Bad Ravencoin Code Allows Attackers to Generate Coins Without Mining

3 July 2020

Unidentified attackers exploited a Ravencoin vulnerability to mint extra RVN “beyond the coinbase of 5000 RVN per block,” Ravencoin lead developer Tron Black wrote in a Medium post on Thursday.

According to Black, members of Ravencoin’s CryptoScope team, who developed Solus Explorer, reached out to the Ravencoin developer team recently with their findings. 

The vulnerability was caused by a community code submission. “Law enforcement has been notified and is working with us,” Black said. 

The extra coins increase the total supply of 21 billion RVN by 1.5%, or the equivalent of 44 days' worth of mining.


Ravencoin is an open-source fork of bitcoin that launched in 2018. It’s designed to facilitate the transfer of assets from one party to another, and users can create assets on the protocol that adhere to rules independent of those on the platform. The project’s website specifically calls out the “Game of Thrones” reference to ravens as messengers of truth, which parallels the concept of blockchains as a technology for ultimate truth.

The Fallout

Black suggested the Ravencoin community either absorb the economic cost of extra RVN or shift the halving of the coins 44 days sooner. Black did not return a request for comment by press time.

“The vulnerability does not allow the stealing of RVN or assets that you own and control, but the minting did create RVN that should not exist,” Black said. “Because those RVN were transferred to an exchange and traded, they are mixed with other RVN and therefore any programmatic attempt at burning them, with miner and community backing, would cause irreparable harm to innocent victims. As it stands, the burden has been shared across all RVN holders in proportion to their RVN holdings in the form of inflation.”

Black urged users to keep trading to a minimum until a fix is issued. He also said that Ravencoin would not publish the details of the vulnerability until the fix could be implemented. As of yet, there is no timeline for when the chain will be updated.