URGENT Serious bug in Peercoin master branch

mullick · July 26, 2015, 2:26am

Hello I am the Head of IT and Crypto Currency Manager at Cryptsy. We recently came across a serious bug in the master branch of peercoin

This would affect anyone accepting deposits with reusable addresses

Example:

 User A deposits 1000 PPC to the address PEXAMPLE1KJcCoNLyBAzQANCzVN2VdPm53t

 Deposit clears and is credited to their account accordingly

 User B initiates a withdrawal for 100 PPC going to PEXAMPLE2zYnQaeKFq2senzBdeUcZusT1i

 If the daemon selects Users A's deposit as the best input then the following will be the result

 The 2 outputs created for the transaction will be 

      100 PPC -> PEXAMPLE2zYnQaeKFq2senzBdeUcZusT1i

      900 PPC -> PEXAMPLE1KJcCoNLyBAzQANCzVN2VdPm53t

 Therefore User A gets another deposit for 900 PPC

This will mainly effect exchanges where Withdrawals are initiated and deposit addresses are stored in the same wallet. But is not limited to that case

Even if there are separate wallets for withdrawals and deposits, Coins will still need to be swept from the deposit wallet to the withdrawal and to cold storage. Any send transaction leaving the deposit wallet runs a high risk of creating an invalid deposit to a users account.

If any merchant allows users to maintain a ppc balance with them. And provides a re usable deposit address. Then the merchant would be subject to the same possibility of fraudulent deposits.

This may seem like a simple oversight. But for someone without the monitoring we have in place this could be devastating. Thankfully we caught this early and have corrected the invalid deposits. I hope the developers take this seriously and patch the repository ASAP before it results in significant loss for someone.

-Mullick
mullick@cryptsy.com

mhps · July 26, 2015, 6:50am

Hi mullick,
Thanks for reaching out.

The avatar mode (change going to the input address) is not default with Peercoin so did you enable it on your exchange?

This problem has surfaced in a few Nushares exchanges (example). That is why the Nu Integration Guide has a warning. Nu (Nubits and NuShares) is a fork of PPC.

by the way, any chance cryptsy has Nubits and NuShares?

mullick · July 26, 2015, 4:57pm

[quote=“mhps, post:2, topic:3588”]Hi mullick,
Thanks for reaching out.

The avatar mode (change going to the input address) is not default with Peercoin so did you enable it on your exchange?

This problem has surfaced in a few Nushares exchanges (example). That is why the Nu Integration Guide has a warning. Nu (Nubits and NuShares) is a fork of PPC.

by the way, any chance cryptsy has Nubits and NuShares?[/quote]

The problem is we do not have avatar mode set in the config file. It seems to be enabled by default which is the bug. Im really quite shocked this hasnt been addressed yet when the developers have been aware for over a week.

We currently do not list Nubits or Nushares.

Sentinelrv · July 26, 2015, 7:24pm

I just alerted Sunny King of this in case he didn’t yet see the issue that was opened.

Sunny_King · July 27, 2015, 9:26pm

Fixed by glv2 in the latest master branch. Problem was introduced during development of v0.5, so not affecting the v0.4.0 release. If building from the latest master branch, please update the daemon as soon as possible.

Ray1957 · July 29, 2015, 6:56pm

Slightly off topic here but not by much. I have had this notice on my peercoin wallet for a long time now. Am concerned about it.

WARNING: Blockchain redownload required approaching or past v0.4 upgrade deadline.

Where do I get the upgrade?

Any danger of loosing my coins during an upgrade?

Thanks.