A Source Code Typo Allowed An Attacker To Steal $592,000 In Cryptocurrency (bleepingcomputer.com) 88
An anonymous reader writes: "A typo in the Zerocoin source code allowed an attacker to steal 370,000 Zerocoin, which is about $592,000 at today's price," reports BleepingComputer. According to the Zcoin team, one extra character left inside Zerocoin's source code was the cause of the bug. The hacker exploited the bugs for weeks, by initiating a transaction and receiving the money many times over.
"According to the Zcoin team, the attacker (or attackers) was very sophisticated and took great care to hide his tracks," reports the site. "They say the attacker created numerous accounts at Zerocoin exchanges and spread transactions across several weeks so that traders wouldn't notice the uneven transactions volume... The Zcoin team says they worked with various exchanges to attempt and identify the attacker but to no avail. Out of the 370,000 Zerocoin he stole, the attacker has already sold 350,000. The Zcoin team estimates the attacker made a net profit of 410 Bitcoin ($437,000)."
Re: (Score:3)
In addition The Economist argued that whereas the heist was not a crime, altering digital ledgers to retrieve the lost ether was an affront to the whole project.
Re:Language vs. Implementation (Score:1)
Re: (Score:2)
If we're feeling obtuse: that kinda is yet another new programming language... it's just one which happens to be a strict subset of an existing one.
Re: (Score:2)
Does this prove that programming language design has no impact on software quality? No? Then I don't care.
Of course there will always be some non-zero number of bugs in mainstream software. That doesn't mean we can't improve things.
Re: (Score:2)
== vs =, | vs ||, variable/pointer dereference (Score:5, Insightful)
> A one character bug? Really?
Sure, I've seen many single-character bugs, and created a few. I imagine MOST experienced programmers have done this at least once:
if (a = b) {
When they meant:
if (a == b) {
Every language I can think of has a common single-character bug. Many Microsoft SQL users routinely leave off the semicolon which terminates a statement. Sometimes that results in buggy behavior right away, sometimes not until two years later when a change is made to the *proceeding* statement.
> What about the tests?
This is crypto-currency, the hot new thing tests are for old fogeys who still use dollars. Get with the times, young programmers are Agile, they don't plan and test their work, they release early and often. They release the Minimum Viable Product (minimum piece of shit they can get away with for a moment), it's illegal now to even think about corner cases and make code robust.
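The `if (a = b)` slip from the post above, shown side by side with the intended comparison in an access check. This is an added example, not code from the thread or from Zcoin; the role constants and function names (`ROLE_ADMIN`, `is_admin_buggy`, `is_admin_fixed`, `count_disagreements`) are made up for the illustration. The point it makes beyond the post: the single `=` turns the check into "always true", and declaring the parameter `const` turns the same slip into a hard compile error instead of a warning that scrolls past.

```c
#include <stdio.h>

/* Added example (not from the Slashdot thread): the classic one-character
 * bug, `if (a = b)` written where `if (a == b)` was meant, in an access
 * check. ROLE_*, is_admin_buggy, is_admin_fixed and count_disagreements
 * are hypothetical names constructed for this demonstration. */

enum { ROLE_USER = 0, ROLE_ADMIN = 7 };

/* Silence -Wparentheses so the deliberately buggy variant compiles under
 * -Wall and the two behaviours can be compared side by side. In real
 * code you want that warning on (and ideally -Werror). */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wparentheses"

/* BUGGY: a single '=' assigns ROLE_ADMIN to role and then tests the
 * assigned value (7, nonzero), so every caller is treated as admin. */
int is_admin_buggy(int role)
{
    if (role = ROLE_ADMIN) {
        return 1;
    }
    return 0;
}
#pragma GCC diagnostic pop

/* FIXED: compare instead of assign. Taking the parameter as const means
 * the same slip would now fail to compile (assignment to read-only). */
int is_admin_fixed(const int role)
{
    if (role == ROLE_ADMIN) {
        return 1;
    }
    return 0;
}

/* Runs both checks over a few constructed role values and returns how
 * many inputs the buggy check gets wrong (grants admin where it must not). */
int count_disagreements(void)
{
    const int roles[] = { ROLE_USER, 1, 3, ROLE_ADMIN, 42 };
    int disagreements = 0;
    for (size_t i = 0; i < sizeof roles / sizeof roles[0]; i++) {
        if (is_admin_buggy(roles[i]) != is_admin_fixed(roles[i])) {
            disagreements++;
        }
    }
    return disagreements;
}

int main(void)
{
    printf("inputs where the buggy check wrongly grants admin: %d\n",
           count_disagreements());
    return 0;
}
```

Of the five constructed inputs, only `ROLE_ADMIN` itself gives the same answer from both functions; the other four are granted admin by the buggy check. Building with `-Wall` (which includes `-Wparentheses`) flags the assignment-in-condition, and `-Werror` turns that into a build failure rather than one more line scrolling past.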
Re:== vs =, | vs ||, variable/pointer dereference (Score:4, Funny)
when a change is made to the *proceeding* statement
Did you mean "prEceeding"? If you did, that's another 1 character bug you've created :-D
Re: (Score:3)
Re: (Score:2)
Non-native C? [wikipedia.org]
Whatever next!? [wikipedia.org]
The following statement, the next statement (Score:3)
I mean the following statement. This works okay:
SELECT 1
SELECT 2;
This doesn't:
SELECT 1
THROW
The latter is equivalent to:
SELECT 1 AS THROW
I had originally written "the preceding or proceeding statement". That's reasonably clear, I think, though it stretches the definition of "proceeding". Then I realized that changes to the PRECEDING statement won't affect anything, so long as that preceding statement is properly terminated with a semicolon. So I ended up with "the proceeding statement", which is poor
Re: (Score:1)
Re: (Score:2)
If so
Re: (Score:2)
I would describe something like this more as a single math or logic bug.
For a single character bug, I first think of a misspelled variable name in C creating a new int variable, with no lint type switches on (or nobody paying attention to the spit out warning during compilation as hundreds of thousands of lines fly by.)
Re: (Score:2)
if (a = b) {
When they meant:
if (a == b) {
Which is the one thing Visual Basic got right IMHO, use := for assignment and == for comparison. The C form is plain wrong when you consider that "=" is the equal sign, to anyone who doesn't know C-isms the first reads "If a equals b then". Same way stealing kilobyte = 1024 bytes was a bad idea, the only excuse you really hear is that we've done it so long it seems natural. Like clicking the start button to shut down the machine, except we're still doing it.
Re: (Score:2)
Think of all the time lost typing those superfluous colons!
Re: (Score:2)
if (a = b) {
When they meant:
if (a == b) {
Which is the one thing Visual Basic got right IMHO, use := for assignment and == for comparison..
Except it didn't, VB6 and VB.Net use "=" both for comparison and assignment, Pascal and PL/SQL, among others, use the ":=" operator for assignment.
Re: (Score:2)
to anyone who doesn't know C-isms
Non-programmers you mean? Seriously what kind of programmer doesn't expect a single '=' to be an assignment operator? C/C++ isn't the only language where that is the case. I have never made the error you mention even once in my entire life. In c/c++ == is the comparison operator and = is the assignment operator. I don't see how that is unclear.
Re: (Score:2)
Seriously what kind of programmer doesn't expect a single '=' to be an assignment operator?
A pascal, basic or matlab programmer.
Re: (Score:2)
edit sorry it seems I was wrong about matlab, apparently it does use the C convention. Shows how having to deal with too frigging many languages can leave one confused.
Re: (Score:2)
Pascal got the := operator from ALGOL.
Aside from some contemporary proprietary dialects, COBOL doesn't use = for assignment either; you use the MOVE or SET verb, or an assignment clause such as GIVING with verbs that have such clauses.
LISP and descendants have SET, SETQ, and SETF for assignment per se, and possibly others (e.g. Scheme's set!), plus the binding forms LET and LETREC (and possibly others).
APL uses left-arrow for assignment, obviously.
Forth uses !.
Don't they teach programming language history t
Re: (Score:2)
they don't plan and test their work, ...
All agile methods emphasize testing. All emphasize having well educated people, which means they have a plan in their mind and don't need to sketch plans on the board first.
So, you probably never have worked in an agile team
Facepalm
I thought you knew. Scrum by the book 1-2 weeks (Score:2)
My (mod funny) comment was a bit of a caricature of Agile, of course. Still, I'm surprised you said what you did, rather than chuckling. I thought you'd been doing professional development for a number of years. Perhaps I'm remembering wrong.
Agile emphasizes *automating* testing. Automated testing is a good thing. It sometimes catches regressions and fatal errors that completely break the build entirely. That saves your alpha and beta testers from dealing with some of the easy, dumb mistakes.
Scrum by the
Two options (Score:2)
> If you're finding things wrong during QA at the end of an agile sprint, there's something seriously wrong
Suppose QA is blended into your four and a half days of planning, research, development, and testing. Somehow (magic?) you're testing the changes you've not yet finished against everyone else's unfinished changes. Obviously you're not testing how your changes work with the other guy's changes before you've decided how to write either change. So that gives you max maybe 7 hours integration testin
Re: (Score:2)
Answering both posts.
Scrum 'by the book' suggests 6 week long sprints.
Most teams do 2 or 3 weeks. One week makes only in the rarest cases sense.
In a Scrum project you test inside of the sprint. But we don't have alpha and beta testing.
While a sprint result should be shippable, it is not necessarily shipped. E.g. a big online game with half yearly updates might still be developed with a few sprints and then tested and bug fixed.
Most projects I was involved in are done with Scrum. We always had a completel
Re: (Score:2)
What about the tests?
This is crypto-currency, the hot new thing tests are for old fogeys who still use dollars. Get with the times, young programmers are Agile, they don't plan and test their work, they release early and often. They release the Minimum Viable Product (minimum piece of shit they can get away with for a moment), it's illegal now to even think about corner cases and make code robust.
I don't know about ZCash, but Bitcoin has an extensive regression test suite and test mode. And test-first development is a principle of agile, so I'm not sure why you concluded agile programmers don't test.
Re: (Score:2)
Re: (Score:2)
Every language I can think of has a common single-character bug. Many Microsoft SQL users routinely leave off the semicolon which terminates a statement. Sometimes that results in buggy behavior right away, sometimes not until two years later when a change is made to the *proceeding* statement.
I once accidentally put a semicolon after an "if" statement in PHP. The website ran fine for years until one day when there were no articles for the little box this code was behind. That day the whole website ate shit. At least it was an easy fix!
Re: (Score:3)
If that is the right repository, then this is the relevant pull request: https://github.com/zcoinoffici... [github.com]
It is a one line change from two days ago. Apparently the typo was initializing a variable to 1 instead of 0.
Re: (Score:2)
This doesn't look like a typo. And without digging deeper, even the variable name doesn't look like it would be unclear to what it should be initialized. Maybe somebody from the team was involved ...
Re: (Score:2)
A one character bug? Really?
"one character typo" can cover a wide range of things. Using = instead of == is probably the most famous but also generally one of the easiest to spot (modern compilers usually have a warning for it). Using the wrong variable is a big one (not helped by the fact that mathematicians love one-character variable names). Using the wrong logical or comparison operator can be another.
Unfortunately TFA doesn't say what the "one character typo" was and looking at their github I don't see any one character typos b
Re: he didnt "steal" anything (Score:1)
Your last two examples actually aren't stealing. Don't believe me? Ask a judge.
Steal? (Score:4, Insightful)
Re:Steal? (Score:4, Insightful)
Indeed, he profited from a loophole in the system, and it's unclear whether this was illegal. The question of legality probably depends on the terms of service for Zerocoin, and on the laws of the country where the "attacker" resides.
But in human societies, when a lone wolf exploits a loophole, the lone wolf's behavior is usually unacceptable. When a group of individuals who possess social status exploit the loophole, their behavior is often acceptable. Isolated individuals with low social status have very few advantages in society. And when they figure out how to gain an advantage, society goes on the offensive against them.
Re: (Score:2)
Indeed, he profited from a loophole in the system, and it's unclear whether this was illegal. The question of legality probably depends on the terms of service for Zerocoin, and on the laws of the country where the "attacker" resides.
But in human societies, when a lone wolf exploits a loophole, the lone wolf's behavior is usually unacceptable. When a group of individuals who possess social status exploit the loophole, their behavior is often acceptable. Isolated individuals with low social status have very few advantages in society. And when they figure out how to gain an advantage, society goes on the offensive against them.
I think we need an AC Insightful mod
Re: (Score:2)
Unacceptable but not illegal means society must pass a new law.
Demagogues leading The People on lawless rages against Lone Wolves and small groups is a much bigger problem.
Move along, please, nothing to see here... (Score:5, Interesting)
One char can make a big difference in performance and correctness. The greatest one character code change I made and got stunning performance improvement from was adding an &. It took significant effort to find it, because instrumenting the entire executable for profilers was just out of the question. But once found it was trivial. The caller was passing a std::map by value. The answers were correct and the scaling effects were not visible till the map grew to big sizes. I expected something along these lines.
Re:Move along, please, nothing to see here... (Score:4, Informative)
It's pretty easy to find: https://github.com/zcoinofficial/zcoin/commit/b20c177032de3c4bfae62b5ada768a5dc2b4fa67
I'm gonna call all my off-by-one errors "typographical errors" from now on.
Re: (Score:2)
Bug Bounty (Score:5, Insightful)
Re: (Score:2)
A force so powerful that the hyperinflation in Zimbabwe reduced it to one of the lowest valued currency units in the world, with denominations up to a $100 trillion banknote.
Re: (Score:3, Insightful)
Why did the Zcoin team even attempt to identify the attacker? Surely they realize that if they succeed, then no one will believe their claim about strong privacy guarantees and anonymity. This could harm their cryptocurrency by more than 592k$. Catch-22.
Re: (Score:2)
Why did the Zcoin team even attempt to identify the attacker? Surely they realize that if they succeed, then no one will believe their claim about strong privacy guarantees and anonymity. This could harm their cryptocurrency by more than 592k$. Catch-22.
Wow, the ACs are in rare form today
Re: (Score:1)
Are you coming on to me? One penis into your butt, coming right up!
Re: (Score:2)
It seems they succeeded in their goal and were hoist by their own petard. Of course, had they recovered the funds then ZeroCoin would have failed at its purpose. I wonder who took the loss.
My intuition was that it would have the same effect as any other currency counterfeiting operation has on the "genuine" currency: i.e. all holders of ZeroCoins took the loss, in the form of a certain amount of extra inflation caused by the increase in "supply", which reduced the values of their ZeroCoin holdings. Possibly also they might take a further loss if people start to lose faith in ZeroCoins and start selling them (or stop buying them), causing their value to decrease some more.
attacker has already sold 350,000 (Score:4, Insightful)
the attacker has already sold 350,000
By which we mean he has already moved it into other accounts that he likely controls.
Re: attacker has already sold 350,000 (Score:1)
No, sold for BTC on poloniex
Correction (Score:2)
The story says " allowed an attacker to steal 370,000 Zerocoin, which is about $592,000 at today's price". I seriously doubt 370,000 Zerocoins is worth anywhere near $592k now that the news is out and trading has been suspended. If you can't spend it, it's worth is zero, which kind of makes sense for something named Zerocoin. The name should have been warning enough.
Re: (Score:2)
Price chart is here [bitinfocharts.com].
Judging by the drop since late October, when they were at $5.50 USD, they have other problems.
Guess we'll find out next week what's the impact of this theft.
Re: (Score:3)
zerocoin? What is that? (Score:2)
Re: (Score:2)
Dogecoin has been "relatively stable" [bitinfocharts.com] for about a year.
Re: (Score:2)
Re: (Score:2)
The absolute value of one "coin" is not a useful comparison. It doesn't really matter whether you have lots of "coins" with a low value per coin or fewer with a higher value per coin.
More interesting as a measure of the relative importance of cryptocurrencies is the "market cap". The value per coin times the number of coins in circulation.
By that measure dogecoin's significance is about 0.1% of bitcoin's
http://coinmarketcap.com/ [coinmarketcap.com]
Let me guess (Score:1)
A whole $592k? (Score:2)
Wow. I'm surprised the total value of all Zerocoin is worth that much in $USD
Why is this described as a theft? (Score:1)
PVS-Studio (Score:1)