More Info About How @supercomputing Was Dominating The Mining Queue by abit

View this thread on: hive.blog | peakd.com | ecency.com

steem · @abit · Aug 17 '16

$454.92

More Info About How @supercomputing Was Dominating The Mining Queue

@arhag wrote a [post](https://steemit.com/steem/@arhag/how-supercomputing-was-able-to-dominate-the-mining-queue-and-how-the-bug-was-fixed) described how @supercomputing was able to dominate the mining queue before hard fork 13.

Here is the old algorithm described in @arhag's post:
```
1) hash1     = SHA256(latest_block_id)

2) hash2     = hash1 except for the first 64-bits replaced by some nonce (basically some random number selected to try to make the final work value have a sufficient number of leading 0 bits)

3) input     = SHA256(hash2)

4) sig       = ECDSA signature (in 65-byte format) of input using d (the active private key) and k (which is just another nonce used for signing)

5) sig_hash  = SHA256(sig)

6) pubkey    = Recover public key (33-byte format) corresponding to the private key that would have signed sig_hash with signature sig

7) work      = SHA256(pubkey)

work must have sufficient number of leading 0 bits matching the current mining difficulty target
```

In the post @arhag described:
> ... quickly (within a millisecond) calculate the corresponding private key necessary to make the new PoW valid according to the mining algorithm ... With the appropriate active private key `d` computed, the attacker can then change their account's active public key to the one corresponding to the private key ...

But there is a hole in the description, because the private key of a given signature shouldn't be so quickly to be resolved -- it's the nature of ECC algo.

**Actually, with the old algorithm, to submit a PoW, an attacker doesn't need to know the private key.**

When an attacker got an `input` with latest `head_block_id` and whatever `nounce` in step 3), and if she already have a known will-work `sig` in step 4), she can simply **recover** the public key (which is needed to put into the PoW operation) with the same method used in step 6). In addition, because a transaction contains only a PoW operation requires no signature (which is another hole in the old algo which got fixed in new algo),  the PoW will be accepted by other nodes.

👍 smooth, abit, arhag, smooth.witness, complexring, fuzzyvest, samupaha, boombastic, barrie, inboundinken, officialfuzzy, mrs.agsexplorer, noaommerrr, bonapartist, easteagle13, rubybian, rea, bue, onesunbeingnow, fatboy, ubg, anonymous, sweetsssj, beowulfoflegend, james-show, xtester, royaltiffany, akareyon, jparty, lee5, magicmonk, plasticfuzzy, picokernel, bingo-0, michaeldodridge, noodhoog, goose, furion, cmtzco, spaninv, mahekg, sebastien, kennyskitchen, elishagh1, thebotkiller, dercoco, sunshinecrypto, bue-witness, oflyhigh, fkn, boy, pjheinz, johnbradshaw, alenevaa, d-marim, positive, orly, iloveporn, imp3, lantto, murh, kissmybutt, unicornfarts, vote, and 70 others

`author`	abit
`permlink`	more-info-about-how-supercomputing-was-dominating-the-mining-queue
`category`	steem
`json_metadata`	{"tags":["steem","security","mining"],"users":["arhag","supercomputing"],"links":["https://steemit.com/steem/@arhag/how-supercomputing-was-able-to-dominate-the-mining-queue-and-how-the-bug-was-fixed"]}
`created`	2016-08-17 19:12:09
`last_update`	2016-08-17 19:12:09
`depth`	0
`children`	13
`last_payout`	2016-09-18 02:35:09
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	355.116 HBD
`curator_payout_value`	99.807 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	2,083
`author_reputation`	141,171,499,037,785
`root_title`	"More Info About How @supercomputing Was Dominating The Mining Queue"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	857,596
`net_rshares`	56,261,200,812,970
`author_curate_reward`	""

properties (23)vote details (134)

voter	rshares	pct
barrie	612,356,476,997	100%
smooth	28,382,497,242,697	100%
anonymous	28,855,332,382	1%
samupaha	1,116,865,609,185	50%
fuzzyvest	2,419,728,481,554	35%
abit	6,190,156,178,411	100%
boy	2,470,238,755	100%
bue-witness	2,998,129,153	100%
bunny	567,603,623	100%
complexring	3,814,280,768,110	100%
arhag	6,165,731,406,761	100%
bue	41,948,280,065	100%
mini	1,324,164,960	100%
moon	170,709,221	100%
mineralwasser	101,837,668	100%
bonapartist	108,182,318,200	100%
boombastic	804,047,209,546	100%
mrs.agsexplorer	118,907,289,959	100%
lee5	14,940,507,233	100%
bingo-0	9,024,479,102	100%
smooth.witness	5,012,931,163,982	100%
officialfuzzy	304,915,376,102	100%
healthcare	496,873,319	100%
daniel.pan	725,575,461	100%
helen.tan	230,145,753	100%
noaommerrr	115,247,789,657	100%
easteagle13	78,580,548,002	100%
fkn	2,546,973,718	10%
paco-steem	421,263,405	85%
spaninv	4,803,859,585	85%
james-show	24,354,999,904	100%
elishagh1	3,344,213,822	10%
cortegam	421,178,507	100%
alenevaa	2,319,067,245	100%
murh	1,798,578,468	33.01%
akaninyene-etuk	269,722,136	100%
stiletto	329,360,555	85%
kennyskitchen	3,782,935,478	100%
jparty	16,830,079,856	100%
inboundinken	356,413,829,978	100%
fuck.off	1,433,034,244	50%
iloveporn	1,952,310,489	50%
the.bot	697,660,465	50%
johnbradshaw	2,374,285,836	50%
the.whale	1,655,802,562	50%
sunshinecrypto	3,116,399,323	100%
teego	1,537,744,530	100%
unicornfarts	1,680,941,325	50%
rubybian	72,397,427,886	100%
orly	2,045,187,460	100%
soupernerd	111,254,149	35%
cmtzco	5,268,813,105	100%
vote	1,655,945,435	50%
kissmybutt	1,743,467,886	50%
picokernel	9,295,055,374	100%
furion	5,414,738,190	10%
owdy	1,484,069,854	100%
barbara2	60,615,428	10%
ch0c0latechip	67,141,731	10%
doge4lyf	62,137,052	10%
vi1son	1,337,312,460	100%
akareyon	19,373,885,038	100%
sebastien	3,825,309,932	100%
d-marim	2,313,191,038	100%
noodhoog	7,570,248,623	100%
delik	197,161,095	100%
imp3	1,939,182,634	100%
natalyt	413,482,907	100%
ubg	29,679,766,942	100%
royaltiffany	23,098,291,588	100%
beowulfoflegend	24,905,550,630	100%
rea	70,627,678,627	100%
positive	2,051,274,967	10%
yarly	1,148,826,520	100%
yarly2	265,075,857	100%
yarly3	265,474,476	100%
yarly4	153,878,108	100%
yarly5	154,748,369	100%
yarly7	88,291,213	100%
fatboy	34,051,715,807	100%
yarly10	258,408,878	100%
yarly11	142,218,343	100%
michaeldodridge	7,836,736,951	100%
yarly12	79,810,941	100%
fnait	63,919,325	10%
keepcalmand	62,705,479	10%
creatorgalaxy	112,996,238	100%
spinner	1,377,978,426	100%
webosfritos	886,367,604	100%
weenis	109,225,124	35%
mahekg	4,758,902,094	100%
alrx6918	94,775,168	100%
magicmonk	14,687,080,525	100%
xtester	23,667,598,056	100%
oflyhigh	2,791,158,771	100%
future24	177,210,080	100%
thebotkiller	3,239,173,078	50%
dercoco	3,134,430,561	100%
plasticfuzzy	11,652,331,721	100%
gamerate	90,143,051	100%
immortality	61,696,026	100%
tomeraddady	59,668,352	100%
future-shock	112,641,010	100%
longevity	70,003,435	100%
rashka	58,234,574	100%
pjheinz	2,388,145,666	100%
wilfred	66,184,695	100%
litali	65,611,696	100%
chanbam	577,231,315	100%
jimmytwoshoes	86,954,700	50%
longtech	57,640,568	100%
sweetsssj	26,247,169,890	100%
zite	56,903,682	100%
lantto	1,882,732,119	100%
fiat19	55,543,179	100%
eileenbeach	894,839,496	100%
mrainp	120,452,952	100%
runridefly	111,116,739	100%
onesunbeingnow	40,922,124,954	100%
gsdalex	51,749,039	100%
budda	53,539,776	100%
goose	6,565,371,034	100%
analyzethis	50,931,848	100%
renzoarg	1,404,090,310	100%
warhammer	52,915,392	100%
roadhog	50,718,184	100%
doggnostic	51,699,969	100%
cnfund	159,035,648	100%
zzzzzzzzz	55,607,840	100%
jenny-talls	51,432,754	100%
post-successful	51,230,467	100%
bik1980	52,247,577	100%
puffin	0	100%
fenya	0	100%

@arhag · Aug 18 '16 (edited)

> she can simply recover the public key (which is needed to put into the PoW operation) with the same method used in step 6

> because a transaction contains only a PoW operation requires no signature (which is another hole in the old algo which got fixed in new algo)

Good point.

That means the implementation of the exploit was actually easier than I thought because it didn't require messing around the libsecp256k1 function implementations. The existing APIs could have been used to get the active public key, and that's most likely what was used by @supercomputing.

properties (22)

`author`	arhag
`permlink`	re-abit-more-info-about-how-supercomputing-was-dominating-the-mining-queue-20160817t205401396z
`category`	steem
`json_metadata`	{"tags":["steem"],"users":["supercomputing"]}
`created`	2016-08-17 20:54:00
`last_update`	2016-08-18 01:15:15
`depth`	1
`children`	1
`last_payout`	2016-09-18 02:35:09
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	572
`author_reputation`	52,490,827,205,383
`root_title`	"More Info About How @supercomputing Was Dominating The Mining Queue"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	859,327
`net_rshares`	0

@abit · Aug 18 '16

I don't know if @supercomputing was doing so with API call. But here is the code I used to compete with @supercomputing, you can see, only need one line to get the public key:
```
//construct pow operation
          chain::pow_operation op;
          op.block_id = block_id;
          op.worker_account = miner;
          op.nonce = start + thread_num;
          op.props = _miner_prop_vote;

// some code omitted here to find a working sig from local db

               op.work.signature = sig;
               op.work.work = work;
               op.work.input = op.work_input();
               //calculate worker
               op.work.worker = fc::ecc::public_key( sig, op.work.input, false );

// construct transaction
...
```

👍 pjheinz

`author`	abit
`permlink`	re-arhag-re-abit-more-info-about-how-supercomputing-was-dominating-the-mining-queue-20160818t011047480z
`category`	steem
`json_metadata`	{"tags":["steem"],"users":["supercomputing"]}
`created`	2016-08-18 01:10:48
`last_update`	2016-08-18 01:10:48
`depth`	2
`children`	0
`last_payout`	2016-09-18 02:35:09
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	729
`author_reputation`	141,171,499,037,785
`root_title`	"More Info About How @supercomputing Was Dominating The Mining Queue"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	863,068
`net_rshares`	2,388,145,666
`author_curate_reward`	""

properties (23)vote details (1)

voter	weight	wgt%	rshares	pct	time
pjheinz	0 B		2,388,145,666	100%

@cnfund · Aug 18 '16

Good post.

properties (22)

`author`	cnfund
`permlink`	re-abit-more-info-about-how-supercomputing-was-dominating-the-mining-queue-20160818t023833863z
`category`	steem
`json_metadata`	{"tags":["steem"]}
`created`	2016-08-18 02:36:57
`last_update`	2016-08-18 02:36:57
`depth`	1
`children`	0
`last_payout`	2016-09-18 02:35:09
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	10
`author_reputation`	105,733,074,011,368
`root_title`	"More Info About How @supercomputing Was Dominating The Mining Queue"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	864,156
`net_rshares`	0

@cryptohead · Sep 1 '16

Now, it seems that the mining queue is  dominated by the  "rabbit" servers.
I wonder if it's necessary to do another fork to fix this:
http://www.crservers.com/images/steem_mining_queue.JPG

Can somebody explain what is going on?
Thanks

properties (22)

`author`	cryptohead
`permlink`	re-abit-more-info-about-how-supercomputing-was-dominating-the-mining-queue-20160901t005026786z
`category`	steem
`json_metadata`	{"tags":["steem"],"image":["http://www.crservers.com/images/steem_mining_queue.JPG"]}
`created`	2016-09-01 00:50:24
`last_update`	2016-09-01 00:50:24
`depth`	1
`children`	4
`last_payout`	2016-09-18 02:35:09
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	236
`author_reputation`	607,929,583,052
`root_title`	"More Info About How @supercomputing Was Dominating The Mining Queue"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	1,078,620
`net_rshares`	0

@abit · Sep 2 '16

Probably a GPU miner cluster.

properties (22)

`author`	abit
`permlink`	re-cryptohead-re-abit-more-info-about-how-supercomputing-was-dominating-the-mining-queue-20160902t163448662z
`category`	steem
`json_metadata`	{"tags":["steem"]}
`created`	2016-09-02 16:34:48
`last_update`	2016-09-02 16:34:48
`depth`	2
`children`	3
`last_payout`	2016-09-18 02:35:09
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	29
`author_reputation`	141,171,499,037,785
`root_title`	"More Info About How @supercomputing Was Dominating The Mining Queue"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	1,100,434
`net_rshares`	0

@cryptohead · Sep 2 '16

I understand there is only CPU mining  for Steem

properties (22)

`author`	cryptohead
`permlink`	re-abit-re-cryptohead-re-abit-more-info-about-how-supercomputing-was-dominating-the-mining-queue-20160902t181614200z
`category`	steem
`json_metadata`	{"tags":["steem"]}
`created`	2016-09-02 18:16:36
`last_update`	2016-09-02 18:16:36
`depth`	3
`children`	2
`last_payout`	2016-09-18 02:35:09
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	48
`author_reputation`	607,929,583,052
`root_title`	"More Info About How @supercomputing Was Dominating The Mining Queue"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	1,101,535
`net_rshares`	0

2 replies

@minfon · Aug 21 '16

原來是 POW 作業時不需簽名中有流程代碼的漏洞，在hard Fork 13版以後应該修正了吧？！

properties (22)

`author`	minfon
`permlink`	re-abit-more-info-about-how-supercomputing-was-dominating-the-mining-queue-20160821t042955685z
`category`	steem
`json_metadata`	{"tags":["steem"]}
`created`	2016-08-21 04:29:57
`last_update`	2016-08-21 04:29:57
`depth`	1
`children`	1
`last_payout`	2016-09-18 02:35:09
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	49
`author_reputation`	4,620,523,428,308
`root_title`	"More Info About How @supercomputing Was Dominating The Mining Queue"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	916,008
`net_rshares`	0

@abit · Aug 21 '16

新版的挖矿算法严谨多了，暂时还没找到漏洞。
老版也是运行几个月了才有人发现这个，虽然是比较低级的错误。

properties (22)

`author`	abit
`permlink`	re-minfon-re-abit-more-info-about-how-supercomputing-was-dominating-the-mining-queue-20160821t193237911z
`category`	steem
`json_metadata`	{"tags":["steem"]}
`created`	2016-08-21 19:32:36
`last_update`	2016-08-21 19:32:36
`depth`	2
`children`	0
`last_payout`	2016-09-18 02:35:09
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	51
`author_reputation`	141,171,499,037,785
`root_title`	"More Info About How @supercomputing Was Dominating The Mining Queue"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	924,217
`net_rshares`	0

@oflyhigh · Aug 18 '16

好深奥

properties (22)

`author`	oflyhigh
`permlink`	re-abit-more-info-about-how-supercomputing-was-dominating-the-mining-queue-20160818t023407147z
`category`	steem
`json_metadata`	{"tags":["steem"]}
`created`	2016-08-18 02:34:09
`last_update`	2016-08-18 02:34:09
`depth`	1
`children`	0
`last_payout`	2016-09-18 02:35:09
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	3
`author_reputation`	6,307,181,401,566,315
`root_title`	"More Info About How @supercomputing Was Dominating The Mining Queue"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	864,126
`net_rshares`	0

@vi1son · Aug 17 '16

> But there is a hole in the description, because the private key of a given signature shouldn't be so quickly to be resolved -- it's the nature of ECC algo.

Is it bad?

properties (22)

`author`	vi1son
`permlink`	re-abit-more-info-about-how-supercomputing-was-dominating-the-mining-queue-20160817t193631631z
`category`	steem
`json_metadata`	{"tags":["steem"]}
`created`	2016-08-17 19:36:30
`last_update`	2016-08-17 19:36:30
`depth`	1
`children`	0
`last_payout`	2016-09-18 02:35:09
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	169
`author_reputation`	6,286,810,078,777
`root_title`	"More Info About How @supercomputing Was Dominating The Mining Queue"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	857,951
`net_rshares`	0

@zzzzzzzzz · Aug 18 '16

Thank you for information. Now I will keep in mind.

properties (22)