security issues in Gridcoin

[Erkan-Yilmaz]

See here for upcoming changes due to exploits.

August 18 (via cm):

• ability to exfiltrate user's email addresses (used also in BOINC) from the Gridcoin blockchain
• hijacking beacons (stealing an user's CPID registration)

---

Martin Grothe:

• August 16: new info update in his blog (see below pic)
• August 13:
  • Gridcoin - The Bad
  • Gridcoin - The Good

---

Gridcoin devs:

• August 16: ravon: "the first vulnerability was fixed in 3.5.9.4 (July 16) while the second one was scheduled for NN2.0 or right before it" (chat)
• August 16: reply by Rob
• August 16: "There are actually two articles. The issues in the old one have been fixed by the author (Martin) while the issues in the new one remain. We're working with input from the author to see how this can be solved." (link)
• August 15: about old article: "And it is outdated. The mechanisms described are no longer used. The attacks wont work. Of course, the new mechanisms have equal amount of holes." (chat)

---

See also my comments:

• August 15: "Thx, Martin! I'll share with others. From what I see u looked at Gridcoin 3.5.9.8 version (17 days old) + it seems u got no replies by dev"
• August 15: "You are aware that Martin posted his findings - in public - on his blog on August 13 (let me look, I have now Aug.16 here),
  
  they talked about it on a security conference + it is tweeted by 'em all over on twitter with hashtag Gridcoin..."

The downvote faction on steemit has again shown what they are capable of (A)...

Thus... please find a copy

• HERE (version: August 15)
  • after posting in the forum, the article on steemit got downvoted massively, see here

(A) see problems with steemit

---

voices in the community:

• August 16, Mercosity

---

• You like what I do? Take action here.
• Did you know, you can also SUBMIT content on twitter account @GridcoinIRC ?
• About steemit + github: read this please.

[Erkan-Yilmaz]

upcoming changes:

the new Gridcoin PoS kernel v8:

• "The most notable effect is that magnitude does no longer affect your stake weight. Investors and BOINCers now have the same chances to mint a block. This drastic change was needed to eliminate an exploit. On the other hand a compensation for less rich BOINCers is already being designed."

[Erkan-Yilmaz]

version 3.6.0.1 has been released 3 days ago which has the new Gridcoin PoS kernel v8 which will be in effect then at block 1010000 (est. 6-7 days)

[Erkan-Yilmaz]

new mandatory released 5 days ago:

• 3.6.0.2

also see:

• timeline for the PoS kernel V8

[Erkan-Yilmaz]

see also:

• Upcoming changes in Gridcoin, by @tomasbrod

excerpts/selection of weaknesses:

• here

[Erkan-Yilmaz]

see also:

• prevent email being leaked in CPIDv2 block field

[Erkan-Yilmaz]

see also:

replay attack:

• reward stealing: slightly harder replay attack
• contracts can be deleted

[Erkan-Yilmaz]

to GRCpool users:

• change your passwords + enable 2FA
• brute force attack

[Erkan-Yilmaz]

https://twitter.com/GridcoinIRC/status/914780762737643521

[tomasbrod]

In case you are wondering what #private info can be recovered, it was already published:

• https://web-in-security.blogspot.cz/2017/08/gridcoin-bad.html
• https://web-in-security.blogspot.cz/2017/08/gridcoin-good.html