Safex Dev Update: January 6, 2020

Token Overflow Bug
On December 16th, when updating safexcore, we discovered an undesirable bug which exposed the blockchain to an integer overflow attack that caused 1.844 billion tokens to be generated.

244 million of these tokens have been used as mix ins and are indiscernible from other transactions on the blockchain. The remaining 1.6 billion we have been able to block as part of the patch.

Igor has also spent a good portion of his time going through the entire token stack to ensure there are no other exploitable bugs found in this code.

A detailed write up can be found as a separate post: Safex Token Overflow: January 6, 2020

Who needs to take action
If you are operating a full node, an exchange, or a mining pool, you will need to be on the current version, which is v6 or Hardfork 6.

This patch will cause some minor interruptions to ordinary wallet usage in the case that you are spending tokens that get mixed with the exploited transactions. You will receive an error message; you can retry the transaction with a smaller or 1 mix in count to ensure your transaction will go through.

We are urgently moving to update the wallet software to omit the problematic transactions from being included in the random selection of mix ins for the future.

Holidays Concluding
Today is Christmas Eve for the Orthodox calendar, so until tomorrow will be the last days of holidays for most of our team. Despite the holidays we have been diligently sorting out this patch and getting it deployed.

Upon return we will be back to work on the marketplace on the last stretch to get it to the public for use.

Of course we must run additional testing networks, and ensure that we are comfortable with the deployment before turning it on live officially.

Marketplace Development
We have a clear roadmap that we’ve been keeping everyone up to date on and if you’ve been following along you would already be aware of our progress. Just a refresh:

Regarding marketplace:
Improved Purchase Flow
Feedback
Price Peg

Sails Wallet:
New wallet creation key formation bug
Synchronization balance correctness
Transaction broadcast to safexd network (testing)
Sanitize Sails Wallet codebase of development artifacts

The World Marketplace API:
Safex Offer Content Hosting
Messaging
Quality Filtering
Search Engine

Getting back to the main course this week with a clear list of objectives.

Sincerely
The Safex Development Community

8 Likes

Does the hard fork revert those 244 million generated tokens?

No, it doesn’t.

1 Like

Are there going to be 3rd party audits moving forward to help mitigate this from happening? I don’t know why we haven’t had that done. It should be done for sure before the mp or a lot of people will lose more money. That’s a lot of coins. Lec did way more damage and didn’t have that many. We saw 1 sat already this week before the news broke publicly.

1 Like

It’s open source, everyone in community can check the code, it was not found by the programming community members either which should act as a kind of audit.

Keep your eyes open and if something seems strange to you tell the community. If someone would have been on blockchain explorer that day and mentioned in discord that he saw a 1.844 billion coin transaction, that would have been fixed back then.

1 Like

Just because it’s open source doesn’t mean they should skip 3rd party audits. Obviously this is the outcome. If we had community voting on Sft as promised we could push for this type of stuff to help protect our investment. Coins don’t get multiple chances to be hacked and taken seriously. Unfortunately Safex has been attacked repeatedly. Starting with the sfx and now Sft.

2 Likes

Typical growing pains, no sweat.

3 Likes

Truth is 3rd party audits cost a lot of money and for a reason! Safex is running on a ridiculously tight budget which explains why this kind of shit happens and why we are so far away from a usable product.
Look at Dan’s TODO list, it could be few years of work at this pace and it doesn’t include the marketplace UI.
I don’t know if it’s more sad to see the project bleeding to death or reading delusional comments of the fewer and fewer remaining believers.

1 Like

I’m not delusional and you can take the attitude elsewhere. 3rd party audits are expensive, but not as expensive as a couple hundred million sft making it into the blockchain. Which is an undeniable fact. Also, if you’re going to use not having money as an excuse to perform proper chain audits then that means you’re saying the team can’t protect our investment with their resources. If they can’t protect our money we shouldn’t put any in IMO. Would be sweet to get an update on how they plan to do that in the future because as of now we can’t do anything but hope Dan and team have the rest of the bugs covered. IMO that is too much for one team and why 3rd party audits are important to get a fresh set of eyes on things. It woulda paid for itself already just from this last attack.

1 Like

Nice catch. Good work

2 Likes

Is there something non mining SFT holders need to do at this point?

Just wait patiently 👌😀

2 Likes