Adam Soltys (asoltys)
asoltys / report.md
Last active January 14, 2021 21:28
Coinos Incident Report

On Tuesday, January 12, between 6:25pm and 8:20pm PST, an attacker exploited two flaws in coinos' application server code to withdraw funds from the server's lightning node that they were not entitled to, to the tune of 0.24551673 BTC.

Both flaws stemmed from improperly implemented database transaction locks, so simultaneous payment requests touching the same account were not handled correctly.

The first flaw allowed the attacker to send a payment to their own username and see their balance increase by the amount sent. A self-payment generated two requests, one debiting the account and one crediting it by the same amount, but the crediting request read the account's balance before the debiting request had completed, so the credit was applied on top of the original balance and the debit was lost.

I happened to notice in the server logs an account sending itself payments and doubling their value each time. An emergency patch was committed and deployed at 6:51pm
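
The race behind the first flaw, modelled in Node.js as an added example (this is not coinos code; the in-memory ledger, the in-process lock, and the account names and amounts are constructed for illustration). The vulnerable transfer issues the debit and the credit as two independent read-modify-write requests; the hardened transfer holds a per-account lock and applies the debit before reading the balance for the credit, which is what a database transaction that locks the balance rows would do.

```javascript
// Added example (not coinos code): a model of the self-payment race described
// above, beside a hardened transfer. Names and amounts are constructed.

// A ledger whose reads and writes take an event-loop turn, like a database
// round trip, so two concurrent handlers can interleave between read and write.
const roundTrip = () => new Promise((resolve) => setImmediate(resolve));

class AsyncLedger {
  constructor(balances) { this.balances = { ...balances }; }
  async get(user) { await roundTrip(); return this.balances[user]; }
  async set(user, value) { await roundTrip(); this.balances[user] = value; }
  total() { return Object.values(this.balances).reduce((a, b) => a + b, 0); }
}

// Vulnerable: debit and credit are two independent read-modify-write requests
// with no lock. On a self-payment the credit leg reads the balance before the
// debit leg has written, and its write lands last, so the account ends up
// higher by `amount` instead of unchanged.
async function transferRacy(db, from, to, amount) {
  const debit = (async () => {
    const bal = await db.get(from);
    await db.set(from, bal - amount);
  })();
  const credit = (async () => {
    const bal = await db.get(to);     // stale read: the debit has not landed
    await db.set(to, bal + amount);   // last writer wins
  })();
  await Promise.all([debit, credit]);
}

// Per-key async mutex. In a real deployment the equivalent is a database
// transaction that locks the balance rows (SELECT ... FOR UPDATE) before
// reading them; this in-process lock models that behaviour.
class KeyedMutex {
  constructor() { this.tails = new Map(); }
  async acquire(key) {
    const prev = this.tails.get(key) || Promise.resolve();
    let release;
    const held = new Promise((resolve) => { release = resolve; });
    this.tails.set(key, prev.then(() => held));
    await prev;
    return release;
  }
  // Lock every account involved, in sorted order so two transfers between the
  // same pair cannot deadlock. A self-payment locks its single account once.
  async lockAll(keys) {
    const releases = [];
    for (const key of [...new Set(keys)].sort()) releases.push(await this.acquire(key));
    return () => releases.reverse().forEach((release) => release());
  }
}

// Hardened: validate the amount, hold the locks for both accounts, check funds,
// then debit before credit so the credit reads the already-debited balance.
// A self-payment therefore nets to zero instead of doubling.
async function transferSafe(db, mutex, from, to, amount) {
  if (!Number.isInteger(amount) || amount <= 0) throw new Error('invalid amount');
  const release = await mutex.lockAll([from, to]);
  try {
    const fromBal = await db.get(from);
    if (fromBal < amount) throw new Error('insufficient funds');
    await db.set(from, fromBal - amount);
    const toBal = await db.get(to);
    await db.set(to, toBal + amount);
  } finally {
    release();
  }
}

// Replay the attacker's pattern (self-payments of the full balance, which
// doubles it each time) against the racy code, then run a self-payment and
// three concurrent transfers against the hardened code. Total supply must
// not change under the hardened version.
async function demo() {
  const racy = new AsyncLedger({ jomego: 90, mocaj: 0 });
  for (let i = 0; i < 3; i++) await transferRacy(racy, 'jomego', 'jomego', racy.balances.jomego);

  const safe = new AsyncLedger({ jomego: 90, mocaj: 0 });
  const mutex = new KeyedMutex();
  await transferSafe(safe, mutex, 'jomego', 'jomego', 90);
  const outcome = (p) => p.then(() => 'ok', (err) => err.message);
  const outcomes = await Promise.all([
    outcome(transferSafe(safe, mutex, 'jomego', 'mocaj', 60)),
    outcome(transferSafe(safe, mutex, 'jomego', 'mocaj', 30)),
    outcome(transferSafe(safe, mutex, 'jomego', 'mocaj', 10)), // serialized last: nothing left
  ]);
  return {
    racyBalance: racy.balances.jomego,      // 720: 90 doubled three times
    racyTotal: racy.total(),
    safeBalances: { ...safe.balances },     // { jomego: 0, mocaj: 90 }
    safeTotal: safe.total(),
    outcomes,                               // ['ok', 'ok', 'insufficient funds']
  };
}

demo().then((result) => console.log(JSON.stringify(result)));
```

Run it with node: the racy ledger grows from 90 to 720 sats after three self-payments while the hardened ledger keeps the total at 90 and rejects the transfer that would overdraw. Rejecting self-payments outright at the API layer is a reasonable extra guard, but it does not replace the lock, since the same stale read can happen between any two concurrent requests that touch one account.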

```csv
"jomego","90","2021-01-13 02:26:29","lnbc900n1p0lukjrpp5z930xaq7x3hzzjfl78k6la3a4j88z9yyvvn6c477fg7ucg2u9x3sdqqcqzpgsp523t6hy0x4ranvz329pgzeptwrdgccmqlv6u676tf3urjdf9mjdpq9qy9qsq367vqnkjgr3g0y4g4lrd5z0hfpc2jgffzjh43hragujgs2qhu2gx28r524gss3lzpetnrm55r5hm445ww2kp685slkaesglupphnx6cpwzut6k",\N
"jomego","-650","2021-01-13 02:31:59","Internal Transfer",\N
"mocaj82077","650","2021-01-13 02:31:59","Internal Transfer",\N
"mocaj82077","-650","2021-01-13 02:32:26","Internal Transfer",\N
"jomego","650","2021-01-13 02:32:26","Internal Transfer",\N
"jomego","-650","2021-01-13 02:33:44","Internal Transfer",\N
"mocaj82077","650","2021-01-13 02:33:44","Internal Transfer",\N
"mocaj82077","-650","2021-01-13 02:34:06","Internal Transfer",\N
"jomego","650","2021-01-13 02:34:06","Internal Transfer",\N
"jomego","-650","2021-01-13 02:34:41","Internal Transfer",\N
```

```json
{"level":30,"time":1610504740329,"pid":30323,"hostname":"lynnexit","msg":"creating invoice jomego lightning null null USD","v":1}
{"level":30,"time":1610504743392,"pid":30323,"hostname":"lynnexit","msg":"creating invoice jomego lightning 95 null USD","v":1}
{"level":30,"time":1610504768092,"pid":30323,"hostname":"lynnexit","msg":"creating invoice jomego lightning null null USD","v":1}
{"level":30,"time":1610504771873,"pid":30323,"hostname":"lynnexit","msg":"creating invoice jomego lightning 90 null USD","v":1}
{"level":30,"time":1610504789227,"pid":30323,"hostname":"lynnexit","msg":"lightning payment received jomego 90 0","v":1}
{"level":30,"time":1610504899344,"pid":30323,"hostname":"lynnexit","msg":"new user satoshi-e74168f1 162.158.202.250","v":1}
{"level":30,"time":1610504900165,"pid":30323,"hostname":"lynnexit","msg":"login satoshi-e74168f1 162.158.202.250","v":1}
{"level":30,"time":1610504950395,"pid":30323,"hostname":"lynnexit","msg":"new user megot88175 162.158.22.44","v":1}
{"level":30,"time":1610504
```