Replay attack: solutions #3

Closed
arvicco opened this Issue Jul 16, 2016 · 20 comments

Contributor

arvicco commented Jul 16, 2016

Some people expressed concerns over cross-chain replay attack.

However, if you plan to use both altchains (ETH and ETC), it is quite possible to avoid replay attacks:

  • First of all, it is advisable to use two separate sets of private keys for operations on each network: one set for Ethereum, another for Ethereum Classic. Don't reuse the same key on the other network, even though they have the same format.
  • Exchanges need to cleanly separate their ETH and ETC wallets by following this procedure.
  • The easiest options for users to split legacy ETH funds are the following:

trapp commented Jul 17, 2016

The initial split is not enough. You have to keep the balance of your separate addresses at 0 on the respective other chain. As soon as it receives a single replayable value transfer all your transfers become replayable up to the total sum of the balance the address has.

One way to permanently be safe would be to only send funds to the separated addresses through a smart contract that routes the funds depending on the chain it resides on:

Write up of the issue and this solution:
https://medium.com/@timonrapp/how-to-deal-with-the-ethereum-replay-attack-3fd44074a6d8#.1jk4dj7g3

This works for exchanges but obviously doesn't work for every network participant. A normal user receives money from other users and he can't be sure they only send non-replayable transactions.
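
The reasoning in the comment above, as an added example (not code from this thread or from the project). It is a simplified model: an account is a balance plus a nonce, gas is ignored, and a transaction without replay protection is assumed to carry a signature that both chains accept. All account names (`x_eth`, `legacy_payer`, `shop`) and amounts are constructed.

```python
import copy
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Tx:
    sender: str
    to: str
    value: int
    nonce: int  # per-sender counter covered by the signature


@dataclass
class Chain:
    name: str
    balances: dict = field(default_factory=dict)
    nonces: dict = field(default_factory=dict)

    def apply(self, tx: Tx) -> bool:
        """Include tx if it is valid here: the nonce must match and funds must cover it."""
        if self.nonces.get(tx.sender, 0) != tx.nonce:
            return False
        if self.balances.get(tx.sender, 0) < tx.value:
            return False
        self.balances[tx.sender] = self.balances.get(tx.sender, 0) - tx.value
        self.balances[tx.to] = self.balances.get(tx.to, 0) + tx.value
        self.nonces[tx.sender] = tx.nonce + 1
        return True


def replayable(other: Chain, history: list) -> list:
    """Audit helper: which of a sender's past transactions would the other
    chain accept, in order? Works on a copy, so `other` is not modified."""
    trial = copy.deepcopy(other)
    return [tx for tx in history if trial.apply(tx)]


def scenario() -> dict:
    # x_eth is the ETH-only address after a clean split: funded on ETH, empty on ETC.
    eth = Chain("ETH", {"legacy_payer": 50, "x_eth": 10})
    etc = Chain("ETC", {"legacy_payer": 50})
    history = []

    t0 = Tx("x_eth", "shop", 4, 0)
    eth.apply(t0)
    history.append(t0)
    before = replayable(etc, history)  # zero ETC balance: nothing can be replayed

    # A third party pays x_eth from an unsplit address with an ordinary transfer.
    # The same signed transfer is valid on ETC, so x_eth gains an ETC balance too.
    pay = Tx("legacy_payer", "x_eth", 6, 0)
    eth.apply(pay)
    leaked = etc.apply(pay)

    t1 = Tx("x_eth", "shop", 5, 1)
    eth.apply(t1)
    history.append(t1)
    after = replayable(etc, history)  # old transfers now replay until funds run out

    return {
        "before": before,
        "leaked": leaked,
        "after": after,
        "etc_balance": etc.balances["x_eth"],
        "replayed_value": sum(tx.value for tx in after),
    }


if __name__ == "__main__":
    print(scenario())
```

The earlier transfer `t0` becomes replayable only after the incoming payment lands on ETC, and the replay stops at `t1` because the remaining ETC balance no longer covers it.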

Member

whatisgravity commented Jul 17, 2016

I have a working proof of concept of this attack that can be tested on private networks if anyone needs a copy to help decide how to best defend against this.

Since there have been talks about using it against the original chain, I felt we needed it ready to use against the new chain as a form of mutually assured destruction style defense. I would prefer if neither side did this.

ethernomad commented Jul 17, 2016

I think after the hard fork block it is essential that we switch to a new starting nonce.

Member

whatisgravity commented Jul 21, 2016

There are contracts available that will check which side of the fork you are on and act as a gateway. This should prevent any issues. Once you use this to migrate your ETH to a newly created address all the threats related to replay attacks are gone.

Member

whatisgravity commented Jul 22, 2016

I would not recommend using the HFConditionalTransfer contract, it is based on a variable in the WhiteHatDAO that could change without announcement. It is dangerous to use this contract. Seems like a hacky solution.

#How To

Description
The RelaySafeSplit Kraken contract is much better, it uses another contract as an oracle, the oracle was deployed and checked the range between a defined time period then locked the result so it can not be tampered with or changed.

The result to a publicly accessible variable and can not be altered. (Assuming they do not change the blockchain)

It allows you to entirely resolve the issue in a single contract too.

Instructions
I recommend using the RelaySafeSplit()

You can deploy the code yourself or just use the contract found at http://etherscan.io/address/0xaa1a6e3e6ef20068f7f8d8c835d2d22fd5116444; it is not hard coded and can be used by anyone.

  1. Create 2 new accounts, 1 for the destination of your tokens on each side of the fork. It does not matter which client you use because the accounts/keys are valid on chain.
  2. Obtain the JSON ABI from http://etherscan.io/address/0xaa1a6e3e6ef20068f7f8d8c835d2d22fd5116444
  3. Load Ethereum Wallet, select "Contracts", scroll down and select "Watch Contract"
  4. Put in the name, the address and paste in the JSON ABI
  5. Click the contract
  6. Scroll down to "Write to contract", click the "Select Function" dropdown
  7. Execute the function "split"
  8. Paste in each of the 2 new addresses, specify the balance you want to split and send it.
  9. Now your coins are safely split and can be used from now on without any further need to worry about the issue.

trapp commented Jul 22, 2016

@whatisgravity, please update the referenced address to the updated version of the contract: 0xaa1a6e3e6ef20068f7f8d8c835d2d22fd5116444

The version you linked was meant for internal use only and should only be used with accounts as targets. When it's used with contracts as destination, edge cases could be triggered that trap the value in the contract.

Please recommend the updated version which works with both accounts and contract destinations: http://etherscan.io/address/0xaa1a6e3e6ef20068f7f8d8c835d2d22fd5116444

Member

whatisgravity commented Jul 23, 2016

Thank you for alerting me. I will do that now.

Member

whatisgravity commented Jul 23, 2016

Hallo,
I overlooked that, I clearly need to sleep, looking over it again, that was painfully obvious.

I see now though, since it uses send it would run out of gas on the transfer to a contract, fall out of the if else if statement, then return false leaving the money in the contract.

That would be very unfortunate. Thankfully no one reported any issues yet, I will take care of it personally if they do since I failed to recognize this issue. Thanks for catching that, it is really appreciated, it will certainly save some people from a lot of potential frustration.

I'm curious, why did you not include a suicide as a back up? You could have recorded the last address that entered and used it as the output of the suicide as a failsafe.

ghost commented Jul 27, 2016

I'm confused. I placed all my ETHER into brain wallet addresses which I exclusively own the private keys to. This was long before the hard fork. How can I separate them into ETC and ETH? If I put them on Poloniex or Kraken will they automatically be recognized as PRE-FORK, and I'll get both ETC and ETH balances? I would prefer a method not using exchanges. Thank you!

Member

whatisgravity commented Jul 27, 2016

Unfortunately I do not know how Kraken is handling this. From experiences relayed to me, Poloniex is registering transfers from addresses with both tokens as two separate deposits, effectively splitting any balance for you. @trapp may be able to provide more details for us about Kraken's system and if it works in the same way.

Alternatively you can use the contract provided by Kraken. I explained above how to use this contract, if there is any confusion, let me know so I can assist you and update the guide accordingly. If you do not want to risk putting your tokens on an exchange I believe the contract supplied by Kraken was well made and is easy to understand.

benjyz commented Jul 30, 2016

@arvicco (let me rephrase):

An ETC token is nothing else than an ETH token honouring the DAOattack balance. An ETH token is nothing else than an ETC token and not honouring the DAOattack balance. And post fork, these two states are inconsistent. Replay attack is related to double spend. It's only that same players have created the fiction that ETC balances can have value.

If the users withdraws (already separated) ETH/ETC funds from the exchanges post-fork, s/he can cleanly "split" his other legacy funds by mixing funds as described here.

No, there is the double spending problem. There is no clean split here.

Contributor

arvicco commented Jul 30, 2016

@benjyz Obviously, major exchanges such as Bitfinex, Kraken and Poloniex (which collectively represent 70%+ of ETH trading) thought about risks clearly, and decided that this does not prevent them from offering ETC trading option. All these exchanges properly split their legacy funds and suffered no losses. It is only the exchanges that heeded the EF advice to "just ignore the legacy chain" that have suffered losses, and some of them are now trying to push such losses to their customers.

I don't think such strategy would be effective, ultimately - at least not for the exchanges that are situated in normal jurisdictions and can be sued.

Contributor

arvicco commented Jul 30, 2016

"An ETC token is nothing else than an ETH token honouring the DAOattack balance" - this is simply not correct. Since the blockchains diverged, their tokens diverged as well. Mixing up double spending attack and replay problem is disingenuous.

picojoule commented May 25, 2017

Is this method still valid today? Shapeshift.io and Jaxx.io have discontinued their split feature for unknown reasons and Poloniex doesn't seem to be splitting anymore. I tried to follow the steps in the following article which afaik is the recommended method:

https://steemit.com/ethereum/@pauls/ethereum-fork-step-by-step-guide-to-safely-splitting-your-eth-etc

but have run into issues where the ETH arrives but the ETC does not.

Really hoping someone can guide me as to what the recommended way is to do this.

ghost commented May 25, 2017

I'm not sure if this is the best way - or really applies to your situation - but it worked for me. On an airgapped machine I made two brand new unrelated addresses. I used: https://classicetherwallet.com/ for the inbound ETC, and I used: https://www.myetherwallet.com for the inbound ETH. Then on an internet connected machine I used these same websites to send from my old combined address to the new split addresses. The ETH website to send to my new ETH address, and the corresponding ETC website to send to my new ETC address.

I did it quickly, and I checked my balances through the whole thing with https://etherscan.io for ETH and http://gastracker.io/ for ETC. NOW IT IS ENTIRELY POSSIBLE THIS WAS DANGEROUS and in reality open to a replay attack. ( I hope someone else will chime in as to the risk ) But it did work for me and I moved quickly once I exposed the private key on the ETH (which I always moved first) to hurry up and move the ETC. I did this on about 10 different addresses.

Contributor

arvicco commented May 25, 2017

Right now both ETH and ETC implemented replay protection for transactions. Pretty much all the client software supports it by default now, including https://classicetherwallet.com and https://www.myetherwallet.com. So, unless you specifically want to send a transaction in replayable format (or using some extremely old client SW), your transactions are not replayable.

@arvicco arvicco closed this May 25, 2017

picojoule commented May 25, 2017

ghost commented May 26, 2017

you can absolutely still do that

picojoule commented May 26, 2017

I got it done via myclassicetherwallet! Thanks!

Marloe1 commented Jan 4, 2018

Hi,
Here's probably not a very smart question. I use a Jaxx wallet and my ethereum was sent to 0xAA1A6e3e6EF20068f7F8d8C835d2D22fd5116444 (in November 2016).

Now it's gone from my wallet. How do I get my ether back?
