PSA for all P2Pool users: reddit.com/r/Monero/comments/1u1tt1…psa_critical_p2pool_security_update

thanks sech1

<monerobull:matrix.org> sech1: Did you find it with Claude?

No

But I used Claude to confirm that it's real, and Claude even found an easier way to exploit it

DataHoarder confirmed it too once I sent him the description

for a critical, end-game type vulnerability, would people be willing to run signed closed source binary in the run up to the open source release?

This is not an end-game. Worst case, miners will be mining to the attacker's wallet for a while. If we detect it being exploited, we'll release the patch immediately.

I will prepare the release binaries in advance of course

But the thing is, if I release them, the binary diff will show where the fix is. Reproducible builds reduce the noise to the minimum, so it will be easy to find.

are there any on chain metrics available to see if this has been exploited previously? or more realistically - if the exploit happens after release? or can those effected prove 'it' happened?

Yes, it can be easily detected on-chain

"the binary diff" indeed, did not consider that

just add quotes from the b-movie movie in every file so the diff is larger

rot13 b-movie comment encryption*

plowsof: observer keeps historical shares so I'll be running a scan to see if any was used

I also am releasing patched versions of mine but I don't release binaries. So along other changes there will be the affected one

<plowsof:matrix.org> nice, could add a notice to your page also p2pool.observer

Yes, for that I have to release a new version I think :D

It's split from consensus code so should be fairly easy to do across all

It's now as a header field

plowsof, sech1: no historical exploitation on stored shares on observer for Main/Mini/Nano

thanks for confirming this 🙏

<4rkal> cyphergoat.com/this-week-in-monero/issue-34

<tomdooley:matrix.org> the worst that can happen with this exploit is that you wont get your mining payout? > <DataHoarder> plowsof, sech1: no historical exploitation on stored shares on observer for Main/Mini/Nano

yes, mining payouts will be smaller or completely non-existant

if it's exploited

<tomdooley:matrix.org> was this a mythos find?

<ofrnxmr:xmr.mx> no

<ofrnxmr:xmr.mx> it was found by sech1, and then confirmed by opus

<ofrnxmr:xmr.mx> opus couldnt find it

<syntheticbird> ai assisted = made by ai

<syntheticbird> even more true when its anthropic

<syntheticbird> so sech1 didn't found the vulnerability, opus did

<syntheticbird> Q.E.D AGI tomorrow

<plowsof:matrix.org> DataHoarder v 9.0 has found many vulnerabilities also

<plowsof:matrix.org> p2pool is in safe hands

across the years, porting to Go code, reimplementing, fuzzing etc.

here's a list of hardfork-possible related ones (and benign upgrades) git.gammaspectra.live/P2Pool/consen…src/branch/master/docs/HARDFORKS.md

<jbabb:cypherstack.com> DataHoarder: this is very helpful thanks. will use to update the mostly-unreleased p2pool-rs ( github.com/sneurlax/xmr-wow/tree/main/deps/p2pool-rs , never published to crates tho, as I haven't validated it working on mainnet recently)

oh! I'd recommend you take a look around git.gammaspectra.live/P2Pool/consensus in general, as I have support for all P2Pool share versions if you want historical context

and different stratum/merge mining that supports multiple addresses on one node via reserving some slots

<takane0:matrix.org> Hello,

<takane0:matrix.org> Since the website mentioned to send an introduction here, nice to meet you all.

<takane0:matrix.org> I'm Takane, i'm a cybersecurity student and currently working on my Armadillo-Node project for monero nodes. :)

<jbabb:cypherstack.com> DataHoarder: is there a 'canonical' p2pool impl in Rust yet? I also didn't want to publish a p2pool-rs crate because I don't really have the bandwidth to maintain it. I'd rather contribute to someone else's p2pool-in-rust project rather than sharing something nobody except me may ever use :)

<jbabb:cypherstack.com> I saw p2pool-v2 (I forget the repo name) for bitcoin but that seemed abandoned iirc

<jbabb:cypherstack.com> @takane0:matrix.org: and sorry to distract from your introduction. Nice to meet you @takane0:matrix.org

there isn't. I'd recommend exposing a crate that implements the underlying stuff and split the binary elsewhere (like my go-p2pool is a different repo that just consumes this)

<takane0:matrix.org> @jbabb:cypherstack.com: Oh no problem, I'm sure there's a lot of work going on here. Nice to meet you Josh

afaik my Go reimplementation (made for the observer only initially, later split into its own project) is the only reimplementation out there

that is written following original and ends up with the same bugs too :)

though many areas other than consensus are vastly different

<jbabb:cypherstack.com> I haven't worked on it in months but I'm pretty sure I got p2pool-rs connecting to mainnet

<jbabb:cypherstack.com> however

<jbabb:cypherstack.com> it's not being used for those purposes in that repo I linked, so its purpose has drifted from faithful reimpl to 'building blocks'

<jpk68:matrix.org> I have a cringe Zig implementation that will be finished in about 5 years

then you already have the software ids wrong

:)

yeah I have the building blocks that I reuse on other projects

<jpk68:matrix.org> A lot more is wrong than just that, believe me

for most monero stuff

I implement a couple more things, see... this table git.gammaspectra.live/P2Pool/consensus#libraries-in-this-package

ended up attaching quite some other monero things

<jbabb:cypherstack.com> I got sidetracked trying to see if I could optimize the mining algo to get any boosts from unified memory on apple. (I could not. 1-2% increase tops)

that's RandomX :P we had some fun looking at memory prefetch for V2

which btw. git.gammaspectra.live/P2Pool/go-randomx :)

includes JIT for amd64 as well, and JS/WASM JIT

<jbabb:cypherstack.com> mine is "just" a fork of mithril, that got mithril working, then tried to optimize for apple arm but not to outstanding results so I never published it

<jbabb:cypherstack.com> I should publish the "mithril, but working" bit though.

<jpk68:matrix.org> Mithril working? What a miracle

<jbabb:cypherstack.com> as in github.com/Ragnaroek/mithril ... I'll make a note to share back what is working

<r4v3r23> plowsof got a couple users that wanna upvote waiting on ccs account approvals

<double_z3r0:matrix.org> hello all