
stratum pool - fake hash vulnerability #1938

So is it a real vulnerability, or pool operator's fault for not blocking low difficulty submissions?
 
It's kind of the pool operator's fault, but more so the MPOS fork developer's software developer's in my eyes. It's simply a "magic" bitmask that caused low diff shares to be accepted as high diff shares. A stratum patch is already submitted and easy to implement that stops it from even potentially being an issue - hardcoded value replaced with an algo to generate it dynamically, but it doesn't look like anyone is accepting blame here.

I've never run a MPOS pool, but I can't imagine that's a configurable value, and thus it lands in the hands of the person who released the forked MPOS for DRK, as they've not changed that to the correct value.
 
That's correct as far as I'm aware. It's not a problem with mining itself but rather with the stratum server.

See spoiler:
Here is a quote from the guy who used the "exploit", as he claimed:
hrt
Re: cpu hashrate
« Sent to: x on: March 11, 2014, 06:44:56 PM »
I run through mining proxy with a changed code. It denies automatic difficulty adjustment on pool stratum server, assign to each share variable hash raws [not unfeigned] thus stratum server is incapable to make up authenticity of these shares. I have always calculated at 0 diff and got all shares accepted, earnings respectively.
hrt
Re: cpu hashrate
« Sent to: x on: March 11, 2014, 08:50:38 PM »
Added several extensions while compiled from 1.3 version in open source.
I tried with different algos and at now proxy works on X11, groestl, qubit and sha256d.
Saying clearly, sha256d is not so useful as 500-1000GH guys play. On sha256d I have 80 iterations per second, each pick up a low diff share at speed 48000KH. Running 30 CPU is equal to 115GH.
If you are interested and there are other engaged people, I can start a new topic with this on mind and share proxy for small donate, although pulling out this in public would be risky as this is still cheating.
 
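A server-side share check in the spirit of the fix discussed in this thread, added here as an illustration; it is not the stratum patch or MPOS code. The diff-1 constant, the function names and the sample job are assumptions, and sha256d stands in for whichever algorithm the pool runs.

```python
import hashlib
from fractions import Fraction

# Assumption: Bitcoin-style diff-1 target for sha256d. Other algorithms and
# pool stacks use a different constant, so derive targets from it at run time.
DIFF1_TARGET = 0xFFFF << 208

def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def share_target(difficulty, diff1=DIFF1_TARGET) -> int:
    """Largest hash value that counts as a share at the given difficulty."""
    d = Fraction(difficulty)
    if d <= 0:
        raise ValueError("difficulty must be positive")
    return diff1 * d.denominator // d.numerator

def check_share(header_prefix: bytes, nonce: int, assigned_difficulty):
    """Validate a submission against the difficulty the server assigned.

    The server rebuilds the header from its own job data plus the submitted
    nonce and hashes it itself; nothing the client claims about the hash or
    the difficulty is trusted.
    """
    if len(header_prefix) != 76 or not 0 <= nonce < 2**32:
        return False, "malformed submission"
    digest = sha256d(header_prefix + nonce.to_bytes(4, "little"))
    if int.from_bytes(digest, "little") > share_target(assigned_difficulty):
        return False, "low difficulty share"
    return True, "accepted"

def find_low_diff_nonce(header_prefix: bytes, low, high) -> int:
    """Build test input: a nonce that meets `low` difficulty but not `high`."""
    for nonce in range(2**32):
        digest = sha256d(header_prefix + nonce.to_bytes(4, "little"))
        value = int.from_bytes(digest, "little")
        if share_target(high) < value <= share_target(low):
            return nonce
    raise RuntimeError("no nonce found")

# Constructed sample job: 76 bytes of header data, not real chain data.
JOB_PREFIX = bytes(range(76))
LOW, ASSIGNED = Fraction(1, 2**24), Fraction(1, 2**12)

if __name__ == "__main__":
    nonce = find_low_diff_nonce(JOB_PREFIX, LOW, ASSIGNED)
    print(check_share(JOB_PREFIX, nonce, LOW))       # meets the low target
    print(check_share(JOB_PREFIX, nonce, ASSIGNED))  # rejected at assigned diff
```

Crediting should use the same assigned difficulty that the check used, so a share can never be paid at a higher difficulty than the one it was validated against.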