fake hash vulnerability

[burakyalti]

I found a vulnerability on stratum pools.

1. Create a mining proxy on ubuntu
   https://github.com/slush0/stratum-mining-proxy
2. Change difficulty on mine/mining_libs/client_service.py , edit like;
   elif method == 'mining.set_difficulty':
   difficulty = 0.0001
3. Start proxy, connect any cpu miner.

With this method, all pools accepts fake hashrate and shares.

So, all stratum pools need a fix for this.

There is a huge fake hashrate on all pools now.

Best Regards

[ahmedbodi]

Done a test on stratum-mining and eloipool using the exploit documented above.
Stratum-mining and eloipool in scrypt mode both reject these shares.
This makes it almost 99% sure that it is a diff1 error and stratum-mining IS NOT at fault. the pool operator's are at fault for not using the correct diff1's for the algorithm

[andrey82]

Can somebody please state what does it mean "correct diff1's for the algorithm".

Where and how cand / should this be set ?

TY in advance.

[ahmedbodi]

this is set in lib/template_registry.py and its always been set by however added the specific algo to stratum so ask them to fix it