From: "sickpig@gmail.com" <sickpig@gmail.com>
To: kanzure@gmail.com,
Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org>,
gmaxwell@gmail.com, Matt Corallo <matt@bluematt.me>
Subject: Re: [bitcoin-dev] Fwd: [bitcoin-core-dev] On the initial notice of CVE-2018-17144
Date: Sat, 22 Sep 2018 21:22:20 +0200 [thread overview]
Message-ID: <CA+c4ZoxQFHnWvMY8sW17yrE_ccLKe82dX5W6G7nC1R7ZH6kP0A@mail.gmail.com> (raw)
In-Reply-To: <CABaSBaxk7sJ9WFstC_aj7W==+puXkGNAqA-n96wDzOvjaC-HCg@mail.gmail.com>
Gregory,
> For some reason I don't understand, Andrea Suisani is stating on
> twitter that the the report by awemany was a report of an inflation
> bug, contrary to the timeline we published.
guess that the fact you don't understand it, it's probably related to the fact
that you didn't read properly the tweet you are referring to, for reference this
the tweet URL https://twitter.com/sickpig/status/1043530088636194816
This is the text of such a tweet:
"He [awemany] *did not* mention the inflation bug in the email, still
he has proof
he was aware of that before sending out the report"
then tweet continue referring a reddit post where awemany while trying
to prove he was the original author of the report, included a timestamped note
containing the following text:
BitcoinABC does not check for duplicate inputs when processing a block,
only when inserting a transaction into the mempool.
This is dangerous as blocks can be generated with duplicate transactions
and then sent through e.g. compact block missing transactions and avoid
hitting the mempool, creating money out of thin air.
/u/awemany
this the timeline of the timestamping process:
https://originstamp.org/s/5c45a1ba957362a2ba97c9f8c48d4d59d4fa990945b7094a8d2a98c3a91ed9b6
as you can see the note was submitted to originstamp.org before the
report email was sent.
> This is not the case:
> the report specifically stated that inflation was not possible because
> the node crashed. It also described a reproduction of the crash, but
> not of inflation.
Furthermore as you should be aware, having been copied on the report,
awemany specifically
said that "[the assert(is_spent)] *seems* to prevent the worse outcome
of monetary inflation"
I guess that in the hurry of informing you and other people involved of the DoS
vector he identified and proved, he decided to give priority to
informing Core about that
rather than waiting and continue exploring the idea he had about exploiting the
code to create coins out of thin air.
next prev parent reply other threads:[~2018-09-22 19:22 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CAAS2fgR9Swxv3=-u_uHrgGtfn0WhXEuOV78TFpOewCuwb3fmUA@mail.gmail.com>
2018-09-22 17:54 ` [bitcoin-dev] Fwd: [bitcoin-core-dev] On the initial notice of CVE-2018-17144 Bryan Bishop
2018-09-22 19:22 ` sickpig [this message]
2018-09-22 20:49 ` Gregory Maxwell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CA+c4ZoxQFHnWvMY8sW17yrE_ccLKe82dX5W6G7nC1R7ZH6kP0A@mail.gmail.com \
--to=sickpig@gmail.com \
--cc=bitcoin-dev@lists.linuxfoundation.org \
--cc=gmaxwell@gmail.com \
--cc=kanzure@gmail.com \
--cc=matt@bluematt.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox