On the recent Noso outage

**DP News-Robot**

To me this outage comes with no surprise. To be fair, I'm actually astounded that it hasn't happened before.

You see, the code that drives the entire chain is done in Pascal. Not even in Object Pascal, which is the most recent and Object Oriented Programming version of the Pascal dialect.
It's written in a dialect version of Pascal that has been out of fashion since the early 1990s.
While this is not a bad thing in itself, as can be proven for the more than 4 years of operation of this coin, it's not a good thing due to lack of easy ways to scale it or even maintain it.
And, mainly due to that, no one as ever wanted to actually dive into the code and find any relevant security issues.

Welp... Looks like someone finally said: Hold my beer!!!

I'm not quite sure what that person found that is so easy to attack and provides such a devastating effect, but from my own foray into the code, it's not that hard to find.
All the code was done with standards from the early 70s, which is when the Pascal language started with only the command line as it's target.
Alas, the current wallet is made for a GUI target. And the necessary glue to make it work with the command line in sight, but being a GUI app, was not the best of the glues!!

Now, we all know that we have a very dismissive person at the centre of this all. And we all know that this person's ego will never allow to take the blame for this outage.
Someone else has to be the culprit, just because he can do no wrong.
That person has been saying that another dev has one, or multiple, backdoors in the NosoSova application. This is him trying really hard to set some rumours in order to shift the blame.
But, as we all know, this type of person has glass roofs and is throwing rocks into the air...

Let me tell you about my foray into the code, specifically in the context of backdoors...

One thing that the author decided to add to the wallet is what he calls directives. These are commands that can be activated remotely, by someone that has a master key.
If you look at these lines of code:

https://github.com/Noso-Project/Noso....pas#L585-L587
Those lines of code are constants with accounts that are allowed to perform admin tasks. This in itself doesn't mean that much.
But it is the seed of doubt that most of us kinda don't like:

Why does a wallet have an admin account in it's code?
And what is considered an admin task?
Can this be used to allow remote commands to be run on my node?
How much code is this, and what does it do?

All valid questions when we think that one of the principles of cryptocurrency is decentralisation, right? So, in that context, why do we have a mention to some account as being admin anything?

Well, let me tell you, at least 2 ways, where it's been used, with me actually witnessing it:

Forcing the entire network to issue the upgrade command right after a new release
Forcing the entire network to issue a restart command after an upgrade has been done

I'm not sure both these commands are still in place, but if we analyse the PTC_AdminMSG procedure, located here:

https://github.com/Noso-Project/Noso...tocol.pas#L952
In that procedure, we see that there are quite a few commands being parsed in the context of them being Admin.
From line 996 of that procedure, we see that we have a list of admin related directives:

UPDATE
RESTART
SETMODE
ADDNODE
DELNODE
ADDNTP
DELNTP
ADDBLOCKED
DELBLOCKED
ADDNOSOPAY
DELNOSOPAY
CLEARCFG
RESTORECFG

For a piece of software that should be as decentralised as possible, having this amount of directives that can only be executed by someone owning the private key of that account present in the AdminHash constant, is rather fishy, amirite?

I've not given you a comprehensive look at more code that exists to serve the author's need for power and control, because most of us just glaze our eyes when code is presented.

Now, all this was a long winded road to get to the matter of things with these rumours of a backdoor on NosoSova.
I can't fully guarantee that there is none, since I've not looked at the code. But one thing sets NosoSova apart from the GUI wallet:

NosoSova only works with outside access to a node, or a set of nodes.
NosoSova does not interact directly with the blockchain, only the wallet does.
Even if NosoSova had a backdoor, it would never be able to mess the blockchain if the main wallet disallows it.

And due to all the above statements, the rumour that NosoSova has a backdoor is kinda moot, cuz the only piece of software that touches the delicate parts is the GUI wallet, not NosoSova!!!

To conclude this, already, long rant, I just want to say that this is something that was bound to happen sooner or later.
It hasn't been done sooner because the coin never quite enjoyed that much attention and the usual bad actors weren't that much interested.
Nonetheless, someone did take the time to sift through a very bad piece of code, with roots in ideas/implementation from the late 70s and look at what could brake.
Then, took the time to tailor some code to actually prove that nothing is safe, especially a piece of code that it's author has a complete nonchalant attitude towards security.

And here we are. The very delicate house made of playing cards comes tumbling down with ease.

Update from the author of the attack (1 Sep 2024)

The author of the attack has made his reasons clear:

https://telegra.ph/Lessons-for-Pedro...o-skip-09-01-2

On the recent Noso outage

On the recent Noso outage

Forumregeln