There is a vulnerability found in the majority of stratum mining protocol implementations. I've published the disclosure of this bug a few weeks ago.
Why did you make a public disclosure in Russian of a security bug in software written and maintained by people who probably don't understand Russian?
The proper procedure for such things is to privately get in touch with the maintainers so they have an opportunity to fix it before public disclosure, especially for bugs easily exploited.
The vulnerability is caused by an incorrect uniqueness-verification algorithm. Instead of checking raw solutions, most of the pools do this by checking the hex-encoded representation. This allows a miner to create multiple versions of the same share by applying an uppercase function to the hex-encoded solution.
This vulnerability seems intentionally made, i.e. a backdoor. The simplest workaround is to use the lower() method:
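The weak duplicate check described above next to a hardened version, as an added example that is not code from stratum-mining, eloipool, node-stratum-pool or this thread. The class names, the `submit()` interface and the sample share value are constructed for illustration; a real pool would key the seen-set per job as well.

```python
import binascii


class HexStringShareTracker:
    """Vulnerable pattern from the thread: uniqueness is checked on the
    hex-encoded string, so 'deadbeef' and 'DEADBEEF' count as two shares."""

    def __init__(self):
        self.seen = set()

    def submit(self, solution_hex: str) -> bool:
        """Return True if the share is accepted as new, False if duplicate."""
        if solution_hex in self.seen:
            return False
        self.seen.add(solution_hex)
        return True


class RawShareTracker:
    """Hardened pattern: decode to raw bytes before comparing. Decoding also
    rejects submissions that are not valid hex, which lower() alone would not."""

    def __init__(self):
        self.seen = set()

    def submit(self, solution_hex: str) -> bool:
        try:
            raw = binascii.unhexlify(solution_hex)
        except (binascii.Error, ValueError):
            return False  # malformed submission: reject rather than store
        if raw in self.seen:
            return False
        self.seen.add(raw)
        return True


def demo():
    """Submit three case-variants of one constructed share to both trackers and
    return how many each one accepted as 'new'."""
    share = "0a1b2c3d"  # constructed sample solution, not a real share
    variants = [share, share.upper(), "0A1b2C3d"]
    vulnerable = HexStringShareTracker()
    hardened = RawShareTracker()
    accepted_vulnerable = sum(vulnerable.submit(v) for v in variants)
    accepted_hardened = sum(hardened.submit(v) for v in variants)
    return accepted_vulnerable, accepted_hardened


if __name__ == "__main__":
    print(demo())  # vulnerable accepts all 3, hardened accepts 1
```

Normalising with `solution_hex.lower()` before the set lookup, as the post suggests, closes the case-variant hole; comparing the decoded bytes goes one step further by also refusing non-hex input, and is the cheaper choice if the pool already decodes the share to validate it.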
While it's a pretty stupid bug, I don't think I'd automatically assume malice.
As far as I know, stratum-mining/eloipool/node-stratum-pool are vulnerable.
Why do you say Eloipool is affected? It checks for duplicate submissions in binary.