Temporary disabling of InstandSend due to potential quorum exploit method

AndyDark

Well-known Member
Sep 10, 2014
353
705
163
Hi everyone,

We'd like to inform you that with help from the community, we have discovered a potential exploit in the current InstantSend implementation which provides the chance for an attacker with 6 or more Masternodes to dominate an InstantSend quorum by brute forcing collateral transaction hashes in a certain way as to increase their chance to be selected for an IS quorum, which could provide the possibility to perform a double spend or a potential network fork.

We have not yet seen this attack executed on our network and we believe the risks are low because the exploit requires ownership of at least US$ 2.1 million in Dash. However, for safety we have disabled InstandSend via ["SPORK_2_INSTANTSEND_ENABLED": false] to ensure this attack cannot be performed until the fix, which is already completed & QA’d, is released to the network.

As 12.2 release is imminent, our intention is to include the fix as part of the 12.2 release process, which is estimated within the next few weeks, instead of releasing a hotfix immediately, to minimize the disruption in the coming network upgrade.

As a result, any InstandSend transactions made before 12.2 deployment will fallback to normal confirmation times, therefore users are advised to refrain from selecting InstantSend on payments in wallets until 12.2 to prevent being charged the higher fee.

We’d like to thank two community members, Matthew Robertson and Alexander Block for helping to discover this exploit. Consequently, after a post-mortem, our conclusion is that the exploit was missed internally due to the fact that we did not provide enough review of early InstantSend code, with everyone in our (much larger) team today being focused on V12 features and our forthcoming V13 Evolution release.

Therefore we have been conducting an internal security audit of earlier code which hasn’t found any further explots and we are also seeing the Dash community becoming much more active in contribution and code review, from new contributors to the recent $240,000 BugBounty program funded by the network, which we believe together will ensure that enough ongoing review is being provided to find and secure any future exploits quickly and comprehensively to ensure the Dash Network remains secure.


Thank you,


The Dash Core Team
 

Macrochip

Active Member
Feb 1, 2015
224
185
103
Our haters are already spinning this as something bad. So amusing! Imagine any other project encountering such an issue while not having sporks. Price would plummet as they'd issue emergency patches like someone kicked a hornet's nest while the exploit could actually be used costing people their hard earned money :rolleyes:

Thank Duffield for Sporks!
 
  • Like
Reactions: scronxs

Voluntary

Member
May 14, 2016
109
37
78
Dash Address
XivwUmSu5davqhqc3BX1j4w6dskzNFihQQ
Could this network feature suspension have an effect on how masternodes are selected for reward payments? I ask because I've got an established mn that reports as enabled and will shortly reach twelve days since its last reward payment.
 

demo

Well-known Member
Apr 23, 2016
3,114
263
153
Dash Address
XnpT2YQaYpyh7F9twM6EtDMn1TCDCEEgNX
Our haters are already spinning this as something bad. So amusing! Imagine any other project encountering such an issue while not having sporks. Price would plummet as they'd issue emergency patches like someone kicked a hornet's nest while the exploit could actually be used costing people their hard earned money :rolleyes:

Thank Duffield for Sporks!
You have to understand that the same way the core team can fix bugs using sporks, the same way they can also implant bugs (especially if forced by the 3 letters agency). Stop being so stupid please.:rolleyes:

The solution ? Community driven sporks, and a proof of individuality of course. The sad thing? Look how many stupid agree with the stupidity of @Macrochip. In the case of such a big concentration of stupids, NO, there is no solution! Even with community driven sporks. Even with proof of individuality. The stupids will always remain stupids, and will always rely upon the will of the smart one.

So what is the FINAL solution? EDUCATION of the community. Hard education. Even whipping sometimes. They certainly deserve it.

The good news? Both @codablock and @Matt Robertson do not belong to the greedy stupid dash generation of 2014-2016. Furthermore @codablock is the user 12000, and this number says something.
 
Last edited:

camosoul

Grizzled Member
Sep 19, 2014
2,266
1,130
1,183
I hate to admit it, but there are a few small seeds of truth in the pile of butt gumbo demo posted... Don't throw the baby out with the bathwater.

Sporks need to be network consensus managed.

Early DASH adopters are mostly a bunch of fucktards.
 

camosoul

Grizzled Member
Sep 19, 2014
2,266
1,130
1,183
Could this network feature suspension have an effect on how masternodes are selected for reward payments? I ask because I've got an established mn that reports as enabled and will shortly reach twelve days since its last reward payment.
I've had this happen many times prior to this sporking. I've had MNs get a payment in 4 days, and had one go 22 days... There is some entropy in the system that can lead to an occasional outlier. It averages out in the long run.

It is likely unrelated, but it would be a good idea for more MNOs to keep an eye to see if this accelerates.
 

Super8

Active Member
Mar 27, 2015
295
152
103
I hope 12.2 is released (and Instant send switched back on) in time for Max Keiser's GAP show. It will be a pity if Max has to admit that one of the keys advantages of Dash compared to Bitcoin isn't working. It's just bad PR for Dash and a missed opportunity for us.

(I do realise that updates happen at their own pace, but this is just a point to try and ask Dash Core to be mindful and laser focused on a speedy outcome!)

Thanks.
 
Apr 23, 2017
66
26
58
34
Personally, I still most if not all crypto's still in alpha version, so as investors in alpha software, my biggest concern is to find out that there are potential bugs that could totally destroy the network. (for example non transparent blockchains, which could potential have hidden printed extra coins). Having that said, Dash evolution is aimed at the mainstream, and once it is really for mass adoption (that does not have to mean version one of evolution) the Spork feature should be completely decentralized. It's a necessity. I hope to see this feature gets to be put on the roadmap in a way that is clear as day for everyone that is going be added within a reasable time frame.

PS we should not forget that Ethereum has a similiar way of control in the hands of Vitalik
 

TroyDASH

Well-known Member
Jul 31, 2015
1,251
794
183
I'm not sure about decentralizing the sporks themselves, but I would definitely be in favor of giving the Masternodes control over who has the keys to them, so that the situation can be remedied quickly in the event that the keys are leaked to a malicious actor or if the current spork key holders are no longer willing or able to use them well.
 
Apr 23, 2017
66
26
58
34
Adding to what TroyDash said a vote of convince could be done by simply proposing a vote similar to the question to increase the blockchain from 1mb to 2mb for the time being
 

Macrochip

Active Member
Feb 1, 2015
224
185
103
In Evolution sporking will be done by the network itself without human intervention. That's what's meant by "decentralizing the keys". No voting on each spork by MNOs as that would be wildly inefficient and cause massive lags in response time to urgent network issues. Source: MooCowMoo.
 

demo

Well-known Member
Apr 23, 2016
3,114
263
153
Dash Address
XnpT2YQaYpyh7F9twM6EtDMn1TCDCEEgNX
In Evolution sporking will be done by the network itself without human intervention. That's what's meant by "decentralizing the keys". No voting on each spork by MNOs as that would be wildly inefficient and cause massive lags in response time to urgent network issues. Source: MooCowMoo.
Sporks done bye the network. And who initiates the network to spork? This is still centralization too.
 

Voluntary

Member
May 14, 2016
109
37
78
Dash Address
XivwUmSu5davqhqc3BX1j4w6dskzNFihQQ
@camosoul Thank you for your reply - 22 days is nuts. My mn finally got paid a few hours into its twelfth day. If it makes a habit of that I'd be tempted to put it down to an 'unlucky' hash or masternode key or whatever the selection criteria is. Starting over with a new address and masternode key (and ip address etc) couldn't really hurt with delays like that.
 

camosoul

Grizzled Member
Sep 19, 2014
2,266
1,130
1,183
@camosoul Thank you for your reply - 22 days is nuts. My mn finally got paid a few hours into its twelfth day. If it makes a habit of that I'd be tempted to put it down to an 'unlucky' hash or masternode key or whatever the selection criteria is. Starting over with a new address and masternode key (and ip address etc) couldn't really hurt with delays like that.
It doesn't help to change key/address. You're just putting yourself at the back of the line.

Sometimes shit just happens.

The overwhelming majority hold entropy to ~half day worth of blocks.

I've got one hanging on to 13 days right now... But, two others popped at 6 days... Should be ~7.5.

If you have only 1 or 2 nodes the aberrations stand out to the limited sample proportion. When you look at the entire stack, it's stable.

Go to dash ninja and sort the whole stack by payment.
 

younglegend

Member
Jan 1, 2017
102
17
68
What is their wallet address? I'd like to thank them for discovering it.

"We’d like to thank two community members, Matthew Robertson and Alexander Block for helping to discover this exploit"
 

Voluntary

Member
May 14, 2016
109
37
78
Dash Address
XivwUmSu5davqhqc3BX1j4w6dskzNFihQQ
Is there an obvious fix for this InstantSend exploit or will it require more work than that?
 

camosoul

Grizzled Member
Sep 19, 2014
2,266
1,130
1,183
Is there an obvious fix for this InstantSend exploit or will it require more work than that?
OP:
As 12.2 release is imminent, our intention is to include the fix as part of the 12.2 release process, which is estimated within the next few weeks, instead of releasing a hotfix immediately, to minimize the disruption in the coming network upgrade.
reeding iz gud
 
Last edited:

TroyDASH

Well-known Member
Jul 31, 2015
1,251
794
183
Do we know how imminent is imminent? What is the timeline for 12.2 release?
 

tungfa

Administrator
Dash Core Team
Moderator
Foundation Member
Masternode Owner/Operator
Apr 9, 2014
8,972
6,740
1,283
a "couple" of weeks is all i know
 

dark_wanderer

Member
Nov 12, 2014
82
36
58
What is the status of the fix ?

30 aug: fix completed and qa'ed (according to AndyDark)
24 sep: work on fixing in progress (1st annual dash conference)

anyway, when would it be safe to use InstaSend?

Otoh owns more than 6 masternodes. So, it is not unrealistic to conduct such an attack ...