-
br-m
<mrcyjanek0:matrix.org> @ofrnxmr: Yep
-
br-m
<mrcyjanek0:matrix.org> Also if I’m reading that correctly
github.com/CoinSpace/CoinSpace/blob/master/server/lib/csFee.js their fees are fetched from database, including amounts and addresses.. so a server (because they insist it’s not a node lol) compromise could technically drain users wallet (or at least impose insanely high fees)
-
br-m
<ofrnxmr:xmr.mx> its not a server either 💢, we are an offline, magic-based wallet
-
br-m
<sgp_> @mrcyjanek0:matrix.org: They do impose high fees:
coin.space/all-about-fees
-
br-m
<sgp_> "Network fee + 0.5% (min. $0.30, max. $100) "
-
br-m
<sgp_> Could it charge more without a user reasonably knowing? Maybe but I've looked at enough of their code already and I can't be bothered to look at more :p
-
br-m
<mrcyjanek0:matrix.org> It could 100%, it stores the maximum and minimum server side
-
plowsof
Guarda is listed as closed source , maybe remove that too 😆 there is a closed issue on site for the coin wallet listing iirc
-
nssy
exit
-
br-m
<ofrnxmr> plowsof: 2
-
br-m
<monerobull:matrix.org> I can do that > <@sgp_> @monerobull:matrix.org: do you have the ability to edit the pinned weekly discussion for r/monero? I finally took a look at the CoinWallet code, and it's really bad for privacy. I think it should be removed
-
n1oc
j-berman full-time development (4 months) is now fully funded!
ccs.getmonero.org/proposals/j-berman-4months-full-time-11.html @luigi1111
-
n1oc
hinto-janai full-time work (3 months) is now fully funded!
ccs.getmonero.org/proposals/hinto-5.html @luigi1111
-
br-m
<plowsof:matrix.org> the rest of us have hope 🙏
-
br-m
<longtermwhale:matrix.org> i can tell you that swapuz is a scam front for whitebit > <@monerobull:matrix.org>
mrelay.p2pool.observer/m/matrix.org/cwOtPGFhcjHckQUxQcWIuyCw.png (image.png)
-
br-m
<longtermwhale:matrix.org> they dont have any liquidity. they claim they will do the AML check and refund money if necessary. they just forward the money to whitebit and claim without proofs that their partner whitebit needs more info (on totally clean coins, yeah...). its a classical "not my fault". of course with very small amounts you likely wont enc [... too long, see
mrelay.p2pool.observer/e/-rWF2LUKNjVmWDlC ]
-
br-m
<longtermwhale:matrix.org> the only non dex in the market with own liquidity + history that actually process larger transactions are infinity and wizardswap
-
br-m
<longtermwhale:matrix.org> and whitebit itself are also just ukrainian scammers but thats another topic. just wanted to add 2 cents because i read swapuz
-
br-m
<plowsof:matrix.org> @longtermwhale:matrix.org: any experience with godex? issue to remove it
monero-project/monero-site #2430
-
br-m
<longtermwhale:matrix.org> @plowsof:matrix.org: i do not have personal experience on godex, can only tell you that anything that doesnt disclose their current AML partner and all their criteria is shady in the first place. for most legally based enterprises depending on the reason for the bad rating its impossible to take a coin thats bad and then j [... too long, see
mrelay.p2pool.observer/e/6q-72LUKampET2pi ]
-
br-m
<longtermwhale:matrix.org> there is also groups other than the big KYT providers, they are hired by private individuals that got phished etc. they will mail exchange providers with address blacklists. those might turn up as 0% risk in the well known KYT providers but end up being frozen by exchange due to information from partners. the usual procedure h [... too long, see
mrelay.p2pool.observer/e/v7DD2LUKMkNiazlD ]
-
br-m
<plowsof:matrix.org> @mrcyjanek0:matrix.org: here is the closed issue on site for coin wallet
monero-project/monero-site #2143#issuecomment-2002555434
-
midipoet
sometimes i feel that reading IRC scrollback isn't good for my health
-
br-m
<plowsof:matrix.org> instead of "It never happened" people should like DataHoarders site which provides evidence that Qubic are responsible for invalidating peoples transactions
xcancel.com/c___f___b/status/1967877575021301841
-
br-m
<plowsof:matrix.org> s/like/link
-
DataHoarder
In total 115 transactions were invalidated
paste.debian.net/hidden/5ea3d92e
-
DataHoarder
All these transactions invalidated by the malicious attacker by producing the 10+ reorg get effectively "refunded" which has given a free double spend to any of these senders. Due to how the mempool works, they may have to wait some time before spending these again.
-
DataHoarder
Spending the funds will use a different set of decoys. This has bad consequences for the users who were affected by the attacker.
-
DataHoarder
This reveals the true spend of the transaction input, decreasing the user privacy permanently as a direct consequence of the malicious attacker invalidating the transaction.
-
DataHoarder
Relevant blocks that included transactions that got invalidated
-
DataHoarder
Each block involved also has a short description of what it means. rucknium is working on making a visualization
-
DataHoarder
All invalidated transactions were archived fully. Endpoint to get the blobs is
blocks.p2pool.observer/tx/1ddccf341…84b04a7f6be7d455b4ca206a99ec7f/json (replace txid)
-
br-m
<plowsof:matrix.org> We're excited to announce that it actually happened , Buckle up! a thread 1/12 🧵 👇️
-
DataHoarder
Additionally, some of these blocks in the chain were confirmed in Tari network (they were merge mining) also interleaved with Qubic's attacking chain. This links both together and proves these blocks were available at the time Qubic was mining, with their included transactions
-
DataHoarder
All of them can be validated by manually walking monero into the alt chain. All block headers are also archived and can be downloaded via the buttons directly (and imported into monero)
-
DataHoarder
To deny it happened just shows how big of a panic caused CfB. From Discord messages, they seemed to completely misunderstand how transactions work in monero, even after quoting our own messages why they shouldn't do 10+ blocks just a week earlier, and we verified this situation would occur in a testnet experiment.
-
DataHoarder
Yet when it happened basically believed that transactions could be copied (they didn't copy them either), and this is also not doable due to several reasons detailed in #monero-research-lounge (see logs), for example, not accounting for coinbase shifts, or their withheld transactions, or them mining ahead of the chain (they'd need to replicate the
-
DataHoarder
transactions in the EXACT order. usually these are randomly shuffled).
-
br-m
<plowsof:matrix.org> pinging all analysts to spread this far and wide cc @lordx3nu:matrix.org
-
DataHoarder
There's the "blogpost" :D
-
br-m
<plowsof:matrix.org> thank you
-
DataHoarder
not really, more information will come from others.
-
DataHoarder
made it more obvious and clicking on the invalidated transactions in the block page will actually get you to the json endpoint
-
DataHoarder
Double spending ""attempts"" will start appearing in a week
-
DataHoarder
That's the time transactions more or less take to get cleared from mempool
-
br-m
<monerobull:matrix.org> whats going on with the mempool
-
br-m
<monerobull:matrix.org> 400 pending
-
br-m
<monerobull:matrix.org> > <DataHoarder> To deny it happened just shows how big of a panic caused CfB. From Discord messages, they seemed to completely misunderstand how transactions work in monero, even after quoting our own messages why they shouldn't do 10+ blocks just a week earlier, and we verified this situation would occur in a testnet experiment.
-
br-m
<monerobull:matrix.org> it would be really funny if the CIA claims monero as their important infrastructure and classifies this as a terrorist attack
-
br-m
<longtermwhale:matrix.org> > <DataHoarder> All these transactions invalidated by the malicious attacker by producing the 10+ reorg get effectively "refunded" which has given a free double spend to any of these senders. Due to how the mempool works, they may have to wait some time before spending these again.
-
br-m
<longtermwhale:matrix.org> free double spend? i had 10+ tx affected on the 115 tx, no one i was sending money to accepts at 10 confirmations at this point. thats the actual trouble with the events, it weakens the whole ecosystem and slows it down. kraken 30+ confirms while constantly disabling and enabling withdrawals due to circumstances, besides withdraws failing here and then
-
DataHoarder
the transaction sent was refunded, and in a week, it's possible to spend again
-
DataHoarder
yes, the actual ecosystem damage goes further than that. talking in technical points there
-
br-m
<longtermwhale:matrix.org> DataHoarder: yes of course, but that means its not spent in the first place
-
DataHoarder
In your case quite probably the harm is limited that the outputs you used as inputs cannot be spent until a week from the attack (or txpool is flushed everywhere/new tx is mined), and that the true spend is revealed permanently decreasing your privacy. This transaction will also display as a double-spend attempt after it's re-spent (as it has to
-
DataHoarder
reuse the key image)
-
DataHoarder
For an atomic swap, the damage would have been greater.
-
DataHoarder
There is also no way for the attacking chain to know the purposes, so going with it hoping nothing is affected (which isn't the case) is true peak YOLO behavior
-
br-m
<longtermwhale:matrix.org> DataHoarder: yes, due to for example unstoppable or however that shit (sorry) is called now, doesnt go with current events (and fails constantly any way and bugs etc.)
-
DataHoarder
basically cfb saying "just raise conf times to 30 or 70" that doesn't matter
-
br-m
<longtermwhale:matrix.org> everyone should rather understand the current happenstance as an opportunity to work on possible and real problems. they existed before qubic brought them to attention
-
DataHoarder
monero code is 10, and no matter what others set, there WILL be issues on 10 reorgs or past that
-
br-m
<longtermwhale:matrix.org> (am not defending the dude)
-
DataHoarder
indeed. it has brought attention to existing PRs talking about the problem and FCMP as well :)
-
DataHoarder
it's not like bitcoin or others where a reorg means txs go back in pool, and if attacker is not double spending willingly it doesn't happen
-
DataHoarder
(and it's referred by id)
-
DataHoarder
in monero decoys are used so regardless of how old your original confirmation is, you can be affected
-
DataHoarder
they are also referred by the global output index, meaning that the transaction gets invalidated even if one transaction output is out of order. to achieve this Qubic would need to mine BEHIND monero and include the same transactions, and same exact order and number of miner outputs (p2pool can have many)
-
DataHoarder
it is technically infeasible for them due to the limit of size of their templates
-
DataHoarder
without accounting for miner tx and rest of header, that allows maximum 28 transactions
-
DataHoarder
they are doing 20 now. they are already at the limit.
-
DataHoarder
meanwhile other pools are doing +100 txs per block
-
DataHoarder
or p2pool doing 700+ outputs in their coinbase txs
-
DataHoarder
717 outputs here
-
DataHoarder
48 KiB block.
-
DataHoarder
they'd need 54x their current space to fit this block outputs to ensure global output indices not change while selfish mining. ofc, they'd need to do this behind monero all the time
-
br-m
<spirobel:kernal.eu> @longtermwhale:matrix.org: in pow the only way to inflict long term damage on an attacker like this is to sue them. With asics there is some sunk cost into asic hardware (that is decaying over time as well, as older mining hardware has little economic value, but is still useful for this kind of attack). There is no way to solve this problem if people are not willing to think openly.
-
br-m
<monerobull:matrix.org> qubic is a centralized botnet that drops and runs executables to its miners
-
br-m
<monerobull:matrix.org> its probably built using actual botnet code
-
br-m
<spirobel:kernal.eu> (I am not suggesting to sue them)
-
midipoet
we could get the official Monero twitter account to tweet something like "We are super excited to announce that WE ARE GOING TO SUE YOU!"
-
plowsof
Served!
-
br-m
<lordx3nu:matrix.org> We could take them to kleros court
-
br-m
<spirobel:kernal.eu> there is a strong sentiment that is expressed here and elsewhere that something should be done. I agree with this sentiment. Bitcoin will run into the same situation in the next 2-5 years. When old asics become so cheap that this attack becomes feasible.
-
DataHoarder
Here's the reorg SVG (it gets generated from live block data on each startup)
blocks.p2pool.observer/event/reorg_sep14_18/plot.svg
-
br-m
<kevino:tchncs.de> @spirobel:kernal.eu: But difficulty increases with new asics ?
-
br-m
<spirobel:kernal.eu> @kevino:tchncs.de: the difference between old and new asics is already at 3 to 4x for the same amount of TH. The only difference is that the newer ones are half as energy efficient. For the attack energy efficiency does not matter because you can do it in bursts
-
br-m
<spirobel:kernal.eu> the difficulty increases with price.
-
br-m
<spirobel:kernal.eu> the cost of the actual attack comes down to game theoretics. will there be a bitcoin defense fund that will mine at a loss when push comes to shove?
-
br-m
<spirobel:kernal.eu> we saw the game play out a bit now on a smaller scale + the added difference that CPUs can be resold / dont lose value and there is no way to outbid the attacker for general purpose CPUs compared to how bitcoin maxis speculate it will be possible to outbid attackers on old miners.
-
br-m
<spirobel:kernal.eu> people want to stick to their convictions.
-
br-m
<spirobel:kernal.eu> Eventually a decision will have to be made between sticking to outdated beliefs around proof of work and solving the issue.
-
br-m
<spirobel:kernal.eu> for the record: I dont like proof of stake. I think it does not have a good answer for the high amount of stake needed.
-
br-m
<spirobel:kernal.eu> the empirical evidence shows that higher amount of stake does not lead to more security.
-
br-m
<kevino:tchncs.de> Bitcoin is not a very good example of this, there are institutions involved in to "protect" it.
-
br-m
<kevino:tchncs.de> They will rather just make bitcoin less usable than outright attack it
-
br-m
<spirobel:kernal.eu> @kevino:tchncs.de: but what can they do? especially if its decentralized. we can crowd source this after we implemented a fix and use it as a marketing campaign. Everyone buys a few old bitcoin miners and we all mine on a selfish mining strategy in bursts.
-
br-m
<kevino:tchncs.de> And who funds us ?
-
br-m
<longtermwhale:matrix.org> @kevino:tchncs.de: every worthy CCS gets funding no?
-
br-m
<spirobel:kernal.eu> who funds qubic? this should be profitable by itself. Especially if the bitcoins start bidding the old asics
-
br-m
<spirobel:kernal.eu> so either you resell the miner for roughly the same price, or its a success and you sell it for more + the mining profits
-
br-m
<spirobel:kernal.eu> *the bitcoiners
-
br-m
<satoshicfb:we2.ee> @spirobel:kernal.eu: Satoshi
-
br-m
<spirobel:kernal.eu> @satoshicfb:we2.ee: nobody is going to buy your shitcoin cfb. getting craig wright vibes here
-
br-m
<satoshicfb:we2.ee> @spirobel:kernal.eu: Qubic is only trying to help...
-
br-m
<satoshicfb:we2.ee> We should work together. Peace!
-
br-m
<spirobel:kernal.eu> the difference between qubic and us doing it would be that our narrative would make sense. A decent marketing campaign is useless if the target is something as goofy as mining agi with cpus.
-
br-m
<satoshicfb:we2.ee> AI has to learn like human
-
br-m
<satoshicfb:we2.ee> Why you do not trust satoshi?
-
br-m
<spirobel:kernal.eu> they would have done better if they at least took an open source ai and added a lora. instead of presenting this downy ai anna to the world.
-
br-m
<spirobel:kernal.eu> massive own goal
-
br-m
<satoshicfb:we2.ee> I will not talk to satoshi hater. Only peace blocked!
-
br-m
<satoshicfb:we2.ee> AIgarth is the future
-
br-m
<satoshicfb:we2.ee> Like Monero ->>>>>>> transform ->>>>>> Qubic 😁🤩
-
br-m
<spirobel:kernal.eu> @satoshicfb:we2.ee: sell your qubic now and join monero instead. we will do a much better job. qubic is down only from here. nobody trusts that you can mine ai with cpus. There is a reason why nvidia is investing heavily in networking as well. Not only is a CPU much less efficient when it comes to processing large amounts [... too long, see
mrelay.p2pool.observer/e/uavx4LUKRVB3UUY0 ]
-
br-m
<spirobel:kernal.eu> > satoshicfb left the room
-
br-m
<mbyuvi:matrix.org> @spirobel:kernal.eu: This made me buy Qubic NGL
-
br-m
<mbyuvi:matrix.org> Monero devs are now resorting to cope
-
br-m
<spirobel:kernal.eu> cfb says ai will grow in the ai garden. If this answer satisfies you, go ahead. People that believe that can not be helped. The marketing campaign has reached its TAM and its effectiveness will only decay from here. Betting on qubic is a bet against nvidia. It is a bet against the fundamentals of information theory. Anyone wit [... too long, see
mrelay.p2pool.observer/e/pNzQ4rUKOWpHSVU5 ]
-
DataHoarder
don't fall for the trolls
-
br-m
<spirobel:kernal.eu> okay just saw he spammed other channels as well. Best to get rid of it
-
DataHoarder
he mistakenly posted the AI prompt text too
-
plowsof
lol
-
br-m
<monerobull:matrix.org> lmao whats that
-
DataHoarder
see #monero :)
-
n1oc
selsta part-time monero development (3 months) (18) has moved to funding!
ccs.getmonero.org/proposals/selsta-18p.html
-
DataHoarder
I have made this Timeline of Monero 18-block reorg on September 14th, 2025
github.com/WeebDataHoarder/Monero-Timeline-Sep14
-
br-m
<rucknium> DataHoarder: Wonderful! Thank you.
-
DataHoarder
there are more columns hidden with data sources linked
-
DataHoarder
then after the big log... there's another bigger one
-
DataHoarder
if you have any suggestions on changes or wording, feel free to reach out
-
n1oc
[CCS Proposals] Lu Lason opened merge request #613: Federation Market Nodes
repo.getmonero.org/monero-project/ccs-proposals/-/merge_requests/613