Weak isolation levels allowed to steal BTC using plain SQL

Weak isolation levels allowed to steal BTC using plain SQL(blog.ydb.tech)

15 points by eivanov89 1 year ago | 5 comments

eatonphil 1 year ago |

I love the reference to the ACIDRain paper in there.

> They analyzed “12 popular self-hosted eCommenrce applications written in four languages and deployed on over 2M websites” and identified and verified “22 critical ACIDRain attacks that allow attackers to corrupt store inventory, over-spend gift cards, and steal inventory”. According to the paper, “Of the 22 vulnerabilities, five were level-based, meaning that the default weak isolation level led to the anomalies behind the vulnerabilities.

http://www.bailis.org/papers/acidrain-sigmod2017.pdf

PreInternet01 1 year ago |

The submitted title deviates from that of the linked post ("Do we fear the serializable isolation level more than we fear subtle bugs?") and, having read the source, I'm not even sure if it's even close to accurate...

eivanov89 1 year ago | |

Sorry, might be that the title is a little bit inaccurate. However, the post indeed describes multiple cases, when attackers have stolen many BTC from the exchanges, because of the issue with a weak isolation level. Moreover, one of the exchanges was totally ruined because of that.

PreInternet01 1 year ago | | |

Well, then maybe write a blog post explaining exactly what happened here and submit that?

Because, even having re-read the article you linked, it does not support the conclusion that "[an] exchange[...] was totally ruined because of [weak isolation]" at all?