You are viewing a single comment's thread from:

RE: upcoming changes in Gridcoin (e.g. effects on less rich users; fixes on (known) exploits)

in #gridcoin7 years ago

hijacking beacons (stealing an user's CPID registration)

For the love of everything, can we have less of these tiny FUD sentences with no explanation? For example, this specific item was discussed between Rob and Martin in the dev channel on Slack, and Martin conceded it is not possible anymore due to automatic beacon renewal 2 weeks before expiry. Further, the network will prefer the older keys over a newer set.

This drastic change was needed to eliminate an exploit.

Which was?

Sort:  

Good point. But as far as I remember Rob has written that the client always prefers the newest matching keypair ;)

If that were the case, I could take any CPID I wanted from anyone else. Get their email from the blockchain, get their CPID from any of a number of sources, use them to request a new keypair by sending a beacon and I own the CPID.

I just copied from chat:

So on his second exploit he said that he can lock out a researcher, if he writes a program to create a beacon right after the beacon is about to expire. We do have a line of code in the system that Prefers the existing keypair IF the client refreshes their own keypair (as it would be impossible for the attacker to sign a NEW message with the existing keypair) first. So to cave on our 'feature' to allow beacon deletion, we sort of have this exploit, but the client constantly checks once every 4 hours if its beacon is about to expire and tries to refresh it. Now that I remember a little more about this exploit, we added code TO PROD, that refreshes a beacon 2 WEEKS before it expires to try to prevent this. We always prefer the newest Matching keypair, so that does invalidate this hack also.
At least it makes me say - Technically this paper is no longer accurate.

Coin Marketplace

STEEM 0.20
TRX 0.25
JST 0.037
BTC 96493.32
ETH 3372.63
USDT 1.00
SBD 2.99