Witness arhag update: Aug. 1, 2016 to Aug. 8, 2016

in witness-category •  2 years ago

I continued work on the will contract / recovery feature that I started the week prior. I finished the design and made a post about it on Friday, Aug. 5, 2016 as an official proposal which you can read here. I also started the implementation of that feature, which you can find here. I would estimate that the code currently found on that GitHub branch implements about 80% of the coding efforts needed to realize the proposed will contract feature (not including any unit tests).

However, I have stopped work on the implementation of that feature and do not have any current plans to complete it because unfortunately @dan said that Steemit does not plan to adopt that proposed feature at this time due to its complexity.

On Monday evening, Aug. 8, 2016, a user with a set of accounts with names starting with supercomputing began dominating the entire mining queue. The fact that they were completely taking over the mining queue even with high difficulty was suspicious enough, but it was made even more suspicious by the fact that they were always changing their active keys shortly prior to "finding" a proof of work. This suggested to me that @supercomputing was taking advantage of some vulnerability in the mining algorithm to avoid doing the actually computationally heavy steps of finding a proof of work.

From just the information above and my existing understanding of the mining algorithm, I was able to quickly figure out the hack that @supercomputing came up with and determine a solution to fix it. I will likely later write up a separate blog post explaining this in more detail. Anyway, the solution was a fairly straightforward change to the mining algorithm, but it required a hardfork. I explained the vulnerability and the required fix in a chat message to @dan so that he could then write the code changes to fix it the next day.
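The pattern described above (a set of similarly named accounts dominating the mining queue and changing their active keys shortly before each proof of work) can be checked for mechanically. The following is an added example, not code from this post or from Steem; the record format, account names, and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample, not real chain data: (block_number, account, op_type).
# "key_change" = active-key update, "pow" = accepted proof-of-work submission.
SAMPLE_OPS = [
    (100, "supercomputing1", "key_change"),
    (102, "supercomputing1", "pow"),
    (103, "honestminer", "pow"),
    (110, "supercomputing2", "key_change"),
    (111, "supercomputing2", "pow"),
    (120, "supercomputing1", "key_change"),
    (123, "supercomputing1", "pow"),
    (130, "honestminer", "key_change"),   # routine rotation, far from any pow
    (400, "honestminer", "pow"),
    (410, "supercomputing2", "key_change"),
    (412, "supercomputing2", "pow"),
]

def flag_key_change_before_pow(ops, window=5, min_pows=2, min_ratio=0.8):
    """Return {account: (pows_preceded_by_key_change, total_pows)} for accounts
    whose PoW submissions almost always follow an active-key change within
    `window` blocks."""
    last_change = {}
    stats = defaultdict(lambda: [0, 0])   # account -> [preceded, total]
    for block, account, op in sorted(ops):
        if op == "key_change":
            last_change[account] = block
        elif op == "pow":
            stats[account][1] += 1
            changed_at = last_change.get(account)
            if changed_at is not None and block - changed_at <= window:
                stats[account][0] += 1
    return {
        acct: (hit, total)
        for acct, (hit, total) in stats.items()
        if total >= min_pows and hit / total >= min_ratio
    }

def queue_share_by_prefix(ops, prefix):
    """Fraction of all PoW submissions made by accounts sharing a name prefix."""
    pows = [acct for _, acct, op in ops if op == "pow"]
    return sum(a.startswith(prefix) for a in pows) / len(pows) if pows else 0.0

if __name__ == "__main__":
    print(flag_key_change_before_pow(SAMPLE_OPS))
    print(queue_share_by_prefix(SAMPLE_OPS, "supercomputing"))
```

A routine key rotation that is not followed by a proof of work within the window, like the constructed `honestminer` one, does not trigger the flag.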

"supercomputing" was a name chosen to disguise the bug abuse lol. good catch.

My advice: please continue your work, then Steemit will be less vulnerable... thanks :D

I would be interested in hearing about what exactly they had done to exploit a vulnerability. I had also noticed something like 30 of their accounts in the queue and thought it was a little unbelievable.

+1 Ya, it would be interesting to find out exactly what they did.

Judging from the github fix, it says "The proposed solution is to make the final step of the POW dependent upon block id". So I guess it wasn't doing that.

https://github.com/steemit/steem/issues/256

From the sparse details given it sounds like he was taking credit for the computational work of others with some sort of key switching spoof hack. Do we know how much supercomputing accumulated?

Awesome detective work @arhag.

jeez, the black horses are everywhere, eh? Sounds like you did amazing work at resolving that problem. You get an upvote for your dedication.

I will be looking forward to the separate blog post with the details. Thanks.

I was going over the "new" category. Subject made me curious but honestly, I got no clue what this is about... My bet it is something great and awesome. :-)

A user @supercomputing figured out a bug in the mining algorithm that allowed him to pretty much take over the mining rewards system for himself and boot everyone else out.

Mining is crucial in attracting new users from the crypto-currency community. I myself came here originally to learn how to mine steem. If the mining system doesn't allow everyone to mine easily it will really hurt Steem's growth.

Right now it's pretty much impossible to mine thanks to this hack being exploited and they have also removed the market maker liquidity reward system due to abuse. That's two core reward systems currently broken.

@arhag you should get bug bounty reward for this....

Excellent work and (although in general witnesses are well paid and I don't really think they need high rewards on every status report) upvoting to recognize the obvious accomplishment of quickly figuring out the mining exploit and the required fix.

It just feels good that the development team responds so quickly to issues. I just remember on certain platforms "wink wink" you had to wait weeks to fix a bug. Very good job dev team!

Nice catch. Will be voting for you as witness.

What is the advantage of being a witness? Do we get anything if we vote for someone?

Witnesses operate the servers that sign the blocks which create the blockchain, thus making up the backbone of the network. They also perform some other functions such as providing the price feed that values Steem Dollars. Finally they do a variety of other work to support and promote the Steem ecosystem, such as the design, development, and security analysis that @arhag mentioned in his post. If you want the system to work well and be supported with other efforts you should vote for witnesses who you trust to carry out these functions competently and honestly.

Hi @smooth,
He will get my witness vote for his contributions.
I will also vote for @rainman @liondani and @blocktrade.
They provided important information about the current situation with supercomputing on my post. Thank you all.

Nice information @arhag

Thanks for posting. I missed this when it happened but was wondering why I wasn't getting any blocks. I have already voted for you as a witness and my upvote here doesn't count for much so all I can say is thanks:)

Awesome work as always, @arhag! It's a pity that @dan doesn't want to integrate this right now in steem, but I can understand the reason why. Still, I think this is an extremely important feature and would like to see it integrated in graphene directly, so it'd be nice to know if he would agree to that. @dan? I understand that this would mean also backporting some code from the recovery feature (correct?) but I'd be willing to chip in a good amount of STEEM/SBD for that. I'd also pay for code review by @abit and whoever else has the skills to do so. Obviously, default config for that feature should be to not activate anything unless explicitly done so by the user, but I know I would use that feature for sure (and would feel confident knowing my wife would get my stuff should anything happen to me, without having to give her any private keys)