The anatomy of Ravencoin exploit finding

July 06, 2020

Now that the source of the Ravencoin blockchain exploit fix has been published on the Ravencoin GitHub, I can share how the exploit was detected and what the initial findings were.

Last month I found a bug in my Solus explorer, and while fixing it I had to modify the database structure and completely re-sync the explorer. This process finished on the afternoon of June 29, 2020, and when the last blocks were synced I started to verify the Ravencoin explorer instance. After a few minutes I noticed that suspicious transactions with unbalanced VOUTs had been detected and properly marked by the explorer.

Picture 1: “Illegal Supply” address page.

Well, keeping in mind that I had just re-synced the explorer due to the bug, I thought it was just another one… Anyway, I started to check and was really surprised by the unbalanced coin supply, which was around 275 million RVN at that moment. What I found was very suspicious: a “reissue_asset” VOUT in the transaction had not only an asset amount but also an RVN value, which was unexpected. Looking at the list of transactions grouped under the virtual “Illegal Supply” address, I found a pattern in the suspicious transactions: there was one transaction injecting 500k RVN approximately every 2 hours. The first transaction using this exploit was found in block #1224614 on May 09 2020 19:21:06 (UTC).
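The balance check described above can be sketched as follows. This is an added example, not the Solus explorer's code: the flattened transaction layout, the function names and all sample values are assumptions constructed for illustration, and only the “reissue_asset” type name comes from the post.

```python
from decimal import Decimal

# Script type named in the post; add other asset script types your node reports.
ASSET_TYPES = {"reissue_asset"}

def audit_tx(tx, utxos):
    """Return findings for one transaction; utxos maps (txid, n) -> Decimal."""
    if any("coinbase" in vin for vin in tx["vin"]):
        return []  # block rewards create coins by design and need a separate check
    total_in = sum((utxos[(v["txid"], v["vout"])] for v in tx["vin"]), Decimal(0))
    total_out, findings = Decimal(0), []
    for out in tx["vout"]:
        value = Decimal(out["value"])
        total_out += value
        # An asset output is expected to carry an asset amount only, no coin value.
        if out["type"] in ASSET_TYPES and value != 0:
            findings.append(("asset_vout_carries_coin", out["n"], value))
    # Outputs may never exceed inputs; any excess is newly created supply.
    if total_out > total_in:
        findings.append(("unbalanced", None, total_out - total_in))
    return findings

def illegal_supply(txs, utxos):
    """Sum the excess of every unbalanced transaction."""
    return sum((amount for tx in txs for kind, _, amount in audit_tx(tx, utxos)
                if kind == "unbalanced"), Decimal(0))

# Constructed sample data (not real chain data): one ordinary reissue, one suspicious.
UTXOS = {("a" * 64, 0): Decimal("150"), ("b" * 64, 0): Decimal("150")}
TX_OK = {"txid": "c" * 64,
         "vin": [{"txid": "a" * 64, "vout": 0}],
         "vout": [{"n": 0, "value": "149.99", "type": "pubkeyhash"},
                  {"n": 1, "value": "0", "type": "reissue_asset"}]}
TX_BAD = {"txid": "d" * 64,
          "vin": [{"txid": "b" * 64, "vout": 0}],
          "vout": [{"n": 0, "value": "149.99", "type": "pubkeyhash"},
                   {"n": 1, "value": "500000", "type": "reissue_asset"}]}

if __name__ == "__main__":
    for tx in (TX_OK, TX_BAD):
        print(tx["txid"][:8], audit_tx(tx, UTXOS))
    print("illegal supply:", illegal_supply([TX_OK, TX_BAD], UTXOS))
```

Running the same audit over every non-coinbase transaction and summing the excess gives the running oversupply figure an explorer can track per block.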

Immediately after detecting the issue we had a short chat within the CryptoScope team and decided to try to reach Tron as soon as possible and, in parallel, to try to reproduce the exploit transaction using the standard asset re-issue procedure. As we expected, we were not able to reproduce it without making intentional changes in the wallet. So, at that moment we were sure that it was not an accidental finding of the exploit, but an intentionally planned activity.

Within an hour or so we succeeded in reaching Blondfrogs and bringing the issue to his attention. The response was fast, and the problem got the highest possible priority. At the same time the Ravencoin dev team asked us, if possible, to reduce the probability that other intruders could find the exploit before the patch was available. So, we decided to close public access to the Solus explorer for the duration of the patch development. We were putting some pressure on the Ravencoin dev team (which probably was not needed), and it was perfectly understood.

The issue was announced to the community and the fixed wallet went public on July 03, 2020. Thanks to the efforts of the Ravencoin team, the patch was adopted fast and the new protocol was enforced at block #1304352 on July 4, 2020 13:26:27 (UTC). Unfortunately, a few hours before protocol enforcement another 4.8M RVN were injected into the network using the same exploit.

At the moment of the new protocol enforcement, the total oversupply injected into the Ravencoin blockchain using the exploit was slightly above 301,804,400 RVN. According to the basic movement tracking we did, a large part of the coins was first split between different addresses and then transferred to the exchange using a few deposit addresses. Using random checks we identified that at least 3 addresses were used:

After Tron’s post calling on the intruders to burn the coins obtained through the exploit, a few million RVN were already burned.

Up to this moment, a bit more than 3,901,988 RVN have been burned, and we encourage the intruders to burn the remaining part as well.

I want to say thank you to Tron, Blondfrogs and Pho3nix Monk3y for their prompt reaction to the detected issue and fast resolution of the wallet software bug, and to the whole Ravencoin community for the fast adoption of the wallet fix. A big thank you to my team members who supported me and contributed to the investigation of the issue.

unclear0122 and CryptoScope team.

P.S.: We leave it up to the Ravencoin development team to share with the community the details of the code bug, how it appeared in the wallet code and what lessons were learned from this attack on the project.

P.P.S.: For those developers and crypto enthusiasts who forked the Ravencoin code before the fix, please consider reviewing your code and fixing the issue to avoid an unwanted experience in the future.
