Skip to content

Debrief on July 3, 2018 Syscoin Trading Activity on Binance

Jump to bottom
Brad Hammerstron edited this page Jun 11, 2019 · 1 revision

On July 3, 2018, the Syscoin team detected unusual transactions on the Syscoin and Binance platforms. Syscoin takes its security (and the protection of its customers) very seriously; as such, we requested all exchanges temporarily cease trading Syscoin until we could determine the cause of these aberrant transactions.

In the interim, speculation was rife (as is common in the crypto community) as to the reason for this request:

  • Was Syscoin hacked?
  • Was Syscoin otherwise compromised or attacked?
  • Or was it something else entirely?

While not as sensational as the first two options, the truth turned out to be "something else entirely" -  a combination of (mostly) ordinary events that we've gone into detail about below.

We go into quite a bit of detail below, so if you want to read this later, the short version is that after our investigation, we've determined that:

  • Syscoin was not hacked.
  • The Syscoin chain was not attacked.
  • The Syscoin chain is fully operational as per design.

The longer version follows.

1. We released Syscoin 3.0.6 10 days ago.

The release was a mandatory update fixing a governance superblock fee calculation bug. Once a superblock with transaction fees was hit, it would not validate clients that hadn't moved onto the mandatory update.

2. July 3rd saw a large rise in the price of Syscoin, with trading volume and Syscoin values rising to all-time highs.

Prior to the price movements on Binance, our team and the Syscoin community detected large buy walls across exchanges. As we watched the action unfold, we noticed the following additional irregularities:

  • Blocks being processed were not including transactions regularly.
  • Masternodes were expiring and the difficulty was dropping due to large miners not mining with their ASICs. This particular issue was determined to be unrelated.

3. At approximately 1:00pm PST a Superblock was created as Syscoin's decentralized governance payouts were issued, causing some miner nodes to halt.

This was expected and prepared for weeks in advance. Masternodes/Miners/Clients that had not upgraded were now required to pull the 3.0.6 tag from the master branch, build, and deploy as per the normal upgrade procedure.

4. Several large Bitcoin+Syscoin mining pools that had upgraded had set fee policies above the default rate for Syscoin. This caused only transactions that specified these higher fees to be accepted, and other transactions to "back up" in the mempool. When miners with a lower fee rate won a block, transactions held in the mempool were mined in batches, resulting in the appearance of larger than normal amounts of Syscoin to be transacted in a single block. This is the expected behavior; we have urged miners to set their fee policies to the default to further alleviate delays in transaction processing.

5. Large block output values of 544 million SYS and 1.2 billion SYS begin to appear on the Syscoin block explorer.

This resulted from majority miners having higher fee policies and the smaller miner picking up transactions when it won a block at a lower fee. We saw hundred of transactions bunched up in these blocks with high output values.

The atypical thing about these blocks at this time were that someone was using the top address of 46 million Syscoin (we speculate that this was an exchange wallet) to send withdrawals of Syscoin. The transactions were chained as Syscoin allows up to 25 chained unconfirmed transactions to exist as per the limitancestorcount / limitdescendant rule (same as Bitcoin). If you where to look at these blocks you will see that they contain only the normal 34.65 SYS newly generated coins not 1.2 Billion.

This was a non-issue and also unrelated to activities of the price on exchanges, but obviously a chained transaction set of a 46 million Syscoin output could quickly add up to a large amount, possibly much larger than the existing supply. This is precisely what happened in these blocks.

6. We recognized the large 46 million Syscoin used to send out funds and chained as unconfirmed transactions; hinting to possible suspicious activity and we immediately requested a halt to trading on all exchanges to protect users.

Normally these would be placed in cold wallets and in this case it seemed as though it was being used as a hot wallet. For precautionary reasons we told exchanges to halt; we felt if exchanges were under attack that we would mitigate the attacker from moving funds across exchanges to conceal traces of theft.

7. Binance reset API keys and resumed trading.

All other exchanges also resumed trading (though not resetting their API keys) once we had identified that exchanges were not under attack.

8. The Syscoin Team identified that transactions were not being mined simply because of miner policy and miners not having upgraded to 3.0.6. The transactions were going through, but were taking a little longer - Approximately 1 hour, instead of 1 minute.

As all of these events coincided with each other, they understandably spawned a fairly dramatic response in the crypto community. As Syscoin 3 and Blockmarket Desktop 3.0 recently just launched, there has been an increased awareness of Syscoin in the space. It is very possible that the early speculation was a natural phenomenon. Our observations conclude that the later action was extremely aberrant and as stated, we've determined:

  • Syscoin was not hacked.
  • The Syscoin chain was not attacked
  • The Syscoin chain is fully operational as per design.

Syscoin values its community very highly; we wanted to mention how appreciative we've been of that community during a very interesting & volatile 24 hours! Hopefully this post provides some clarity to the events of July 3rd.

Clone this wiki locally