by Chandler and Adam Wyatt
On July 24, 2014, bitcointalk.com member BitcoinEXpress (“BCX”) replied to a thread on the bitcoin-focused forum indicating that in under two hours he had discovered and gained possession of an exploit in the codebase of Monero (XMR). He gave no indication that he intended to use the exploit to attack the coin until other forum members started to confront him as to the veracity of the claim. Don’t worry, it gets MUCH stranger...
Fast forward July 26 when BCX posted a reply reiterating that he had no intention of attacking the coin, although he did assert that he had large amounts of hashing power available to him. He ended the post by telling readers to mine and buy Monero because he saw potential in it.
In the few weeks that followed, BCX continued to receive ridicule and provocation from forum members. In a thread BCX started on September 17, he specifically mentions that he was being “trolled” by forum member MoneroMan88. In this post, he again stated that he had no need or desire to attack Monero, but in the same breath claimed that he had found several specific exploits in CryptoNote (and thus Monero), one of which was a “coin killer”, and that he had the resources and ability to execute the attack at any time.
In the first reply on the same thread, Monero core developer “tacotime” asked of BCX, “Can you disclose this vulnerability privately to us so we can fix it?”, to which BCX never responded directly. As the thread progressed, BCX stopped posting while Monero core developer smooth and well known forum member, TheFascistMind (previously known as Anonymint), began discussing the potential nature of the exploit.
Early on September 19, TheFascistMind (“TFM”) posted in the thread the details of his initial hunch, but stated that he was too tired to work through the math at the time. About an hour later, BCX replied, having just caught up on the thread, and seemed perturbed by the fact that there had been 10 pages worth of posts discussing the exploits, incuding suppositions that he planned to attack Monero. He went on to state that he had successfully sandboxed and tested a “very lethal” Time Warp attack, and claimed it was deployable. He concluded by stating that no one should hold too much in Monero because there are many open vectors for attack.
About 6 hours later, prominent Bitcoin core developer gmaxwell quoted a portion of BCX’s previous post which stated that the exploitable flaw was not in the cryptography, but rather in CryptoNote’s (and thus Monero’s) specific implementation of it. To this, gmaxwell replied, “This is in direct contradiction to your original claim that it cannot be fixed without giving up on anonymity. I call bullshit.”
Early on September 20, TFM made a post implying that the issue could lie in ring signature overlaps, meaning that if a malicious party were to own a large number of the signatures that are used to anonymize Monero transactions, they could deduce the identity, and possibly the private key, of certain users. [EDIT: TFM later pointed out to me that the possible vulnerability he discovered does not require the attacker to own any inputs used in the ring signature in order to compromise anonymity. He also noted that it is unknown how effective, if at all, his algorithm is, as it has yet to be tested in a simulation]. Shortly thereafter, well known senior forum member “jl777” offered a 5 Bitcoin bounty for the discovery of any vulnerability along those lines and proposed a fix to mitigate said vulnerability, and twenty minutes later another senior forum member, “Brilliantrocket”, posted a 10 Bitcoin bounty for proof that the vulnerability exists. Near the middle of the day, TFM posted that his initial hunch must have been incorrect, as he could find no such weakness in the math, and he did not have time to go hunting through the implementation for bugs, “Not even for 50 BTC” he said.
2 hours later, TFM asked “Can anyone loan me Monero? How much and what are the terms? PM me please.” No one responded publicly, but 2 hours after that TFM posted again saying that he no longer wanted to short monero and for holders to rest easy. He claimed to have found an exploit that he thought might be the one BCX has discovered. Eight minutes later, BCX closed the thread and posted a link to a new one he had started, entitled “Monero Exploit Confirmed Independently”.
The new thread began with BCX posting a private message (PM) that had been sent to him by TFM that read as follows:
“I had a sudden epiphany while at dinner which is BCX's exploit, well at least I can find the i == s and from that it may be possible to factor 'x' the private key.
I am trying to think of a fix. So far I can not think of any fix. I think BCX is correct, this is a coin killer.
I will also be contacting BCX to see if he wants to buy it from me since he wrote publicly that someone offered in 100 BTC for this.
BCX, do you have any interest in buying this from me instead of me selling to James, smooth, or BrilliantRocket?”
Other posters began to question the authenticity of the PM that BCX had posted in the OP, but TFM soon openly announced that the PM was indeed authentic and he was simply looking to get compensated for his time and effort, but saying shortly later, “I probably did the wrong thing and should have only announced my discovery to the developers…”
Early on September 19, a user with the handle “BitcoinEXpress” began posting in the chat box (a.k.a. trollbox) of Poloniex, a cryptocurrency exchange that has seen the largest Monero trade volume for the past several months. The user started by making a post concurrently in the bitcointalk thread and asking others in the trollbox to verify his identity. He said it needed to be clear that his identity be certain because of the gravity of something he was about to declare. It was clear that this was the same BCX from bitcointalk. He subsequently stated that he did not turn over the details to the Monero developers because he found them cocky and wanted to force them into fixing the vulnerability on their own, but still refused to provide any details as to the nature of the exploit.
A few minutes later, after declaring that he was in no way motivated by money, but rather because he “loved the game”, he made the following posts in the trollbox:
At this point, it should be noted that rpietilla is one of the most vocal major holders of Monero and BCX has a proven history of successful coin attacks (AuroraCoin). rpietilla did not accept the bet, and the bitcointalk thread that BCX had started exploded with alarmists, accounts pitching other coins, trolls posting in large red letters and general mayhem. A website was created to countdown to the proposed destruction of the coin: http://itsalmo.st/#timetokillxmr
As rumors and accusations spread, TFM made a post imploring thread participants not to provoke BCX as he and the Monero devs likely would need the full 72 hours promised to investigate, to which BCX replied “You have your 72 hours, I keep my word”.
At the end of that same post, BCX implied that he was playing the catalyst in a forced evolution of the coin, and then posted a link to a youtube video of The Joker burning a pile of cash to communicate his motivation behind the decision to attack Monero. He also announced that he had begun taking shots of Stoli Elite and “loves this shit.” Bond Villain anyone?
Forum members began theorizing that TFM and BCX were playing “good cop, bad cop” to take advantage of situation. A series of heated confrontations followed, and TFM announced that he had an epiphany and discovered an amplification to the exploit. After smooth stated rather bluntly that TFM had discovered nothing and posted a link to a paper published by the Monero Research Lab proving that such an attack was not possible, TFM lost it. He first claimed that he was going to give the mitigation only to the Boolberry devs (another CryptoNote coin) on the condition that they keep it secret from the Monero devs, then he eventually stated that BCX was the least of Monero’s worries. “You’re dealing with me. Capice?”, he said confidently.
smooth managed to talk TFM off the ledge in a series of private messages. He claimed to have read the Monero Research Lab (MRL) paper that covers the ring signature weakness he’d found, and said the he felt confidently that what he found was not considered and was far more harmful. He communicated what he’d found to smooth over a secure channel and they began working in private*.
In the meantime, the hashrate of the monero network grew dramatically and the recently formed MEW (Monero Economy Workgroup) task force comprised of major monero holders and developers (no core team members), including TFM, began looking into fixes for the code, and announced confidently that no coin-killing exploit was possible in the way BCX implied (or TFM supposedly discovered).
More speculation from the forums generated yet another rumor that the attack would simply be a 51% attack, concurrent with DDoS (in attempt to take down other pools so the attacker can quickly gain a large portion of the network hashrate, or take down exchanges).
Early today (~12 hours from destruction), BitcoinEXpress stated on the Poloniex trollbox that Poloniex would be going down for about 5 minutes while he “lines up a few things”. He said it would happen 3 minutes later, and it did. Monero trading was down for about an hour, and the chart went flat.
BitcoinExpress then stated on the trollbox that this was a test. He then went back to the BCT thread, vehemently denying that he DDoS’d Poloniex and that it was an imitator. Members immediately questioned that claim due to the verification process used in the initial threat and bet.
The matter of the exchange attack is unsettled, and the exact nature of BCX’s attack (if any) is still not known for certain. The price of Monero is now trending up after a significant drop below 0.0029, which seems to indicate that the market does not think a coin-killing attack is going to occur, but of course no one knows for sure. We are now only a few hours from the deadline, and all we can do is wait (and fire up our solo miners to brace for the potential attack!).
The accusations and conspiracy theories continue to abound in the crypto community, but at this point most of us are relegated to watching from the sidelines. This is a fluid situation, so we will be updating this post periodically.
Also, follow our Chief Analyst @AKWAnalytics for up to the second reporting.
*-Several hours later TFM came back to the forum to post a simple overview of what they had discovered, and it was basically that “rings are allowed to mix with the same set of inputs too many times,” which can reduce anonymity if a malevolent party owns enough of those inputs. smooth chimed in to say that it was an interesting discovery that will benefit the CryptoNote technology overall, and that TFM deserves credit for coming up with it. A major point of this is that reducing anonymity is really all that can be done, it is clear that, at least using this exploit, compromising user’s private keys is not possible.
**Update 1** : GMT 20:20 - TheKoziTwo quotes BCX from another thread saying, according to him, the attack won't start for another ~5 hours:
**Update 2** : GMT 20:30 - Poloniex Exchange tweets that, as a precaution, all XMR deposits and withdrawals will be frozen and funds will be put into cold storage for 24 hours.
**Update 3** : GMT 21:29 - Full nodes with external ports open and are getting an unknown top block from several peers on the network. This occurred almost immediately when the original 72hr timer expired. It's so far unclear what this means and the core team has stated they are looking into it on the #monero-dev IRC channel, but it could be an attempt to create a fork:
**Update 3 Edit** : Spam stopped. Seems like it could've been an accident - someone firing up many nodes behind a NAT and letting them start to sync. In the #monero-dev IRC channel, @fluffypony stated of the event: "that was short lived and boring."
**Update 4** : BCX's postponed deadline has now also passed and no attack has occurred. He stated in the bitcointalk thread that the symptoms of a timewarp attack can take several days to manifest, but the price has held above 0.0033 for several hours now and it is now strongly suspected that this was a scare campaign to acquire cheap coins and no attack is going to occur. We will still be watching developments closely for the next few days and updates will continue to be posted here.
**Update 5** : We still have no evidence of an attack at this point. The developers continue to work on medium term fixes so that regardless of if/when the attack happens, they will be ready (innovative checkpointing is the proposal atm). Also, deposits and withdrawals remain frozen on Poloniex and most major exchanges, however trading is still active and BTC deposits are working properly. FYI, prices are up an additional 6.5% overnight. More to come...
**Update 6** : There is good reason to believe that BCX's real-world identity would be easy to uncover, if it is not outright known by some already. This adds an additional layer of complexity to the situation for a few reasons: (1) DDoSing a U.S. based business is a federal crime. (2) Whether or not BCX follows through with attacking Monero, this episode will have a serious impact on his or her reputation that could follow them forever if their identity were to become publicly known. NOTE: I acknowledge that this has nothing to do with XMR itself or the underlying technology, but is nonetheless part of the still unfolding story.