Monthly Archives: June 2016

Waves is not Ethereum, for the sake of God, don’t buy it

I thought that Waves was a complete platform. Meanwhile, their GitHub is quite empty, looks like they wasted their resources on the graphics instead. This is not Ethereum, which had clients ready on launch. This is a scam if I’ve ever seen one. Their only .conf file includes a mention of NXT, so will they run in NXT in the end and just forgot to rename it?

https://github.com/wavesplatform/Waves/blob/master/src/main/resources/waves.conf

app {
product = "Scorex"
release = "Waves"
version = "0.1.3"
consensusAlgo = "nxt"
}

And here is the compromising material:

https://github.com/input-output-hk/Scorex/blob/master/README.md

Bitcoin Core source code contains more 100K lines of code(80K of C++ only), Nxt is more than 45K line of Java code. All parts of the design(network/transactional/consensus protocols) are mixed in a hard way. So researchers and developers are not in good start positions to make experiments.

Also, there is no code in the repository, the only thing I could find was 5 HTML files titled “swagger ui”
https://github.com/input-output-hk/Scorex/tree/master/scorex-basics/src/main/resources

Greedy DAO stakeholders will be ETH’s demise

The only possible option to keep Ethereum live is to stop touching it’s code in order to fix The DAO and to stop introducing bugs to it. However, there is a large user group called The DAO investors, who are unable to see the truth thanks to their greed. If they do not realize quickly enough, The DAO will take Ethereum down with it. There is no longer any space to pretend these projects are independent, because as pressure rises, the sacred unbiased code of ETH is getting a nasty sacrilege.

And the truth is:
-The DAO has already been hacked, reverting the funds using an address-specific rule violates the whole decentralized principle and will make the price plummet

-If you don’t stop interfering, the price of ETH will be directly correlated to that of the DAO, taking all ETH holders who did not invest in the DAO hostage. It was all fun and games, freedom, decentralization while the price was rising, right? But when somebody touches your property, you want them executed, taking and killing hostages in the process.

-And most interestingly: The hacker will most probably dump, which will make the price plummet, but probably not as hard. This is your only chance

I bet that the hard fork will be implemented and it will kill the DAO. And the DAO Hitlers will take ETH owners in the process. I never make predictions, but I’m 89.5% sure here.

The DAO fix would cause a DoS attack

http://hackingdistributed.com/2016/06/28/ethereum-soft-fork-dos-vector/

Conclusions:

The current soft fork deployed in Ethereum poses a DoS vector. If the soft fork activation goes ahead as planned, the community should be prepared for potential DoS attacks, which would lead to diminished performance for the network. We urge the community to come to consensus on the ultimate resolution of The DAO saga as quickly as possible.

$1,000,000 hidden in plain sight

Network synchronization requires UDP.
VCASH has UDP. Bitcoin does not.

Here is a price comparison:

This basically means that if you put $1 to XVC and all the coins gain same adoption as Bitcoin has now, that $1 will be worth $4308. As you can calculate, it takes $232 to earn 1 million dollars if such situation occurs.

Mircea Popescu takes credit for exploiting The DAO code

As time goes by, it becomes ever more clear that The DAO cannot be salvaged. No rollback will restore the trust in the platform, and it could very well do the exact opposite. Although everyone is still looking for reasons why “everything is OK”, the reality keeps becoming apparent. The DAO developers fucked up big time and there is no excuse for that.

To the DAO and the Ethereum community,

I have carefully examined the code of The DAO and decided to participate after finding the feature where splitting is rewarded with additional ether. I have made use of this feature and have rightfully claimed 3,641,694 ether, and would like to thank the DAO for this reward. It is my understanding that the DAO code contains this feature to promote decentralization and encourage the creation of “child DAOs”.

I am disappointed by those who are characterizing the use of this intentional feature as “theft”. I am making use of this explicitly coded feature as per the smart contract terms and my law firm has advised me that my action is fully compliant with United States criminal and tort law. For reference please review the terms of the DAO:

“The terms of The DAO Creation are set forth in the smart contract code existing on the Ethereum blockchain at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413. Nothing in this explanation of terms or in any other document or communication may modify or add any additional obligations or guarantees beyond those set forth in The DAO’s code. Any and all explanatory terms or descriptions are merely offered for educational purposes and do not supercede or modify the express terms of The DAO’s code set forth on the blockchain; to the extent you believe there to be any conflict or discrepancy between the descriptions offered here and the functionality of The DAO’s code at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413, The DAO’s code controls and sets forth all terms of The DAO Creation.”

A soft or hard fork would amount to seizure of my legitimate and rightful ether, claimed legally through the terms of a smart contract. Such fork would permanently and irrevocably ruin all confidence in not only Ethereum but also the in the field of smart contracts and blockchain technology. Many large Ethereum holders will dump their ether, and developers, researchers, and companies will leave Ethereum. Make no mistake: any fork, soft or hard, will further damage Ethereum and destroy its reputation and appeal.

I reserve all rights to take any and all legal action against any accomplices of illegitimate theft, freezing, or seizure of my legitimate ether, and am actively working with my law firm. Those accomplices will be receiving Cease and Desist notices in the mail shortly.

I hope this event becomes an valuable learning experience for the Ethereum community and wish you all the best of luck.

Yours truly,
“The Attacker”

Message Hash (Keccak): 0xaf9e302a664122389d17ee0fa4394d0c24c33236143c1f26faed97ebb
d017d0e
Signature: 0x5f91152a2382b4acfdbfe8ad3c6c8cde45f73f6147d39b072c81637fe810060616039
08f692dc15a1b6ead217785cf5e07fb496708d129645f3370a28922136a32
PS. You probably want to revisit the 2013 discussion of “Ripple”. Just because you idiots changed the name doesn’t mean anything changed! Just how hard is it to grok this utterly banal point ?

PPS. Since so many people have asked : yes, there are more. This definitely isn’t the only hole in the pile of shit, but in the immortal words of Jerry Seinfeld,


http://trilema.com/2016/to-the-dao-and-the-ethereum-community-fuck-you/#selection-21.0-99.157

Letter to the DAO community by the hacker (presumably)

===== BEGIN SIGNED MESSAGE =====
To the DAO and the Ethereum community,

I have carefully examined the code of The DAO and decided to participate after finding the feature where splitting is rewarded with additional ether. I have made use of this feature and have rightfully claimed 3,641,694 ether, and would like to thank the DAO for this reward. It is my understanding that the DAO code contains this feature to promote decentralization and encourage the creation of “child DAOs”.

I am disappointed by those who are characterizing the use of this intentional feature as “theft”. I am making use of this explicitly coded feature as per the smart contract terms and my law firm has advised me that my action is fully compliant with United States criminal and tort law. For reference please review the terms of the DAO:

“The terms of The DAO Creation are set forth in the smart contract code existing on the Ethereum blockchain at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413. Nothing in this explanation of terms or in any other document or communication may modify or add any additional obligations or guarantees beyond those set forth in The DAO’s code. Any and all explanatory terms or descriptions are merely offered for educational purposes and do not supercede or modify the express terms of The DAO’s code set forth on the blockchain; to the extent you believe there to be any conflict or discrepancy between the descriptions offered here and the functionality of The DAO’s code at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413, The DAO’s code controls and sets forth all terms of The DAO Creation.”

A soft or hard fork would amount to seizure of my legitimate and rightful ether, claimed legally through the terms of a smart contract. Such fork would permanently and irrevocably ruin all confidence in not only Ethereum but also the in the field of smart contracts and blockchain technology. Many large Ethereum holders will dump their ether, and developers, researchers, and companies will leave Ethereum. Make no mistake: any fork, soft or hard, will further damage Ethereum and destroy its reputation and appeal.

I reserve all rights to take any and all legal action against any accomplices of illegitimate theft, freezing, or seizure of my legitimate ether, and am actively working with my law firm. Those accomplices will be receiving Cease and Desist notices in the mail shortly.

I hope this event becomes an valuable learning experience for the Ethereum community and wish you all the best of luck.

Yours truly,
“The Attacker”
===== END SIGNED MESSAGE =====

Message Hash (Keccak): 0xaf9e302a664122389d17ee0fa4394d0c24c33236143c1f26faed97ebbd017d0e
Signature: 0x5f91152a2382b4acfdbfe8ad3c6c8cde45f73f6147d39b072c81637fe81006061603908f692dc15a1b6ead217785cf5e07fb496708d129645f3370a28922136a32

Vitalik: We can handle that

CRITICAL UPDATE Re: DAO Vulnerability
Posted by Vitalik Buterin on June 17th, 2016.

An attack has been found and exploited in the DAO, and the attacker is currently in the process of draining the ether contained in the DAO into a child DAO. The attack is a recursive calling vulnerability, where an attacker called the “split” function, and then calls the split function recursively inside of the split, thereby collecting ether many times over in a single transaction.

The leaked ether is in a child DAO at https://etherchain.org/account/0x304a554a310c7e546dfe434669c62820b7d83490; even if no action is taken, the attacker will not be able to withdraw any ether at least for another ~27 days (the creation window for the child DAO). This is an issue that affects the DAO specifically; Ethereum itself is perfectly safe.

The development community is proposing a soft fork, (with NO ROLLBACK; no transactions or blocks will be “reversed”) which will make any transactions that make any calls/callcodes/delegatecalls that execute code with code hash 0x7278d050619a624f84f51987149ddb439cdaadfba5966f7cfaea7ad44340a4ba (ie. the DAO and children) lead to the transaction (not just the call, the transaction) being invalid, starting from block 1760000 (precise block number subject to change up until the point the code is released), preventing the ether from being withdrawn by the attacker past the 27-day window. This will later be followed up by a hard fork which will give token holders the ability to recover their ether.

Miners and mining pools should resume allowing transactions as normal, wait for the soft fork code and stand ready to download and run it if they agree with this path forward for the Ethereum ecosystem. DAO token holders and ethereum users should sit tight and remain calm. Exchanges should feel safe in resuming trading ETH.

Contract authors should take care to (1) be very careful about recursive call bugs, and listen to advice from the Ethereum contract programming community that will likely be forthcoming in the next week on mitigating such bugs, and (2) avoid creating contracts that contain more than ~$10m worth of value, with the exception of sub-token contracts and other systems whose value is itself defined by social consensus outside of the Ethereum platform, and which can be easily “hard forked” via community consensus if a bug emerges (eg. MKR), at least until the community gains more experience with bug mitigation and/or better tools are developed.

Developers, cryptographers and computer scientists should note that any high-level tools (including IDEs, formal verification, debuggers, symbolic execution) that make it easy to write safe smart contracts on Ethereum are prime candidates for DevGrants, Blockchain Labs grants and String’s autonomous finance grants.

This post will continue to be updated.

Why Lisk is a scam

There are several reasons why consider Lisk a scam.

The Lisk code is only a rebranded Crypti (XCR) code, the only difference is the new logo.
Crypti already had an ICO and raised money for the development, yet it was abandoned by Lisk developers for profit.
The Lisk developers are actually no developers at all, they are two managers who never wrote a single line of code.
Everyone who has ever bought Lisk must have known that. In that case, nobody would invest anything.
In fact, Lisk never raised $6,000,000. The money simply does not exist and it is only a marketing strategy – here’s the proof https://nxtforum.org/general-discussion/nxt-2-0-crowfunding-will-be-a-failure/msg217969/#msg217969