Update 'vrsc.md'

master
Duke Leto 2 years ago
parent
commit
1baa2fd98e
16
vrsc.md

@ -20,6 +20,22 @@ What stops Mike or a future VRSC developer from removing the restriction of this
When myself and jl777 discovered this, I was quite unhappy about it. I started to tell the VRSC community and was immediately asked to leave their Discord. Mike then proceeded to rewrite history and tell people it's not a backdoor, it's a "txid reclaimer" and eventually told new users that he asked older users if it was OK to do such a thing. In reality, there was no consent, Mike did what he wanted and informed users later, when his trick was unveiled.
# Low-level Explanation
Ok, this section is going to mostly be for developers who maybe don't believe what is said above. Or for enterprising individuals who want to learn more. It's ok if you don't understand everything here, you will likely still get some more understanding out of it.
The VRSC backdoor is spread out across a few different functions and files. This makes it hidden better. It could have been written all in one file in one place, but then it would be very easy to see what is going on.
Here we can see a very important part of the backdoor, the address which is allowed to spend from other addresses:
https://github.com/veruscoin/VerusCoin/blob/master/src/veruslaunch.cpp#L9
This address is `RCZyeg6eofQUBKJE5LWuiYkgBPCafheDc8` and if you use https://explorer.verus.io/search you will see that it never appears on the VRSC explorer. Sneaky! This is because this address only needs to *sign* the transaction where it spends funds from another address. An explorer shows when funds move from one address to another, so the explorer will only show the address funds are coming from and where the funds are going to. Mike created another address where these funds are sent to. That address is not in the source code.
The list of "jumbled" txid's starts here: https://github.com/veruscoin/VerusCoin/blob/master/src/veruslaunch.cpp#L719
The list is not encrypted, it actually just masks each txid with a fixed number, which are listed here: https://github.com/veruscoin/VerusCoin/blob/master/src/veruslaunch.cpp#L11
So the code, to recover the real transaction id, applies the mask to each "jumbled" txid to get the real txid. The purpose of this is so you cannot search the source code for transaction id's AND you cannot look at the source code and look something up on the explorer.
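Review bot: The three source links in the added "Low-level Explanation" section (`veruslaunch.cpp#L9`, `#L719` and `#L11`) point at line numbers on `blob/master`, so they will stop pointing at the address, the jumbled txid list and the mask values as soon as that file changes upstream. Replace `master` in each URL with the commit hash the line numbers were taken from, so a reader can still verify the claims later. The mask sentence also needs tightening: "masks each txid with a fixed number, which are listed here" switches between one number and several, and never names the operation used to apply the mask. State whether there is one mask or a set of them, and name the operation, so a developer can reproduce the recovery of a real txid from the text alone. Minor: "txid's" should be "txids" in both places it appears.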
