Bad Ravencoin Code Allows Attackers to Generate Coins Without Mining

“The vulnerability does not allow the stealing of RVN or assets that you own and control, but the minting did create RVN that should not exist,” said developer Tron Black.

Jul 3, 2020 at 10:16 p.m. UTC
Updated Sep 14, 2021 at 8:59 a.m. UTC

Unidentified attackers exploited a Ravencoin vulnerability to mint extra RVN “beyond the coinbase of 5000 RVN per block,” Ravencoin lead developer Tron Black wrote in a Medium post on Thursday.

According to Black, members of Ravencoin’s CryptoScope team, who developed Solus Explorer, reached out to the Ravencoin developer team recently with their findings. 

The vulnerability was caused by a community code submission. “Law enforcement has been notified and is working with us,” Black said. 

The extra coins increase the total supply of 21 billion RVN by 1.5%, or the equivalent of 44 days' worth of mining.

Ravencoin is an open-source fork of bitcoin that launched in 2018. It’s designed to facilitate the transfer of assets from one party to another, and users can create assets on the protocol that adhere to rules independent of those on the platform. The project’s website specifically calls out the "Game of Thrones" reference to Ravens as messengers of truth, which parallels the concept of blockchains as a technology for ultimate truth. 

The Fallout

Black suggested the Ravencoin community either absorb the economic cost of extra RVN or shift the halving of the coins 44 days sooner. Black did not return a request for comment by press time.

“The vulnerability does not allow the stealing of RVN or assets that you own and control, but the minting did create RVN that should not exist,” Black said. “Because those RVN were transferred to an exchange and traded, they are mixed with other RVN and therefore any programmatic attempt at burning them, with miner and community backing, would cause irreparable harm to innocent victims. As it stands, the burden has been shared across all RVN holders in proportion to their RVN holdings in the form of inflation.”

Black urged users to keep trading to a minimum until a fix is issued. He also said that Ravencoin would not publish the details of the vulnerability until the fix could be implemented. As of yet, there is no timeline for when the chain will be updated.

Disclosure


CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

