Porting/implementing support for Enigma transactions represents a significant piece of work in relation to the rebasing of Cloak to the newer Bitcoin codebase. As this work will likely involve considerable code reworking and revision, it may be wise to look to decouple the Enigma related code during the porting process to decouple the Enigma related functionality from the underlying base code as much as possible.

Enigma.cpp/Enigma.h contains the top level code related to Enigma sends (see the SendEnigma method) in the aforementioned files for the start/entry point for sending an Enigma transaction.

The majority of cryptocurrency trading is conducted on centralised exchanges that provide hackers with a broad attack surface and are susceptible to a single point of failure. Trading privately and securely is increasingly difficult due to reliance on trusting a third party.

Centralised platforms are vulnerable to security threats and a single breach can compromise the assets of every user on an exchange. Many projects within the crypto space have attempted to address security and privacy issues with the implementation of a decentralised exchange (DEX).

Unfortunately, the majority of these DEX projects are not deployed to a decentralised network comprising enough individually distributed nodes. Nor do they implement any form of decentralised distribution of the user interface, the critical risk component when it comes to hacking attempts.

Despite widespread focus on the need for decentralised exchanges, efforts are wrought with profit seeking, centralisation, the unnecessary introduction of further cryptocurrencies, and of course, fees.

Introduction

While the value of privacy coins is dependent almost wholly on their ability to be privately spent, there are also many problems to be solved regarding how they are privately acquired.

Careful consideration has been given to Cloak’s current technology, upcoming developments and ongoing value proposition to both the wider cryptocurrency and general consumer markets.

Decentralised Exchange Overview

The proposed implementation of CloakX is a decentralised exchange network built atop proof of stake nodes, that reserve a fraction of machine resources to facilitate peer to peer trading. Considering Cloak already has over 100 staking nodes and migration to the new BTC codebase is approaching completion, the network is well positioned to accommodate a DEX interface embedded directly in the new hierarchical deterministic (HD) wallet.

Through each wallet connected to the network, a fraction of the exchange interface would be encrypted and stored in a distributed manner on each machine participating as a staking node. As CloakCoin does not incorporate masternodes, it naturally favours the decentralisation of the user interface, as well as the APIs of all supported cryptocurrencies.

CloakCoin Network Utilisation

The decentralised exchange would be supported by the existing CloakCoin network. In order to access and trade using CloakX, users need to hold a certain amount of $CLOAK within their wallet, as a specified percentage (TBA) of their total trading portfolio.

This encourages the acquisition and holding of CloakCoins. It is also inherently aligned with the inflationary properties of the coin, as the staking rewards of 6% per year provide the ‘gas’ required to incentivise further peer to peer trading on the network.

$CLOAK Cryptocurrency Innovation

One might consider $CLOAK serving a similar utility to CloakX, as exchange utility tokens to their respective exchanges, and in future their DEX implementations.

The upcoming release of the HD wallet and new BTC codebase, will very likely welcome integration with popular hardware wallets such as those offered by Ledger, Trezor and KeepKey. These will be a critical component for secure access to CloakX and the primary means of storage for assets traded on the network.

Unlike other decentralised exchanges, CloakX will not require the creation of an additional token and there will be no trading fees on the DEX whatsoever.

CloakX Development Summary

The first implementation of CloakX could welcome trading of most of the top 100 crypto assets as a Cloak-Ethereum client. To expedite development, scale quickly with demand and access IPFS without the need to manage infrastructure, Infura is the recommended solution.

Immediately enabling access to trading of ERC-20 tokens opens up the market for user adoption greatly and best of all, Infura is free. Also, as a truly private and decentralised implementation of a DEX, such as this on the CloakCoin network, legislative risks faced by centralised exchanges are mitigated.

The function of CloakX is absolutely peer to peer.

Reference: CIPs (Cloak Improvement Proposals) > cip-001.md

Cloak supports some additional commandline args (in relation to PoS debugging output among other things). It would be good to ensure that these args are supported in the new codebase (where applicable):

1. printcreation : debug output log PoS - called by 'GetProofOfStakeReward' and 'ConnectBlock'

Cloak and BTC have different consensus values blocks and transactions. Cloak also have a specific MAX_BLOCK_SIZE_GEN value for PoS generated blocks. This should be followed and updated in the new codebase.

MAX_BLOCK_SIZE and MAX_BLOCK_SIZE_GEN [PoS blocks] (in old codebase)
MAX_BLOCK_SERIALIZED_SIZE and MAX_BLOCK_WEIGHT (in new codebase).

It is also critical to ensure consensus rules match when validating transactions and blocks (see CheckTransaction in tx_verify.cpp and CheckBlock in validation.cpp). Any failure here could result in a fork due to transactions or blocks being accepted by a subset of nodes due to differing block/tx consensus rules.

Implement PoS mining functionality so that staking functions.

The new codebase will need a fully functional GUI to allow [novice/new] users to interact and utilise the product without interacting directly with the daemon.

There are two potential approaches to this:

1. Rework the existing Bitcoin QT GUI
Adding and extending GUI functionality where needed, so that all the Cloak specific components present in the existing [legacy] QT GUI are present. This should be fairly straightforward, if somewhat laborious. Potential sticking points for this route are likely to be related to events and messaging between the underlying code and the QT GUI side of things. There may be instances where the existing (legacy) implementation is somewhat tightly coupled in terms of underlying program code and GUI code, especially in terms of polling (for current connected Enigma peers etc). This may require some reworking during implementation, but that seems to be the order of the day in terms of updating the codebase as the BTC codebase has changed significantly since Cloak's initial 2014 release. There may also be some QT GUI elements in the BTC codebase that Cloak does not require, but this is unlikely and should be fairly trivial compared to adding new GUI functionality.

2. Create stand-alone GUI app to interact directly with a daemon instance
This solution would involve creating a dedicated front-end app that interacts with the daemon in much the same way as the monero-wallet-gui does. Such an application could be developed using something like Electron to provide a write-once cross-platform solution. Taking this approach would result in a more loosely coupled GUI as opposed to the QT route, but may well prove cleaner, clearer and easy to maintain.

Update textual 'Bitcoin' references in codebase with 'Cloak'.

Currently, we're using the old INV based sync method when connecting to older [60018] clients. It should be investigated whether header based sync can be reasonably trivially implemented for this scenario.

The regression testing network in the codebase will be a better fit for localized developer testing as it is more configurable and designed with the purpose of local development testing in mind.

The following information was received from a student research team:

Dear _________ developers,

We are writing to disclose a resource exhaustion vulnerability affecting several cryptocurrencies based on chain-style proof of stake. An attacker that connects to a victim node as a peer can send invalid blocks which are stored on disk without being validated. The consequence is that an attacker can perform a disk exhausting attack. The attack is relatively cheap to carry out since it only requires the attacker to possess a small amount of stake.

We’ve made a demonstration in the form of a test script for the regtest / python test framework on a similar PoSV3 coin. _________ codebase shares similar affected components with coin on which we performed our demo. In particular, we believe that all bitcoin core based UTXO model PoS coins suffer this problem. Though this has not been tested on _________ coin, we believe that this would likely also affect your implementation. We encourage you to study this attack and determine whether it would affect this implementation.

This vulnerability affects several(>30) cryptocurrencies, so we are making a coordinated disclosure effort to responsible developers for the affected cryptocurrencies before publishing it.

Description of vulnerability:
_________ code inherits many of its design elements from the Bitcoin codebase, which made sense given Proof-of-Work chain but do not provide adequate security in a Proof-of-Stake chain. In essence, Bitcoin checks Proof-of-Work headers before guarding disk resources, while in _________ resources are claimed even without the analogous proof-of-stake checks. In more detail, when a node receives proof of stake block not on the main chain, it does a preliminary check of existence of coinstake transaction in TxDB. The attacker can pass this preliminary check by creating invalid PoS blocks (e.g., using already-spent stake), thereby storing these invalid blocks in disk. The stake transaction is only fully verified when there is a reorg. As a result, it is possible to get nodes to store data on disk, with a small amount of stake.
The relevant methods are:
AcceptBlock(): Performs the partial validation of the blocks. This calls the CheckProofOfStake() function for the preliminary checks of the blocks and stores the block on disk in /blocks/disk files.
ConnectBlock(): This performs the full validation of the the block. This checks whether the coinstake is actually unspent. This is only called when there is a reorg to the fork chain.
CheckProofofStake(): This functions performs a partial check on coinstake transaction by checking if the coinstake input exists in txDB. This also checks if the coinstake signature is valid and whether it meets the desired PoS target. Note however, this does check the whether the coinstake transaction is unspent.
Exploiting the vulnerability:

The idea behind exploiting the vulnerability is to send invalid blocks that pass the AcceptBlock() check, even though they don’t have valid stake. Instead, the corresponding coinstake transaction is built on a already-spent output. The attacker’s block is stored on disk, but bypasses any checks that the coinstake transaction spends a valid UTXO.

To carry out the attack starting from a small amount of stake, the attacker must amplify their amount of apparent stake. Apparent stake refers to total candidate stake outputs which may already be spent. If we start with a UTXO of amount k, we can create multiple transactions spending the coins back to ourselves as shown in the figure below. Only UTXO (n+1) should be allowed for staking, but we are able to stake with all UTXO from 1 through n+1, thereby increasing the apparent stake by n*k. This increases the chances of finding PoS block since the attacker can keep on doing this to increase his apparent stake.

The only check for coinstake transaction in AcceptBlock is the one which checks whether the transaction output is present in TxDB. The check that a proof of stake transaction is actually unspent only occurs later, in the ConnectTip method, which builds on chainActive.Tip, the current best known chain. Because this check occurs later, we can reuse already spent outputs for creating coinstake transaction in the malformed blocks. Theses blocks are stored permanently in the disk and are never validated because they don’t ever form a part of the longest chain.

Refer to the attached encrypted image, it is called illustration.png.

Even with 0.01% stake in the system, the attacker only needs 5000 transactions to mine blocks with 50% apparent stake power. Note that the attacker is only paying transaction fees for those 5000 transactions which is an insignificant amount. After the attacker has collected a large amount of apparent stake, he then proceeds to mine PoS blocks at a past time using the freshly collected apparent stakes outputs. Finally the attacker fills the disk of the victim peer with the invalid blocks as those pass the CheckProofOfStake() and AcceptBlock() checks. These blocks never undergo full validation because ConnectBlock() is never called.

The only cost incurred to the attacker is the transaction fees in amplification step. The attacker can also sell of his coins at an exchange before doing this attack, meaning that the attacker is only required to have possessed a stake at some point in history, but not at present moment. A real attack might work as follows. An attacker buys some coins from an exchange and amplifies his stake by creating transactions spending the coins to himself. He then sells those back and only then performs the attack.

Mitigations:

We think that this problem is a fundamental problem to UTXO based PoS and are not aware of complete and thorough mitigation for it. However in this section, we discuss a range of possible mitigations that we know of along with their respective tradeoffs:

Accept some risk of chainsplit by not processing reorgs beyond a fixed length. For blocks under that fixed length, do a full validation of the blocks. Give a maximum ban score for a peer for sending invalid past blocks in history. A possible approach might be to keep track of pcoinstip data structure per peer so that we can easily validate the block given by a particular peer.

Heuristically detect attacking peers and disconnect them by observing some fingerprint of attack.

Have a way to remove blocks completely. Don't keep more than 1 orphan fork per peer. The challenge with removing blocks from the block files is that they are appended only, so this would require some kind of background compaction process.

Enable full validation of blocks even outside of doing a reorg. This is costly as it would require making a copy of the coins database, potentially one for each peer. This can be made more efficient through techniques such as UTXO commitments or UTXO snapshots. With UTXO snapshots we’d take rolling snapshots of the chainstate database at some prior block. With UTXO commitments, the merkle tree proofs associated with new transactions would be transmitted alongside each block/header.

Ensure that the makefiles are up-to-date and included any newly added project files. This is important when development is carried out using MSVC++ as the solution/project files no longer directly reference the makefiles in this setup.

Need to check if setting consensus.defaultAssumeValid to a certain trusted block height (whose ancestor sigs are not checked) would have any significant performance improvements.

be0a39d#diff-64cbe1ad5465e13bc59ee8bb6f3de2e7R287

Once all PoS code has been ported and tested, it would be very prudent to manually check that all the PeerCoin PoS code has been pulled across into the new codebase.

PeerCoin specific changes are marked in the old codebase like so:
"// ppcoin:"

Implement existing (PeerShares based) PoS mechanism in new codebase.

CheckStakeKernelHash fails in CheckProofOfStake: hashProofOfStake > bnCoinDayWeight * bnTargetPerCoinDay

Values should be checked and confirmed This is occuring for block #8776 (hash 125e964127c2277dc8a5d8b298ce844972ae445db612b6e98ecbb4b64db89fa2).

Cloak and PeerCoin etc use a variable called bnChainTrust (member of block index) to ascertain the current chain trust at the particular block height associated with the block index. Seeing as the code used to calculate bnChainTrust has separate paths for PoW and PoS, it is likely that this will need to be ported in some manner, even if that just involves tweaking the nChainTrust property for a block index in the new codebase.

More information to follow after some investigation...

Ensure existing tests still work in light of new code changes. The changes for signature hash generation (such as adding SignatureHashLegacy) will require some tweaks to the tests to utilize and test the new code.

The existing PoW mining functionality needs to be ported across. This is important for future testing and testnet functionality. It also enables spinning up of a test 'live' blockchain in an air-gapped test environment.

The current Cloak wallet relies on INV based syncing. The client wanting to sync, sends a GETBLOCKS message to the connected node (in this case an older Cloak wallet). The receiver then constructs an INV (inventory), which is this case is a list block hashes for a run of blocks (the caller defaults to requesting 500 entries). For clarify, we will refer to the new Cloak wallet wanting to sync as the 'Client' and the old Cloak wallet that's providing the sync data as the 'Server'.

When the Server receives an INV message for block details, it stores a reference to the last block the list and associates that information with the local peer details for the Client. The Client process the INV, handling each item in turn. In this instance, the INV data will relate to blocks and the Client will issue a GETDATA request to get the full block associated with the current INV entry. When the Server receives a GETDATA for the last block included in the current INV (it knows this my checking the data stored against the peer mentioned previously), it sends the requested block and also the top block (highest block in current chain) in order to trigger another INV request. This worked for the old Cloak codebase (and Peercoin), but is causing some headaches due to the stricter checks in the new codebase which cause the Server node to be banned when the top block is received and the Client does not have its previous block.

One possible clean workaround when connecting to 60018 instances would be to never request the last block in an INV and instead issue a new GETBLOCKS message for the next INV of block information.

The newer codebase has a plethora of changes relating to syncing (header sync, compact blocks etc) which should improve the sync process when new instances are communicating directly.

When generating the stake modifier, the current proof-of-stake algorithm backtracks from the current block, logging previous block hashes and timestamps and then uses this information to generate a stake modifier. During this process, the list of timestamps and hashes is sorted (not sure why they chose to do this as it makes little sense). This is causing some issues due to the way the equality operator for Uint256 is implemented in the newer Bitcoin codebase vs the legacy Cloak codebase.

CPubKey::Verify is currently failing for keys created using OpenSSL. This is likely related to the switch to secp256k1 in the new bitcoin codebase.

CPubKey::Verify is currently hard-coded to return [TRUE] until the issue is addressed and resolved.

The majority of PoS coins, including PeerCoin (on which Cloak is indirectly based) contain a centralized PoS checkpointing mechanism. This is essentially a centralized server that nodes connect to to determine the latest PoS sync checkpoint.

As far as I'm aware, this system is not currently setup, configured or running for Cloak. Centralized checkpointing relies on a public/private keypair (associated with the checkpoint server and with the pubkey included in the codebase) which is used to authenticate the checkpoints and determine they did indeed come from the trusted centralized server.

It needs to be determined if this centralized checkpointing mechanism is important for secuity, and if so, we will likely need to generate new keys and set-up a new centralized checkpointing server. PeerCoin is likely a good source for information on this subject and the PeerCoin wiki is an ideal starting point:

http://wiki.peercointalk.org/index.php?title=Main_Page

As an aside, decentralized checkpointing has been discussed in the PoS coin realm for some time, but I'm unaware of an deployed implementation.

Port 'trickle out' functionality for inventory messages in SendMessages.

see: main.cpp ~ln 4070 in the old CPA3 codebase.

Ensure wallet addresses adhere to Cloak format.

When generating the stake modifier, the current proof-of-stake algorithm backtracks from the current block, logging previous block hashes and timestamps and then uses this information to generate a stake modifier. During this process, the list of timestamps and hashes is sorted (not sure why they chose to do this as it makes little sense). This is causing some issues due to the way the equality operator for Uint256 is implemented in the newer Bitcoin codebase vs the legacy Cloak codebase.

I think the preferred solution would be to work around this sorting case in the PoS code (by using a custom sort that mirrors the legacy behaviour). It is only causing issues due to a run of blocks with matching timestamps early in the blockchain. However, there could be instances in the Enigma code where this crops up, but I am doubtful that it will be an issue. I much prefer this approach to the alternative of changing the Uint256 to match the legacy code.

consensus.nMinimumChainWork should likely correspond to the amount of work performed up until the last hard checkpoint. This should be addressed prior to launch.

Ensure syncing with newer nodes functions correctly and uses header sync if possible.

Change MAX_MINT_PROOF_OF_STAKE to 0.06 * COIN in policy.h

Bitcoin assigns tx fees to miners as part of the mining process. Peercoin (and likely Cloak) seem to treat fees differently. This should be investigated and mirrored (if necessary) in the new codebase.

Stealth Addresses (referred to as Enigma/Cloaking Addresses within the Cloak sphere) are utilised extensively by the Enigma transaction progress. During an Enigma send operation, the sender and participants (Cloakers) exchange stealth addresses in order to send and receive funds.

When a participant agrees to participate in an Enigma send operation, they a current Enigma/Cloaking address [CWallet::GetEnigmaAddress] in the [acceptance] response sent to the sender. This allows the sender to generate one-time payment addresses for the participant on-the-fly, to which the sender has no access to in terms of spending.

The generation of one-time-payment addresses occurs as part of the Enigma transaction generation process [CCloakingRequest::CreateTransactionAndRequestSign -> CCloakingRequest::CreateEnigmaOutputs -> CWallet::GetEnigmaChangeAddresses]. One-time addresses for both the participants (cloakers) and sender are generated and used as the output addresses for the Enigma transaction. This allows the sender to securely transmit the unsigned transaction to the participants, who can verify the presence and validity of one-time payment addresses associated with their Enigma/Cloaking address and ensure that the expected amount of funds [stealth output amounts for the participant in question exceed their input amounts] are paid to their one-time-addresses.

As per standard stealth addresses transactions, both the sender and participants are required to scan incoming transactions [within a newly received block] in order to detect received stealth payments to their Enigma/Cloaking address(es).

The code within Cloak for the current Stealth Address implementation is pretty straightforward and doesn't differ much in terms of detection and receivership from the original implementation in Vertcoin (or similar implementations). The code related to ad-hoc payment address generation is however somewhat bespoke as a single ephemeral public key (randomly generated public key, stored in OP_RETURN) is shared by all Stealth/Enigma outputs for an Enigma transaction.

NOTE: We are currently unaware of a Stealth Address implementation running against the latest Bitcoin codebase. It seems that Vertcoin removed Stealth Address support during their rebasing to a newer version of their codebase with a view to re-implementing it at a later date. As of now, it appears this work is either ongoing or on indefinite hold. There may however be an alternate implementation in a coin based on the latest Bitcoin Core codebase, and if so, this would likely make a good candidate for Stealth Address code migration.

NOTE: It is critical that Cloak/Stealth addresses (and associated keys) are stored safely and securely in the wallet in order to detect any incoming stealth payments. When HD (heirachical determinstic) support is added, Cloak/Stealth addresses should be created (and be able to be recreated) from the HD wallet master key. This will allow stealth payments to be correctly detected during a wallet restore (from a seed word list).

CloakShield is a network messaging layer that operates on top of the standard messaging layer. CloakShield messages are multi-layer encrypted, with each layer being encrypted for one or more specific connected peers. Messages are onion-routed across the network and each onion layer uses the aforementioned encryption to ensure that only specific nodes are able to decrypt the outer layer before forwarding the further encrypted payload for decryption by the next node(s) on the onion route.

The bulk of the code relating to CloakShield is encapsulated in the cloakshield.cpp and cloakshield.h files. Specific methods for routing/encrypting/decrypting/transmitting data can be found here.

Onion routed data is packaged in nested CCloakingData objects (see cloakingdata.cpp and cloakingdata.h), which contain a CCloakingDataPayload object in which the actual data resides. A CCloakingData object can store various different types of data related to the Enigma transaction process (see CloakingDataType enum for more information).

It is likely that the messaging system within the bitcoin codebase has changed (perhaps significantly) since Cloak was first created, so it is impossible to determine just what changes will need to be made during porting of the CloakShield system to the new codebase. The removal of the OpenSSL dependency will likely require some reworking of the ECDH (Elliptical Curve Diffie Hellman) code, which may also cause some compatibility issues with previous Cloak clients (QT wallets and daemons). The secp256k1 does however contain functionality related to ECDH and this can likely be leveraged for CloakShield usage,

tbc