DigitalNote XDN Exploit - Who done it?

XDN Dev
Sep 18, 2021

Speculation about the recent DigitalNote exploit has been rife in the community and has created significant anxiety between the community and the development team.

After a detailed investigation, the development team identified and analysed the exploit and can now report our findings.

The first exploit on DigitalNote, the “Monte Spoof attack”, saw the minting of 1.8 billion coins (with 925 million sold on Bittrex). It was performed with a specially crafted PoW block. The cause was identified as a glitch in TX checking where inputs were not correctly checked against outputs (allowing coins to be minted). The XDN team patched this and forked the chain to fix the issue.
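The kind of check described above (a transaction's outputs must be covered by the inputs it spends, and only the block reward may create coins), as an added example that is not DigitalNote's code. It is a simplified UTXO model in Python; `Tx`, `check_tx`, `MAX_MONEY`, `max_mint` and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass

MAX_MONEY = 10**18  # assumed supply cap in base units (not DigitalNote's real value)

@dataclass(frozen=True)
class Tx:
    inputs: tuple            # ((prev_txid, prev_index), ...) outpoints being spent
    outputs: tuple           # (value, ...) in base units
    coinbase: bool = False   # block-reward transaction: creates coins, spends nothing

def check_tx(tx, utxos, max_mint=0):
    """Return (ok, reason). utxos maps unspent outpoints to their values.
    max_mint is the reward a coinbase may create (subsidy plus fees)."""
    if not tx.outputs:
        return False, "no outputs"
    out_total = 0
    for value in tx.outputs:
        if not 0 <= value <= MAX_MONEY:
            return False, "output value out of range"
        out_total += value
    if out_total > MAX_MONEY:
        return False, "output total out of range"
    if tx.coinbase:
        # Only the reward transaction may create value, and only up to max_mint.
        if tx.inputs:
            return False, "coinbase must not spend inputs"
        if out_total > max_mint:
            return False, "coinbase exceeds allowed reward"
        return True, "ok"
    if not tx.inputs:
        return False, "no inputs"
    seen, in_total = set(), 0
    for outpoint in tx.inputs:
        if outpoint in seen:
            return False, "duplicate input"      # same coin counted twice
        seen.add(outpoint)
        if outpoint not in utxos:
            return False, "missing or spent input"
        in_total += utxos[outpoint]
    if out_total > in_total:
        return False, "outputs exceed inputs"    # would mint coins
    return True, "ok"

# Constructed sample data: one unspent output worth 100 base units.
UTXOS = {("aa" * 32, 0): 100}
HONEST = Tx(inputs=(("aa" * 32, 0),), outputs=(60, 39))
INFLATING = Tx(inputs=(("aa" * 32, 0),), outputs=(1_800_000_000,))
DOUBLE_COUNT = Tx(inputs=(("aa" * 32, 0), ("aa" * 32, 0)), outputs=(200,))
OVERSIZED_REWARD = Tx(inputs=(), outputs=(1_800_000_000,), coinbase=True)
```

A resyncing node that applies checks like these to every historical block rejects a block containing a value-creating transaction, which is the behaviour a chain fork relies on.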

Recently another exploit took place that saw the funds from 2 of the burn addresses removed and sold on Bittrex. We identified the same PoW address as in the first exploit linked to this one. This second exploit uncovered a significant bug in the code that has been around since 2019. The bug allowed the hacker to take the transaction signature of *any* transaction into *any* wallet and use it to craft a withdrawal transaction from that wallet.

I will say that again… ANY single transaction from ANY wallet to craft a withdrawal transaction of the same amount… And they obviously started with the big ones. (To answer a few of you: yes, they were burned correctly; no private key is needed to perform this exploit.) This was further proven when another (somewhat pointless) exploit was carried out on the 9th September… possibly by another person who figured out the issue.

In this case, 11 wallets (all with single large inputs) were drained and sent to 8 (non-exchange) addresses. This exploit occurred at block 423410, which is why some of you may have gotten stuck on block 423409 when trying to resync (the resync caught it as an invalid block). This last occurrence on 9th September is the reason why we required a chain rollback: it sucks that our burn coins were stolen, but we absolutely cannot have community coins stolen.

We have since upgraded the explorer to the new chain, but took a screenshot of this last exploit for your reference. This is the main reason we haven't yet divulged any information: every wallet was susceptible to this exploit, and the more people that figured it out and decided to play, the closer it would have come to spelling the end of this coin. Once we are all migrated to the new chain, we will continue to test and monitor until we are comfortable; only then will we ask exchanges to reopen deposits and withdrawals.

Wallets exploited on 9/9/2021

Finally, a special thanks to some of our community members who jumped in and assisted with this issue. It was really nice to see a brains trust being stood up so quickly. We would also like to thank the other part of the community that either stayed objective or waited until we could give solid information. This was not a great situation (and was not helped by a few) but we hope to get past this and move forward.

We will be announcing more security enhancements, code changes, and partnerships to secure the future of DigitalNote. This step will require us to totally revise our roadmap to meet our new objectives and targets. These will be relayed to the community once they have been finalised.

I love this quote that Elon Musk is supposed to have tweeted:

“Many people will panic to find a charger before their phone dies. But won’t panic to find a plan before their dream dies”
