Disclosure on the Minting Attack
About the attack.
As stated last week, we will be disclosing the minting attack on our network that took place between Sat, 09 Jan 2021 23:15:16 UTC and Thu, 14 Jan 2021 05:01:53 UTC. Though this timeframe may seem like a long time, the exploit was only successfully executed twice.
You can identify the offending blocks by heights 763245 and 766164. If you look closely at the second transaction of each block, you will see the added amount on the inputs does not match the added value of the outputs plus the staking and Masternode rewards.
The team has concluded that these invalid transactions/blocks contributed to the sync problems that users started having last month. We found no reason to believe the chain’s consensus was exploited, as nodes were actively rejecting these blocks (hence the sync issues) and the propagation and acceptance of the invalid blocks was only achieved through the use of bootstraps, which force a node to accept the blocks included in the bootstrap.
Since the attacks were noticed, the team proceeded to close all exchanges and started continuous monitoring of the chain to react quicker if another block with these features was included in the blockchain. Thankfully, this was not the case and as of block 766164 no further attacks have been executed.
V1.7.0 Was released!
Taking all of this into consideration, the team designed and launched v1.7.0 of the Polis Core wallet addressing these issues.
- Fixing syncing issues, the two malicious blocks are bypassed so that everyone is able to sync, and all other sync issues have been properly fixed.
- We added an extra consensus validation to prevent the creation and acceptance of blocks with more than 11.52 coins created (a new block creates these coins for stakers and Masternodes).
- We ported a new difficulty and stakehashmodifier calculation algorithm that has the purpose of eliminating stake grinding from the chain. So far it has been effective, but we will keep monitoring the chain in case something happens. This was the reason a fork at block 774911 was needed, as the previous versions of the wallets calculated this differently and blocks produced by those wallets are now invalid.
- We added checkpoints and other measures so that users are sure to be synced on the right chain.
- The team created 63,000 Polis to cover the missed governance payments from December, January, and February. We believe this is the last funding we’ll get from the chain before Olympus Migration. The created governance funds were distributed as follows, and you can find the transaction here. This is the only block aside from the malicious blocks that’s allowed to create more than 11.52 coins.
- 3 months x 10,000 for Kindynos development proposal. (30,000 POLIS).
- 3 months x 2,500 for the Support Team proposal. (7,500 POLIS).
- 3 months x 8,500 for DAO market making and project development proposal. (25,500 POLIS).
What comes next.
The team does not know who the attacker is, or what its intent was, but we are working on preventing these coins from further damaging the project. Unfortunately, it is not as easy as rejecting those blocks and rewinding the chain to a point before, without further harming our users, exchanges, and partners, so those blocks will continue to be part of our chain.
We believe the chain is now secure and stable, no bootstraps will be provided from now on, and we are positive that there will not be newer versions of the wallet until Olympus.
As stated before, the only reason the team did not disclose details on the attack earlier was to prevent further exploitation, we are now sure that the attack cannot be replicated, and we want to thank every community member for your trust and patience.
We encourage you to ask any questions you may have on this Wednesday’s AMA, taking place at 20:00 UTC. See you there!