Improper Input Validation in the SPV mining module of the ViaBTC mining server allows a remote attacker to waste the pool's hashrate by letting it mine on an old block (i.e. DoS) by sending a modified, old block via the P2P network.
The `process_block()` function only checks the block's proof-of-work, but does not check that the header's merkle-tree root matches the transactions in the block. This allows modifications to the transactions in the block. As the BIP-34 coinbase height is used to determine if the block is new, and the coinbase height can be trivially changed, the pool can be tricked into SPV mining on an old block. This is essentially a DoS. If sustained and undetected, this might result in substantial financial loss for the pool operator.
To anyone that's using this pool software: I'd recommend to not use the bitpeer module (as it's half-broken anyway: https://b10c.me/observations/10-viabtc-blocks-without-witness-data/), and generally, to consider using maintained and up-to-date pool software.
More details about the vulnerability can be found here: https://b10c.me/blog/012-viabtc-spv-vulnerability-disclosure/
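The missing check described above, as an added example (not code from the ViaBTC server or from the original report): recompute the merkle root from the received transactions and compare it with the root committed in the header before trusting the coinbase height. The function names and the sample bytes are constructed for illustration, and transactions are assumed to arrive in non-witness serialization.

```python
import hashlib
import struct


def dsha256(data: bytes) -> bytes:
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root(txids: list[bytes]) -> bytes:
    """Merkle root over txids (internal byte order), built the way Bitcoin does."""
    if not txids:
        raise ValueError("a block must contain at least the coinbase")
    level = list(txids)
    while len(level) > 1:
        if len(level) % 2:  # odd count: the last hash is paired with itself
            level.append(level[-1])
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def header_merkle_root(header: bytes) -> bytes:
    """The merkle root is the 32 bytes at offset 36 of the 80-byte header."""
    if len(header) != 80:
        raise ValueError("block header must be 80 bytes")
    return header[36:68]


def txs_match_header(header: bytes, raw_txs: list[bytes]) -> bool:
    """True only if the transactions hash to the root committed in the header."""
    txids = [dsha256(tx) for tx in raw_txs]  # assumption: non-witness serialization
    return merkle_root(txids) == header_merkle_root(header)


# --- constructed sample data: placeholder bytes, not real transactions ---
def fake_coinbase(height: int) -> bytes:
    return b"coinbase|height=" + struct.pack("<I", height)

OLD_HEIGHT = 700_000
txs = [fake_coinbase(OLD_HEIGHT), b"tx-a", b"tx-b"]
root = merkle_root([dsha256(t) for t in txs])
# version | previous block hash | merkle root | time, bits, nonce
header = struct.pack("<I", 2) + bytes(32) + root + struct.pack("<III", 0, 0, 0)
# Same header (so the same proof-of-work), coinbase rewritten to claim a newer height.
tampered = [fake_coinbase(OLD_HEIGHT + 100)] + txs[1:]

if __name__ == "__main__":
    print("original block matches header:", txs_match_header(header, txs))
    print("tampered block matches header:", txs_match_header(header, tampered))
```

Because the header and its proof-of-work are unchanged in the tampered block, a proof-of-work check alone accepts both; only the merkle comparison tells them apart.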