Ravencoin — Forged in Fire — Security Update

Ravencoin is an asset platform based originally on the code from Bitcoin. Since its launch on Jan 3rd, 2018, code updates added asset capabilities, messaging capabilities, Restricted Assets, tags, memos, and more.

On August 6th, there was an exploit related to assets. The vulnerability related to the absence of the necessary checks in a coinbase transaction. A coinbase transaction is the perfectly valid transaction that allows RVN to be issued to the successful miner every minute. There is only one coinbase transaction allowed per block, and it has slightly different rules because the inputs don’t need to equal or exceed the outputs.

When the coinbase transaction was combined with an asset transaction, it allowed for extra assets to be issued. The exploiter used this vulnerability to create extra BRAVECOIN which was being used by Unicorn X for their project and traded on the platform. The exploit was caught quickly enough that Unicorn X and its customers were protected.

Because the BRAVECOIN was issued in an unusual way, and because Ravencoin assets are based on UTXOs (unlike ERC-20 tokens), it was possible to track all counterfeit BRAVECOIN, and blondfrogs wrote the code to do so. We briefly considered adding this token tracking code to the system to eliminate the counterfeit BRAVECOIN, but after further…