Disclosure of a Major Bug in CryptoNote Based Currencies (getmonero.org)
80 points by mike-cardwell on May 18, 2017 | hide | past | favorite | 28 comments


> The so-called "key image" as used in CryptoNote coins utilising elliptic curve ed25519 can be modified in a special way, allowing double-spends. This effectively allows someone to create an infinite amount of coins in a way that is impossible to detect without knowing about the exploit and explicitly writing code to check for it.

Ouch. I guess we're now seeing the value in having a crypto-currency depend on as few (well-tested) cryptographic primitives as possible.

It always strikes me as a bit overzealous when blockchain-based currencies add exotic cryptographic primitives to improve on the properties of Bitcoin a little bit, while at the same time risking complete destruction in case just the tiniest detail has gone unnoticed.

I feel like crypto-money must rely on cryptographic primitives whose subversion would cause great harm elsewhere, too. If not, the financial incentive to expose flaws isn't present until it's already too late (the currency is very valuable). If this isn't the case, the crypto-currency becomes a somewhat meaningless research project, as the financial incentive to reveal weaknesses just isn't there.
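The subgroup issue behind the quoted advisory, as an added example (not code from the getmonero.org post or from Monero): ed25519 has cofactor 8, so a curve point can carry a small-order torsion component that changes its 32-byte encoding while leaving the prime-order part untouched. The script below builds the curve arithmetic from the standard ed25519 constants, adds an order-4 point to a stand-in key image, and shows that the result is still a valid curve point with a different encoding, so a byte-equality "already spent" lookup would miss it, and that multiplying by the group order l and comparing with the identity rejects it. That order check is my reading of what a validator must do, not a quotation of the patch; the scalar 7 standing in for the secret is made up.

```python
# Added example: ed25519 arithmetic in pure Python, showing why a key image
# outside the prime-order subgroup is a distinct 32-byte value and how a
# subgroup-membership check catches it. Not code from the getmonero.org post
# or from Monero; the `L * pt == identity` check is my reading of what the
# fix must enforce, and the "secret" below is a made-up stand-in.

P = 2**255 - 19                                       # field prime
D = (-121665 * pow(121666, -1, P)) % P                # curve constant d
L = 2**252 + 27742317777372353535851937790883648493   # order of the base point
SQRT_M1 = pow(2, (P - 1) // 4, P)                     # sqrt(-1) mod P
IDENTITY = (0, 1)

def on_curve(pt):
    """-x^2 + y^2 == 1 + d x^2 y^2  (twisted Edwards form, a = -1)."""
    x, y = pt
    return (-x*x + y*y - 1 - D*x*x*y*y) % P == 0

def add(p1, p2):
    """Complete Edwards addition law; the same formula doubles a point."""
    x1, y1 = p1
    x2, y2 = p2
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1*y2 + x2*y1) * pow(1 + t, -1, P) % P
    y3 = (y1*y2 + x1*x2) * pow(1 - t, -1, P) % P
    return (x3, y3)

def scalar_mult(k, pt):
    """Double-and-add; fine for a demo, not constant-time."""
    acc, addend = IDENTITY, pt
    while k:
        if k & 1:
            acc = add(acc, addend)
        addend = add(addend, addend)
        k >>= 1
    return acc

def recover_x(y, sign):
    """RFC 8032 x-recovery from y and the parity bit of x."""
    x2 = (y*y - 1) * pow(D*y*y + 1, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x*x - x2) % P:
        x = x * SQRT_M1 % P
    if (x*x - x2) % P:
        raise ValueError("not a square")
    if (x & 1) != sign:
        x = P - x
    return x

def encode(pt):
    """32-byte little-endian y with the parity of x in the top bit."""
    x, y = pt
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

BY = 4 * pow(5, -1, P) % P
B = (recover_x(BY, 0), BY)          # standard ed25519 base point
T4 = (SQRT_M1, 0)                   # a point of order 4 (the cofactor is 8)

def in_prime_order_subgroup(pt):
    """The check a validator needs: L * pt must be the identity."""
    return scalar_mult(L, pt) == IDENTITY

def demo(secret=7):
    honest = scalar_mult(secret, B)     # stands in for a real key image x*Hp(P)
    mauled = add(honest, T4)            # same scalar, plus a torsion component
    spent = {encode(honest)}            # naive "have we seen this key image?" set
    return {
        "mauled_on_curve": on_curve(mauled),
        "encodings_differ": encode(mauled) != encode(honest),
        "naive_lookup_misses_it": encode(mauled) not in spent,
        "honest_passes_check": in_prime_order_subgroup(honest),
        "mauled_fails_check": not in_prime_order_subgroup(mauled),
        "cofactor_clears_it": scalar_mult(8, mauled) == scalar_mult(8, honest),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Run as a script it prints six True values: the mauled point is on the curve and encodes differently, the byte-equality lookup misses it, the order check separates the two, and multiplying both by the cofactor 8 erases the difference. That last line is why a node has to apply the order check (or cofactor clearing) before a key image is stored or compared, not after.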


Monero/CryptoNote actually uses fairly vanilla crypto compared to Zcash. However, you have to create new crypto if you want to do new things. Bitcoin's security model is based on the ridiculous premise that people will spend real money to run worthless calculations in exchange for virtual money (edit: /s).

What bothers me is that none of them are using high-assurance software methods. Cryptocurrencies are better than most in that the developers have an informal security model written down somewhere. However, the real specification boils down to a pile of C++ code.


> Bitcoin's security model is based on the ridiculous premise that people will spend real money to run worthless calculations in exchange for virtual money.

This ridiculous premise is the reality right now.

Also, the calculations are by no means worthless. They prevent alteration of the blockchain history. Without this, everyone involved in a crypto-currency can collude to increase their own balances without leaving any proof whatsoever. It's not waste; it's a necessity.

Imagine an attacker exploiting a bug in the reference implementation, where the exploit is able to travel from node to node (not far-fetched). This exploit deletes the existing chain that all nodes carry, replacing it with the attacker's version. With Bitcoin this exploit has no effect, because proof-of-work makes the chain immutable. For non-proof-of-work currencies, everyone will be left wondering which version of the history is the correct one, and the only way to settle the matter would be through trust.


I was being sarcastic ; )

I'll edit the post.


Not sure it's reasonable to call ed25519 an "exotic crypto primitive". It's more modern than P-curve ECDSA, but "modernism" in curves is a trend towards user-proofing: the P-curves and DSA are themselves a thicket of thorny implementation pitfalls.

There's no simple conservative path you can chart through this particular crypto use case that will make things easy. Public key cryptography is difficult and dangerous.


I'm honestly not sure if "cryptographic primitive" is the right terminology (I'm no cryptographer), but I was referring to the ring signature scheme that comprises CryptoNote[1]; not ed25519 itself.

[1] https://bytecoin.org/cryptonote/


Oh, totally fair. Sorry, I shouldn't have well-actuallied you here.


I find it interesting that the price of ByteCoin hasn't crashed yet.

https://poloniex.com/exchange#btc_bcn


Dropping pretty fast now. 20% in the last 5-10 minutes, it seems.


If you can truly create infinite amounts of ByteCoin, the price should quickly go to 0. I'm amazed it still hasn't.


Poloniex has a duty of care to its customers.

Poloniex should suspend the trading of ByteCoin until it can be determined whether or not the bug has been exploited, as some reports indicate:

https://www.reddit.com/r/Monero/comments/6buu5j/disclosure_o...

It's surprising that an exchange like Poloniex would allow trading in potentially fraudulent ByteCoins to continue.

https://poloniex.com/exchange#btc_bcn

However, in Poloniex's defense, they could argue that the security disclosure just 24 hours ago has not given them enough time to respond, and that up until now they were only ever aware of a (fake) DoS bug impacting CryptoNote coins, rather than a critical vulnerability.

https://getmonero.org/2017/05/17/disclosure-of-a-major-bug-i...

2017-02-21: The patch is surreptitiously snuck into the Monero codebase in pull request #1744. It is kept secret to prevent it being used to attack other CryptoNote coins.

2017-02-22: A point release of Monero is rushed out so that exchanges and mining pools can update, under the guise of it preventing a RingCT DoS attack (such attack did not exist, but it seemed a fair explanation).


Poloniex have suspended deposits and withdrawals for ByteCoin (I'm not sure when), although it looks like trading is still active.


If the main website isn't working for you (wasn't for me), here's a link to Google's cache:

https://webcache.googleusercontent.com/search?q=cache:https:...


I find it really interesting that they snuck the patch into a commit months ago. Are there any other examples of something like this happening where maintainers had to obscure changes to the software?


This is a constant issue: what is the safest course of action? You start by patching your shit first, then push it upstream, and then slowly broaden the disclosure circle. Large software vendors (RedHat, IBM, etc.) and infrastructure operators (Amazon, Cloudflare, etc.) get advance notice. Only then is it distributed to the public.

This is the de-facto route for closed-source software, but Linus doesn't mark all security patches as such [0]. There are a lot of unpatched systems out there and Linus doesn't have the time to parse the exact ramifications of every security bug.

That being said, it's pretty clear that we need to invest in more robust software development methods.

[0]: http://yarchive.net/comp/linux/security_bugs.html


I think that's standard practice for cryptocurrencies. I mean, what else would you do, announce it and make users race with exploiters to react?


He's not asking whether or not it's the wisest thing to do, but if there's precedent for this sort of thing (sneaking in fixes to fatal bugs in open source crypto-currencies). You seem to imply it has happened before; do you have any examples?

It's inherently problematic because you need to somehow get your users to upgrade their software without knowledge of exactly why they need to do this.

I know Bitcoin has had denial-of-service fixes sneaked in, but I'm not aware of anything of this nature.

One thing's for sure: the commit logs of crypto-currencies will be scrutinized a lot more by black hats from now on.


I can't find any references to what I'd heard about bitcoin bug handling, but it was probably in reference to the DoS fixes. I haven't heard of any exploitable-for-profit bugs being handled the same way, but we wouldn't have, would we? So the question is whether a shut-down-everything DoS or a stolen money bug would be handled similarly, as a policy. I think if a stolen money bug were considered significantly worse than a shut-down-everything bug there would still be an alert system in place, since it could effectively reduce the former to the latter.


All closed-source software.


So, did the Monero developers sneak this fix into the April hardfork? I'm not saying this is wrong, but it's certainly not very transparent.

In case of the Bitcoin overflow bug[1], a public announcement was made and everyone was asked to upgrade.

[1] https://bitcointalk.org/index.php?topic=827.0


You would assume that it was kept quiet to protect the other coins out there using cryptonote.


This is why absolute anonymous crypto-currencies will never catch on. Too much trust must be put into the hands of the developers. How do we know this vulnerability (and maybe others yet to be discovered) were not exploited for months? They didn't even share the methodology and tools they used to check the blockchain for this particular exploit. I can understand their assurance that everything is fine, because otherwise any coin on this list gets basically useless overnight, but that's not how it should be handled.


> This is why absolute anonymous crypto-currencies will never catch on.

What, because of vulnerabilities? How are anonymous cryptocurrencies any different from literally any other piece of software in this regard?


Yes, because of the potential pitfalls of undiscovered vulnerabilities like the one in this post, where an attacker could have generated an unlimited supply of coins and remained undetectable. This is in contrast to Bitcoin and other coins whose transactions are public on the blockchain and can be openly analyzed. The other aspect is ethical. Did the people involved in the discovery of this vulnerability take advantage of it and make themselves rich by exploiting other CryptoNote based coins? Little risk, high reward, which is tempting.


It's a signing bug.

There have been incidents of 'accidental inflation' of fully-anonymous cryptocurrencies (as opposed to 'semi-anonymous' [sender/receiver anonymous] and pseudonymous bitcoin).

Zerocoin had a 1/4 inflation from https://news.ycombinator.com/item?id=13672117

I wouldn't go so far as to say this will prevent this technology from ever being secure. It's early days. Don't play with what you can't lose.

The great Monero team did notify other CryptoNote based currencies; it seems that the granddaddy Bytecoin didn't fix it before the notification period ended. There is no evidence that they exploited this. They even came up with a method for detecting if it had been exploited...


Secret inflation is just one way to grief a cryptocurrency; there are a lot of things that could cause the value to drop.

Can you really trust Ethereum as a platform given the DAO debacle? I do, but only because I seriously doubt there will ever be a massive hardfork like that again.


Until the next 100 million dollar loss.

"The die has been cast"


Nice work team and thanks for the responsible disclosure. Vulnerabilities are inevitable and it's how you handle them that counts.




