The truth about PIVX’s PoS exploit

  • Insider Foul Play Involved?
    • This just appears to be inflationary FUD at best.  Mr. Yoon pieced together a lack of Developer response in < 24 hours, a false statement about PIVX not fixing the fake stake attack, a misrepresentation of issues caused by BITG (their own code edit) as a PIVX network error, and a coincidental decrease in the observed aberrant behavior around the time that Mr. Yoon brought up these issues into the PIVX discord as a way to say “PIVX Developers can’t be trusted.”
    • With all of these factors, Mr. Yoon then attempts to lead the reader to believe that the PIVX developers are somehow “involved” – in what we can only surmise is an attempt to cast FUD and doubt onto the PIVX developers (and the project as a whole).
    • As for the “manner” in which one of the PIVX developers responded to him – I’ll say this: To suggest that he or any other core developer is deliberately exploiting the chain that they work tirelessly on securing, so that they can exploit what equates to a few thousand dollars, when they are paid more than that, is possibly libel.
      • Furszy is a superstar developer. We all have our strengths. Just because he came across as harsh, does not mean the data and what he said is wrong. 
      • PIVX Devs do not work for Bitgreen or for PIVX forks.
      • Expecting a full and documented response to a question within 36hrs is funny. This is open-source, not free labor.
  • PIVX is responsible for every other project that uses its codebase and has forked from PIVX
    • That’s akin to saying that if you downloaded a free copy of Adobe Illustrator, then made edits (or never made edits, actually), and then after a period of time started banging on the door of Adobe saying “hey, why didn’t you fix my software? I made changes to it… it’s not working, so now you fix it,” Adobe would look at you like “really mate?”.
    • In reality, PIVX is under no obligation to produce or work on behalf of any other project but PIVX. From an endeavor standpoint (and for the community of PIVX), this is what you WANT from your developers. To be focused on the project. To be ever updating the code. Why? Because after all, PIVX is open source. Projects are free to use its codebase (or not). Projects are free to update their codebase as PIVX updates its own. Many members of the PIVX community actively work with PIVX clones and forks as well (on their own). However, to say that PIVX is responsible for the 700+ other projects that have on their own elected to use PIVX’s codebase? That’s not taking responsibility for one’s own work.
    • Additionally, the fact that Mr. Yoon wrote this article (presumably coming to the rescue of all PIVX forks and PoS networks), and went public to expose a possible frailty in not only PIVX but ALL forks (by the author’s claims) because he didn’t receive a response from core devs shows the author’s disregard for ALL other PoS projects. The ethical and wise route would be to align a bunch of the developers and projects FIRST, to ascertain what (if any) the issue, behaviors, and possible exploit and/or bug could be, BEFORE going public. Otherwise, you are potentially just opening the door for attackers to further take down networks.

In summary:

  1. PIVX users’ funds/PIVX are NOT at risk.
  2. PIVX network’s stability or chain trust has NOT been compromised. 
  3. PIVX solved the “fake stake” exploit back in February.
  4. There is aberrant behavior occurring on the PIVX network where low stake values are receiving more of the rewards (which is not a fair reward consensus model). This behavior is NOT affecting the coin emission or reward emission of the PIVX network.  
  5. The aberrant behavior is NOT a resurgence of the “Fake Stake” attack from earlier this year, as the article falsely claims.
  6. BITG did NOT fix the issue of fake stake or the behavior being observed on the PIVX network.
  7. BITG created their own network issues and vulnerabilities when they removed a very important consensus check from their own code.
  8. The PIVX Discord is not a “dev only” discord.  It’s a community discord, in which many of the PIVX developers (and many PIVX clone/fork developers) reside.

CONCLUDING THOUGHTS ABOUT ALL OF THIS

There are a LOT of factors at play here.

PIVX is one of the most cloned/forked projects in crypto (I think there are over 700 copies in the wild). On top of that, there are an unknown number of forks of the PIVX forks. This means that at any given point, projects out there are using a wide, wide range of the PIVX codebase. Now, by “using” I mean, were copied and put into a new repo. After that exact moment, unless someone is actively working on that repo, they begin to fall behind the most up-to-date codebase. A few members of the PIVX community work with these projects and have tried to align them to work together, helping one another keep their codebases up to date. These folks also tend to stand as a bridge between the PIVX developers/codebase and these other projects. Why? Well, let’s face it – there are 700+ clones of PIVX. We want the PIVX devs to be able to shine and excel in their work, which is focused on PIVX. This is just smart. Not just for the community of PIVX, but for the greater crypto ecosystem.

If the PIVX developers are consistently working on “solving” the issues of these 700+ clones, then the core/main codebase becomes neglected, and thus “all” are affected.  As the core PIVX developers improve, fix, and expand the PIVX codebase, every other single clone has the incredible opportunity to benefit from this work as well. Thus, the beauty of open-sourced work.  

Yes, I can imagine, as a smaller team with maybe only a singular dev (if that), it can be frustrating to have to be waiting on PIVX to push updates or potential solutions.  However, this is the nature of the industry and ecosystem in which many willingly joined. PIVX developers are PIVX developers primarily…and we’re thankful for that.

PIVX is also in a stronger position than a lot of other Proof of Stake coins.  This isn’t a judgment, as much as it is to say, the network distribution of stakers (and coins) – combined with the current monetary value of a singular PIV, makes it more resilient and less susceptible to attacks than less secure, less distributed, less costly to attack – projects.  It’s the nature of the beast … which, is also, why many in PIVX do encourage the PIVX-forks and clones to collaborate and work together, sharing resources even.

As for how Mr. Yoon was addressed by one of the developers – I cannot speak on behalf of the developer for the manner in which he replied. I tend to be someone who can see multiple sides at the same time. Of course, I have a bias toward PIVX (and relationships with many of the community members and developers). I can only imagine that as a developer in PIVX, having weathered the past year, the numerous code updates, etc, on top of having 700+ clones asking for advice, support, etc, on top of wanting to just code and not “deal” with the public enquiries 24/7… that at some point you just get fed up with the amount of noise and you fire back a quick retort. This becomes even more frustrating when that response is used to insinuate that you as a developer are hiding something. I’ve worked with dozens of developers. Most developers don’t communicate in the same ways many of us non-developers communicate. Reading into that and making meaning of that rarely serves anyone, let alone the PIVX community or its clones (as Mr. Yoon tends to indicate he was looking out for).

I personally haven’t talked with Mr. Yoon and I certainly don’t wish him any harm or ill will. I don’t know his modus operandi for writing the article. That said, I (as a member of the PIVX community) felt compelled to write the above article to address the statements and assumptions by Mr. Yoon, and hopefully provide the other side of the coin to the world. Crypto development is probably one of the hardest endeavors in the tech realm right now. Genuine, bona fide, cutting edge stuff (the stuff that PIVX does). I was saddened to see the conclusions Mr. Yoon drew on his own rather than waiting/dialoguing with more of the PIVX community (and/or other developers) – and now we’re here playing correct the errors and re-attune the narratives that are out in the webs.

There does appear to be some aberrant behaviors in the PIVX network which are being investigated, and as of the time of writing this, there were already some solution sets viable to correct this.  Of note with all of this – I’m not sure this is as much a PIVX specific issue as it appears to be a Proof of Stake consensus issue. The “overlapping” variable here is that 700+ projects have cloned the PIVX codebase at some point in the past.  However, my gut says there is a fundamental issue in the way in which the consensus mechanism rewards which is being “gamed”, and that this is not exclusive to the PIVX network, but rather is in the nature of the Proof of Stake itself. THUS, the continual expert work needed towards a more fair consensus method in Proof of Stake.

Rolling out any network update takes careful testing and verification in PIVX as the developers are committed to putting forth the best possible solution that maintains the integrity and stability of the PIVX network.  Once these are fully validated, then (as is responsible) the PIVX developers will provide the world with the solution sets, which all are then free to use.

Till then, I gladly welcome any dialogue here or in discord, and look forward to seeing what the PIVX developers roll out next.  If history is any indication, PIVX will push something else that “quietly” becomes another part of the backbone of the crypto/blockchain ecosystem – yet another testament to the quality of work being done by those individuals working on PIVX.  

Sources of the Articles:

https://hackernoon.com/pivx-and-all-pivx-forks-vulnerable-in-a-pos-exploit-several-chains-already-under-attack-vx13xf3vqy
https://pivx.org/a-response-to-the-article-pivx-and-200-pos-chains-currently-vulnerable-chains-already-under-attack/
