Weak isolation levels allowed to steal BTC using plain SQL
blog.ydb.techI love the reference to the ACIDRain paper in there.
> They analyzed “12 popular self-hosted eCommenrce applications written in four languages and deployed on over 2M websites” and identified and verified “22 critical ACIDRain attacks that allow attackers to corrupt store inventory, over-spend gift cards, and steal inventory”. According to the paper, “Of the 22 vulnerabilities, five were level-based, meaning that the default weak isolation level led to the anomalies behind the vulnerabilities.
The submitted title deviates from that of the linked post ("Do we fear the serializable isolation level more than we fear subtle bugs?") and, having read the source, I'm not even sure if it's even close to accurate...
Sorry, might be that the title is a little bit inaccurate. However, the post indeed describes multiple cases, when attackers have stolen many BTC from the exchanges, because of the issue with a weak isolation level. Moreover, one of the exchanges was totally ruined because of that.
Well, then maybe write a blog post explaining exactly what happened here and submit that?
Because, even having re-read the article you linked, it does not support the conclusion that "[an] exchange[...] was totally ruined because of [weak isolation]" at all?
My post is a secondary research regarding potential issues with weak isolation levels. It includes a link [0] to an in-depth description of what happened to Flexcoin. Additionally, the post references another similar BTC attack [1] that exploited a "lost update" due to weak isolation levels.
The goal of the post is to highlight this problem, as cited research papers clearly demonstrate that such issues occur more frequently than commonly perceived.
Again, I'm sorry that the title might be misleading and you have expected a different content.
[0] https://hackingdistributed.com/2014/04/06/another-one-bites-...
[1] https://www.reddit.com/r/Bitcoin/comments/1wtbiu/how_i_stole...