The truth about PIVX’s PoS exploit

Here is the official statement from PIVX:

A Response to the Article: PIVX and 200+ PoS Chains Currently Vulnerable; Chains Already Under Attack

By: Bryan “Snappy” Doreian | Global Ambassador, PIVX

On August 12th, Han Yoon, the CEO of Lunar Digital Assets, posted an article stating that PIVX and all of the crypto projects that have forked the PIVX codebase were under attack and vulnerable. The article makes a number of statements and accusations and draws a significant number of assumptions (especially about PIVX and the developers working on PIVX, as well as clones/forks of PIVX).

Before launching into the article itself, here is the statement from the PIVX Developers:

We (PIVX Developers) were made aware of some suspicious behavior on the PIVX network last week (The week of August 5th) and have since been investigating the claim that our proof-of-stake algorithm is under attack.

At this point, we can confirm that the behavior is in fact NOT a resurgence of the “Fake Stake” attack from earlier this year, as the article claims.

PIVX users funds/PIVX are NOT at risk.

The network’s stability or chain trust has NOT been compromised. 

Investigations are still underway as to the aberrant behavior, and a more detailed findings report will be issued once investigations are concluded.

We are in communication with other projects and will seek to include as many as possible as our investigations progress and report to them how to properly fix any problem(s).

Of note: the author of the article (Mr. Yoon) was informed of the investigation by PIVX, but chose to jump to false conclusions instead of wait[ing] for the proper response.

Whenever people make claims and/or statements in a public space, it doesn’t matter if you are in crypto or not: any business, corporation, DAO, or movement has to ascertain how to best address the issue, not just from the codebase side, but also from the public statements and “marketing” side of things. What we’ve observed (again, crypto realms or not) is that often those who scream the loudest (or have the most salacious headlines) tend to get the immediate limelight, while the real work being done and the truth of the matter are sometimes lost because folks are just diligently working away. The balance of spending time/energy on rebutting every piece of media or attack is what I would dare say MANY endeavors go through and struggle with. I mean, let’s face it… it’s possible to absolutely BURY a project by pushing out negative media and optics, despite the very possible reality that the project is actually decent and is producing something good. Case in point: how many companies deploy grey/dark marketing tactics against competitors? If it wasn’t “viable” as a means to attain some internal goal, they wouldn’t do this.

So projects/endeavors have to figure out what to respond to, when, and how. Now, inside of the crypto realm, there is a whole different set of rules and standards. Let’s face it, one of the first rules many of us learned (back in the era of the Cryptsy/Poloniex/Mt. Gox/BTC-e trollboxes) is:

Don’t feed the trolls. 

Why? Because that’s what a troll wants. Their “victory” comes by gaining energy as you expend yours trying to correct their FUD. Now you’ve spent time there, instead of on actual productive tasks (like coding, bug squashing, developing, etc.). Notice I said elements specific to what developers do.

That’s one of the other elements in crypto that’s unique: developers (especially those working on the core codebase) are now the ones REALLY being called to the table to respond. Someone can make a flippant statement like “Your code sucks” and yes, of course, that’s probably not worth a lick of a response. But then, people can piece together a narrative based on various bits of information which gets picked up by others, and suddenly there is a maelstrom online based on misinformation, and you have to figure out whether it is worth responding vs. continuing to develop, build, and deploy.

So put yourself in a developer’s shoes. You are tasked with maintaining, developing, and building the core technology for this new frontier. You are pinged 100 times a day by scammers, bots, trolls, and the like with messages including “Hey, I need your help” or “How do I fork PIVX” or “there is an error, I need help” or “your codebase sucks” or “you have a bug… click here”. In almost NO other sector are those who are working on this level of the codebase that “accessible” to the general public.

THEN… on top of that, part of a (good) developer’s role is to provide the security and safety of the codebase. OPSec (Operational Security). Imagine a hypothetical scenario where a potential vulnerability is found. The developers (again, good ones) begin the process of ascertaining the BEST course of action. Do you make a knee-jerk reaction, yanking some code or slapping some quick-fix patch in? Often this course of action results in a massive catastrophe later (and we’ve observed a number of projects that have done this). Do you immediately tell the world (and thus open up a larger potential attack vector) before you have finalized the solution? These and probably a thousand other scenarios are what developers (I imagine) face on a daily, or at least frequent, basis. And probably 99% of the time, you never hear about it.

Often, whenever a potential bug or exploit is found, developers will work amongst themselves (even across projects) to come up with solutions before ANY knowledge hits the public sector. This is nothing new to bug reporting, where individuals submit potential vulnerabilities and exploits to companies (in hopes of receiving a reward) instead of just posting them online without any validation and confirmation that there is indeed an issue.

What I’ve observed in the past from PIVX devs is that they take legitimate vulnerabilities and code exploits VERY seriously. So much so that they will err on the side of ensuring they validate the claim FIRST, before coding a solution SECOND. Then and only then do they go public and make a statement. I personally value this, because if the developers had knee-jerk reactions to everything, the codebase would end up in a spaghetti-scrambled mess, putting the community at an even bigger risk.
