You might have noticed some trending hashtags on Twitter the last 48 hours — #Meltdown #Spectre. Without getting into the dirty details of these two exploits, understand this:

“The first thing you need to know: Pretty much every PC, laptop, tablet, and smartphone is affected by the security flaw, regardless of which company made the device or which operating system it runs. The vulnerability isn’t easy to exploit — it requires a specific set of circumstances, including having malware already running on the device — but it’s not just theoretical.” — Matt Weinberger, Business Insider

Patches are already being shipped and expect to see up to a 30% decrease in speed, especially on older computers as the exploits target shortcuts in chip architecture to boost speed in exchange for security.

CERT turns the dial to “10” when recommending a solution to eliminating the problem fully

This c̶o̶u̶l̶d̶ will have massive ramifications in the cryptocurrency space.

Encryption keys, passwords, private keys stored in CPU memory could be stolen by websites weaponizing Meltdown using Javascript. Because so much value is associated with crypto expect nefarious actors to focus most of their attention in this space. However,

Particl Cold Staking safeguards your wallet’s private keys, and thus your PART, by using a script (contract) between an online staking node and an offline wallet. Both wallets have unique private keys, meaning that if/when the online staking node is exploited by Meltdown/Spectre with a memory leak only the private keys of the node are stolen. If setup properly, the staking node should have 0 PART — thereby eliminating the threat of theft and protecting the PART in your wallet which is kept offline and secure.

Meltdown/Spectre vs Blockchain/Cryptocurrencies

In Google’s Project Zero blog post on Jan. 3rd they warn “an attacker could use [these exploits] to steal sensitive or confidential information, including passwords.”

Because so much value is tied to cryptocurrencies, people are especially tuned into how this could impact their investments. Whether coins are on personal computers or in wallets on exchanges, these exploits could have massive ramifications across the space because of the alure of money.

Cut to the chase, how does this affect me (my investments)?

For Proof of Stake distributed consensus networks, Meltdown/Spectre is especially concerning.

Issue: Proof of Stake

The issue is that in order to stake, your wallet needs to be online and so does your private key.

Therefore, your private key is held in memory and easily retrievable with Meltdown and Spectre.

Now in control of your private key, an attacker can easily move your funds to another address.

Solution: Particl Cold Staking

Particl developed Cold Staking because of vulnerabilities our team discovered in the security of Proof of Stake (PoSv3). Not attack vectors specific to these exploits, but enough flaws to warrant hardening our code against potential attacks from future technology. (Specifically resistance to quantum computing which is unrelated to Meltdown/Spectre)

By creating a contract between a staking node and a wallet Particl developers were able to build a more secure staking mechanism for distributed consensus on the blockchain — to be covered in future paper and proof of concept.

Read our Cold Staking primer for more details

Protecting against a Meltdown/Spectre attack

Particl Cold Staking (activated):

Your staking node private key is different than the private key for your real wallet since they are two different wallets.

Your real wallet remains offline whilst a staking-only private key signs blocks on your behalf.

The private key and PART on your offline wallet are safe from a Meltdown/Spectre attack.

What this means:

If the Meltdown/Spectre exploit is used on a machine running a Particl Staking Node an attacker could retrieve the private key from memory but it would be of no use since staking nodes typically carry a 0 PART balance.

Explain like I’m Five:

Particl Cold Staking creates a partnership between your online computer that has no coins on it and your offline wallet that contains all your coins. Meltdown/Spectre can only gain access to the online computer which has no coins on it meaning you don’t get robbed.

Are other PoS projects safe?

Or all cryptocurrency projects in general?

“Spectre is particularly nasty — there’s no real fix for it, and it exploits a fundamental part of how processors work.” — Matt Weinberger, Business Insider

As I mentioned above, patches are being delivered at the moment, but in the case of Spectre there is no real way to fix it besides changing processors; something most people would consider equivalent to buying new equipment. That is a non-starter (expense, hassle) for the majority of people living on tech devices most the day.

A case for keeping Particl codebase up to date with Bitcoin

As we mentioned in our Year in Review post to close 2017, one of the core values of Particl is security, as evident in our development of Cold Staking, as well as, being one of the only projects maintaining merges with Bitcoin Core.

While building safeguards against quantum computing and exploits like Meltdown and Spectre isn’t related to the latest Bitcoin protocol it is important to benefit from the best and largest development teams in crypto.

The further away a project strays from the original basecode the more of an island they become and the harder it is to merge crucial security updates like the major update pushed by Bitcoin Core with 0.15.

Did You Know? Every project built on Bitcoin releases older than 0.15 are vulnerable to the permissions bug detailed by Chris Jeffrey at this year’s Breaking Bitcoin conference.

Summary

Is Particl 100% safe from Meltdown & Spectre?

The simple answer is: not completely.

If you have Cold Staking activated and linked then your offline PART in your wallet are safe as described in this post.

If you are staking with the wallet unlocked for staking your PART and private keys could be vulnerable.

In any scenario, for Particl or Bitcoin or Litecoin etc, once you send your coins out of the wallet you are vulnerable and opening yourself to a sideways attack with Meltdown/Spectre.

Be diligent and stay safe!

Particl Team