> After investigation I discovered that 20 different accounts had sent a transaction to the attacker’s address, but only 9 were accounts which previously reused a nonce. What about the other 11? How did the attacker get their money? I’m not sure.
Perhaps a transaction reusing a nonce made it to the mempool, but the attacker, watching the mempool, immediately submitted (or even cooperated with a mining pool to) a transaction emptying the sending account, using a much larger fee to push out the other transaction. That would leave no trace of the nonce reuse on chain.
That is a viable possibility, yes. You wouldn't need a "much larger fee" though, just 120% of the other transaction's fee would be enough to secure prioritisation over it.
One thing I would point out is that when calculating r, the equation r=k*G mod N is somewhat misleading. G is not a number, but rather an (X,Y) point on an elliptic curve. There is a way to "add" two points on an elliptic curve but it is a group operation which is very unlike normal addition. "Multiplication" still exists between a scalar and a point but refers to a number of point self-additions.
So really R=k*G generates a new point R, where k is the nonce and G is a point that is part of the ECDSA standard. Then r is taken as the x-coordinate of R.
It is easy to derive k in b=k*a mod N if you know a and b, but nearly impossible to derive k in B=k*A if B is k self-additions of A on an elliptic curve.
Crypto wallet vulnerabilities related to ECDSA nonce reuse were already a thing in 2013 [1], so it's not surprising that there are bots waiting for this.
Well, yes. If you're not willing to lose 100% of your investment to any security hole that may be discovered anywhere in the entire stack of software running on any machine from which you access your crypto account, you shouldn't invest in crypto.
Arguably, bug bounties are always paid for by users. A vendor might write the bounty-winner’s check, but the source of the vendor’s funds is the vendor’s customers.
Dan: Maybe I’m like a predator in this environment where… In this case, I was a white hat hacker, but maybe I’m a black hat hacker. Maybe I’m trying to take money from a smart contract. And I think I’m so smart. Like I put a bunch of effort into figuring out this way to steal this money from it. And as soon as I go to do that, just this whale comes up from the deep and just devours me whole. I think I’m actually at the top of the food chain and I’m not even close.
I mined Bitcoin in 2012, worked in crypto and mostly stopped doing other stuff a few years ago.
I mostly don't touch, like or welcome meme shitcoins. I think NFTs are as much a grift as ICOs were in 2017, etc. etc.
I still love the tech. I still love the mindsets of the people I got to meet through crypto and while there is a lot of BS, there are also a lot of very smart people working to build things that give us a fighting chance to take back some of the control and privacy that we have surrendered to FAANG and co.
So, criticize away. Or just shit on it if you want, which is what some of HN is really doing. It changes nothing. I for one am grateful for everything constructive being said, because it paves the way to a future I and many others are hopeful and excited about.
To me the crypto anarchists seem a bit like gun enthusiasts in claiming that their passion will allow them to resist a corrupt government or powerful corporations. It doesn't end up happening, but I bet it makes your subculture feel more important than others.
> To me the crypto anarchists seem a bit like gun enthusiasts in claiming that their passion will allow them to resist a corrupt government or powerful corporations, it just doesn't end up happening.
If there is something I can recommend, it is not to define a "subculture", sector or movement by its most extreme outliers. Makes for a pretty bleak outlook on life.
> I bet it makes your subculture feel more important than others though.
That's how some people think no matter where you look, including startups and VC.
I'm just having fun, but I don't feel particularly important. Yeah, thinking there is some good to be done, some meaning in the things you spend time on is part of what makes them fun, but I could find that in a dozen other industries, too.
I think it's been definitively proven that a group of ideologically devoted people can resist even the most powerful government. See Vietnam vs. USA and Afghanistan vs. Britain / USSR / USA. When people say gun enthusiasts (or privacy enthusiasts, or crypto enthusiasts, or any group) could never resist the government, it doesn't make any sense because we watched trillions of dollars spent by governments fail at exactly that.
Sure. But that requires those people to actually be ready to dedicate their lives to the fight.
Currently, the US is the closest it's ever been to losing democracy, and the gun nuts are cheering on those who are destroying it. So not going to be expecting much out of them, I'm afraid.
I started mining in 2011, blogged about how to do it with scripts as early as Ubuntu 8.04.
Blog has since been wiped, most of my traffic was coming from China. I decided it was a bad idea to talk about money on the internet: see the first and second rule(s) of Fight Club. I should not enable mining bots with bash shell scripts on my blog.
We share some thoughts. NFTs only make sense to me if you are using them inside of some meta-realm as a form of validation. ICOs were scams and the memecoins are scams and the YouTubers shilling this stuff are scammers as far as I'm concerned. I watched a video the other day of MrBeast and some other YouTubers laughing about shilling cryptopunks. Pretty sad life if you ask me.
If the market grows on its own and I didn't promote it or shill it, does that not mean it's legitimate?
I thought Ethereum was a pre-mine scam at first (kinda still do) but the market has spoken and all of these cryptos are just big pools of liquidity to swim in now. ETH has enabled and built some wild things like AAVE and AMMs but it's difficult to understand the value proposition in 2021/2022 - other than just big pools of liquidity. I think L2 scaling on Ethereum has huge potential.
I stayed off-market until 2017 and then I had to pay a few years worth of salary in taxes to the government because I got jiggy with the first ATH in 2017 as the knife was falling.
2021 has been interesting. A decade into this crypto thing, very little has stopped it. It's difficult to stop an idea once the genie is out of the bottle.
Yes, I believe Proof of Work is a race to the bottom; but it might just be the thing that fairly and accurately prices energy usage one day. I ran 16 GPUs sucking down nearly 3kW around the clock for ~24 months and then I had to shut down the operation because of difficulty and I could no longer afford the electricity.
Am I destroying the planet? I don't know. I'm retired from proof of work mining.
I'm a staker now ;-)
> I thought Ethereum was a pre-mine scam at first (kinda still do)
This hits home. I really refused to acknowledge Ethereum for a long time, because I thought smart contracts and their need for oracles were stupid. Shifting around trust, instead of eliminating it. Security by obscurity, but for trust, is how I thought of it.
I agree with and share the sentiment of the rest you're saying also. Bitcoin and PoW generally are no longer interesting or useful to me, but I also feel sometimes like I haven't really warmed up to the rest of the sector yet.
I only mined with my desktop GPU. While I considered it, I never took the plunge and scaled up - instead I just bought more Bitcoin and sat on them for a little while, before I transitioned to other coins and tokens completely.
You're the most reasonable crypto-enthusiast I think I've seen on this site but your position is tainted by this fact, for me.
I saw in a sibling comment that you suggest people not judge sub-cultures for their outliers - fair enough. Can I at least express concern for them? These people are getting scammed. Full stop. Not nearly enough is being done about it from within the crypto community and even from outside of it.
I don't know how to respond to these types of arguments. For now, here's a comment I made elsewhere on HN earlier today explaining why:
> There are many crypto-enthusiasts for whom no level of rigor [counter to crypto] will ever satisfy them despite being obsessed with various "whitepapers" which are mostly marketing fluff. They endlessly defer to various whataboutisms until you find out they are taking an inherently political position (usually some sort of neo-libertarian) and hence the "merits" of the proposed currency _really_ only apply to people who are disenfranchised by existing economic systems. Usually, little is said of how to improve existing systems as that challenges the notion that the status quo is so flawed that it needs to be replaced wholesale. Any idea how to refute crypto to these folks?
Become similarly disenfranchised, or perhaps study the > $1.5T worth of users who are — instead of arguing, and telling them they're wrong (they don't care — why?).
Some degree of inflation is a really good thing for the health of an economy, as is the ability of central banks to create money as stimulus in hard times.
> You're the most reasonable crypto-enthusiast I think I've seen on this site but your position is tainted by this fact, for me.
Can you elaborate on why this taints my position? It wasn't a statement of opinion or an endorsement of Bitcoin, or proof of work. I was just giving a timeline on how long I have been involved with crypto currencies.
It implied a degree of success in the crypto markets to me but I'll admit I was reading into things a bit much - I have no idea how much Bitcoin was worth back then vs. now. Apologies.
All good, thanks for clarifying! I remember watching Bitcoin prices around $10 when I was like 16 years old. Felt like a smart guy selling my 11 mined Bitcoin at $45-ish. I didn't keep any from that time because I never really thought of any what-ifs or future scenarios. I just thought it was cool that I could move money around so freely, so that's what I did. Gambled them away, bought stuff, sold low and bought high on Mt Gox. The whole shebang. It wasn't until a couple years later when I had some money saved up that I got into crypto in a financial context. Hasn't made me rich by any means but you are right in that there are plenty of experiences that I would use the word 'success' for, financial and otherwise. It sure has been a fun journey that has affected me in many ways, left me with many fond memories and the occasional sleepless night!
Funnily enough, the inverse seems to be true as well: saying things about blockchain technologies that paint them in a good light is taboo for people not making money on them.
The author of the article, Robert Miller, is a leading authority on MEV (Miner/Maximum Extractable Value). Those involved in MEV are quite a different bunch from most of the crypto crowd.
For one, they don't rely on "number go up" to make money, they use strategies similar to those used by HFT firms to make money from market inefficiencies. They generally don't have loyalty to a particular crypto platform, they just go wherever they can find a competitive advantage. They also tend to be much less politically outspoken and often left-leaning, in contrast to the vocal libertarian views that permeate the rest of the field.
They also most certainly aren't "imagining" making money. Most of their strategies are essentially elaborate forms of arbitrage, which are risk-free sources of profit by nature (until out-competed). Their only losses come from fees paid for deploying strategies that turn out to be unsuccessful. Even fees for failed transactions are pretty much a non-issue these days because of Flashbots.
> for people making money (or imagining making money) on them
This is a minority of the people in tech and on HN. It's not taboo in general (as those groups only make up a tiny fraction of the population), nor even taboo for those specific groups - so I think that makes calling it a "taboo" at all a stretch.
Sorry for maybe asking a stupid question, but if I understand correctly, the nonce is just as secret as the private key. But the nonce is not needed for the signature check? So, it can be chosen at random and then simply forgotten after signature generation?
After a first quick Google search, it looks like there is also the term nonce used here, but it is deterministic and just counted up, which does not seem to fit with the article: https://developpaper.com/the-nonce-of-ethereum/
Am I missing something?
The nonce used for ECDSA signatures is not the same as the nonce used for Ethereum signature. The term "nonce" is a general term that is used in any number of systems to mean a value which should only be used once, and might apply to any number of layers or protocols in a given system.
There are various techniques people use for them: a careful counter, a precise timestamp, a hash of the rest of the data, or a random number. Often you can choose as the user... as long as you don't use the same value twice; alternatively, your choice of nonce might be verified by your counter-party (as with Ethereum's account nonces).
The consequences of using the same value twice will also differ: your request might be rejected/ignored, you might be penalized or cause an error, it might expose your identity to a system where you were otherwise anonymous, or it might allow someone to calculate your private key. The high-level idea is what matters, not the specifics.
Wait, how does it work? What is signed is hashed, including the nonce.
People use some kind of "replace by fee" transactions all the time, as far as I know these broadcasted transactions, typically with higher fees, have the exact same nonce as the previous one.
If simply reusing the same nonce allowed someone to crack the private key, it'd be a much bigger issue than a few wallets emptied. It'd be a tremendous amount of wallets emptied, daily.
You are thinking of the nonce at the Ethereum account level, not the nonce used at the ECDSA signature level. This has nothing to do with Ethereum other than that Ethereum uses ECDSA signatures for security. Search for "ECDSA nonce" on Google and most of the articles and videos you will find will be explaining nonce reuse issues.
The Ethereum transaction nonce you are talking about is not the same nonce in the article. It is talking about the cryptography signing process, not the transaction ordering one.
Re-reading the article it's not when the nonce is reused, but when in the (r,s) of the signature the 'r' is reused. To end up with the same 'r' twice you must reuse the nonce but, I think, not only that. If you reuse the nonce but change any other parameter (for example putting slightly higher gas fee), then I'm pretty sure the 'r' changes (I'll go test that now out of curiosity).
I thought Ethereum used something like EdDSA where the nonce is deterministically derived from the secret key and message hash using a one-way function.
There is no way for someone who receives the signature to know you used deterministic k, so the system can't enforce it; I guess the assumption is that once in a blue moon you find someone with a bespoke implementation of the signature algorithm that failed to implement deterministic signatures.
That makes sense. I'm just surprised that this many people have apparently rolled their own signature algorithms with this flaw that running a bot to check for it is affordable. It's one of the most well-known mistakes to make in EC signature algorithms, and anyone researching how to implement these signatures should stumble upon high-profile cases such as the Sony private key leak, which should scare them enough to not trust that they can implement a reliable PRNG that won't generate the same nonce twice (with non-negligible probability). But I guess these bots check for a whole catalogue of mistakes, and this is a fairly cheap check to add if you are checking every transaction anyway.
I would guess someone is looking for an opportunity to compromise a shared implementation, and then hoover up the proceeds as the compromised implementation is used.
Yup, this. I don't understand either. The transaction (amount / gas fee / max gas / to / from / code if any / nonce) is hashed using Keccak, then that hash is signed. The transaction also contains the data in the clear. Nodes take the data in the clear, recompute the Keccak hash, recover the signing address from the keccak hash + r,s,v then, if there are enough funds on that signing address, the transaction goes on.
How could reusing a nonce once lead to a full compromise?
Or is it only if the nonce is reused, but for the exact same transaction, with all the parameters identical, then signed using the same private key but some other random point?
It's an inherent property of Schnorr-style signature schemes commonly used for elliptic curves. These rely on the signer generating a random nonce for each generated signature. The nonce is used as a blinding factor, and is necessary to avoid leaking secrets in the generated signature. If the same nonce is used for signing two different messages with the same private key, then anyone can trivially derive the private key. See https://en.m.wikipedia.org/wiki/Elliptic_Curve_Digital_Signa... for details - this was famously how Sony accidentally revealed the private key used to sign PlayStation 3 releases, because they had just used a hardcoded nonce. Anyone could then derive the key without use of brute force via a few modular arithmetic computations.
Modern signature schemes such as EdDSA do not have this footgun as they specify a completely deterministic procedure for deriving a fresh nonce for each pair of (message, private key), simply by applying a cryptographic hash function to their concatenation. This is MUCH safer for the implementor, and also simpler to implement because one doesn't have to bother with maintaining a stateful PRNG.
Not to take anything from cryptocurrencies but... Is there some proof-of-stake chain which copies, for free or nearly free (nearly free as in, for only the price of a normal transaction on that chain), all the "valuable" NFTs from Ethereum? For example something where everybody could have as many "yacht apes" (or whatever they're called)? I'd like myself a copy of everything, but without paying anything for it (I'm not talking about the copies where you still have to send valuable ETHs to get a cheaper price: I'm talking 100% free stuff). I know I could do it myself, but that's not the question: my question is if it already exists. I think it'd only be fair game. Pirate's life, aye!
NFT content is 99% of the time already available free. You can think of it as one person paying the cost for everyone else to get free access. They are usually stored on ipfs or arweave so you can just follow the content id for the file you want.
Beyond the immediate metadata, which you can access, the uses of the NFTs are like keys to services (chatrooms, merch, club memberships), which you can't copy anyway because they are behind the private key of the owner of the NFT.
So there would be very little reason to duplicate a chain for that. You can already get the free stuff and you can’t copy the rest because clubs will look at their register not yours.
This could be interesting. Value is assigned by people, so the fact the credentials for a given work reside somewhere else with 'less legitimacy' would mean yes - you could copy it. However this other chain would be entirely illiquid.
But...the interesting part. What happens when cross-chain asset movement is much simplified? I don't see there being any issue with legitimacy (original owners could still verify ownership, you couldn't). But if you flooded the original chain with fakes, uh...
Flooding the original chain with fakes doesn't make them look real: they are different tokens. It isn't like computers are squinting at the hashes and timestamps and public keys and getting confused as to their identity.
This idea has been floated. Scammer Richard Heart is trying to do this with Pulsechain, and somewhat more seriously, Avalanche wanted to run such a forked Ethereum as a subchain, but this appears to have been abandoned.
It is an interesting scenario to think through, in particular what happens with stablecoins etc. which would not be redeemable.
Ultimately, I predict such efforts to fail badly. The fact that e.g. Ethereum NFTs are copied will in fact work against such a fork getting traction.
The author is wondering why the creature is waiting. If it was my creature (just for the record: it is not!) I would perhaps try* the following: set up a few transfers so that IF someone tries to empty their account, immediately make two, three or four competing transfers. As it is longer, it may win over the other (just one transaction). So if e.g. account A is compromised (private key found), the perpetrator sets up transactions from A to B, from B to C, from C to D. If the original owner tries to do a transaction from A to Z, immediately throw the A->B->C->D transactions.
*Would this actually work? Not an Ethereum/Blockchain guy myself.
1) Why multiple transactions? You can give higher fees for a single transaction which will still give it higher priority.
2) Unless you are a malicious BTC/ETH mining node that got the future transaction (which uses the nonce again), it will be too late. You will learn about the re-use only after the blockchain update propagates.
This is very interesting, thanks! It reminds me of a friend's adventure, he found a contract containing some ETH that could be called with some more ETH and would send the entire sum back to the caller. He analyzed it a bunch of ways to make sure it wasn't a scam, and then sent some ETH to it.
It was a scam.
I wonder how it was done, Etherscan didn't show anything and compiling it led to a few bytes of difference between what was compiled and what was deployed.
There are so many clever ways to code honeypots using obscure peculiarities of Solidity and/or Etherscan that there's little hope of being sure that it isn't a scam just by looking at the code and transaction history.
Fortunately, there are tools like Ganache, which you can run with `ganache-cli --fork` to reliably emulate locally what will happen when transactions are sent to mainnet. I would accept no substitute approach when dealing with suspect contracts.
Interesting, it might use a flaw in the Etherscan contract verification[1]. But in any case, when you expect a honeypot you can and should execute the contract off-chain[2] and examine the resulting state (specifically your account balances) before committing a real transaction. Wallets should really do this by default, but unfortunately there doesn't seem to be a lot of resources available for common goods projects like wallets, so we are stuck with primitive tools.