Recently our community members from the CryptoScope team, developers of Solus Explorer [https://rvn.cryptoscope.io], reached out to the Ravencoin team with the finding that the Ravencoin blockchain has a vulnerability which was used by unknown parties to mint RVN beyond the coinbase reward of 5,000 RVN per block.
Thanks to the CryptoScope team for bringing it to our attention, and kudos to them and their technology for detecting the exploit. After the vulnerability was identified, the Ravencoin development and CryptoScope teams coordinated to avoid leaking details of how it could be exploited, and the Ravencoin development team immediately started a code review to detect, isolate and fix the issue.
A community code submission introduced the bug that has been exploited. Law enforcement has been notified and is working with us.
The vulnerability does not allow the stealing of RVN or assets that you own and control, but the minting did create RVN that should not exist. We have discussed the impact of the extra RVN and what can be done about it. Because those RVN were transferred to an exchange and traded, they are now mixed with other RVN, and therefore any programmatic attempt to burn them, even with miner and community backing, would cause irreparable harm to innocent holders. As it stands, the burden has been shared across all RVN holders in proportion to their holdings, in the form of inflation.
The vulnerability does not impact Ravencoin assets, so all asset balances are safe. As we are transitioning from the vulnerable code to fixed code, there may be some chain instability. Please keep transactions to a minimum until the chain is stabilized and miners are using the updated software.
The open-source and decentralized nature of this project prevents a quick and easy fix as we only develop source code, and do not operate the network. We are notifying the exchanges so they can determine whether to pause their deposits, withdrawals or trading. We are requesting that mining pools immediately upgrade to the latest binaries available at: https://github.com/RavenProject/Ravencoin/releases/latest
This should only require updating your ravend.
What about everyone else? It is wise to be on the newest Ravencoin version, but once the miners have updated, fraudulent transactions will no longer be included in mined blocks, so the original Ravencoin binaries will continue to work without requiring an upgrade.
The extra RVN represents approximately 1.5% of the final 21 billion (roughly 315 million RVN); the exact number isn't known yet. Another way to think about it is that it represents about 44 extra days' worth of mining at the current 5,000 RVN per block, with one block per minute. These extra RVN appear to have been sold into the market shortly after minting, so the economic damage has already been absorbed by the Ravencoin ecosystem. As it stands, the RVN will continue to exist and the new total supply will be 21 billion plus the RVN minted through the exploit. Another option for adapting to the excess issuance is shifting the halving 44 days sooner, which would offset the minted RVN and put the total issuance back at 21 billion, should the community and miners consider this the better option.
We are choosing not to publish the exact details of the vulnerability until the fix is distributed and the Ravencoin blockchain is stabilized. It’s our intention to first release details of the fix to developers that have forked Ravencoin code, and then shortly thereafter we will publish complete information about the exploit.
As you can imagine, this is difficult and embarrassing for the Ravencoin team. There are hundreds of tests that automatically run every time new code is submitted but this critical flaw was not caught. The team understands this incident’s impact, as trust is such a critical element of the space. A full report of how this happened, and what steps will be taken to prevent something like this from happening again will be released as soon as the network is stabilized.
There is no mechanism to notify every node operator at once. Ravencoin is, at its core, a complete ledger of all transactions, so if the network can't be stabilized it will be restarted from a specific block, which is why minimizing transactions until network stability is reached is recommended.
I’ll provide more information as we learn more.