Resolved: D̶o̶ ̶n̶o̶t̶ ̶u̶s̶e̶ ̶G̶r̶i̶n̶ ̶(̶g̶r̶i̶n̶-̶w̶a̶l̶l̶e̶t̶,̶ ̶G̶r̶i̶n̶+̶+̶,̶ ̶I̶r̶o̶n̶b̶e̶l̶l̶y̶)̶ ̶u̶n̶t̶i̶l̶ ̶f̶u̶r̶t̶h̶e̶r̶ ̶n̶o̶t̶i̶c̶e̶!̶

Just wanted to share a general summary as there still seems to be some confusion in this thread.

A potentially catastrophic attack was carried out against the Grin network with block 1136081, hash 0002897182d8cf7631e86d56ad546b7cf0893bda811592aa9312ae633ce04813 by exploiting insufficient rangeproof cache verification logic.

This was a worst-case scenario attempted attack for any privacy coin: potentially undetectable inflation.

Fortunately, the attack was detected and mitigated by our community before any significant damage was caused.

The Grin ecosystem is diverse and robust with multiple implementations, notably Grin++, where logic was able to detect this attack and the creators were able to help mitigate the attack network-wide. With multiple implementations, critical flaws in one implementation may be caught in another, at a risk of potentially diverging on a single valid block etc due to differences across implementations.

Grin requires rangeproofs to ensure that negative commitment values do not create inflation scenarios. Without rangeproofs, it would be possible to create transaction outputs that artificially inflate the supply by using negative values. Without a valid rangeproof to verify that an output is not negative, it is possible for a malicious actor to create transactions containing negative-value outputs along with high-value outputs that appear to balance out to zero new coins being created.

In this case, insufficient validation in an optimization for caching verification for rangeproofs was used to attempt an exploit.

This attempt was discovered by a grin++ user due to their verification process and was relayed to the rest of Grin team by David Burkett as well as a fix to mitigate the faulty rangeproof caching logic.

In addition to fixing the underlying caching validation issue, network nodes needed to perform the following to recover:

  • Rewind block 1136081 that contains invalid rangeproof
  • Rewind headers with bad blocks built on invalid rangeproof block
  • Improve peer banning around serving invalid blocks/headers

As a result, the Grin team released a series of hotfixes addressing the above issues as quickly as possible to minimize downtime for the ecosystem. Initially v5.0.3 was released to address the block rewinds, which was followed by v5.0.4 to address the header sync to properly filter “good” and “bad” blocks for all nodes.

With any coordinated, critical security fix like this we reveal the strengths and weaknesses of our ecosystems. These necessary upgrades were successfully deployed to one of the most decentralized networks in the blockchain ecosystem and are a testimony to the level of talent we have invested in Grin.

We are working to publish a CVE report with all of the technical details in grin-security.