You are viewing a single comment's thread from:

RE: upcoming changes in Gridcoin (e.g. effects on less rich users; fixes on (known) exploits)

in #gridcoin7 years ago (edited)

If that were the case, I could take any CPID I wanted from anyone else. Get their email from the blockchain, get their CPID from any of a number of sources, use them to request a new keypair by sending a beacon and I own the CPID.

7 years ago in #gridcoin by
$0.00
    Reply 1
    Sort:  
  • Trending
    • [-]
     7 years ago (edited) 

    I just copied from chat:

    So on his second exploit he said that he can lock out a researcher, if he writes a program to create a beacon right after the beacon is about to expire. We do have a line of code in the system that Prefers the existing keypair IF the client refreshes their own keypair (as it would be impossible for the attacker to sign a NEW message with the existing keypair) first. So to cave on our 'feature' to allow beacon deletion, we sort of have this exploit, but the client constantly checks once every 4 hours if its beacon is about to expire and tries to refresh it. Now that I remember a little more about this exploit, we added code TO PROD, that refreshes a beacon 2 WEEKS before it expires to try to prevent this. We always prefer the newest Matching keypair, so that does invalidate this hack also.
    At least it makes me say - Technically this paper is no longer accurate.

    $0.00
      Reply