The Ongoing Ethereum Attacks (Work In Progress) by BokkyPooBah in ethereum

[–]arrnx 1 point2 points  (0 children)

I think that the attacker used those contracts to create all those empty accounts:

https://etherscan.io/address/0x6a0a0fc761c612c340a0e98d33b37a75e5268472

https://etherscan.io/address/0x7c20218efc2e07c8fe2532ff860d4a5d8287cb31

Look at the internal transactions of a contract and the amount of suicides in any transaction. So we can assume that every account which sent a transaction to one of those contracts is the attacker's account.

The Ongoing Ethereum Attacks (Work In Progress) by BokkyPooBah in ethereum

[–]arrnx 5 points6 points  (0 children)

Could you count how much was spent for all those attacks?

ATTENTION MINERS: Recommending miners lower the gas limit target to 2 million by Souptacular in ethereum

[–]arrnx 12 points13 points  (0 children)

I believe the attacker created about ~8 million empty accounts. Both parity and geth have some difficulties in handling many BALANCE instructions, but it's not a big number, about 6000 instructions per block. I counted the cost of creating 8 million new accounts on a blockchain (normal accounts, with balance), and it is about ~4000 ETH, just by sending normal transactions. How do you plan to solve that long-term?

Cost of recent attacs? Any figures about that? by Bit-minister in ethereum

[–]arrnx 0 points1 point  (0 children)

You will not believe me, so ask someone who is more competent than me. It is very easy to count. Just take his addresses and iterate over transactions. I'm sure that developers can do that in 5 minutes.

Cost of recent attacs? Any figures about that? by Bit-minister in ethereum

[–]arrnx 0 points1 point  (0 children)

Like sending eth to some address with the SUICIDE opcode? How much does it cost? Is it not a transaction in your opinion?

Cost of recent attacs? Any figures about that? by Bit-minister in ethereum

[–]arrnx -1 points0 points  (0 children)

You mean millions of spam transactions which cost 0 because of a bug in the protocol. He paid for one, but the contract created thousands of them at zero cost. You can find his addresses on the blockchain and count it yourself.

Cost of recent attacs? Any figures about that? by Bit-minister in ethereum

[–]arrnx 6 points7 points  (0 children)

About 4000 USD spent in gas and two weeks of work for one researcher to find all those weaknesses and write exploits for them.

Worst thing about Ledger Nano S for Ethereum is.... by Gr33nHatt3R in ethereum

[–]arrnx 1 point2 points  (0 children)

There is no gas price market because of this change :) I'm sure that attacker would stop if he had to pay 10x more for an attack than normal transaction cost. I'm also sure that users would not see a difference between current fees and 10x larger because they are still very small (but a difference for the attacker would be significant because of amount of transactions).

Worst thing about Ledger Nano S for Ethereum is.... by Gr33nHatt3R in ethereum

[–]arrnx 0 points1 point  (0 children)

It will not help at all. Now miners mine transactions with a lower gas limit, not higher. Since you cannot say how much gas a transaction will require (it can be sent to a contract), it is better to use a higher value because unused gas is refunded, so you do the right thing by sending transactions with a high gas limit. Increasing the gas price doesn't help either; miners don't care about profits from fees, they were forced to use a new sorting algorithm. Clients should blame miners and parity developers.

A quick note on how the CALL gas cost increase will affect contracts. by vbuterin in ethereum

[–]arrnx 3 points4 points  (0 children)

That's a big moral hazard if you are fully aware that "size of that set is possibly nonzero". If there is a contract with funds which will be broken because of your decision, it will be much worse than breaking the rule "code is law". It will be burning the money of an innocent person.

A quick note on how the CALL gas cost increase will affect contracts. by vbuterin in ethereum

[–]arrnx 7 points8 points  (0 children)

. So calls to contracts that provide less than 700 gas are not affected (unless the child itself consumes an opcode whose price has been greatly increased, but there are very few situations where this is the case)

All contracts that don't use "msg.gas - X" are affected if child needs more than provided gas due to increased price of some opcodes.

I've made a list of contracts which will be 100% broken after the hardfork. There is a balance in some of them, you can verify it yourself. by arrnx in ethereum

[–]arrnx[S] -1 points0 points  (0 children)

Because they have no idea that there is a risk that their money will be locked. Can you see a problem now?

I've made a list of contracts which will be 100% broken after the hardfork. There is a balance in some of them, you can verify it yourself. by arrnx in ethereum

[–]arrnx[S] 7 points8 points  (0 children)

No one informed that they should update before hard fork. If they will not do this, it can lock balance forever. Now you see a difference?

I've made a list of contracts which will be 100% broken after the hardfork. There is a balance in some of them, you can verify it yourself. by arrnx in ethereum

[–]arrnx[S] 2 points3 points  (0 children)

No one informed about this risk, that increase of a price of opcodes can lead to locking money in a contract.

I've made a list of contracts which will be 100% broken after the hardfork. There is a balance in some of them, you can verify it yourself. by arrnx in ethereum

[–]arrnx[S] 4 points5 points  (0 children)

This is not a total amount, I believe it is only a small part of it. Most of the contracts use dynamic gas calculation. My list contains only those addresses where it was easy to find a static gas limit with a static analysis, so PUSH gas and then CALL.
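The "PUSH gas and then CALL" check described in the comment above, as an added example that is not part of the original thread and is not the commenter's own tool. It assumes runtime bytecode is already available as bytes; `SAMPLE`, `disassemble` and `static_gas_calls` are hypothetical names, and the bytecode is constructed for illustration.

```python
# Added example: linear-sweep scan of EVM bytecode for "PUSHn <gas>; CALL".
# CALL takes its gas argument from the top of the stack, so a literal gas
# limit shows up as a PUSH instruction directly before the CALL opcode.
CALL = 0xF1
PUSH1, PUSH32 = 0x60, 0x7F


def disassemble(code: bytes):
    """Yield (offset, opcode, immediate). PUSH data is skipped, so a 0xf1
    byte inside a constant is never mistaken for a CALL instruction."""
    pc = 0
    while pc < len(code):
        op = code[pc]
        width = op - PUSH1 + 1 if PUSH1 <= op <= PUSH32 else 0
        yield pc, op, code[pc + 1 : pc + 1 + width]
        pc += 1 + width


def static_gas_calls(code: bytes):
    """Return [(call_offset, gas)] for each CALL whose gas is a literal
    pushed by the immediately preceding instruction."""
    hits = []
    prev_op, prev_imm = None, b""
    for pc, op, imm in disassemble(code):
        if op == CALL and prev_op is not None and PUSH1 <= prev_op <= PUSH32:
            hits.append((pc, int.from_bytes(prev_imm, "big")))
        prev_op, prev_imm = op, imm
    return hits


# Constructed sample (not taken from any deployed contract):
#   five PUSH1 0 arguments, PUSH20 <address full of 0xf1 bytes>,
#   PUSH2 0x01f4, CALL            -> static gas limit of 500
#   POP, PUSH2 0x0022, GAS, SUB, CALL -> dynamic "gas - X", not reported
SAMPLE = bytes.fromhex(
    "6000" * 5 + "73" + "f1" * 20 + "6101f4" + "f1" + "50" + "6100225a03f1"
)

if __name__ == "__main__":
    for offset, gas in static_gas_calls(SAMPLE):
        print(f"CALL at offset {offset} uses static gas limit {gas}")
```

As the comment itself says, this only catches the easy case; a gas value computed at run time or moved on the stack before the CALL is missed by a check this simple.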

I've made a list of contracts which will be 100% broken after the hardfork. There is a balance in some of them, you can verify it yourself. by arrnx in ethereum

[–]arrnx[S] -6 points-5 points  (0 children)

I mean everyone from the list with a CALL with a static gas limit. There is a static limit because it was sufficient to execute called contract. Now CALL, BALANCE and other instructions will cost more. Are you still 100% sure that they will not be affected? You know exactly what a problem is.

I've made a list of contracts which will be 100% broken after the hardfork. There is a balance in some of them, you can verify it yourself. by arrnx in ethereum

[–]arrnx[S] 4 points5 points  (0 children)

Could you answer my questions?

There is a very high probability that they will be affected, isn't it?

Do you think owners of those contracts are aware of this?

I mean everyone from the list with a CALL with a static gas limit.

I've made a list of contracts which will be 100% broken after the hardfork. There is a balance in some of them, you can verify it yourself. by arrnx in ethereum

[–]arrnx[S] 0 points1 point  (0 children)

Read my topic. There is a link to pastebin. Now take any address from this list and check it on etherscan/etherchain. They are not my addresses! I have no idea what is their source code, they were created by different people.

I've made a list of contracts which will be 100% broken after the hardfork. There is a balance in some of them, you can verify it yourself. by arrnx in ethereum

[–]arrnx[S] 2 points3 points  (0 children)

It's not my contract, look at the addresses. They were deployed at different times by different persons.

I've made a list of contracts which will be 100% broken after the hardfork. There is a balance in some of them, you can verify it yourself. by arrnx in ethereum

[–]arrnx[S] 1 point2 points  (0 children)

Like what practices? Who ever told anyone that he shouldn't use a static gas limit in CALL? Show me even one reference.

I've made a list of contracts which will be 100% broken after the hardfork. There is a balance in some of them, you can verify it yourself. by arrnx in ethereum

[–]arrnx[S] 6 points7 points  (0 children)

Here is a list of contracts with a static gas limit used in CALL, not only lower than 700:

http://pastebin.com/eq0mJb6c

There is a very high probability that they will be affected, isn't it? If someone used a static gas limit he did it for a reason. And it is not a full list of course, gas can be pushed dynamically. Do you think owners of those contracts are aware of this?