03:26:58
usagirabbit:
hello! i was wondering what the hackerone bounties are, the reporting document links to an old page thats now a dead link which has the bounty pool amount (1500 xmr in apr 2025 was the last snapshot, wow) and i was wondering if there was like a new forum or anything for it
03:27:24
usagirabbit:
https://github.com/monero-project/meta/blob/master/VULNERABILITY_RESPONSE_PROCESS.md
03:28:03
usagirabbit:
luigi1111 i'd figure you'd know as you're one of the security contacts :)
04:07:38
usagirabbit:
anyone here?
04:11:37
rottenwheel:unredacted.org:
usagirabbit yeah, apparently...
04:14:33
luigi1111:
The hackerone fund is more or less just case by case. A few xmr up to like 100+ depending on severity
04:16:27
usagirabbit:
i see thanks for letting me know
04:16:33
usagirabbit:
i reported a high severity :)
04:27:06
BoBeR182:
usagirabbit: what did you find?
04:27:10
BoBeR182:
high level?
04:27:17
BoBeR182:
RCE? or protocol issue
04:30:29
usagirabbit:
BoBeR182 im not too sure im supposed to disclose it, but its not a rce which would be critical :)
04:31:07
BoBeR182:
is it remotely exploitable
04:31:10
usagirabbit:
wdym
04:31:14
BoBeR182:
I'll shutdown my node until a patch comes out
04:31:19
usagirabbit:
oh noo
04:31:21
usagirabbit:
its not that scary
04:31:23
usagirabbit:
well
04:31:27
usagirabbit:
it involves nodes yes
04:31:28
usagirabbit:
but
04:31:29
usagirabbit:
yeah
04:31:34
usagirabbit:
im not gonna disclose more than that
04:31:39
BoBeR182:
so shutdown my node or not?
04:31:44
usagirabbit:
dont
04:31:49
usagirabbit:
it took me a while to discover it lmao
04:31:51
usagirabbit:
u should be sage
04:31:53
usagirabbit:
safe*
04:31:56
BoBeR182:
sounds like something an attacker would say
04:32:00
usagirabbit:
LOL
04:32:07
usagirabbit:
dont worry
04:32:10
BoBeR182:
there's agencies working 24/8 to compromise xmr
04:32:16
usagirabbit:
Im Totally Not State SponsoredTM
04:32:17
BoBeR182:
if you as a single user figured it out...
04:32:35
usagirabbit:
i submitted it to hackerone responsibly
04:32:43
usagirabbit:
im not a threat actor i swear!1!!!!!11
04:32:58
usagirabbit:
however i did use ai to look for potential weaknesses
04:33:05
usagirabbit:
(disclosed on the report, dont worry!)
04:33:10
usagirabbit:
so yeah
04:33:25
usagirabbit:
i just got like gpt 5.4 to scrape the entire codebase and look for stuff that could be high/critical
04:33:35
usagirabbit:
so far i havent found a critical yet, but only time will tell
04:33:39
BoBeR182:
were you able to reproduce it independently
04:33:44
BoBeR182:
or is it just theoretical
04:33:48
BoBeR182:
and a hallucination?
04:33:53
usagirabbit:
yes
04:33:59
usagirabbit:
i reproduced it independently
04:34:00
BoBeR182:
GPTslop has ruined many bug bounty programs
04:34:04
usagirabbit:
LOL
04:34:22
usagirabbit:
welp
04:34:25
BoBeR182:
did you offer a patch to fix it?
04:34:27
usagirabbit:
yes
04:34:33
BoBeR182:
that is awesome!
04:34:44
usagirabbit:
well not really a patch
04:34:51
BoBeR182:
well go make one
04:34:52
usagirabbit:
i just told them what they could do to patch it
04:34:55
BoBeR182:
that would actually help
04:34:58
BoBeR182:
you should open the PR
04:35:00
usagirabbit:
it has a PoC and everything too
04:35:03
usagirabbit:
im not gonna open the pr cuz
04:35:08
usagirabbit:
i dont want it exposed
04:35:09
usagirabbit:
YET
04:35:11
usagirabbit:
it could take down uh
04:35:15
usagirabbit:
some nodes
04:35:18
usagirabbit:
forcefully
04:35:23
BoBeR182:
you can mark sensitive PRs
04:35:26
BoBeR182:
those exist in github
04:35:28
usagirabbit:
does it private it?
04:35:29
usagirabbit:
ahh
04:35:29
BoBeR182:
sounds like DoS
04:35:34
usagirabbit:
dang it!
04:35:36
usagirabbit:
ya figured it out LOL
04:35:50
BoBeR182:
that could be used to deanonymize certain actors
04:36:00
BoBeR182:
is it a memory corruption that can be DoS leading to RCE
04:36:10
usagirabbit:
uuhhhh
04:36:11
usagirabbit:
no
04:36:14
usagirabbit:
no code injection
04:36:45
usagirabbit:
the closest thing i can get into about it thats somewhat nontechnical is a ram leak
04:36:51
usagirabbit:
a threat actor can crash likee
04:36:53
usagirabbit:
a shit ton of nodes
04:36:57
usagirabbit:
esp if they are state sponsored
04:37:32
usagirabbit:
i think gpt 5.4 found another high/critical
04:38:04
usagirabbit:
but its kinda weird
04:38:22
usagirabbit:
its related to multisig
04:39:52
usagirabbit:
the first bug i found on monero is exactly CVSS 3 score 7.5!
04:53:09
ufo808:matrix.org:
There was multisig issue before
04:53:28
ufo808:matrix.org:
It was fixed
04:53:50
usagirabbit:
ahh
04:53:52
usagirabbit:
when?
04:53:58
usagirabbit:
yesterday?
04:54:04
ufo808:matrix.org:
And I think I already saw some monero DoS on hackerone before, like multiple of them
04:54:13
ufo808:matrix.org:
usagirabbit: Years ago
04:54:17
usagirabbit:
oh
04:54:20
usagirabbit:
years ago?
04:54:24
usagirabbit:
no these are recent
04:54:26
usagirabbit:
unpatched
04:54:28
usagirabbit:
ive tested them
04:54:34
ufo808:matrix.org:
@ufo808:matrix.org: But maybe I’m trippin balls
04:54:39
usagirabbit:
no ur right
04:54:47
usagirabbit:
i have the latest repo
04:54:50
usagirabbit:
for monero
04:54:52
usagirabbit:
from the github
04:54:53
usagirabbit:
it works
04:55:24
ufo808:matrix.org:
Interesting
04:55:35
usagirabbit:
a state actor can like
04:55:42
usagirabbit:
nuke a shit ton of nodes
04:55:47
usagirabbit:
if they are in the right place
04:55:52
usagirabbit:
so if they do a sustained attack of this
04:55:56
usagirabbit:
it can be basically wraps
04:55:57
usagirabbit:
soo
04:56:40
usagirabbit:
and i found another dos
04:56:41
usagirabbit:
omfl
04:57:25
ufo808:matrix.org:
Can you nuke spy nodes then? Thanks
04:57:32
usagirabbit:
i cant uhh
04:57:34
usagirabbit:
select them
04:57:37
usagirabbit:
its kinda indiscriminate
04:57:38
usagirabbit:
LOL
05:01:11
usagirabbit:
uhm
05:01:14
usagirabbit:
i think i found another one
05:01:16
usagirabbit:
Rough CVSS: 8.6 High
05:01:20
usagirabbit:
oh wait
05:01:27
usagirabbit:
i found the one i already reported
05:01:28
usagirabbit:
LOOOOOOOOL
05:01:34
usagirabbit:
profound stupidity
05:01:37
plowsof:
the good thing about spamming this chat is that you would have disclosed the vuln already and not eligible for reward
05:01:42
usagirabbit:
?
05:01:43
usagirabbit:
wat
05:01:58
usagirabbit:
ohh
05:02:01
usagirabbit:
about the one im looking for
05:02:02
usagirabbit:
LOL
05:02:03
usagirabbit:
nah
05:02:06
usagirabbit:
if i found one
05:02:09
usagirabbit:
ill just say ill found one
05:02:18
usagirabbit:
i wont go into detail abt it if its that bad
05:02:24
plowsof:
your report is "gpt 5.4 to scrape the entire codebase and look for stuff that could be high/critical"
05:02:30
plowsof:
lol
05:02:39
usagirabbit:
i mean
05:02:41
usagirabbit:
ur not wrong
05:05:03
plowsof:
you're welcome
05:07:43
usagirabbit:
broo
05:07:47
usagirabbit:
im using copilot write
05:07:54
usagirabbit:
dude
05:07:57
usagirabbit:
im genuinely fried
05:08:01
usagirabbit:
i just wrote right as write
05:08:07
plowsof:
yeah stop spamming
05:08:10
usagirabbit:
its 12 am💔
05:08:34
usagirabbit:
gpt 5.4 keeps stopping
05:08:42
usagirabbit:
#OPENAIISLYINGABOUTMULTIHOURCODEXRUNS
05:18:54
usagirabbit:
hes back
05:19:03
usagirabbit:
the nsa killed him and he resurrected
05:20:30
BoBeR182:
did you DoS me
05:20:33
BoBeR182:
i'm telling
05:20:44
usagirabbit:
yes i did bober
05:20:48
usagirabbit:
i work for the nsa
05:20:55
usagirabbit:
#rced #itswrapsforyou
05:21:08
usagirabbit:
(joke obviously)
05:42:20
Guest17:
hello
05:57:42
kiersten5821:matrix.org:
dos is high?
06:01:01
ravfx:xmr.mx:
dos=high,umb
06:04:28
kiersten5821:matrix.org:
umb meaning?
06:05:27
ravfx:xmr.mx:
Upper High Memory
06:05:35
ravfx:xmr.mx:
oh non, Upper Memory Block... I think
06:07:56
kiersten5821:matrix.org:
and what does that mean
06:08:30
ravfx:xmr.mx:
You too young
06:08:31
kiersten5821:matrix.org:
feel like you're trolling me
06:08:34
kiersten5821:matrix.org:
but i dont get it
06:08:54
kiersten5821:matrix.org:
😔
06:11:23
ravfx:xmr.mx:
Back in the days, one would ideally want to load dos in HIGH and the left over in the UMB, that and as much drivers as possible.
06:11:23
ravfx:xmr.mx:
The UMB were blocks of memory that could be freed between A0000-FFFFF, usually between C8000-EFFFF.
06:11:23
ravfx:xmr.mx:
Doing so would free conventional memory (the first 640K). So DOS games that need a lot of it would have enough memory
06:12:27
ravfx:xmr.mx:
Things like QEMM would allow remapping the BIOS out of F0000-FFFFF, adding an extra 64KB
18:01:08
waks:
On my node I'm getting error "Transaction not found in pool" every minute or so. Is that cause for concern?
19:03:36
ofrnxmr:xmr.mx:
Are you mining?
19:20:50
waks:
Yeah, with p2pool connected to my node
19:28:39
ofrnxmr:xmr.mx:
Other p2pool peers are mining blocks that have txs that your node doesnt have
19:29:18
ofrnxmr:xmr.mx:
Your node tries to broadcast them but shows that error because your node is missing txs that are in the submitted block
19:37:25
waks:
What would cause that to happen? Is that normal? Am I not syncing fast enough or something?
19:44:40
ofrnxmr:xmr.mx:
Selfish mining of txs
20:05:51
waks:
So it's other nodes that are causing that to appear?
20:30:40
omurad:matrix.org:
Yes
20:58:41
ofrnxmr:xmr.mx:
Its p2pool peer's node that are causing it to appear*
20:59:00
ofrnxmr:xmr.mx:
Not nodes that your node is directly connected to