
Disclosure of a Major Bug in CryptoNote Based Currencies - mike-cardwell
https://getmonero.org/2017/05/17/disclosure-of-a-major-bug-in-cryptonote-based-currencies.html
======
runeks
> The so-called "key image" as used in CryptoNote coins utilising elliptic
> curve ed25519 can be modified in a special way, allowing double-spends. This
> effectively allows someone to create an infinite amount of coins in a way
> that is impossible to detect without knowing about the exploit and
> explicitly writing code to check for it.

Ouch. I guess we're now seeing the value in having a crypto-currency depend on
as few (well-tested) cryptographic primitives as possible.

It always strikes me as a bit overzealous when blockchain-based currencies add
exotic cryptographic primitives to improve on the properties of Bitcoin a
little bit, while at the same time risking complete destruction in case just
the tiniest detail has gone unnoticed.

I feel like crypto-money _must_ rely on cryptographic primitives whose
subversion would cause great harm elsewhere, too. If not, the financial
incentive to expose flaws isn't present until it's already too late (the
currency is very valuable). If this isn't the case, the crypto-currency
becomes a somewhat meaningless research project, as the financial incentive to
reveal weaknesses just isn't there.

~~~
indolering
Monero/CryptoNote actually uses fairly vanilla crypto compared to Zcash.
However, you have to create new crypto if you want to do new things. Bitcoin's
security model is based on the ridiculous premise that people will spend real
money to run worthless calculations in exchange for virtual money (edit: /s).

What bothers me is that none of them are using high-assurance software
methods. Cryptocurrencies are better than most in that the developers have an
informal security model written down somewhere. However, the _real_
specification boils down to a pile of C++ code.

~~~
runeks
> Bitcoin's security model is based on the ridiculous premise that people will
> spend real money to run worthless calculations in exchange for virtual
> money.

This ridiculous premise is the reality right now.

Also, the calculations are by no means worthless. They prevent alteration of
the blockchain history. Without this, everyone involved in a crypto-currency
can collude to increase their own balances without leaving any proof
whatsoever. It's not waste; it's a necessity.

Imagine an attacker exploiting a bug in the reference implementation, where
the exploit is able to travel from node to node (not far-fetched). This
exploit deletes the existing chain that all nodes carry, replacing it with the
attacker's version. With Bitcoin this exploit has no effect, because proof-of-work
makes the chain immutable. For non-proof-of-work currencies, everyone
will be left wondering which version of the history is the correct one, and
the only way to settle the matter would be through trust.

~~~
indolering
I was being sarcastic ; )

I'll edit the post.

------
jstanley
I find it interesting that the price of ByteCoin hasn't crashed yet.

[https://poloniex.com/exchange#btc_bcn](https://poloniex.com/exchange#btc_bcn)

~~~
sna1l
Dropping pretty fast now. 20% in the last 5-10 minutes, it seems.

~~~
jstanley
If you can truly create infinite amounts of ByteCoin, the price should quickly
go to 0. I'm amazed it still hasn't.

~~~
mbgaxyz
Poloniex has a duty of care to its customers.

Poloniex should suspend the trading of ByteCoin until it can be determined
whether or not the bug has been exploited, as some reports indicate:

[https://www.reddit.com/r/Monero/comments/6buu5j/disclosure_o...](https://www.reddit.com/r/Monero/comments/6buu5j/disclosure_of_a_major_bug_in_cryptonotebased/dhpt1ow/)

It's surprising that an exchange like Poloniex would allow trading in
potentially fraudulent ByteCoins to continue.

[https://poloniex.com/exchange#btc_bcn](https://poloniex.com/exchange#btc_bcn)

However, in Poloniex's defense, they could argue that the security disclosure
just 24 hours ago has not given them enough time to respond, and that up until
now they were only ever aware of a (fake) DoS bug impacting CryptoNote coins,
rather than a critical vulnerability.

[https://getmonero.org/2017/05/17/disclosure-of-a-major-bug-i...](https://getmonero.org/2017/05/17/disclosure-of-a-major-bug-in-cryptonote-based-currencies.html)

 _2017-02-21: The patch is surreptitiously snuck into the Monero codebase in
pull request #1744. It is kept secret to prevent it being used to attack other
CryptoNote coins.

2017-02-22: A point release of Monero is rushed out so that exchanges and
mining pools can update, under the guise of it preventing a RingCT DoS attack
(such attack did not exist, but it seemed a fair explanation)._

~~~
jstanley
Poloniex have suspended deposits and withdrawals for ByteCoin (I'm not sure
when), although it looks like trading is still active.

------
vosper
If the main website isn't working for you (wasn't for me), here's a link to
Google's cache:

[https://webcache.googleusercontent.com/search?q=cache:https:...](https://webcache.googleusercontent.com/search?q=cache:https://getmonero.org/2017/05/17/disclosure-of-a-major-bug-in-cryptonote-based-currencies.html)

------
aeleos
I find it really interesting that they snuck the patch into a commit months
ago. Are there any other examples of something like this happening where
maintainers had to obscure changes to the software?

~~~
firethief
I think that's standard practice for cryptocurrencies. I mean, what else would
you do, announce it and make users race with exploiters to react?

~~~
runeks
He's not asking whether or not it's the wisest thing to do, but if there's
precedent for this sort of thing (sneaking in fixes to fatal bugs in open
source crypto-currencies). You seem to imply it has happened before; do you
have any examples?

It's inherently problematic because you need to somehow get your users to
upgrade their software without knowledge of exactly why they need to do this.

I know Bitcoin has had denial-of-service fixes sneaked in, but I'm not aware
of anything of this nature.

One thing's for sure: the commit logs of crypto-currencies will be scrutinized
a lot more by black hats from now on.

~~~
firethief
I can't find any references to what I'd heard about bitcoin bug handling, but
it was probably in reference to the DoS fixes. I haven't heard of any
exploitable-for-profit bugs being handled the same way, but we wouldn't have,
would we? So the question is whether a shut-down-everything DoS or a stolen
money bug would be handled similarly, as a policy. I think if a stolen money
bug were considered significantly worse than a shut-down-everything bug there
would still be an alert system in place, since it could effectively reduce the
former to the latter.

------
runeks
So, did the Monero developers sneak this fix into the April hardfork? I'm not
saying this is wrong, but it's certainly not very transparent.

In case of the Bitcoin overflow bug[1], a public announcement was made and
everyone was asked to upgrade.

[1]
[https://bitcointalk.org/index.php?topic=827.0](https://bitcointalk.org/index.php?topic=827.0)

~~~
_coldfire
You would assume that it was kept quiet to protect the other coins out there
using cryptonote.

------
candl
This is why absolute anonymous crypto-currencies will never catch on. Too much
trust must be put into the hands of the developers. How do we know this
vulnerability (and maybe others yet to be discovered) was not exploited for
months? They didn't even share the methodology and tools they used to check
the blockchain for this particular exploit. I can understand their assurance
that everything is fine, because otherwise any coin on this list gets
basically useless overnight, but that's not how it should be handled.

~~~
StavrosK
> This is why absolute anonymous crypto-currencies will never catch on.

What, because of vulnerabilities? How are anonymous cryptocurrencies any
different from literally any other piece of software in this regard?

~~~
candl
Yes, because of the potential pitfalls of undiscovered vulnerabilities like
the one in this post, where an attacker could have generated an unlimited
supply of coins and remained undetectable. This is in contrast to Bitcoin and
other coins whose transactions are public on the blockchain and can be openly
analyzed. The other aspect is ethical. Did the people involved in the discovery
of this vulnerability take advantage of it and make themselves rich by
exploiting other cryptonote based coins? Little risk, high reward, which is tempting.

~~~
45h34jh53k4j
It's a signing bug.

There have been incidents of 'accidental inflation' of fully-anonymous
cryptocurrencies (as opposed to 'semi-anonymous' [sender/receiver anonymous]
and pseudonymous bitcoin).

Zerocoin had a 1/4 inflation from
[https://news.ycombinator.com/item?id=13672117](https://news.ycombinator.com/item?id=13672117)

I wouldn't go so far as to say this will prevent this technology from ever
being secure. It's early days. Don't play with what you can't lose.

The great Monero team did notify other CryptoNote based currencies; it seems
that the granddaddy Bytecoin didn't fix it before the notification period.
There is no evidence that they exploited this. They even came up with a method
for detecting if it had been exploited...

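An added example for the key-image problem quoted at the top of the thread and the detection method mentioned just above (example code written for this page, not from the Monero post or codebase): a key image shifted by a small-order point, which ed25519's cofactor-8 group allows, is still a valid curve point, so a node must reject it explicitly with the test L*I == identity, where L is the prime order of the base point. Assumes pure-Python affine ed25519 arithmetic written here for illustration; TORSION, the sample scalar and the "key images" are constructed values, not chain data.

```python
# Added example (not from the thread or from Monero): the subgroup check that
# separates a well-formed ed25519 key image from one carrying a torsion component.
P = 2**255 - 19                                      # field prime
L = 2**252 + 27742317777372353535851937790883648493  # order of the base point
D = (-121665 * pow(121666, P - 2, P)) % P            # curve constant d
SQRT_M1 = pow(2, (P - 1) // 4, P)                    # sqrt(-1) mod P
IDENTITY = (0, 1)
TORSION = (SQRT_M1, 0)                               # constructed point of order 4

def add(a, b):
    """Affine twisted-Edwards addition on -x^2 + y^2 = 1 + d*x^2*y^2."""
    x1, y1 = a
    x2, y2 = b
    k = D * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + k, P - 2, P)
    y3 = (y1 * y2 + x1 * x2) * pow(1 - k, P - 2, P)
    return x3 % P, y3 % P

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = IDENTITY
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def base_point():
    """Recover the RFC 8032 base point B from y = 4/5 and the even-x rule."""
    y = 4 * pow(5, P - 2, P) % P
    x2 = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * SQRT_M1 % P
    return (P - x if x & 1 else x), y

def in_prime_order_subgroup(pt):
    """The key-image sanity check: L*I must be the identity."""
    return mul(L, pt) == IDENTITY

def scan_key_images(key_images):
    """Defender's scan: indexes of key images that fail the subgroup check."""
    return [i for i, ki in enumerate(key_images) if not in_prime_order_subgroup(ki)]

if __name__ == "__main__":
    good = mul(123456789, base_point())   # constructed stand-in for a real key image
    bad = add(good, TORSION)              # same image shifted by a torsion point
    print(scan_key_images([good, bad]))   # → [1]
```

Both points verify on the curve and collapse to the same value once the cofactor is cleared (8*good == 8*bad), which is why the torsion component is invisible to a verifier that never runs this check.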
------
zenlikethat
Nice work team and thanks for the responsible disclosure. Vulnerabilities are
inevitable and it's how you handle them that counts.

