-
Notifications
You must be signed in to change notification settings - Fork 122
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Pool is not properly checking the SetCustomMiningJob message received #1053
Comments
Oh, a tiny detail/suggestion I missed. |
As I understood the specs, the |
Can take this up |
Pool should just verify if the token is valid:
|
@Fi3 these are the messages exchanged between JDC and JDS during Job Declaration:
none of these messages contain any information about what if JDC sends a that could be a bug or an attack from JDC... but either way, the pool is going to reward JDC for shares that are actually worthless and that was the discussion I had with @GitGab19 , where we both arrived to the conclusion that a pool should only respond with a |
IMO pool should not enforce the prev hash. Miners will chose on which chain to mine and be rewarded accordingly. This to lower the effectiveness of selfish mining. |
Are you suggesting here that responsibility about checking the prev-hash is on JDS, right? |
While I and @plebhash were working on #923, he made a good point, which I'm going to try to summarize here.
When JDC declares a mining job to JDS, theoretically JDS should check it, and approve/deny it. After that, JDC communicated to Pool the job it's going to be used through the
SetCustomMiningJob
message.But in our current state, Pool is not checking fields contained in that message, and so a malicious JDC could try to cheat the Pool by using a wrong field (such as the
prev_hash
). In addiction to that, while looking at Pool handlers, I found this function which calls thecheck_set_custom_mining_job
one, which always returnstrue
(so doing no checks at all).So we need to implement those checks on Pool side, in the places I linked in this description.
Please @plebhash feel free to expand if you think I missed something 🙏
The text was updated successfully, but these errors were encountered: