Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
The Almighty Buck Security

A Source Code Typo Allowed An Attacker To Steal $592,000 In Cryptocurrency (bleepingcomputer.com) 88

An anonymous reader writes: "A typo in the Zerocoin source code allowed an attacker to steal 370,000 Zerocoin, which is about $592,000 at today's price," reports BleepingComputer. According to the Zcoin team, one extra character left inside Zerocoin's source code was the cause of the bug. The hacker exploited the bugs for weeks, by initiating a transaction and receiving the money many times over.

"According to the Zcoin team, the attacker (or attackers) was very sophisticated and took great care to hide his tracks," reports the site. "They say the attacker created numerous accounts at Zerocoin exchanges and spread transactions across several weeks so that traders wouldn't notice the uneven transactions volume... The Zcoin team says they worked with various exchanges to attempt and identify the attacker but to no avail. Out of the 370,000 Zerocoin he stole, the attacker has already sold 350,000. The Zcoin team estimates the attacker made a net profit of 410 Bitcoin ($437,000)."

This discussion has been archived. No new comments can be posted.

A Source Code Typo Allowed An Attacker To Steal $592,000 In Cryptocurrency

Comments Filter:
  • Steal? (Score:4, Insightful)

    by beernutmark ( 1274132 ) on Sunday February 19, 2017 @10:59AM (#53895805)
    I don't think steal is the right word in this context. The article doesn't state that anyone else lost their coins. More accurately would be "created", "unauthorized-mining", or perhaps most accurately "counterfeited"
    • Re:Steal? (Score:4, Insightful)

      by Anonymous Coward on Sunday February 19, 2017 @12:11PM (#53895967)

      Indeed, he profited from a loophole in the system, and it's unclear whether this was illegal. The question of legality probably depends on the terms of service for Zerocoin, and on the laws of the country where the "attacker" resides.

      But in human societies, when a lone wolf exploits a loophole, the lone wolf's behavior is usually unacceptable. When a group of individuals who possess social status exploit the loophole, their behavior is often acceptable. Isolated individuals with low social status have very few advantages in society. And when they figure out how to gain an advantage, society goes on the offensive against them.

      • by haruchai ( 17472 )

        Indeed, he profited from a loophole in the system, and it's unclear whether this was illegal. The question of legality probably depends on the terms of service for Zerocoin, and on the laws of the country where the "attacker" resides.

        But in human societies, when a lone wolf exploits a loophole, the lone wolf's behavior is usually unacceptable. When a group of individuals who possess social status exploit the loophole, their behavior is often acceptable. Isolated individuals with low social status have very few advantages in society. And when they figure out how to gain an advantage, society goes on the offensive against them.

        I think we need an AC Insightful mod

        • Unacceptable but not illegal means society must pass a new law.

          Demagogues leading The People on lawless rages against Lone Wolves and small groups is a much bigger problem.

  • by 140Mandak262Jamuna ( 970587 ) on Sunday February 19, 2017 @11:09AM (#53895825) Journal
    They are not disclosing what that extra character was or even which language the code was written. As a coder I was interested in finding how it could have happened. But as it stands, it is a puff piece.

    One char can make big different in performance and correctness. The greatest one character code change I made and got stunning performance improvement was adding an &. It took significant effort to find it, because instrumenting the entire executable for profilers was just out of the question. But once found it was trivial. The caller was passing a std::map by value. The answers were correct and the scaling effects were not visible till the map grew to big sizes. I expected to something along these lines.

  • Bug Bounty (Score:5, Insightful)

    by Registered Coward v2 ( 447531 ) on Sunday February 19, 2017 @11:11AM (#53895829)
    Seems like he collected an ~500k$ bug bounty. The interesting part is "Zero Coin is a project to fix a major weakness in Bitcoin: the lack of privacy guarantees we take for granted in using credit cards and cash. Our goal is to build a cryptocurrency where your neighbors, friends and enemies can’t see what you bought or for how much" per Zero Coin. It seems they succeeded in their goal and were hoist by their own petard. Of course, had they recovered the funds then ZeroCoin would have failed at its purpose. I wonder who took the loss.
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Why did the Zcoin team even attempt to identify the attacker? Surely they realize that if they succeed, then no one will believe their claim about strong privacy guarantees and anonymity. This could harm their cryptocurrency by more than 592k$. Catch-22.

      • by haruchai ( 17472 )

        Why did the Zcoin team even attempt to identify the attacker? Surely they realize that if they succeed, then no one will believe their claim about strong privacy guarantees and anonymity. This could harm their cryptocurrency by more than 592k$. Catch-22.

        Wow, the ACs are in rare form today

        • by Anonymous Coward

          Are you coming on to me? One penis into your butt, coming right up!

    • by Jeremi ( 14640 )

      It seems they succeeded in their goal and were hoist by their own petard. Of course, had they recovered the funds then ZeroCoin would have failed at its purpose. I wonder who took the loss.

      My intuition was that it would have the same effect as any other currency counterfeiting operation has on the "genuine" currency: i.e. all holders of ZeroCoins took the loss, in the form of a certain amount of extra inflation caused by the increase in "supply", which reduced the values of their ZeroCoin holdings. Possibly also they might take a further loss if people start to lose faith in ZeroCoins and start selling them (or stop buying them), causing their value to decrease some more.

  • by frovingslosh ( 582462 ) on Sunday February 19, 2017 @11:37AM (#53895877)

    the attacker has already sold 350,000

    By which we mean he has already moved it into other accounts that he likely controls.

  • The story says " allowed an attacker to steal 370,000 Zerocoin, which is about $592,000 at today's price". I seriously doubt 370,000 Zerocoins is worth anywhere near $592k now that the news is out and trading has been suspended. If you can't spend it, it's worth is zero, which kind of makes sense for something named Zerocoin. The name should have been warning enough.

    • by haruchai ( 17472 )

      Price chart is here [bitinfocharts.com].
      Judging by the drop since late October, when they were at $5.50 USD, they have other problems.
      Guess we'll find out next week what's the impact of this theft.

  • An obscure, second-rate digital coin can be worth that much money? There is a bubble in the cryptocoin market. I wonder what happened to Dogecoin.
    • Dogecoin has been "relatively stable" [bitinfocharts.com] for about a year.

      • At a price of roughly zero?
        • The absoloute value of one "coin" is not a useful comparision. It doesn't really matter whether you have lots of "coins" with a low value per coin or fewer with a higher value per coin.

          More interesting as a measure of the relative importance of cryptocurrencies is the "market cap". The value per coin times the number of coins in circulation.

          By that measure dogecoin's significance is about 0.1% of bitcoin's

          http://coinmarketcap.com/ [coinmarketcap.com]

  • The bug has been found with a modern diagnostic tool, such as clang-5.0 with all the warnings and sanity checks enabled. Anyway, this is really cool story.
  • Wow. I'm surprised the total value of all Zerocoin is worth that much in $USD

  • Who is the victim? Surely the crime, if any, is that Zcoins were forged by exploiting this bug...
  • Some developers say that typos are not dangerous and PVS-Studio is not needed. This great tool for typos search: https://www.viva64.com/en/exam... [viva64.com] Now I have the argument. :)

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...