Bug in CryptoNote
A rather serious bug in all CryptoNote-based cryptocoins was recently disclosed by the Monero community. The bug allowed for forging of key-images, essentially allowing skilled individuals to mint new coins at will.
First I would like to congratulate Fluffypony and the other Monero developers on having handled this situation VERY professionally and responsibly.
Although I consider Bytecoin to be shady at best and an outright scam at worst, there are lots of new people in the community who need to be alerted to the current state of Bytecoin.
A crude audit of Bytecoin
I was curious to see if the current pump of Bytecoin coincided with a simultaneous exploitation of Bytecoin, creating new bytecoins out of thin air.
I forked the Bytecoin repository on GitHub and added a (very) crude form of audit, by changing the security patch (which activates at block 1267000) and disabling the checkpointing system.
The fork with the alterations can be found here: https://github.com/p4fg/bytecoin
By syncing the entire blockchain from scratch, the daemon will automatically print out whenever a keyimage-check fails, but after that accept the block and continue with the next.
- Faulty keyimage found in block 1242306!
- Faulty keyimage found in block 1243473!
- Faulty keyimage found in block 1243475!
- Faulty keyimage found in block 1243478!
- Faulty keyimage found in block 1243489!
- Faulty keyimage found in block 1243491!
- Faulty keyimage found in block 1243496!
As you can see, the first block containing a forged key-image is 1242306, mined at 2017-04-13 04:07 UTC.
The current Bytecoin pump on Poloniex started roughly at 2017-05-16 15:20 UTC.
It is possible, even very likely, that some or many of these transactions went to Poloniex and other exchanges. Poloniex has since stopped Bytecoin deposits, but only they know if it was in time…
The patch for Bytecoin fixing this problem feels suspicious. The patch looks like it starts checking for this bug after block 1267000. But in reality it is only checking blocks after 1268000, as blocks inside the range of checkpoints will not be validated at all (see Checkpoints::isInCheckpointZone). From what I can see this was not exploited, but it does not really smell right, as those two should be the same number in my opinion.
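A simplified model of the gap described above between the patch's activation height and the checkpoint zone, as an added example that is not Bytecoin's code or code from the author's fork. The zone rule, the inclusive activation boundary, and the names `Policy`, `keyImageChecked`, `uncheckedHeights` and `shippedPolicy` are assumptions; the heights 1267000 and 1268000 and the log line format come from this post.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>
struct Checkpoints {
    std::map<uint32_t, std::string> points;  // height -> block hash
    // Assumed rule: every height up to the highest checkpoint is in the zone.
    bool isInCheckpointZone(uint32_t h) const {
        return !points.empty() && h <= points.rbegin()->first;
    }
};
struct Policy {
    uint32_t patchHeight = 0;  // key-image check enabled from here (assumed inclusive)
    Checkpoints cp;
    bool keyImageChecked(uint32_t h) const {
        return h >= patchHeight && !cp.isInCheckpointZone(h);
    }
    uint32_t firstEnforcedHeight() const {  // lowest height where the check really runs
        return cp.isInCheckpointZone(patchHeight) ? cp.points.rbegin()->first + 1 : patchHeight;
    }
};
// Extracts N from "Faulty keyimage found in block N!"; returns 0 when absent.
uint32_t parseFaultyHeight(const std::string& line) {
    const std::string key = "found in block ";
    const auto pos = line.find(key);
    if (pos == std::string::npos) return 0;
    try { return static_cast<uint32_t>(std::stoul(line.substr(pos + key.size()))); }
    catch (const std::exception&) { return 0; }
}
// Logged heights that the given policy would have accepted without the check.
std::vector<uint32_t> uncheckedHeights(const Policy& p, const std::vector<std::string>& log) {
    std::vector<uint32_t> out;
    for (const auto& l : log) {
        const uint32_t h = parseFaultyHeight(l);
        if (h != 0 && !p.keyImageChecked(h)) out.push_back(h);
    }
    return out;
}
Policy shippedPolicy() {  // heights as stated in the post; the hash is a placeholder
    Policy p;
    p.patchHeight = 1267000;
    p.cp.points[1268000] = "<placeholder-hash>";
    return p;
}
int main() {
    std::cout << "first enforced height: " << shippedPolicy().firstEnforcedHeight() << "\n";
}
```

Under this model the check first runs at height 1268001, and every block in the audit log above falls below it, so a daemon with the unmodified patch and checkpoints enabled would not flag any of them.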
I do not claim to understand all the details of CryptoNote, but this is my understanding of the situation. Monero devs: feel free to correct me. In my opinion it is entirely possible that exchanges could have key-images in their wallet that will not be valid past block 1267000. They might be for big amounts of Bytecoin. They could probably have been “washed” simply by re-sending them to another wallet before this block; in that case the number of Bytecoins in existence has increased without mining.
I know too little about the exact details to know for sure.
In the worst case Poloniex (and/or other exchanges) will not be able to honor withdrawals of bytecoins. Also the key-images could possibly linger on in the blockchain, be used as possible inputs when creating ring-signatures and render transactions invalid.
Update: No invalid key-images seem to exist; it is the input key-images that are able to be double-spent using this bug. 690 million Bytecoins, worth over 1 million USD, were created in the process.
The patch for Bytecoin seems to have been rushed out, and it is also entirely possible that the chain has forked or will fork depending on how and when miners and users upgrade to the patched version that considers any block with a forged transaction to be invalid.
The lack of active developers and/or community for Bytecoin is alarming, and I would:
- Caution anyone against investing long-term in this coin (Bytecoin also has a questionable past)
- Recommend against holding Bytecoin on any exchange at the moment until the smoke has cleared
Coins without a strong community are dangerous stale software.
Coins with active developers and a strong community are Magic Internet Money(tm)
Updates after initial post
- Over one million USD worth of Bytecoin has been reported to be artificially created
- After some investigation it seems that the output key-images are always valid. It is the input key-images that are double-spent. The exchanges are probably off the hook.