On August 16th, Cointelegraph published a new “news” story with the headline:
“Crypto PIVX Denies Vulnerability Allegations, Says Users’ Funds Are Safe”
This appears to be a continuation of the “narrative” by Cointelegraph, despite several attempts to provide the journal with data and facts about the original piece by Mr. Yoon that it reported on, a piece that included observations of the PIVX network together with the assumptions and statements made by Yoon (and now others) that have continued to propagate.
Let’s see if we can’t set the record straight:
PIVX has issued no such statement denying that there is an aberrant behavior that was observed occurring.
PIVX HAS issued a statement that the aberrant behavior is in fact NOT a resurgence of the “Fake Stake” attack from earlier this year.
Yoon (and BITG) was claiming that he/BITG had uncovered some nefarious behavior from the PIVX developers, namely that the PIVX developers had lied about fixing the Fake Stake vulnerability because the exploit was “back”. This was the meat of Yoon’s postulations and accusations/assumptions, which have been refuted.
In fact, it was the PIVX developers who built an entire testing environment to properly diagnose the Fake Stake Attack vulnerability and engineered a proper solution/fix for it (which many projects have gone on to merge into their codebase).
Cointelegraph in its recent article writes: “They (PIVX) argued that there has been no resurgence of attacks on its proof-of-stake (PoS) algorithm, and that neither PIVX nor its users’ funds are at risk.”
What is true: neither PIVX nor its users’ funds are at risk.
Indeed, the public statement was made:
PIVX users’ funds/PIVX are NOT at risk.
The network’s stability or chain trust has NOT been compromised.
What is false (and/or misleading): “They (PIVX) argued that there has been no resurgence of attacks on its proof-of-stake (PoS) algorithm”
PIVX has not made any statement about there being or not being an attack, vulnerability, or the like.
What HAS been stated is the following: the behavior is NOT a resurgence of the “Fake Stake” attack from earlier this year, contrary to what the article claims.
→ Again, as stated above, this is a VERY important point to make, because what Yoon was claiming (and what Cointelegraph propagated) was the lie that PIVX developers had NOT fixed the “Fake Stake” attack, had lied about it, had used this to somehow siphon funds from PIVX and other projects, and that now, only because of Mr. Yoon/BITG, the world knows.
Here’s the deal:
- PIVX developers became aware of the aberrant behaviors that had started on the PIVX network the week of August 5th.
- PIVX developers immediately began the internal process of identifying what the observed behaviors were and how they were occurring. At this point, there was no “public” statement or announcement. Why? Proper security and OPSEC — in software development, when you are alerted to and/or become aware of behaviors, the BEST course of action is to diagnose, identify, provide a solution, and THEN make an announcement.
- So again, once the observation was made by the PIVX developers that week of August 5th, the focus shifted to properly identifying (not just observing) what was occurring.
- It was concluded that this is not related to the Fake Stake attack (again, which was fixed back in February).
- It was concluded that no users’ funds were at risk and that the chain was secure.
- Back to the PIVX developers: once the behavior was observed and identified, the solution was developed. Again, at this point, no public discussion. Why? To minimize the risk for PIVX and any other chain (think about it this way: if you draw attention to something, more eyes are on it, and thus more nefarious actors might try that route).
- On August 10th, Han Yoon enters the PIVX Discord stating there is a bug and asking for someone to DM him, and later emails two PIVX devs. At this point, the PIVX developers were already well on their way to providing the solution for what they had observed and identified.
- Han asks the PIVX developers for a “quick fix” for his “client’s coin”.
- Han is informed a solution is coming, and to wait for the official explanation/diagnosis/solution (again, PROPER OPSEC. The developers were still testing and wrapping up the codebase. You don’t release that prior to ensuring the solution is stable and working. And then, as has ALWAYS been the case, PIVX alerts as many forks and necessary parties of any updates that might be required).
- Han threatens to “make public” the observed behaviors (presumably not liking that he/BITG is not given some quick fix at that point).
- A PIVX developer tells Han to get lost (my words).
- Approximately 24 hours later Han writes an article with material misrepresentations and outright falsehoods.
- Cointelegraph (and other crypto journals) picked this up, propagating the falsehoods and assumptions.
- Attempts to have the records set straight have still fallen on deaf ears.
So, breaking all that down:
YES, Mr. Yoon/BITG did observe the same occurrences that the PIVX developers had become aware of the week prior and were already working on a solution set for. While we’re unsure of the reason (at this point) for Mr. Yoon contacting PIVX, what we do know is that he was looking for a quick fix for his client/BITG — to which he was told there IS a solution coming.
Instead of being patient (or perhaps Mr. Yoon / BITG had ulterior motives as well?), he published articles less than 24 hours after these dialogues, setting off a maelstrom of misinformation online.
What’s potentially worse is that, instead of seeking to work together and/or waiting for the solution set from PIVX (which, as the past demonstrates, PIVX has delivered, delivered in a professional manner, and delivered in a way that ensures the security and stability of the PIVX network AS WELL AS the security of any fork choosing to use the PIVX codebase), publicly shouting about an observed behavior in online articles has put countless projects at higher risk. (A reminder of why this is a KEY point: merely observing something does not mean you have identified the issue or have a solution for it, and what’s worse, you now open up other possible attack vectors against chains that might already be at risk.)
If anything, the inner dialogues/workings of the BITG / Mr. Yoon discussion (as reported here) appear to indicate that there were, or later arose, ulterior motives to draw attention to both Lunar Digital Assets and BITG. Whether or not Mr. Yoon was indeed trying to play nice at first, he bypassed the disclosure made to him that:
- PIVX was aware
- PIVX had a solution
- PIVX would release the solution
By “pushing” his “observations” into the public limelight (combined with a slew of false statements, misrepresentations, and wrong assumptions), he, whether he realized it or not, potentially ended up unnecessarily putting other projects at increased risk.
Like any responsible software development team, the PIVX developers continue to finalize the testing, writeups, and documentation covering the identification of the observations, the solution/developed fix, and what’s next.
This will ONLY be made public once:
- Proper identification of any observation is completed
- Proper replication and/or testing is done
- Proper solution(s) are developed
- These solutions are tested
- The superior solution is verified and appropriate documentation is complete
- Exchanges, 3rd parties, and all relevant projects are given notification as is reasonably responsible
- The push is made live.
I expect to see this in the next day(s).
Remember, we are but 10 or so days from the first reported observations of the aberrant behavior in PIVX.
That means in the past 10 days, the PIVX developers:
- Identified what/how someone could be causing the observed behavior
- Identified and coded plausible solutions to reduce and/or prevent this behavior from occurring in the future
- Tested these solution sets
- Validated these solution sets
- Worked to properly document and describe all of the above
All in <10 days.
Quick fixes/patches in crypto only end up biting you in the rear end. There are countless stories of projects that have put “quick” fixes into their codebase only to open up more avenues for exploits.
Some might be shouting “well, it’s the DUTY of a developer or team to disclose what they know!” Yes, you are right, which is what will be coming from PIVX shortly. It is ALSO the duty of the developer and/or team to ensure both the security of the network AS WELL AS the security and safety of ANY code upgrade/update.
This takes time, proper procedures, and a level head.
While I know many are anxious to see what PIVX releases, I hope that those reading these articles I’ve recently posted can see the work being done by PIVX developers.
On a personal note — this makes me appreciate the quality of the developers inside PIVX, let alone quality developers in general. I can empathize with why they err on the side of caution when sharing/talking about anything pertaining to the code, because of how rapidly others misconstrue what is being said.
Lots of lessons being learned, lots of dialogue. I hope this only serves to strengthen the crypto community as a whole, and I hope we can uplift the quality of what is presented to the public for consumption (crypto media & journalism). Again, this isn’t to point fingers at anyone — I get it. It takes a LOT of effort to dive into the nuances of a scenario, and we tend to take “people’s word”.
We all have room to grow. Let’s try and do it together.