
Topic: [XMR] Monero - A secure, private, untraceable cryptocurrency - page 705. (Read 4671660 times)

legendary
Activity: 1260
Merit: 1008
NB: https://forum.getmonero.org/1/news-announcements-and-editorials/2452/monero-network-malicious-fork-from-block-913193-updates-and-resolution

From that post (which will be kept updated) -

Hi all,

The Monero network was (once again) the subject of an attack. Due to an error during the development of 0.9, Hydrogen Helix, we omitted a check that allowed for v2 blocks to be added to the network prior to the hard fork block height. Thus instead of forking on March 20, at block height 1009827, a v2 block was added to the network at block height 913193.

This is obviously problematic as not all services have updated to 0.9, and the bulk of the network hash rate is still on 0.8.x. We are preparing a point release to 0.9 that resolves this, but in the meantime only if you are running 0.9 you can do the following as a quick patch:

1. Shut down your Monero daemon
2. Grab a checkpoints.json file from getmonero: https://downloads.getmonero.org/checkpoints.json
3. Put the file in your bitmonero working directory (eg. ~/.bitmonero or C:\ProgramData\bitmonero)
4. Restart the daemon

As soon as the patched point release is out you can remove the checkpoints.json file, if you wish, and run the updated version. The checkpoints.json patch is a quick fix and does not prevent the attacker from replaying their attack at a later block.


After all this time on testnet I'm surprised to hear this, isn't there anyone on the team adept at debugging and exploit testing?
Does anyone actually have a position that actively attacks testnet before release? If not there are those out there that relish in this and do it for the accolades.
Not trying to be insulting here as I know how hard you guys work on this but alpha/beta stages are there for a reason and really this is a simple exploit that should have been on the first error checks before release. I wish it was 16 years ago, as I would have jumped on this just for the lulz.

Also are all the devs listed active? Did they all check this prior to release?  What is the list that signed off on this?

While I agree with your frustration, I think it's continuously important to remember the big 0 in front of the version number of Monero (and hell, of bitcoin). Even at the active on-the-mainchain state, all of this software is beta. (of course, we're at 0.9 now... so, we gonna be seeing a lot more decimals put in? I don't know how versioning works. It always fails me when I write manuscripts).

And having been witness to all of the work that went into 0.9, shit's gonna happen and you're never going to reach perfection in the lab. And at some point you just push things so they *do* break.

Like I said, this kind of stuff can be frustrating and disappointing... but your other option is to wait for a big 1 to go in front of the version number, when the developers feel that their code is really ready for production.

For instance, if some alien entity came to us and said "hey, we don't use currency, but we kind of like how it helps your civilization work. How can we implement it?" We wouldn't try to "sell" them on our experimental new technology. We'd introduce them to our incredibly arcane (but functioning) central banking system and say "yeah we know it sucks, so we're working on version 2" and then show them cryptocurrencies.
legendary
Activity: 2968
Merit: 1198
There was no fucking attack, it was just a bug!

Oh really? Where did the version 2 block come from?


Buggy code!

OK, which line?
legendary
Activity: 2968
Merit: 1198
Nice try from the attackers. Very fast answer, thanks to everyone who worked on the fix.
No harm done I believe.


No harm done ? Look at the net hash rate, it has halved...

So what, it had just doubled. Although that could have been the attacks. Any dev input on this?

No apparent connection

Quote
What was the timeframe of the attack?

The block that caused the network to fork was 913193

Quote
This must be why withdrawals are locked on bittrex, are they locked on all exchanges?

We notified exchanges as soon as possible. How they responded is a function of their own operations.
legendary
Activity: 2268
Merit: 1141
Nice try from the attackers. Very fast answer, thanks to everyone who worked on the fix.
No harm done I believe.


No harm done ? Look at the net hash rate, it has halved...

So what, it had just doubled. Although that could have been the attacks. Any dev input on this?

What was the timeframe of the attack?

This must be why withdrawals are locked on bittrex, are they locked on all exchanges?

LOL I always buy at the "Interesting" times!

Yes, Poloniex' wallet is disabled as well.
sr. member
Activity: 378
Merit: 250
Kudos to the Monero development team for being alert and acting quickly to remedy the attack. Just like the fast response to the last major attack in 2014 the development team has proven itself. Thank you for being great stewards for Monero and continuing to improve upon the CryptoNote technology you inherited.

The Monero codebase looks nothing like it did in summer 2014 and that is a good thing. The Monero development team and Monero Research Lab deserve a tremendous amount of recognition for all of their work.
legendary
Activity: 1470
Merit: 1000
Want privacy? Use Monero!
There was no fucking attack, it was just a bug!

It was an attack.

Someone created a block that can't be created by just using the 0.9 client.
So the attacker changed the code of 0.9 a bit so he/she/they was/were able to mine a block that was a v2block instead of the default v1block.
legendary
Activity: 1092
Merit: 1000
There was no fucking attack, it was just a bug!

Oh really? Where did the version 2 block come from?


Buggy code!
legendary
Activity: 2968
Merit: 1198
There was no fucking attack, it was just a bug!

Oh really? Where did the version 2 block come from?
legendary
Activity: 1092
Merit: 1000
There was no fucking attack, it was just a bug!
legendary
Activity: 3836
Merit: 4969
Doomed to see the future and unable to prevent it
Nice try from the attackers. Very fast answer, thanks to everyone who worked on the fix.
No harm done I believe.


No harm done ? Look at the net hash rate, it has halved...

So what, it had just doubled. Although that could have been the attacks. Any dev input on this?

What was the timeframe of the attack?

This must be why withdrawals are locked on bittrex, are they locked on all exchanges?

LOL I always buy at the "Interesting" times!
legendary
Activity: 3836
Merit: 4969
Doomed to see the future and unable to prevent it
NB: https://forum.getmonero.org/1/news-announcements-and-editorials/2452/monero-network-malicious-fork-from-block-913193-updates-and-resolution

From that post (which will be kept updated) -

Hi all,

The Monero network was (once again) the subject of an attack. Due to an error during the development of 0.9, Hydrogen Helix, we omitted a check that allowed for v2 blocks to be added to the network prior to the hard fork block height. Thus instead of forking on March 20, at block height 1009827, a v2 block was added to the network at block height 913193.

This is obviously problematic as not all services have updated to 0.9, and the bulk of the network hash rate is still on 0.8.x. We are preparing a point release to 0.9 that resolves this, but in the meantime only if you are running 0.9 you can do the following as a quick patch:

1. Shut down your Monero daemon
2. Grab a checkpoints.json file from getmonero: https://downloads.getmonero.org/checkpoints.json
3. Put the file in your bitmonero working directory (eg. ~/.bitmonero or C:\ProgramData\bitmonero)
4. Restart the daemon

As soon as the patched point release is out you can remove the checkpoints.json file, if you wish, and run the updated version. The checkpoints.json patch is a quick fix and does not prevent the attacker from replaying their attack at a later block.

After all this time on testnet I'm surprised to hear this, isn't there anyone on the team adept at debugging and exploit testing?
Does anyone actually have a position that actively attacks testnet before release? If not there are those out there that relish in this and do it for the accolades.
Not trying to be insulting here as I know how hard you guys work on this but alpha/beta stages are there for a reason and really this is a simple exploit that should have been on the first error checks before release. I wish it was 16 years ago, as I would have jumped on this just for the lulz.

Also are all the devs listed active? Did they all check this prior to release?  What is the list that signed off on this?
hero member
Activity: 649
Merit: 500
Nice try from the attackers. Very fast answer, thanks to everyone who worked on the fix.
No harm done I believe.


No harm done ? Look at the net hash rate, it has halved...

It is down by 25%.  I guess that is the same as halved...

It half-halved maybe...
legendary
Activity: 1624
Merit: 1008
Nice try from the attackers. Very fast answer, thanks to everyone who worked on the fix.
No harm done I believe.


No harm done ? Look at the net hash rate, it has halved...

It is down by 25%.  I guess that is the same as halved...
legendary
Activity: 1260
Merit: 1008
Nice try from the attackers. Very fast answer, thanks to everyone who worked on the fix.
No harm done I believe.


No harm done ? Look at the net hash rate, it has halved...

Oh primer. I don't get you.
legendary
Activity: 1092
Merit: 1000
Nice try from the attackers. Very fast answer, thanks to everyone who worked on the fix.
No harm done I believe.


No harm done ? Look at the net hash rate, it has halved...
legendary
Activity: 1512
Merit: 1012
Still wild and free
Nice try from the attackers. Very fast answer, thanks to everyone who worked on the fix.
No harm done I believe.
full member
Activity: 219
Merit: 100
Another fuck-up by the devs. They had a whole year to work on this minor release and guess what, they fucked it up. Retards.

At least they really succeed to fuck the blockchain, not like you and your claim back in the day...
legendary
Activity: 1092
Merit: 1000
Another fuck-up by the devs. They had a whole year to work on this minor release and guess what, they fucked it up. Retards.
legendary
Activity: 2156
Merit: 1072
Crypto is the separation of Power and State.
NB: https://forum.getmonero.org/1/news-announcements-and-editorials/2452/monero-network-malicious-fork-from-block-913193-updates-and-resolution

From that post (which will be kept updated) -

Hi all,

The Monero network was (once again) the subject of an attack. Due to an error during the development of 0.9, Hydrogen Helix, we omitted a check that allowed for v2 blocks to be added to the network prior to the hard fork block height. Thus instead of forking on March 20, at block height 1009827, a v2 block was added to the network at block height 913193.

This is obviously problematic as not all services have updated to 0.9, and the bulk of the network hash rate is still on 0.8.x. We are preparing a point release to 0.9 that resolves this, but in the meantime only if you are running 0.9 you can do the following as a quick patch:

1. Shut down your Monero daemon
2. Grab a checkpoints.json file from getmonero: https://downloads.getmonero.org/checkpoints.json
3. Put the file in your bitmonero working directory (eg. ~/.bitmonero or C:\ProgramData\bitmonero)
4. Restart the daemon

As soon as the patched point release is out you can remove the checkpoints.json file, if you wish, and run the updated version. The checkpoints.json patch is a quick fix and does not prevent the attacker from replaying their attack at a later block.

Nice fast response!

Mustangs 2
Trollblocks 0
legendary
Activity: 2268
Merit: 1141
- Poloniex was and is on the correct chain, coins are safe, wallet is currently disabled but trading is allowed.

- MyMonero is not affected, thus coins stored there are safe.

- The devs are preparing a point release to 0.9 that resolves the issue caused by the malicious fork.
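
Added example, not part of the thread and not Monero's code: a simplified C++ model of the omitted check described in the announcement, showing why a checkpoint pins only the height it lists and leaves a v2 block at a later pre-fork height acceptable until the version check is height-aware. All type and function names are hypothetical, the hashes are constructed placeholders, and the lenient rule is an assumed stand-in for the missing check.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <string>

// Simplified model for illustration; every name here is hypothetical.
struct Block {
    uint64_t height;
    uint8_t major_version;
    std::string hash;  // constructed placeholder, not a real block hash
};

constexpr uint64_t kV2ForkHeight = 1009827;  // fork height from the announcement

// Assumed model of the omitted check: any version the node understands
// is accepted, whatever height the block sits at.
bool version_ok_lenient(const Block& b) {
    return b.major_version >= 1 && b.major_version <= 2;
}

// Height-aware check: the version must be the one scheduled for that height.
bool version_ok_strict(const Block& b) {
    uint8_t expected = b.height >= kV2ForkHeight ? 2 : 1;
    return b.major_version == expected;
}

// A checkpoint pins one hash per listed height; other heights are unconstrained.
using Checkpoints = std::map<uint64_t, std::string>;

bool checkpoint_ok(const Checkpoints& cps, const Block& b) {
    auto it = cps.find(b.height);
    return it == cps.end() || it->second == b.hash;
}

// Node with the lenient version rule plus a checkpoint file (the quick patch).
bool accept_with_checkpoints_only(const Checkpoints& cps, const Block& b) {
    return version_ok_lenient(b) && checkpoint_ok(cps, b);
}

// Node with the height-aware version rule; checkpoints still apply.
bool accept_patched(const Checkpoints& cps, const Block& b) {
    return version_ok_strict(b) && checkpoint_ok(cps, b);
}

int main() {
    Checkpoints cps{{913193, "constructed-hash-A"}};
    Block replay{913194, 2, "constructed-hash-C"};  // early v2 block, one height later
    std::cout << accept_with_checkpoints_only(cps, replay) << accept_patched(cps, replay) << "\n";
}
```
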