A security patch has been rushed up following an attack on the Darkcoin network which temporarily allowed an attacker to gain control of the Masternode list, according to an official statement on the Altcoin’s homepage on Tuesday.
“This attack was a simple exploitation of the fact that we were not checking that the signing key correctly, and it was possible to sign with an invalid key,” writes Evan. “This resulted in the attacker gaining control of the majority of the Masternode list for a short period of time.” Evan Duffield, Darkcoin core developer.
Although the vulnerability was patched rapidly, this does raise questions about Darkcoin’s claims to providing full anonymity.
The Implications of a Hack on Darkcoin’s Masternodes
In Darkcoin, Masternodes are used to ensure that network analysis cannot be used to deduce the identity of actors on the network. It does so by mixing individual transactions together into a single block transaction with multiple outputs. As there is no public information on inputs, and only partial information about who received Darkcoins from the block transaction. Each publicly available blockchain then shows a “many-to-many” transfer, which helps to preserve the anonymity of specific transactions.
Compare this with Bitcoin, where the public blockchain holds unique public keys that link inputs to outputs in a direct way. Although the blockchain itself does not include personally identifiable information, this data can be used with other sources to link transactions. E.g. a website advertising a wallet address, or substantial numbers of transactions coming in to a single address, all provide data that can be triangulated to reveal the source and destination.
To avoid a single breach de-anonimising the network, Masternodes share out the information in a way that must be recombined to see the complete picture. However, if a single actor does control a majority of Masternodes this would pose a real difficulty to Darkcoin’s anonymity.
To avoid this the Darkcoin community has placed a premium on providing a Masternode; it costs 1000 Darkcoins to set up, which is paid back by a 20% bounty over time. However, Tuesday’s vulnerability allowed access to the Masternodes by a single malicious attacker. This allowed that attacker, at least temporarily, to pull enough information from the Masternodes to split out inputs and outputs from the blockchain. Hypothetically, this in turn would have allowed the attacker to de-anonymise some of the people using the network through triangulation with other public sources.
It’s not at all certain that this has happened. Network analysis is difficult, time consuming, and ultimately unprofitable unless you have specific question in mind. It’s been used successfully in the past, for example, to identify where stolen bitcoins have gone; it’s not provided any information that could be used to take value directly out of any network.
The Impact of the Attack on Darkcoin
The overall impact of the attack on Darkcoin is therefore unclear. It would not have resulted in theft, but may yet result in some users being identified. The impact on Darkcoin’s reputation is also mixed. Although trading on it’s anonymity, which certainly has been undermined, the rapid fix and roll-out will have added credibility to the team’s ability to respond to emerging threats.