Sidebar

Deep Chain Reorganization Detected on Ethereum Classic (ETC) From Russian Carders

D

Deadshot

Well-known member
#1
Jan 23, 2019
94
10
8
#1
On 1/5/2019, Coinbase detected a deep chain reorganization of the Ethereum Classic blockchain. In order to protect customer funds, we immediately paused interactions with the ETC blockchain.​
Updated Jan. 7, 10:27pm PT: At time of writing, we have identified a total of 15 reorganizations, 12 of which contained double spends, totaling 219,500 ETC (~$1.1M). No Coinbase accounts have been impacted by the attack.​
We will continue to monitor the status of the network and update this article with the most recent information we have. Current ETC network status can be found
Background Info
Page 3 of Satoshi Nakamoto’s, Bitcoin: A Peer-to-Peer Electronic Cash System, states the following:
“If a majority of CPU power is controlled by honest nodes, the honest chain will grow the fastest and outpace any competing chains.”
The “honest[y]” of more than half of miners is a core requirement for the security of Bitcoin and any proof-of-work cryptocurrencies based on Bitcoin. Honest action, in this context, means following the behavior described in the Bitcoin white paper. This is sometimes described as a “security risk” or “attack vector,” but is more accurately described as a known limitation to the proof-of-work model.
Failure to meet this requirement breaks several core guarantees of the Bitcoin protocol, including the irreversibility of transactions. Many other cryptocurrencies, such as Ethereum Classic, have also adopted proof-of-work mining.
The function of mining is to add transactions to the universal, shared transaction history, known as the blockchain. This is done by producing blocks, which are bundles of transactions, and defining the canonical history of transactions as the longest chain of blocks*. If a single miner has more resources than the entirety of the rest of the network, this miner could pick an arbitrary previous block from which to extend an alternative block history, eventually outpacing the block history produced by the rest of the network and defining a new canonical transaction history.
This is called a “chain reorganization,” or “reorg” for short. All reorgs have a “depth,” which is the number of blocks that were replaced, and a “length,” which is the number of new blocks that did the replacing.
This, on its own, might end up being nothing more than a minor inconvenience. After all, the transactions all still exist, but they might have been put into a different order, perhaps delaying some of them. However, imagine a miner who also owns a large number of coins. The miner could send those coins to a merchant in a transaction, T, while also secretly extending an alternative block history. The miner’s secret blocks do not include T, but rather include a transaction that sends the same coins used in T to a different address. Call that transaction T’. When the miner reveals this secret history, it will contain T’, not T. Because T and T’ attempted to send the same coins and T’ is now in the canonical history, this means that T is forever invalid, and the recipient of the coins sent in transaction T never even received them in the new, now-canonical history. More info on this can be found here.


What we observed
Updated Jan. 7, 10:27pm PT.
We observed repeated deep reorganizations of the Ethereum Classic blockchain, most of which contained double spends. The total value of the double spends that we have observed thus far is 219,500 ETC (~$1.1M).
Timeline of events
  • Late on the evening of Saturday 1/5, our systems alerted us to a deep reorg in ETC that contained a double spend. Our on-call engineers responded to the alert and worked to confirm the report through the night. We determined that we would temporarily halt send/receive interaction with the ETC blockchain in order to safeguard customer funds.
  • This meant that customers who tried to send or receive ETC on Coinbase Consumer or Pro were unable to complete their transactions.


Customers who tried to send or receive ETC on Coinbase Consumer or Pro were unable to complete their transactions starting early Sunday morning, Pacific Time.
  • On the morning of Sunday 1/6 we posted an update on status.coinbase.com stating (that) “Due to unstable network conditions on the Ethereum Classic network, we have temporarily disabled all sends and receives for ETC. Buy and sell is not impacted. All other systems are operating normally.”


In addition to in-platform notifications, we shared an update via status.coinbase.com.
  • We performed an analysis on Sunday afternoon/evening to confirm the pattern and determine the key details of the double-spend attacks. Beginning Sunday afternoon, we observed 8 more incidents, all containing double spends.
  • Out of an abundance of caution, we did not put up a blog post prior to legal and technical review. A false alarm could have inadvertently caused market instability.
  • On Monday 1/7 morning after legal and technical review, we finalized our public analysis and posted to our blog and social media accounts.
Note: A full blockchain analysis is beyond the scope of this article. Further research into the addresses sending the double spend transactions, the history of sends/receives from the addresses, the block fields such as timestamp, and the subsequent movement of rewards from attack blocks may shed light on the threat actor or actors behind these attacks.
We observed the following deep chain reorgs:
  • Common ancestor:. /. No double spends were observed in this reorg. We noted that this was a reorg of unusual depth for ETC.
  • Common ancestor:. /. No double spends were observed in this reorg. We noted that a second reorg of unusual depth was highly suspicious, but did not necessary indicate an attack as there was no double spend and the depth was still below the ETC confirmation limit for most services.
  • Common ancestor:. /. A of value 600 ETC in orphaned block was double spent by a in attacker block 7249361**.
We ceased interacting with the ETC blockchain upon observing this reorg. Coinbase was not the target of this double spend and no funds were lost.
  • Common ancestor:. /. A of value 4,000 ETC in orphaned block was double spent by ain attacker block 7254435**
  • Common ancestor: 7254568. /. A of value 5,000 ETC in orphaned block 7254646 was double spent by a in attacker block 7254656**
  • Common ancestor: 7255033. /. A of value 9,000 ETC in orphaned block 7255055 was double spent by ain attacker block 7255066*
  • Common ancestor: 7255204. /. A of value 9,000 ETC in orphaned block 7255212 was double spent by ain attacker block 7255225**.
  • Common ancestor: 7255476. Depth 37 /. A of value 15,700 ETC in orphaned block 7255487 was double spent by ain attacker block 7255492**.
  • Common ancestor: 7255542. /. A of value 15,700 ETC in orphaned block 7255554 was double spent by ain attacker block 7255563**.
  • Common ancestor: 7255662. /. A of value 24,500 ETC in orphaned block 7255669 was double spent by a in attacker block 7255681**.
  • Common ancestor: 7255998. /. A of value 5,000 ETC in orphaned block 7256012 was double spent by ain attacker block 7256022**.
Updates as of 10:27pm PT, January 7
  • Common ancestor: 7261497. / Length 54. A of value 26,000 ETC in orphaned block 7261492 was double spent by a in attacker block 7261497**.
  • Common ancestor: 7261603. / Length 44. A of value 52,800 ETC in orphaned block 7261610 was double spent by a in attacker block 7261614**.

  • Common ancestor: 7261676. / . A of value 52,200 ETC in orphaned block 7261684 was double spent by a in attacker block 7261690**.
Next Steps
The Coinbase team is currently evaluating the safety of re-enabling sends and receives of Ethereum Classic and will communicate to our customers what to expect regarding support for ETC. Coinbase takes security very seriously. As part of that commitment, we monitor blockchains for activity that could be harmful to our customers and take prompt action to safeguard funds. We want to emphasize to customers that Coinbase strives to be the most trusted and safest place to buy, sell, or store cryptocurrency.
* It is actually the chain with the most accumulated work, rather than the chain with the most blocks, that defines the canonical history. In most cases, these chains will be the same
** The block explorer does not properly handle reorgs and labels the transaction as confirmed. Click on the block to see that the block is orphaned.
This website may contain links to third-party websites or other content for information purposes only (“Third-Party Sites”). The Third-Party Sites are not under the control of Coinbase, Inc., and its affiliates (“Coinbase”), and Coinbase is not responsible for the content of any Third-Party Site, including without limitation any link contained in a Third-Party Site, or any changes or updates to a Third-Party Site. Coinbase is not responsible for webcasting or any other form of transmission received from any Third-Party Site. Coinbase is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement, approval or recommendation by Coinbase of the site or any association with its operators.
Unless otherwise noted, all images provided herein are by Coinbase.
 
You must log in or register to reply here.

Log in

Forgot your password?

Online statistics

Members online
1
Guests online
69
Total visitors
70
Totals may include hidden visitors.
  1. 1
    Deepfake and AI Technology in Social Engineering
    Roman Alex
  2. 2
    Ransomware 2.0
    Roman Alex
  3. 3
    AI-Powered Phishing Scams
    Roman Alex
  4. 4
    PayloadAllTheThings: A collection of various payload scripts and techniques for different stages of penetration testing.
    Roman Alex
  5. 5
    TheFatRat: A tool that generates undetectable payloads for bypassing antivirus solutions
    Roman Alex
  6. 6
    PowerShell Empire: A post-exploitation framework that primarily utilizes PowerShell for payload delivery and command execution
    Roman Alex
  7. 7
    BeEF (Browser Exploitation Framework): A tool focused on exploiting web browser vulnerabilities
    Roman Alex
  8. 8
    Cobalt Strike: A commercial penetration testing tool
    Roman Alex
  9. 9
    Veil Framework
    Roman Alex
  10. 10
    Metasploit Framework:
    Roman Alex
  11. 11
    Hey Guys
    Romanbonus
  12. 12
    I am So happy today my second deal completed Directly with Roman Alex
    Gracesmith666
  13. 13
    Amazing Outstanding i Got 1500$ PayPal transfer From Roman Alex
    mullions14564
  14. 14
    Escrow payment is Sent
    Gracesmith666
  15. 15
    Hello I'm From Bulgaria i want Western Union transfer
    Moneyneedgood112
Top Bottom