06:12:02 <sech1> PSA for all P2Pool users: https://www.reddit.com/r/Monero/comments/1u1tt1p/psa_critical_p2pool_security_update/
06:47:49 <plowsof> thanks sech1
06:51:34 <br-m> <monerobull:matrix.org> sech1: Did you find it with Claude?
06:52:20 <sech1> No
06:52:41 <sech1> But I used Claude to confirm that it's real, and Claude even found an easier way to exploit it
06:52:55 <sech1> DataHoarder confirmed it too once I sent him the description
06:53:25 <plowsof> for a critical, end-game type vulnerability, would people be willing to run signed closed source binary in the run up to the open source release?
06:54:11 <sech1> This is not an end-game. Worst case, miners will be mining to the attacker's wallet for a while. If we detect it being exploited, we'll release the patch immediately.
06:54:32 <sech1> I will prepare the release binaries in advance of course
06:55:00 <sech1> But the thing is, if I release them, the binary diff will show where the fix is. Reproducible builds reduce the noise to the minimum, so it will be easy to find.
06:55:09 <plowsof> are there any on chain metrics available to see if this has been exploited previously? or more realistically - if the exploit happens after release? or can those effected prove 'it' happened?
06:55:32 <sech1> Yes, it can be easily detected on-chain
06:55:33 <plowsof> "the binary diff" indeed, did not consider that 
06:57:43 <plowsof> just add quotes from the b-movie movie in every file so the diff is larger
07:00:46 <plowsof> rot13 b-movie comment encryption*
07:10:21 <DataHoarder> plowsof: observer keeps historical shares so I'll be running a scan to see if any was used
07:11:07 <DataHoarder> I also am releasing patched versions of mine but I don't release binaries. So along other changes there will be the affected one
07:11:44 <br-m> <plowsof:matrix.org> nice, could add a notice to your page also https://p2pool.observer/
07:12:39 <DataHoarder> Yes, for that I have to release a new version I think :D
07:13:09 <DataHoarder> It's split from consensus code so should be fairly easy to do across all
07:41:45 <DataHoarder> It's now as a header field
07:48:30 <DataHoarder> plowsof, sech1: no historical exploitation on stored shares on observer for Main/Mini/Nano
08:16:57 <plowsof> thanks for confirming this 🙏
12:17:42 <br-m> <4rkal> https://cyphergoat.com/this-week-in-monero/issue-34
17:20:22 <br-m> <tomdooley:matrix.org> the worst that can happen with this exploit is that you wont get your mining payout? > <DataHoarder> plowsof, sech1: no historical exploitation on stored shares on observer for Main/Mini/Nano
17:21:02 <sech1> yes, mining payouts will be smaller or completely non-existant
17:21:06 <sech1> if it's exploited
17:22:26 <br-m> <tomdooley:matrix.org> was this a mythos find?
17:22:44 <br-m> <ofrnxmr:xmr.mx> no
17:22:58 <br-m> <ofrnxmr:xmr.mx> it was found by sech1, and then confirmed by opus
17:23:11 <br-m> <ofrnxmr:xmr.mx> opus couldnt find it
17:28:20 <br-m> <syntheticbird> ai assisted = made by ai
17:28:23 <br-m> <syntheticbird> even more true when its anthropic
17:28:33 <br-m> <syntheticbird> so sech1 didn't found the vulnerability, opus did
17:28:37 <br-m> <syntheticbird> Q.E.D AGI tomorrow
17:29:25 <br-m> <plowsof:matrix.org> DataHoarder v 9.0 has found many vulnerabilities also 
17:29:47 <br-m> <plowsof:matrix.org> p2pool is in safe hands
17:29:48 <DataHoarder> across the years, porting to Go code, reimplementing, fuzzing etc.
17:30:18 <DataHoarder> here's a list of hardfork-possible related ones (and benign upgrades) https://git.gammaspectra.live/P2Pool/consensus/src/branch/master/docs/HARDFORKS.md
17:33:28 <br-m> <jbabb:cypherstack.com> DataHoarder: this is very helpful thanks.  will use to update the mostly-unreleased p2pool-rs ( https://github.com/sneurlax/xmr-wow/tree/main/deps/p2pool-rs , never published to crates tho, as I haven't validated it working on mainnet recently)
17:34:48 <DataHoarder> oh! I'd recommend you take a look around https://git.gammaspectra.live/P2Pool/consensus in general, as I have support for all P2Pool share versions if you want historical context
17:35:21 <DataHoarder> and different stratum/merge mining that supports multiple addresses on one node via reserving some slots
17:48:45 <br-m> <takane0:matrix.org> Hello,
17:48:45 <br-m> <takane0:matrix.org> Since the website mentioned to send an introduction here, nice to meet you all.
17:48:45 <br-m> <takane0:matrix.org> I'm Takane, i'm a cybersecurity student and currently working on my Armadillo-Node project for monero nodes. :)
17:50:43 <br-m> <jbabb:cypherstack.com> DataHoarder: is there a 'canonical' p2pool impl in Rust yet?  I also didn't want to publish a p2pool-rs crate because I don't really have the bandwidth to maintain it.  I'd rather contribute to someone else's p2pool-in-rust project rather than sharing something nobody except me may ever use :)
17:50:43 <br-m> <jbabb:cypherstack.com> I saw p2pool-v2 (I forget the repo name) for bitcoin but that seemed abandoned iirc
17:50:56 <br-m> <jbabb:cypherstack.com> @takane0:matrix.org: and sorry to distract from your introduction.  Nice to meet you @takane0:matrix.org
17:51:32 <DataHoarder> there isn't. I'd recommend exposing a crate that implements the underlying stuff and split the binary elsewhere (like my go-p2pool is a different repo that just consumes this)
17:51:33 <br-m> <takane0:matrix.org> @jbabb:cypherstack.com: Oh no problem, I'm sure there's a lot of work going on here. Nice to meet you Josh
17:52:16 <DataHoarder> afaik my Go reimplementation (made for the observer only initially, later split into its own project) is the only reimplementation out there
17:52:30 <DataHoarder> that is written following original and ends up with the same bugs too :)
17:52:43 <DataHoarder> though many areas other than consensus are vastly different
17:53:21 <br-m> <jbabb:cypherstack.com> I haven't worked on it in months but I'm pretty sure I got p2pool-rs connecting to mainnet
17:53:21 <br-m> <jbabb:cypherstack.com> however
17:53:21 <br-m> <jbabb:cypherstack.com> it's not being used for those purposes in that repo I linked, so its purpose has drifted from faithful reimpl to 'building blocks'
17:53:31 <br-m> <jpk68:matrix.org> I have a cringe Zig implementation that will be finished in about 5 years
17:53:54 <DataHoarder> then you already have the software ids wrong
17:53:59 <DataHoarder> :)
17:54:24 <DataHoarder> yeah I have the building blocks that I reuse on other projects
17:54:26 <br-m> <jpk68:matrix.org> A lot more is wrong than just that, believe me
17:54:27 <DataHoarder> for most monero stuff
17:54:58 <DataHoarder> I implement a couple more things, see... this table https://git.gammaspectra.live/P2Pool/consensus#libraries-in-this-package
17:55:13 <DataHoarder> ended up attaching quite some other monero things
17:55:14 <br-m> <jbabb:cypherstack.com> I got sidetracked trying to see if I could optimize the mining algo to get any boosts from unified memory on apple.  (I could not. 1-2% increase tops)
17:55:41 <DataHoarder> that's RandomX :P we had some fun looking at memory prefetch for V2
17:56:00 <DataHoarder> which btw. https://git.gammaspectra.live/P2Pool/go-randomx :)
17:56:27 <DataHoarder> includes JIT for amd64 as well, and JS/WASM JIT
17:56:58 <br-m> <jbabb:cypherstack.com> mine is "just" a fork of mithril, that got mithril working, then tried to optimize for apple arm but not to outstanding results so I never published it
17:56:58 <br-m> <jbabb:cypherstack.com> I should publish the "mithril, but working" bit though.
17:57:46 <br-m> <jpk68:matrix.org> Mithril working? What a miracle
17:57:57 <br-m> <jbabb:cypherstack.com> as in https://github.com/Ragnaroek/mithril ... I'll make a note to share back what is working
21:06:23 <br-m> <r4v3r23> plowsof got a couple users that wanna upvote waiting on ccs account approvals
21:39:06 <br-m> <double_z3r0:matrix.org> hello all