR as initially I was only going to run a test for a few hundred blocks. The concession by the AUR development is sufficient for me. Understand this is enabled by KGW and was not a vulnerability till KGW was implemented. All coins that deploy KGW are vulnerable.


~BCX~

So, there still isn't a new Auroracoin release, nor has the fix shown up on git...

When can we expect the fireworks?
sr. member
Activity: 477
Merit: 500

As always, I could be wrong, and point out any mistakes I have made if I am wrong.

I think that is the correct explanation.
The attack chain has individual blocks of low difficulty, but because it's longer, it has higher sum of difficulty.

Or as the discoverer of this exploit wrote:

That's the whole point, the current network will happily accept chain-of-massive-number-of-low-diff-blocks over chain-of-less-harder-blocks as long as the sum of difficulty of the first is higher and it follows the "rules set in stone" (no invalid tx, generation amount <= calculated amount, difficulty == getNextDifficulty(prevblock), block nTime > median of prev 11 blocks, block nTime can't be more than 2 h in the future, ...).


ArtForz also noted that any asymmetrical algorithm will be vulnerable. Because KGW is designed to deal with multipool problems and abrupt jumps in difficulty that are caused by fast increases in hashrate, it makes increasing diff harder than decreasing it. Because of that, attacker can get a lot of lower difficulty blocks at the cost of few larger difficulty blocks when he jumps back and forth in time.

Hmm.. ok.. so in the end there really is an attack vector (however not so easy I have been thinking)? But that means summing the difficulty is a wrong way to measure the height of a blockchain. There should be a way (some algorithm) to assure a certain blockchain has been done with more work than the other, regardless of are they done with lots of low diff blocks or a few high diff blocks.

It should be possible to count the total amount of needed hashes calculated to generate a certain blockchain. And that should quite explicitly tell which blockchain really has been generated with most work.

Before I chitchat more bullshit, I guess I have to make some homework and familiarize myself more with the source.. and what block difficulty really relates to.

That's nice link to ArtForz comments. I have been wondering the same; does it need to be symmetric to protect the chain better? I think it is somehow weaker, if it is not, but that's not as big 'hole' than what other issues cause.

And, with symmetric algorithm and one block retarget, you have the problem not being able to calculate with zero or negative timespans. Truly symmetric would approach infinite difficulty when time difference approaches zero.