Update (06-03-2021): The number of exploited coins has been updated.
As you are probably aware, the Particl team has proceeded with an emergency hardfork on Thursday the 25th of February, 2021, that temporarily disabled RingCT and CT transactions to fix a critical vulnerability in the code. This announcement will disclose the nature of the vulnerability and provide preliminary details surrounding the event.
Above all, if you haven’t already done so, please urgently download the new Particl Core (Particl Core 0.19.2.5) client which can be found here. If you run a cold staking node, please update it immediately by typing the partyman update command. If you use the Particl Desktop client, launch it as soon as possible so that it can automatically be updated with the new Particl Core version. If it's already open, please shut it down completely and restart it.
Note: Trading on exchanges will be safe to resume after updating their nodes to Particl Core 0.19.2.5.
Table of Contents
- What Happened?
- How Did This Happen?
- The Solution
- Investigating the Attack
- FAQ and our Commitment to Transparency
What Happened?
On the 20th of February, 2021, a significant discrepancy between the expected and real supply of Particl was observed and confirmed. This prompted the team to hastily look into the source of this discrepancy, which led to the discovery of a critical vulnerability that allowed coins to be anonymously created by defeating the verification code of plain-to-anon transactions. It can be confirmed that this vulnerability has been exploited by a malicious party which led to the creation of an unknown number of anon coins. It can also be confirmed that at least 768,767 exploited PART coins have been successfully transferred from anon to public balances since the beginning of the attack, according to traces on the blockchain.
The vulnerability is now fully fixed and cannot be exploited anymore as of the release of Particl Core 0.19.2.4.
How Did This Happen?
Understanding the vulnerability requires one to be aware of the two issues in the code which led to it.
The first and main issue is located in the verification code of plain-to-anon transactions. It caused the commitment sum not to verify when sending coins from public balances to anon ones. This means an attacker can pick his own made-up output values, which aren’t required to sum to the amount of the inputs used. This vulnerability was located here in Particl’s code and has now been patched.
Additionally, a related issue was discovered that prevented the blind sum from being set when sending PART coins from public to anon balances. This means that all public to anon values would fail the commitment sum check even if their inputs and outputs summed. For this reason, it isn't easy to determine, with absolute certainty, which RingCT transactions were exploited and which ones are legitimate. In this case, any anon output or blinded output descending from an anon output could, in theory, be holding millions of illegitimate PART coins. This vulnerability is located here in Particl’s code and has been patched as well.
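To make the two issues above concrete, here is a toy model of the commitment sum check for a plain-to-anon spend. It is an added example, not Particl's code: a tiny multiplicative group stands in for secp256k1, range proofs are left out, and every name in it (commit, balance_ok, build_outputs) is hypothetical.

```python
# Toy Pedersen-commitment balance check for a plain-to-anon spend.
# Assumptions: a tiny multiplicative group stands in for secp256k1, and all
# names (commit, balance_ok, ...) are hypothetical, not Particl identifiers.

P = 2039            # safe prime, P = 2*Q + 1
Q = 1019            # prime order of the subgroup of squares mod P
G = 4               # generator used for blinding factors
H = 9               # generator used for amounts


def commit(value, blind):
    """Pedersen commitment C = G^blind * H^value (mod P)."""
    return (pow(G, blind % Q, P) * pow(H, value % Q, P)) % P


def balance_ok(plain_in, fee, out_commitments, blind_sum):
    """Commitment sum check: the product of the output commitments must equal
    a commitment to (plain_in - fee) under the declared blind sum."""
    lhs = 1
    for c in out_commitments:
        lhs = (lhs * c) % P
    return lhs == commit(plain_in - fee, blind_sum)


def build_outputs(values, blinds):
    """Return (commitments, blind_sum) for the given hidden output values."""
    commitments = [commit(v, r) for v, r in zip(values, blinds)]
    return commitments, sum(blinds) % Q


# Constructed sample data: 10 public coins in, fee 1, two anon outputs.
BLINDS = [123, 456]
HONEST, HONEST_SUM = build_outputs([5, 4], BLINDS)
FORGED, FORGED_SUM = build_outputs([500, 400], BLINDS)  # outputs exceed input


def demo():
    """Run the check on the honest, forged and unset-blind-sum cases."""
    return {
        "honest": balance_ok(10, 1, HONEST, HONEST_SUM),
        "forged": balance_ok(10, 1, FORGED, FORGED_SUM),
        "honest_blind_sum_unset": balance_ok(10, 1, HONEST, 0),
    }


if __name__ == "__main__":
    print(demo())
```

The third case mirrors the second issue: when the blind sum is never set, even an honest transaction fails the check, so the check result alone cannot separate legitimate outputs from made-up ones.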
At the time of this writing, and since July 2019, it is confirmed that at least 768,767 exploited PART coins have been successfully transferred from anon balances to public ones. As per the nature of the RingCT privacy protocol, it is unclear exactly how many anon coins were created in total or remain in anon outputs. Still, the Particl team is continuing its investigation. Any additional coin added to this estimate would be the total number of legitimate PART coins the community holds in anon balances.
Rest assured, the Particl team is in the process of determining the new supply and preventing any remaining exploited coins from being transacted. Once the investigation concludes, the total circulating supply of Particl will be adjusted to its new, post-inflationary bug value with full certainty, effectively restoring the chain’s integrity.
Note: Although the protocol, cryptography, and libraries of the RingCT and Bulletproofs protocols have been thoroughly audited by the renowned Quarkslab security firm, the specific portion of the code that was exploited, which is its implementation, didn’t fall under the scope of their audit or mandate.
The Solution
The solution to address this attack and restore the blockchain’s integrity can be separated into two specific objectives.
- Fix the vulnerability to prevent exploited coins from being created and transacted. (SUCCESS)
- Re-enable anon and blind transactions but permanently block exploited anon coins (IN PROGRESS)
To complete both of these objectives, the Particl team has pushed forward a contingency plan that requires two hardforks.
Hardfork 1
The first hardfork, which has been successful already, fixed the vulnerabilities to prevent more coins from being created. It also temporarily disabled RingCT and CT transactions on the Particl network, preventing anon and blind coins from being transacted. This made it impossible for the attacker to convert more exploited anon coins into public balances, effectively putting a full stop to the attack.
The new client to make this hardfork happen (Particl Core 0.19.2.4) has already been pushed out publicly, but a new version (Particl Core 0.19.2.5) was released a few days later. Particl Core 0.19.2.5 introduces a checksum mark that prevents any rollbacks and permanently invalidates the old chain in preparation for the second hardfork.
If you haven't updated yet, it is essential that you immediately do so by installing the new Particl Core version or, at the very least, the 0.19.2.4 version.
Hardfork 2
The second hardfork aims at restoring full RingCT and CT functionalities as well as restoring the integrity of the chain by disallowing exploited anon outputs from being used in the future but allowing legitimate ones. The conclusion of the second hardfork will also confirm the newly adjusted supply of the Particl blockchain and adjust it to its true post-inflation value.
Once this hardfork is completed, it will let you privately transact with other people once again, including when using the Particl Marketplace. To ensure that no exploited coins can be used post-hardfork, all the anon and blind outputs originating from before the hardfork will be frozen. It’ll then be possible for legitimate users to unfreeze them by going through a series of manual steps to prove their legitimacy.
The Particl team is currently evaluating various strategies to “whitelist” these legitimate outputs while keeping exploited ones unusable. These strategies vary in impact, intrusiveness, and level of complexity, and each has its pros and cons.
While they are not yet ready to be announced, the team will present to the community its game plan as soon as possible. We would like to request additional time to ensure all the necessary data is collected and that the strategies are as efficient as they can be. Thank you for your patience and support!
Note: The second hardfork will also include a few other minor improvements and changes the team had been looking into adding for a while now, some being unrelated to this particular exploit event. The full changelog will be available on the new client’s GitHub release page.
Note 2: The second hardfork will reveal the new inflated supply of the Particl blockchain. As a side effect, please take note that this will cause staking rewards to increase proportionally to how much the circulating supply has inflated.
Investigating the Attack
Since the day of the hardfork, the Particl team has been collecting data and collaborating with exchanges to determine whether the attacker can be identified and whether he still holds coins on them. However, due to the nature of RingCT, it may be impossible to come to definitive conclusions with total certainty. In any case, the investigation continues, but the findings cannot yet be disclosed publicly. We will keep you informed as soon as possible.
If you believe that you’ve tracked suspicious activity on the blockchain, you can submit your findings to Cryptoguard, which will then relay the information to the rest of the team for the investigation. We appreciate every bit of help and would like to thank everyone who participates in this effort.
Note: Trading on exchanges will be safe to resume after updating their nodes to Particl Core 0.19.2.5.
FAQ and our Commitment to Transparency
We understand that you may have questions related to this announcement; we are here to help! The Particl team is committed to full transparency and user support through this evolving situation.
To that end, we will publish a follow-up blog post later on that will contain more data and up-to-date information about the attack as we gather it.
From that point, the team will then hold an FAQ session on our sub-Reddit to answer any remaining questions. Cryptoguard will be available for answers with support from the Particl Core developers. This thread will be pinned on Particl's sub-Reddit and serve as the go-to FAQ resource for people with questions about this event.
Thank You!
We want to thank you for your support and patience as we work on collecting more data, preparing for the second hardfork, and building the tools required to validate legitimate anon outputs. As this is an evolving situation, the Particl team will keep you informed as more information is gathered, so keep an eye out for any new blog post on Particl News!