Double Stake Reward Proof-of-Stake Fix - 40+ VULNERABLE So recently the Doge

1. Double Stake Reward Proof-of-Stake Fix - 40+ VULNERABLE
2.  
3. So recently the DogeCash team posted about an issue we had to patch, in somewhat secrecy. Followed by a post about why with some information.
4.  
5. But here is what is going on, there's this bug that stems from 2 codebases. Any code base of PIVX 2.7 forks are vulnerable as well as any Trittium codebase to date, currently.
6.  
7. The following was commented out of main.cpp causing a double reward to not be checked.
8.  
9. // for any real tx this will be checked on AcceptToMemoryPool anyway
10. // if (Params().RequireStandard() && !IsStandardTx(tx, reason))
11. // return state.DoS(0,
12. // error("AcceptableInputs : nonstandard transaction: %s", reason),
13. // REJECT_NONSTANDARD, reason);
14.  
15. The problem here is now we are not checking for a standard TXID allowing for a duplicate.
16.  
17. if (pindex->nStatus & BLOCK_HAVE_DATA) {
18. // TODO: deal better with duplicate blocks.
19. // return state.DoS(20, error("AcceptBlock() : already have block %d %s", pindex->nHeight, pindex->GetBlockHash().ToString()), REJECT_DUPLICATE, "duplicate");
20. return true;
21. }
22.  
23. So as you can see that we were no longer checking if the block has data and then immediately returning true.
24. There comes blocks with junk data and someone reaping double rewards.
25.  
26. During the investigation, as we said any coins forked from PIVX 2.7 are vulnerable to the double reward.
27.  
28. Any Trittium codebase is vulnerable period. With the exploit currently on their chain now. It has been reported, but we will see what occurs as we hope most fix the problem as it's active.
29.  
30. The exploiter on our chain has been blocked and his coins are essentially burned. Simply by restoring checks on duplicate inputs by checking if the previous transaction exists and was not in the previous transaction. Now we are validating again the data in the block hash and checking transactions more closely.
31.  
32. By having to do a fork and activating Spork 14 for minimum protocol enforcement, we are able to check by block height for our block reward amount with the current mint and now expected mints. Since before there was no need, next we added a check for bad address actors, those bad addresses were checked by hashing the addresses and comparing the input for a transaction to those addresses. If matched they are unable to send coins. Effectively locking out the exploiter and shutting down the operation.
33.  
34. Our code for the mitigation can be found on our github rather than reposting it all here where you can see in total revisions. This way it may be easier for other groups to glean how to.
35.  
36. https://github.com/dogecash/dogecash/commit/75a7208d520573918618788ddf5548fad8767f31
37.  
38. We hope for this news to get out to other forks than the ones we have contacted. Since there are many forks of both the aforementioned codebases we have tried to reach out to them and some main forks.
39.  
40. As these should be monitored by the forked coins and will notice and update themselves accordingly.
41.  
42. In a bear market time such as this it's terrible to see someone subject so many to some intentional mistakes. While they reap profits and watch the groups suffer.
43.  
44. I hope this information is able to help others in their ventures with developing successful cryptocurrencies.
45.  
46. Vulnerable:
47. Abet
48. Pivx
49. ByteCoin
50. APR Coin
51. Vitae Token
52. BEE Coin
53. 401k Coin
54. Venos
55. Dividend Cash
56. Divi
57. Quantis
58. Phore
59. ColossusXT
60. DRIP
61. Dash Green
62. Bulwark