From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 4D07F1009 for ; Sat, 22 Sep 2018 19:22:34 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-ot1-f68.google.com (mail-ot1-f68.google.com [209.85.210.68]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id E3661A8 for ; Sat, 22 Sep 2018 19:22:33 +0000 (UTC) Received: by mail-ot1-f68.google.com with SMTP id g14-v6so2600718otj.7 for ; Sat, 22 Sep 2018 12:22:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=w7vAP5vRxweXe/7rXZAJRqwX1o0ri5y1nBMWfoRW10U=; b=rbZEUPbrYamAUyUydPWTWCPgUpobyGnqulECd+vaz141eHWngh3bGS+qvfSrqA4G09 O9R2wDFCYA7xvr5/cDUDZoOVpete+IkXPfNTqm2rKgG6uqV19khDwyRTzxOs/rOd+mlq ulmrh8o1QlmJjsW059IlCuDfrXGc2KzGEm14UCQ7gtmjBmZMfLvZBtpctl8UYPhUW9Tm UmqzgIS6B/6LWLvUckxvbWUzZcTQOCkPMTHCeQyoBj8jpA2hv4T1rJG3JzP42UdNFSx1 h2MX9PKyzn58ke8rSOwnx2hJkQwZgZTYLxPpX1awkYzVqRNb6B28IRl/4eg6NSpP+F1f lE+g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=w7vAP5vRxweXe/7rXZAJRqwX1o0ri5y1nBMWfoRW10U=; b=TMnbC4aFn+I61kL7jg/n1KQMd4a1LzSbRJB/fBe0Ax7GgqQ1/CQMNeDcOJV1x9DhMa f5E7+sZgnUyjrTY8fd7DFC0ZFdstw5OGNyxpZu7mH6ugDiV3qv+1x5bGdf49YFZe8FoX 1nmYPejv8S9zcmLyM35LWSvaQ82A5ZcvHZgqFTqKleTHkGhwpj5cY0EmTgp7N5pyFi5w KNimyt16JZkiS/RkrG+d1bqQasmN0v8y9U385KrpSYe7/Txe18doWsjfhC6NGk9XAZzm 2VcDy2JFFivbfaaAfOhuqiaz0OKAWC9LpMqE/kHns52+bo7F9OXj7BbmUzKP+QhCcEU7 wlbw== X-Gm-Message-State: ABuFfogvoVvoKneyd9YCO1CHIJG/z7LOi+j3LUgpwlIZv4zr5WJx+SU/ VLDp+DkyEn5Tt8hEc5OvoPt6xz6I01szHa5lSmU= X-Google-Smtp-Source: ACcGV62YYmUpcNRBEALe0h2Dq5wdPToDp6L5OcoJnp3jHlJA7qKmR6ZrEkYMFVBU7ihF37wZpJJXDpA9kXBrcwgu6jU= X-Received: by 2002:a9d:530c:: with SMTP id g12-v6mr2250581oth.353.1537644152986; Sat, 22 Sep 2018 12:22:32 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: "sickpig@gmail.com" Date: Sat, 22 Sep 2018 21:22:20 +0200 Message-ID: To: kanzure@gmail.com, Bitcoin Dev , gmaxwell@gmail.com, Matt Corallo Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Sat, 22 Sep 2018 22:14:09 +0000 Subject: Re: [bitcoin-dev] Fwd: [bitcoin-core-dev] On the initial notice of CVE-2018-17144 X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 22 Sep 2018 19:22:34 -0000 Gregory, > For some reason I don't understand, Andrea Suisani is stating on > twitter that the the report by awemany was a report of an inflation > bug, contrary to the timeline we published. guess that the fact you don't understand it, it's probably related to the fact that you didn't read properly the tweet you are referring to, for reference this the tweet URL https://twitter.com/sickpig/status/1043530088636194816 This is the text of such a tweet: "He [awemany] *did not* mention the inflation bug in the email, still he has proof he was aware of that before sending out the report" then tweet continue referring a reddit post where awemany while trying to prove he was the original author of the report, included a timestamped note containing the following text: BitcoinABC does not check for duplicate inputs when processing a block, only when inserting a transaction into the mempool. This is dangerous as blocks can be generated with duplicate transactions and then sent through e.g. compact block missing transactions and avoid hitting the mempool, creating money out of thin air. /u/awemany this the timeline of the timestamping process: https://originstamp.org/s/5c45a1ba957362a2ba97c9f8c48d4d59d4fa990945b7094a8d2a98c3a91ed9b6 as you can see the note was submitted to originstamp.org before the report email was sent. > This is not the case: > the report specifically stated that inflation was not possible because > the node crashed. It also described a reproduction of the crash, but > not of inflation. Furthermore as you should be aware, having been copied on the report, awemany specifically said that "[the assert(is_spent)] *seems* to prevent the worse outcome of monetary inflation" I guess that in the hurry of informing you and other people involved of the DoS vector he identified and proved, he decided to give priority to informing Core about that rather than waiting and continue exploring the idea he had about exploiting the code to create coins out of thin air.