[ANN] Counterparty Exploit Disclosure


Hi everyone, I’m known as Porqupine on Bitcointalk and Porqup1ne on reddit, My github is here https://github.com/porqup1ne - I am the sole developer/maintainer of https://xcpfeeds.info I have also contributed consistently to bug fixing the Counterpartyd reference client and it’s development.

I am announcing publicly because over a week ago I discovered a bug in the Counterparty CFD implementation which could be exploited to cause anyone making CFD’s to loose their entire wager. I have spent the entire week in attempting to make a reasonable disclosure of this issue and to implement a fix. I have been blocked on Skype by Phantomphreak, my emails have been ignored, he has denied that there is any kind of exploit or vulnerability, and my requests have been closed on Github.

I have made sure to keep Evan, Ouziel and Robby aware of this issue as well, and have CCed them in all of my correspondence with Adam. I have proposed a working fix - which anyone can verify is working. Adam claims he has done work on this issue - he has opened a ticket specifically ignoring my discussion of why that ticket will not work, his ‘example fix’ causes Sanity Errors in the protocol, he has demonstrated consistent disregard for the exploit by denying it exists or any such thing is possible.

After my initial private communications were shut off I open sourced a bot ‘CFD Camper’ (https://github.com/porqup1ne/cfd_camper) in an attempt to disclose this issue without getting jerked around again by these internal communications. These have had no effect. I cannot in good faith continue to develop or promote XCPfeeds.info or Counterparty while this remains unfixed. Those users who have lost their funds to CFD Camper (it has only been around 80 XCP worth of bets) will be reimbursed directly to their addresses.

I will now proceed to publicly demonstrate the nature of this exploit, shortly after I will post an article explaining how CFD Camper works, the nature of the exploit, the technical details of the code that led to it, and so forth, for those technically interested.

P.S. PhantomPhreak will obviously try to delete my posts and otherwise Ban me. Please believe me when I say I am making this public because this is a fundamental issue for anyone invested in Counterparty or interested in open-source finance. Protocol development I am convinced cannot be in the hands of a maniac with various eccentricties that prevent him from taking responsiblity and given considerations to opinions other than his own, Especially when it leaves users vulnerable to loss of funds.

TL:DR I am an open-source developer working on the Counterparty platform, I have spent over a week getting jerked around by Adam (PhantomPhreak) while trying to disclose and fix a security issue. I am now publicly disclosing the issue, I will prove it is an issue by exploiting it to steal an arbitrary amount of funds from any open CFD.