Slashdot Mirror
A Source Code Typo Allowed An Attacker To Steal $592,000 In Cryptocurrency (bleepingcomputer.com)
An anonymous reader writes: "A typo in the Zerocoin source code allowed an attacker to steal 370,000 Zerocoin, which is about $592,000 at today's price," reports BleepingComputer. According to the Zcoin team, one extra character left inside Zerocoin's source code was the cause of the bug. The hacker exploited the bugs for weeks, by initiating a transaction and receiving the money many times over.
"According to the Zcoin team, the attacker (or attackers) was very sophisticated and took great care to hide his tracks," reports the site. "They say the attacker created numerous accounts at Zerocoin exchanges and spread transactions across several weeks so that traders wouldn't notice the uneven transactions volume... The Zcoin team says they worked with various exchanges to attempt and identify the attacker but to no avail. Out of the 370,000 Zerocoin he stole, the attacker has already sold 350,000. The Zcoin team estimates the attacker made a net profit of 410 Bitcoin ($437,000)."
"According to the Zcoin team, the attacker (or attackers) was very sophisticated and took great care to hide his tracks," reports the site. "They say the attacker created numerous accounts at Zerocoin exchanges and spread transactions across several weeks so that traders wouldn't notice the uneven transactions volume... The Zcoin team says they worked with various exchanges to attempt and identify the attacker but to no avail. Out of the 370,000 Zerocoin he stole, the attacker has already sold 350,000. The Zcoin team estimates the attacker made a net profit of 410 Bitcoin ($437,000)."
One char can make big different in performance and correctness. The greatest one character code change I made and got stunning performance improvement was adding an &. It took significant effort to find it, because instrumenting the entire executable for profilers was just out of the question. But once found it was trivial. The caller was passing a std::map by value. The answers were correct and the scaling effects were not visible till the map grew to big sizes. I expected to something along these lines.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Seems like he collected an ~500k$ bug bounty. The interesting part is "Zero Coin is a project to fix a major weakness in Bitcoin: the lack of privacy guarantees we take for granted in using credit cards and cash. Our goal is to build a cryptocurrency where your neighbors, friends and enemies can’t see what you bought or for how much" per Zero Coin. It seems they succeeded in their goal and were hoist by their own petard. Of course, had they recovered the funds then ZeroCoin would have failed at its purpose. I wonder who took the loss.
I'm a consultant - I convert gibberish into cash-flow.
> A one character bug? Really?
Sure, I've seen many single-character bugs, and created a few. I imagine MOST experienced programmers have done this at least once:
if (a = b) {
When they meant:
if (a == b) {
Every language I can think of has a common single-character bug. Many Microsoft SQL users routinely leave off the semicolon which terminates a statement. Sometimes that results in buggy behavior right away, sometimes not until two years later when a change is made to the *proceeding* statement.
> What about the tests?
This is crypto-currency, the hot new thing tests are for old fogeys who still use dollars. Get with the times, young programmers are Agile, they don't plan and test their work, they release early and often. They release the Minimum Viable Product (minimum piece of shit they can get away with for a moment), it's illegal now to even think about corner cases and make code robust.
Indeed, he profited from a loophole in the system, and it's unclear whether this was illegal. The question of legality probably depends on the terms of service for Zerocoin, and on the laws of the country where the "attacker" resides.
But in human societies, when a lone wolf exploits a loophole, the lone wolf's behavior is usually unacceptable. When a group of individuals who possess social status exploit the loophole, their behavior is often acceptable. Isolated individuals with low social status have very few advantages in society. And when they figure out how to gain an advantage, society goes on the offensive against them.