The Chia Plot

Interview with the Chia Dust Stormer

Posted on November 3, 2021 by Chris Dupres

Yesterday afternoon I put out a call, first on Keybase and then on the blog, offering to tell the Chia Dust Stormer’s side of the story. This morning that individual contacted me via one of the channels I published. I established the identity of the attacker cryptographically using a transaction to an address I have never used and will never use again. I then confirmed, using both XCHScan and ChiaExplorer, that it led back to the massive coin splitting before the news about the Dust Storm broke. It is possible that there was more than one actor here, but I think this is definitive enough to show that this person was splitting coins into gigantic piles before the dust storm became news. I am not going to expose the transactions in order to protect the identity of the actor.

I only asked the person a few questions, and I will avoid paraphrasing and publish their words unmodified. They have also asked that I publish the code used to perform the storm, and I have done so below.

For one I wanted to expose all weaknesses of Chia blockchain/node, because Chia Network seems to have their priorities all wrong.

They rushed to the market developing all tools (node, wallet, harvester) using the worst language there is to do this job (Python — an essentially single threaded language due to its Global Interpreter Lock), just because it’s faster/easier to work with…

Dust Storm is the most simplistic attack there is in the blockchain, that means Chia Network didn’t even take the time to stress test the software before making all of us guinea pigs. I don’t like being a guinea pig for a Venture Capital funded company. That tells me they are running against the clock.

I do believe they have a strong theory behind it and Chialisp was a great idea but again they are rushing everything and not giving the importance for a rock solid blockchain in the first place, they are trying to run before they can walk.

Another point is the pool situation. In my opinion they have designed it wrong, there is no incentive for people to not concentrate on a single pool. Centralization is not an issue with pooling protocol, everyone could farm in the same pool and the blockchain would not be at risk of centralization. That means a few pools rule it all and there is no incentive for people to jump between pools. That is an unfair market. There are several bad examples of that, we had EcoChia which had been lying and doing shady things and we all thought it would cease to exist however they got renamed to EcoXch and have close to 70PiB now. Poolsar.io completely fakes their netspace as we saw during the storm and wins about 10 times less than they were supposed to win with their claimed space, but they are still there.

Chia Network released the pool reference code simply as a very crude starting point and completely stopped supporting it, so now the pools that already had a big advantage for being at the top have an even greater advantage because they have resources to keep supporting it. With that I also wanted to show that no pools were ready for the storm or to have fees in place for their transactions to have priority. So Pool.space earns around $USD 440k/year at current low Chia prices but didn’t have it in place either and had to implement it afterwards. How would smaller pools that are fighting to not lose money to stay operational face this?

I also asked them if they had made any money from this activity, and they said no. It cost them some mojo in performing the storm and they did not think the price would go up. They had assumed that the price would go down on news of a problem or attack, but of course no publicity is bad publicity and the exchange supply restriction had the opposite effect.

The last thing they said resonated with me, especially in context of the post on reliability and blockers to adoption this morning.

It’s also a bit ridiculous that one single person, from one single node could launch this attack.

That’s true. It might be an inherent reality with blockchains and cryptocurrencies, and with public distributed systems in general, but it is true. This kind of malicious actor disruption (without calling this person’s intent malicious but using a security term of art) will be a risk that organizations need to take on when dealing with very distributed systems like Chia. And there are advantages to having a more hub-spoke architecture that would make performing similar disruptions far more difficult.

That said, I think that the risk is relatively minimal and the impact fairly low. I think the real value of the data gathered by putting their production network under a full load test outweighs the annoyance that Chia Network may have made here. I agree with many of the points made by the Dust Stormer, especially around pools. I don’t have solutions in place, but there are trade-offs to every decision and some are articulated well here.

I also asked if they were going to continue the storms or if they thought fees would be a part of Chia going forward and this was the reply.

I am not going to do it again if Chia Network take it seriously and address all the issues in a satisfactory way.

I don’t think fees will be part of Chia, there is simply no demand. However I would like to raise attention to everyone reading that the minimum fee for a Chia transaction to go through before other ones is around 0.00025 XCH, anything below that is the same as a 0 mojo fee. I think very few people know this.

People may use it for a transaction to go faster but 0 mojo will be the standard fee for a long time unless people decide to attack the network again, which as we all know it is very very very cheap.

Which is the reason I think it’s absurd that Chia Network released all their software without proper fee support.

Also, this creates a major barrier for people new to Chia. How can a beginner farmer create a Plot NFT if it requires ~0.001 XCH? He will have to buy the coin to start farming.

I certainly agree with the last point, and Chia Network has already announced that they will be solving that in the next release. I don’t agree with everything the Stormer says, but I do agree with some of it. And I think there are valuable lessons learned here for Chia Network as they go forward.

The Stormer also shared the code used to both create the mojos as well as send the transactions. It is above my head, but it looks pretty clean. It’s out there now. Please use responsibly.


8 thoughts on “Interview with the Chia Dust Stormer”

  1. Anonymous says:
    November 3, 2021 at 1:12 pm

    Thanks for your good work, both of you 😉

    1. Anonymous says:
      November 3, 2021 at 1:47 pm

      agree

  2. Anonymous says:
    November 3, 2021 at 2:26 pm

    Aspy68 says:

    Great work thechiaplot!

    The attack was kept short and there seem to have been no mal-intent so job done, I guess.

    Dust Stormer, I get that you wanted to expose some weaknesses but if I was going to disrupt so many people I would have made a public announcement of my stress test beforehand both on Keybase, the Chia Forum, and elsewhere.

    Was it a game that spun out of control or did you just not care how much chaos you caused?

  3. Anonymous Mouse says:
    November 3, 2021 at 5:12 pm

    Thank you Thechiaplot

  4. Bonito says:
    November 3, 2021 at 8:22 pm

    I don’t like python either

  5. Anonymous says:
    November 4, 2021 at 2:44 am

    I also don’t understand why the Team uses Python for all the daemons. I would have chosen Golang for some reasons. Fast, easy to learn, ez crosscompiling, perfect for the daemons.

  6. Anonymous says:
    November 4, 2021 at 12:45 pm

    Anyone find it slightly ironic that they criticize the chia devs for using python, then uses python to launch the attack?

  7. DrunkFarmer says:
    November 5, 2021 at 5:37 am

    Thank you for the interview!!

