Breaking and Fixing Gridcoin.

Bitcoin has been hailed as a new payment mechanism, and is currently accepted by millions of users. One of the major drawbacks of Bitcoin is the resource intensive Proof-of-Work computation. Proof-of-Work is used to establish the blockchain, but this proof of work does not bring any benefits and arguably is a waste of energy. To use these available resources in a more meaningful way, several alternative cryptocurrencies have been presented. One of them is Gridcoin, which rewards the users for solving BOINC problems. Gridcoin currently possesses a market capitalization of $ 23,423,115. In our work we conducted the first security analysis of Gridcoin. We identified two critical security issues. The first issue allows an attacker to reveal all email addresses of the registered Gridcoin users. Even worse, the second issue gives an attacker the ability to steal the work performed by a BOINC user, and thus effectively steal his Gridcoins. These attacks have severe consequences and completely break the Gridcoin cryptocurrency. We practically evaluated and confirmed both attacks, and responsibly disclosed them to the Gridcoin maintainers. We developed backwards compatible design changes for the Gridcoin system, in order to protect users' trust into this promising approach.