In this post we will show why Gridcoin is insecure and probably will never achieve better security. Therefore, we are going to explain two critical implementation vulnerabilities and our experience with the core developer in the process of the responsible disclosure.
Update (15.08.2017):
After the talk at WOOT'17 serveral other developers of Gridcoin quickly reached out to us and told us that there was a change in responsibility internally in the Gridcoin-Dev team. Thus, we are going to wait for their response and then change this blog post accordingly. So stay tuned :)
Update (16.08.2017):
We are currently in touch with the whole dev team of Gridcoin and it seems that they are going to fix the vulnerabilities with the next release.
TL;DR
The whole Gridcoin currency is seriously insecure against attacks and should not be trusted anymore; unless some developers are in place, which have a profound background in protocol and application security.
What is Gridcoin?
Gridcoin is an altcoin, which is in active development since 2013. It claims to provide a high sustainability, as it has very low energy requirements in comparison to Bitcoin. It rewards users for contributing computation power to scientific projects, published on the BOINC project platform. Although Gridcoin is not as widespread as Bitcoin, its draft is very appealing as it attempts to eliminate Bitcoin's core problems. It possesses a market capitalization of $13,530,738 as of August the 4th 2017 and its users contributed approximately 5% of the total scientific BOINC work done before October 2016.A detailed description of the Gridcoin architecture and technical terms used in this blog post are explained in our last blog post.
The Issues
Currently there are 2 implementation vulnerabilities in the source code, and we can mount the following attacks against Gridcoin:
- We can steal the block creation reward from many Gridcoin minters
- We can efficiently prevent many Gridcoin minters from claiming their block creation reward (DoS attack)
Because we already fixed a critical design issue in Gridcoin last year and tried to help them to fix the new issues. Unfortunately, they do not seem to have an interest in securing Gridcoin and thus leave us no other choice than fully disclosing the findings.
In order to explain the vulnerabilities we will take a look at the current Gridcoin source code (version 3.5.9.8).
WARNING: Due to the high number of source code lines in the source files, it can take a while until your browser shows the right line.
Stealing the BOINC block reward
The developer implemented our countermeasures in order to prevent our attack from the last blog post. Unfortunately, they did not look at their implementation from an attacker's perspective. Otherwise, they would have found out that they conduct not check, if the signature over the last block hash really is done over the last block hash. But we come to that in a minute. First lets take a look at the code flow:In the figure the called-by-graph can be seen for the function VerifyCPIDSignature. |
- CheckBlock → DeserializeBoincBlock [Source]
- Here we deserialize the BOINC data structure from the first transaction
- CheckBlock → IsCPIDValidv2 [Source]
- Then we call a function to verify the CPID used in the block. Due to the massive changes over the last years, there are 3 possible verify functions. We are interested in the last one (VerifyCPIDSignature), for the reason that it is the current verification function.
- IsCPIDValidv2 → VerifyCPIDSignature [Source]
- VerifyCPIDSignature → CheckMessageSignature [Source, Source]
In the last function the real signature verification is conducted [Source]. When we closely take a look at the function parameter, we see the message (std::string sMsg) and the signature (std::string sSig) variables, which are checked. But where does this values come from?
If we go backwards in the function call graph we see that in VerifyCPIDSignature the sMsg is the string sConcatMessage, which is a concatenation of the sCPID and the sBlockHash.
We are interested where the sBlockHash value comes from, due to the fact that this one is the only changing value in the signature generation.
When we go backwards, we see that the value originate from the deserialization of the BOINC structure (MiningCPID& mc) and is the variable mc.lastblockhash [Source, Source]. But wait a second, is this value ever checked whether it contains the real last block hash?
No, it is not....
So they just look if the stored values there end up in a valid signature.
Thus, we just need to wait for one valid block from a researcher and copy the signature, the last block hash value, the CPID and adjust every other dynamic value, like the RAC. Consequently, we are able to claim the reward of other BOINC users. This simple bug allows us again to steal the reward of every Gridcoin researcher, like there was never a countermeasure.
Lock out Gridcoin researcher
The following vulnerability allows an attacker under specific circumstances to register a key pair for a CPID, even if the CPID was previously tied to another key pair. Thus, the attacker locks out a legit researcher and prevent him from claiming BOINC reward in his minted blocks.
Reminder: A beacon is valid for 5 months, afterwards a new beacon must be sent with the same public key and CPID.
Therefore, we need to take a look at the functions, which process the beacon information. Every time there is a block, which contains beacon information, it is processed the following way (click image for higher resolution):
In the figure the called-by-graph can be seen for the function GetBeaconPublicKey. |
- ProcessBlock → CheckBlock [Source]
- CheckBlock → LoadAdminMessages [Source]
- LoadAdminMessages → MemorizeMessages [Source]
- MemorizeMessages → GetBeaconPublicKey [Source]
For the following explanation we assume that we have an existing association (bound) between a CPID A and a public key pubK_A for 4 months.
- First public key for a CPID received [Source]
- The initial situation, when pubK_A was sent and bind to CPID A (4 months ago)
- Existing public key for a CPID was sent [Source]
- The case that pubK_A was resent for a CPID A, before the 5 months are passed by
- Other public key for a CPID was sent [Source]
- The case, if a different public key pubK_B for the CPID A was sent via beacon.
- The existing public key for the CPID is expired
- After 5 months a refresh for the association between A and pubK_A is required.
When an incoming beacon is processed, a look up is made, if there already exists a public key for the CPID used in the beacon. If yes, it is compared to the public key used in the beacon (case 2 and 3).
If no public key exists (case 1) the new public key is bound to the CPID.
If a public key exists, but it was not refreshed directly 12.960.000 seconds (5 months [Source]) after the last beacon advertisement of the public key and CPID, it is handled as no public key would exist [Source].
Thus, case 1 and 4 are treated identical, if the public key is expired, allowing an attacker to register his public key for an arbitrary CPID with expired public key. In practice this allows an attacker to lock out a Gridcoin user from the minting process of new blocks and further allows the attacker to claim reward for BOINC work he never did.
If no public key exists (case 1) the new public key is bound to the CPID.
If a public key exists, but it was not refreshed directly 12.960.000 seconds (5 months [Source]) after the last beacon advertisement of the public key and CPID, it is handled as no public key would exist [Source].
Thus, case 1 and 4 are treated identical, if the public key is expired, allowing an attacker to register his public key for an arbitrary CPID with expired public key. In practice this allows an attacker to lock out a Gridcoin user from the minting process of new blocks and further allows the attacker to claim reward for BOINC work he never did.
There is a countermeasure, which allows a user to delete his last beacon (identified by the CPID) . Therefore, the user sends 1 GRC to a special address (SAuJGrxn724SVmpYNxb8gsi3tDgnFhTES9) from an GRC address associated to this CPID [Source]. We did not look into this mechanism in more detail, because it only can be used to remove our attack beacon, but does not prevent the attack.
The responsible disclosure process
As part of our work as researchers we all have had the pleasure to responsible disclose the findings to developer or companies.For the reasons that we wanted to give the developer some time to fix the design vulnerabilities, described in the last blog post, we did not issue a ticket at the Gridcoin Github project. Instead we contacted the developer at September the 14th 2016 via email and got a response one day later (2016/09/15). They proposed a variation of our countermeasure and dropped the signature in the advertising beacon, which would result in further security issues. We sent another email (2016/09/15) explained to them, why it is not wise to change our countermeasures and drop the signature in the advertising beacon.
Unfortunately, we did not receive a response. We tried it again on October the 31th 2016. They again did not respond, but we saw in the source code that they made some promising changes. Due to some other projects we did not look into the code until May 2017. At this point we found the two implementation vulnerabilities. We contacted the developer twice via email (5th and 16th of May 2017) again, but never received a response. Thus, we decided to wait for the WOOT notification to pass by and then fully disclose the findings. We thus have no other choice then to say that:
The whole Gridcoin cryptocurrency is seriously insecure against attacks and should not be trusted anymore; unless some developers are in place, which have a profound background in protocol and application security.
Further Reading
A more detailed description of the Gridcoin architecture, the old design issue and the fix will be presented at WOOT'17. Some days after the conference the paper will be available online.
Related word
- Hacking Tools Name
- What Is Hacking Tools
- Hack Tools
- Kik Hack Tools
- Hacker Tools Github
- Beginner Hacker Tools
- Hacker Tools Free
- Hack And Tools
- Usb Pentest Tools
- Pentest Tools Nmap
- Nsa Hack Tools
- Hacking Tools Hardware
- Hacking Tools And Software
- Pentest Tools Subdomain
- Hack Tools For Ubuntu
- Game Hacking
- Pentest Tools Linux
- Pentest Tools Kali Linux
- Underground Hacker Sites
- Beginner Hacker Tools
- Termux Hacking Tools 2019
- Hacker Tools For Windows
- Hacker Tools Free Download
- Hacker Tools For Windows
- Nsa Hacker Tools
- Hack Tool Apk No Root
- Hacker Tools Apk
- Hacking Tools Software
- Hack Rom Tools
- Tools For Hacker
- New Hack Tools
- Hacking Tools For Windows
- Pentest Tools Alternative
- World No 1 Hacker Software
- Hacking Tools
- Hacker Tools Free Download
- Hacker Tools List
- Pentest Recon Tools
- How To Hack
- Hacker Tools Software
- Hacking Tools Windows 10
- Tools For Hacker
- Hacker Tools Software
- Tools 4 Hack
- Hacking Tools 2020
- Pentest Tools For Ubuntu
- What Is Hacking Tools
- Computer Hacker
- Hacker Tools Free
- Android Hack Tools Github
- Hacker Tools 2019
- Tools Used For Hacking
- Hacker Tools Free
- Pentest Tools Kali Linux
- Pentest Tools Download
- Top Pentest Tools
- Hak5 Tools
- Pentest Tools Github
- Pentest Tools For Mac
- Hacker Tools Free Download
- Hacking Tools 2019
- Pentest Tools List
- Pentest Tools Bluekeep
- Hack Tools
- Hack Tools
- Pentest Tools Website
- Free Pentest Tools For Windows
- Hack Rom Tools
- Physical Pentest Tools
- What Are Hacking Tools
- Usb Pentest Tools
- Hack Tool Apk No Root
- Pentest Tools Find Subdomains
- How To Make Hacking Tools
- Hack Tools
- Hack Tools For Pc
- Tools Used For Hacking
- Wifi Hacker Tools For Windows
- Hacking Tools Pc
- Pentest Tools Android
- Hack Tools
- Best Pentesting Tools 2018
- Hacking Tools Pc
- Hacking Tools For Windows Free Download
- Hacker Hardware Tools
- Hacker Tools For Mac
- Github Hacking Tools
- What Are Hacking Tools
- Hack Tools Mac
- Hacking Tools Usb
- Top Pentest Tools
- Hacker Tools Free
- Hack Tools 2019
- Tools 4 Hack
- Hack Tools For Windows
- How To Make Hacking Tools
- Pentest Tools Apk
- Termux Hacking Tools 2019
- Hacker Tool Kit
- Pentest Tools Nmap
- Best Hacking Tools 2019
- Beginner Hacker Tools
- Hacking Tools For Mac
- Hacking Tools Online
- Hacker Techniques Tools And Incident Handling
- Bluetooth Hacking Tools Kali
- Hack Tools
- Hacker Tools Github
- Hacker Tools For Pc
- Hacker Tools Software
- Pentest Tools Github
- Pentest Tools Linux
- Hacker Tools Apk
- What Are Hacking Tools
- Termux Hacking Tools 2019
- Hack Tools
- Hacking Tools Windows 10
- Hacker Tools 2019
- Hacking Tools 2019
- Pentest Box Tools Download
- Pentest Tools Alternative
- What Are Hacking Tools
- Pentest Tools Framework
- Hack Tools For Mac
- Hacker Tools Windows
- Pentest Tools Nmap
- Hacking Tools For Kali Linux
- Pentest Tools Linux
- Hak5 Tools
- Hack Tools
- Ethical Hacker Tools
- Hacker Search Tools
- Underground Hacker Sites
- Hacking Tools Mac
- Hacker Tools Free
- Top Pentest Tools
- Pentest Tools Open Source
- Best Hacking Tools 2020
- Top Pentest Tools
- Black Hat Hacker Tools
- Hacker Tools Free Download
- Tools 4 Hack
- Hak5 Tools
- Pentest Tools Linux
- Hacking Tools Mac
- Pentest Tools Nmap
- Pentest Tools For Ubuntu
- Wifi Hacker Tools For Windows
- Pentest Tools Windows
- Hacker Tools Free Download
- Android Hack Tools Github
- Hacker Tools Online
- Pentest Tools For Ubuntu
- Hack Tools For Ubuntu
- Hacker Tools Windows
- Hacker Tools 2020
- New Hacker Tools
- Pentest Tools Tcp Port Scanner
- Best Hacking Tools 2019
- Pentest Reporting Tools
- Ethical Hacker Tools
- Hacker Tools Linux
- Pentest Tools Free
- Pentest Tools List
- What Is Hacking Tools
- Hacking Tools Mac
- Hacker Hardware Tools
- Hack Tools For Windows
- Pentest Tools Download
- Pentest Tools Alternative
- Hacker Tools Mac
- Hacking Tools Hardware
- Hack Tool Apk
No comments:
Post a Comment