It is unfortunate that today we are announcing the closure of Maxiopool due to an exploit in the Official Pooling Protocol discovered by our team recently. This exploit puts all pools following the protocol, PPS or PPLNS, under significant financial risk. Attackers can force the shutdown of any pool in a matter of a few days, undetected.
We had communicated this issue to the team that manages the blockchain, but the response received was disappointing. The only suggestions to us were: 1) We should ignore the risk because there is cost associated with the attack. However, the cost of this attack seems low and it can be repeatedly applied to pools one at a time quickly. 2) We, pool operators, have to manage our own risks – for a risk that comes from a flaw in the design of the Official Pooling Protocol, over which pool operators have zero control. Also, due to the nature of this flaw, we do not believe there is going to be a fix.
We have every reason to suspect this attack is already happening to our pool based on results from detection methods that we put in place. However, these detection methods are ineffective and attackers have ways to work around them if they choose to. To other pool operators: if your pool’s luck is low and staying low for a long period of time, there is a possibility that the same attack is also happening to your pool. If you would like to know the details of this attack, we are happy to share them with you.
No proper business can or should be built ignoring risks that may cause the business to shut down tomorrow. Following the conversation, we have decided to stop all existing and future projects for this blockchain. Here is what is going to happen next.
- Farmers will receive any unpaid balance above 0.01 XCH tomorrow at the usual daily payout. Pool is now paying everything out-of-pocket due to the attack.
- Pool will no longer accept new members effective immediately.
- Pool will no longer reward farmers with XCH. Please switch to a different pool today.
- Pool related services are going to run until most farmers have switched away.
Thank you for being with us. We hope we did not let down your trust and expected level of service.
Team from Maxiopool
“We should ignore the risk because there is cost associated with the attack.”
It’s fine for a bank to be robbed because there are associated costs to robbers - guns, bullets, life. What kind of logic is that?
Oh man! This is concerning! I have a few questions, if you don’t mind answering.
1. So does this affect Spacepool also??
2. Space pool’s luck is currently at 91%! Which is really good. Maybe your pool users were just unlucky?
3. Do you have proof of this attack or are you simply leaving Chia behind because of the low profit? I think it’s a fair question to ask.
Finally I think people need to know more about this exploit… is there anything you can share with us? Can you please tell us what the issue is, obviously without explaining how to do the exploit…
If it’s cost associated, does this mean users can use multiple machines to affect a pool somehow? Help us understand please.
Cut all the blah blah, the real unspoken reason behind it is:
simply leaving Chia behind because of the low profit, or more like “no profit, even loss”.
As a business owner myself I totally understand if they decide to stop the project because of the low profit or no profit… So I don’t blame them. But they should say if this was one of the reasons why they chose to stop or the main reason.
If they did find exploits, I think they should share those findings with the community… If we are all at risk of losing resources/time/money associated, etc., we should know about it.
Maxiopool, please explain the exploit the best you can without going too much into details.
Somebody who has been on Maxiopool was writing on the forum that even though he was adding more plots (say his plotted capacity is 60TiB), his average estimated on-pool capacity was getting lower and lower (say 40TiB, 30TiB). The pool’s answer to that guy was no better than any answer the pool received from the blockchain owner.
PPS is always going to be a financial risk, you are paying out of your own pocket on the assumption that almost all of your members are actually farming blocks rather than just farming partials, which might not be true for both malicious and non-malicious reasons.
For PPLNS with a 0% fee, I’m not sure how there can be any financial risk from any kind of exploit short of direct theft, other than burning through funding for infrastructure/marketing etc.
I’ve assumed from the first days of pooling that all of the pools offering 0% fees, PPS models and other out-of-pocket incentives to farmers are going to burn through any initial investment fast, a real exploit would just speed that process up.
If Maxiopool wrote:
Sorry, we are closing the pool because it is not profitable at all.
The above text would be an honest reason, that may help others (pool operators included) to think twice.
True, but I’d be honestly surprised if it was profitable - 0% for 3 months (0 fee income for the pool) and PPS (high risk of the pool losing money).
If it’s the exploit I think it is (based on that response about cost incurred), it mostly affects PPS pools, and is more a way for big pools to shut down small pools than a means of farmers extracting extra value from pools.
Well, that’s not good news. Curious to know other pool operators’ opinions and more details on the exploits (not how to do it, but what the effects are. I can see how it affects PPS, but unsure how it creates a financial risk for PPLNS).
Anyway, I’m not jumping to conclusions yet. But it does seem like a problem that should be addressed properly.
Yo now it’s FindChia pool timeeeeeee!!!
@maxiopool.io Why is there such a hard shutdown? No info was published some days before, so there will be a lot of farmers that farm for your pool and get no rewards.
What about newly won blocks by members that haven’t left your pool…?
Interesting, I have noticed my effective capacity has dropped from time to time in my current pool. Maybe there could be something to this? At least it should not be hanging in the air like this. We need more information.
@Eysteinh That’s probably mostly down to the poor farmer software and/or some minor hardware issue.
It’s very unfortunate that you are forced to shut down and the Chia Network response is the usual “not our problem”. Zero sympathy…
No, I don’t mean the exploit, I mean Eysteinh’s issues. The exploit can of course happen and it’s not so costly to do.
I will not disclose further here. I think most pool operators are aware of the issue now. It is up to the blockchain maintainer to resolve this issue.
Apologies, I take back my comment.
So, turns out that this is the exploit I thought it was, based on information that appears to now be public.
This is a known problem for PPS pools with existing cryptos - in my opinion the Chia team have at least tried to make this a less viable attack by having a 0.25XCH individual farmer portion. If there was zero cost, it would only be worth doing it if you were the owner of a larger pool/mega-whale - the only reason to do it if you are not a pool operator or mega-whale is vandalism - and making that have a cost is supposedly a deterrent.
Do you have proof that bigger pools are doing this deliberately, and that it’s not just misconfigured farmers?
What would you propose as an acceptable solution?