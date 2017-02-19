Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


The Almighty Buck Security

A Source Code Typo Allowed An Attacker To Steal $592,000 In Cryptocurrency (bleepingcomputer.com) 12

Posted by EditorDavid from the big-bug-bounties dept.
An anonymous reader writes: "A typo in the Zerocoin source code allowed an attacker to steal 370,000 Zerocoin, which is about $592,000 at today's price," reports BleepingComputer. According to the Zcoin team, one extra character left inside Zerocoin's source code was the cause of the bug. The hacker exploited the bugs for weeks, by initiating a transaction and receiving the money many times over.

"According to the Zcoin team, the attacker (or attackers) was very sophisticated and took great care to hide his tracks," reports the site. "They say the attacker created numerous accounts at Zerocoin exchanges and spread transactions across several weeks so that traders wouldn't notice the uneven transactions volume... The Zcoin team says they worked with various exchanges to attempt and identify the attacker but to no avail. Out of the 370,000 Zerocoin he stole, the attacker has already sold 350,000. The Zcoin team estimates the attacker made a net profit of 410 Bitcoin ($437,000)."

  • Steal? (Score:3)

    by beernutmark ( 1274132 ) on Sunday February 19, 2017 @10:59AM (#53895805)
    I don't think steal is the right word in this context. The article doesn't state that anyone else lost their coins. More accurately would be "created", "unauthorized-mining", or perhaps most accurately "counterfeited"
  • They are not disclosing what that extra character was or even which language the code was written. As a coder I was interested in finding how it could have happened. But as it stands, it is a puff piece.

    One char can make big different in performance and correctness. The greatest one character code change I made and got stunning performance improvement was adding an &. It took significant effort to find it, because instrumenting the entire executable for profilers was just out of the question. But once found it was trivial. The caller was passing a std::map by value. The answers were correct and the scaling effects were not visible till the map grew to big sizes. I expected to something along these lines.

  • Seems like he collected an ~500k$ bug bounty. The interesting part is "Zero Coin is a project to fix a major weakness in Bitcoin: the lack of privacy guarantees we take for granted in using credit cards and cash. Our goal is to build a cryptocurrency where your neighbors, friends and enemies can’t see what you bought or for how much" per Zero Coin. It seems they succeeded in their goal and were hoist by their own petard. Of course, had they recovered the funds then ZeroCoin would have failed at its pu

  • attacker has already sold 350,000 (Score:3)

    by frovingslosh ( 582462 ) on Sunday February 19, 2017 @11:37AM (#53895877)

    the attacker has already sold 350,000

    By which we mean he has already moved it into other accounts that he likely controls.

  • The story says " allowed an attacker to steal 370,000 Zerocoin, which is about $592,000 at today's price". I seriously doubt 370,000 Zerocoins is worth anywhere near $592k now that the news is out and trading has been suspended. If you can't spend it, it's worth is zero, which kind of makes sense for something named Zerocoin. The name should have been warning enough.

