Click here to skip to the numbers if that's all you're interested in.

Week 21 Recap

Halfway to 365 days! I hate Bon Jovi but...

[image: Bon Jovi Sucks]

The portfolio is now sitting at a 500% net gain since August, and this week alone it grew twice as much as the original investment (+640.25 USD). Only one asset in the portfolio has lost money at this point, which honestly tells me that there is literally no logic left whatsoever in the alt space, and I'm totally fine with that.

Although these gains have been great, the theme this week is security, security, security, and I'm not even going to be discussing Spectre or Meltdown! It was revealed this week that Electrum wallets running v3.0.3 or lower have a severe security vulnerability that is extremely easy to exploit.

***If you are running the Electrum wallet, shut it down IMMEDIATELY.***


Why? Because any website running a short snippet of javascript could easily steal your wallet seed **IF** 1.) you have not protected the wallet with a password (in which case...you deserve it), and 2.) Electrum is running in the background. Losing your wallet seed to an attacker means game over; say goodbye to all your money. It may be shocking when things like this happen, but security holes like this are a dime a dozen in most apps, and often go unnoticed for years.

The Details


Your Electrum desktop wallet runs a JSON RPC server on a random localhost port in the background so that other applications can talk to it. Many merchants run a web server that uses PHP or something similar to handle sending and receiving payments from their website (e.g. [purchases via Electrum](http://docs.electrum.org/en/latest/merchant.html)). For example, let's pretend you run a website that sells Bitcoin related paraphernalia (t-shirts, etc.), and during checkout a customer chooses to pay in BTC. Your website makes a JSON RPC call to your desktop Electrum wallet to generate an address for the payment, and Electrum responds with a valid wallet address and the other details your customer needs to send you BTC for their purchase. The Electrum JSON RPC interface has no authentication of its own; if you have set a wallet password, that password is the only thing standing between a request and your seed.

So why are regular users of the Electrum wallet in danger? The answer is Cross-Origin Resource Sharing (CORS), or rather a misuse of it. An origin is the combination of scheme, host and port, and a "cross origin" request is one a page makes to an origin other than its own. For example, a page on http://imstilloscar.com/ can load images, javascript and css files from other origins (e.g. a CDN, or imgur.com, etc.), but the browser's same-origin policy stops its scripts from reading the responses to the fetch and XMLHttpRequests it sends to other origins, unless that other origin opts in with CORS headers. Note the wording: the request itself is usually still delivered; it is the reply that is withheld from the script.

At this point you might be asking, what does CORS have to do with the Electrum vulnerability? Remember that Electrum runs a JSON RPC service on localhost that accepts requests without authentication (other than the wallet password, if one is set). http://localhost:<port> is a different origin from any website, so under the same-origin policy alone a malicious page could fire requests at the service but never read what came back. A server that wants to stay private simply sends no CORS headers at all. Unfortunately Electrum's JSON RPC server sends this header on every response:

self.send_header("Access-Control-Allow-Origin", "*")

The "*" tells the browser that a script from ANY origin is allowed to read responses from the Electrum JSON RPC service. The net result is that an attacker's page can fire fetch requests at http://localhost:<port> for one candidate port after another until one answers like Electrum (remember that the RPC port is random unless defined by the user), then send a getseed request to that port and read the reply. If you have no password on the wallet, the attacker immediately has your seed. The random port buys a little time, but a script can sweep the whole range in not much more than a minute or two. A wallet password does protect the seed itself (the RPC refuses to hand it over without the password), but nothing in the interface limits how often a password can be tried, so a weak one buys very little.

This vulnerability has existed for almost 3 years. It was reported in November 2017, but only became a serious concern this week, after Tavis Ormandy wrote a working exploit and explained how bad the bug really was. So what are some concrete steps you can take to prevent something like this from happening in the future?

  • Use a paper or hardware wallet.
  • If you decide to use a software wallet like Electrum, don't leave it running in the background; open it as infrequently as possible, and don't browse the web while it's open (not every wallet runs a JSON RPC server, but this is still sound advice). Electrum shipped a fix right after the disclosure; update to the current release before running it again.
  • Open source doesn't mean bug free; never blindly trust any one person or application.
  • For the love of god, never use online wallets!

Week 21 Results

XDN was the winner this week with a gain of +$111.15 USD (+147%), while NXT was the worst performer with a loss of -$14.22 USD (-22%). The portfolio gained a whopping +$640.25 USD (+57%)! Insane when you consider that the current portfolio is comprised of a ton of crappy assets.

Week 21 Summary

[charts: week21_positions, week21_usd, week21_usd_percent, week21_btc, week21_balance, week21_multiline]

Since inception:

[chart: week21_positions]

| Symbol | Quantity | Price (USD) | Dec 31 (USD) | Jan 7 (USD) | Week change (USD) | Week change (%) |
|---|---|---|---|---|---|---|
| AEON | 12.4 | 8.23 | 72.66 | 102.05 | 29.39 | 40% |
| BCN | 8500 | 0.01483 | 49.30 | 126.06 | 76.76 | 156% |
| BTC | 0.002483 | 16463.9 | 34.57 | 40.88 | 6.32 | 18% |
| BNT | 3.42 | 7.98 | 17.51 | 27.29 | 9.78 | 56% |
| DASH | 0.035 | 1166.71 | 35.82 | 40.83 | 5.02 | 14% |
| DCT | 8.221 | 3.05 | 20.80 | 25.07 | 4.27 | 21% |
| DNT | 47.75 | 0.3587 | 6.73 | 17.13 | 10.40 | 155% |
| DOGE | 6000 | 0.01683 | 53.84 | 100.98 | 47.14 | 88% |
| EDG | 11 | 2.84 | 24.75 | 31.24 | 6.49 | 26% |
| EOS | 7.524 | 10.14 | 57.71 | 76.29 | 18.58 | 32% |
| ETC | 0.701 | 35.39 | 18.31 | 24.81 | 6.50 | 35% |
| ETH | 0.029 | 1091.8 | 21.47 | 31.66 | 10.19 | 47% |
| LSK | 3.31 | 40.12 | 68.62 | 132.80 | 64.18 | 94% |
| LTC | 0.2 | 275.52 | 46.02 | 55.10 | 9.08 | 20% |
| MAID | 20 | 1.12 | 18.14 | 22.40 | 4.26 | 23% |
| NXT | 94 | 0.5438 | 65.34 | 51.12 | -14.22 | -22% |
| OAX | 5.587 | 2.2 | 7.21 | 12.29 | 5.08 | 71% |
| PLBT | 1.346 | 12.17 | 7.60 | 16.38 | 8.78 | 115% |
| PPC | 5.618 | 6.47 | 26.57 | 36.35 | 9.78 | 37% |
| QAU | 59.229 | 0.4804 | 23.94 | 28.45 | 4.51 | 19% |
| SC | 1400 | 0.08462 | 41.90 | 118.47 | 76.57 | 183% |
| SNC | 112.863 | 0.3747 | 27.11 | 42.29 | 15.18 | 56% |
| STRAT | 1.844 | 17.1 | 25.76 | 31.53 | 5.77 | 22% |
| STX | 4.167 | 1.66 | 3.84 | 6.92 | 3.08 | 80% |
| XDN | 3700 | 0.05049 | 75.66 | 186.81 | 111.15 | 147% |
| XEM | 38 | 1.78 | 38.38 | 67.64 | 29.26 | 76% |
| XMR | 0.12 | 398.67 | 39.77 | 47.84 | 8.07 | 20% |
| XRP | 62 | 2.75 | 123.38 | 170.50 | 47.12 | 38% |
| ZEC | 0.04 | 752.45 | 19.18 | 30.10 | 10.91 | 57% |
| ZRC | 7.808 | 1.67 | 17.41 | 13.04 | -4.37 | -25% |
| ZRX | 28.066 | 1.41 | 24.35 | 39.57 | 15.23 | 63% |
| Totals | | | 1113.65 | 1753.91 | 640.25 | 57% |

Want to follow along?

If you're Canadian and want to try the same thing, I use QuadrigaCX (wire transfer, interac online) and Coinbase (VISA, Mastercard, AMEX) to purchase bitcoin, ethereum, or litecoin to transfer to an exchange that supports all these alternative currencies. I used HitBTC to buy all 31 currencies, but many exchanges will work just as well.

Click here for details about this experiment and what the rules are.

© 2018. All Rights Reserved.
