Hello I am the Head of IT and Crypto Currency Manager at Cryptsy. We recently came across a serious bug in the master branch of peercoin
This would affect anyone accepting deposits with reusable addresses
Example:
User A deposits 1000 PPC to the address PEXAMPLE1KJcCoNLyBAzQANCzVN2VdPm53t
Deposit clears and is credited to their account accordingly
User B initiates a withdrawal for 100 PPC going to PEXAMPLE2zYnQaeKFq2senzBdeUcZusT1i
If the daemon selects Users A's deposit as the best input then the following will be the result
The 2 outputs created for the transaction will be
100 PPC -> PEXAMPLE2zYnQaeKFq2senzBdeUcZusT1i
900 PPC -> PEXAMPLE1KJcCoNLyBAzQANCzVN2VdPm53t
Therefore User A gets another deposit for 900 PPC
This will mainly effect exchanges where Withdrawals are initiated and deposit addresses are stored in the same wallet. But is not limited to that case
Even if there are separate wallets for withdrawals and deposits, Coins will still need to be swept from the deposit wallet to the withdrawal and to cold storage. Any send transaction leaving the deposit wallet runs a high risk of creating an invalid deposit to a users account.
If any merchant allows users to maintain a ppc balance with them. And provides a re usable deposit address. Then the merchant would be subject to the same possibility of fraudulent deposits.
This may seem like a simple oversight. But for someone without the monitoring we have in place this could be devastating. Thankfully we caught this early and have corrected the invalid deposits. I hope the developers take this seriously and patch the repository ASAP before it results in significant loss for someone.
-Mullick
mullick@cryptsy.com