github.com/decred/dcrd
Decred is a blockchain-based cryptocurrency with a strong focus on community
input, open governance, and sustainable funding for development. It utilizes a
hybrid proof-of-work and proof-of-stake mining system to ensure that a small
group cannot dominate the flow of transactions or make changes to Decred without
the input of the community. A unit of the currency is called a decred
(DCR).
Core software:
Bundles:
dcrd and dcrwallet
dcrd and dcrwallet
dcrd is a full node implementation of Decred written in Go (golang).
It acts as a fully-validating chain daemon for the Decred cryptocurrency. dcrd maintains the entire past transactional ledger of Decred and allows relaying of transactions to other Decred nodes around the world.
This software is currently under active development. It is extremely stable and has been in production use since February 2016.
It is important to note that dcrd does NOT include wallet functionality. Users who desire a wallet will need to use dcrwallet (CLI) or Decrediton (GUI).
The term 'full node' is short for 'fully-validating node' and refers to software that fully validates all transactions and blocks, as opposed to trusting a 3rd party. In addition to validating transactions and blocks, nearly all full nodes also participate in relaying transactions and blocks to other full nodes around the world, thus forming the peer-to-peer network that is the backbone of the Decred cryptocurrency.
The full node distinction is important, since full nodes are not the only type of software participating in the Decred peer network. For instance, there are 'lightweight nodes' which rely on full nodes to serve the transactions, blocks, and cryptographic proofs they require to function, as well as relay their transactions to the rest of the global network.
As described in the previous section, the Decred cryptocurrency relies on having a peer-to-peer network of nodes that fully validate all transactions and blocks and then relay them to other full nodes.
Running a full node with dcrd contributes to the overall security of the network, increases the available paths for transactions and blocks to relay, and helps ensure there are an adequate number of nodes available to serve lightweight clients, such as Simplified Payment Verification (SPV) wallets.
Without enough full nodes, the network could be unable to serve users of lightweight clients expediently, which could force them to rely on centralized services that significantly reduce privacy and are vulnerable to censorship.
In terms of individual benefits, since dcrd fully validates every block and transaction, it provides the highest security and privacy possible when used in conjunction with a wallet that also supports directly connecting to it in full validation mode, such as dcrwallet (CLI) and Decrediton (GUI). It is also ideal for businesses and services that need the most reliable and accurate data about transactions.
So, you've decided to help the network by running a full node. Great! Running dcrd is simple. All you need to do is install dcrd on a machine that is connected to the internet and meets the minimum recommended specifications, and launch it.
Also, make sure your firewall is configured to allow inbound connections to port 9108.
Binary releases are provided for common operating systems and architectures. The easiest method is to download Decrediton from the link below, which will include dcrd. Advanced users may prefer the Command-line app suite, which includes dcrd and dcrwallet.
Go 1.21 or 1.22
Installation instructions can be found here: https://golang.org/doc/install. Ensure Go was installed properly and is a supported version:
$ go version
$ go env GOROOT GOPATH
NOTE: GOROOT and GOPATH must not be on the same path. Since Go 1.8 (2016), GOROOT and GOPATH are set automatically, and you do not need to change them. However, you still need to add $GOPATH/bin to your PATH in order to run binaries installed by go get and go install (on Windows, this happens automatically).
Unix example -- add these lines to .profile:
PATH="$PATH:/usr/local/go/bin" # main Go binaries ($GOROOT/bin)
PATH="$PATH:$HOME/go/bin" # installed Go projects ($GOPATH/bin)
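The Go prerequisites above (a supported release, distinct GOROOT and GOPATH, and $GOPATH/bin on PATH) can be checked in one pass before building. The POSIX shell script below is an added example, not part of the dcrd repository; the function names are hypothetical, and "must not be on the same path" is interpreted here as the two values being different.

```shell
#!/bin/sh
# Preflight checks for building dcrd from source (added example).
# Supported Go releases, as listed on this page.
SUPPORTED_GO="1.21 1.22"

# go_version_supported "<output of 'go version'>"
# Succeeds when the major.minor release is listed in SUPPORTED_GO.
go_version_supported() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^go version go\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || return 1
    for s in $SUPPORTED_GO; do
        [ "$ver" = "$s" ] && return 0
    done
    return 1
}

# paths_distinct GOROOT GOPATH
# Succeeds when both are set and differ (trailing slash ignored).
paths_distinct() {
    a=${1%/}; b=${2%/}
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ]
}

# path_contains DIR PATHLIST
# Succeeds when DIR is an exact entry of the colon-separated PATHLIST.
path_contains() {
    case ":$2:" in
        *":${1%/}:"*|*":${1%/}/:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# preflight: run all three checks against the local toolchain.
preflight() {
    rc=0
    go_version_supported "$(go version 2>/dev/null)" ||
        { echo "unsupported or missing Go (want: $SUPPORTED_GO)" >&2; rc=1; }
    paths_distinct "$(go env GOROOT 2>/dev/null)" "$(go env GOPATH 2>/dev/null)" ||
        { echo "GOROOT and GOPATH must be set and differ" >&2; rc=1; }
    path_contains "$(go env GOPATH 2>/dev/null)/bin" "$PATH" ||
        { echo "\$GOPATH/bin is not on PATH" >&2; rc=1; }
    return $rc
}
```

Source the file and call preflight; a non-zero exit status means at least one prerequisite is not met.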
Git
Installation instructions can be found at https://git-scm.com or https://gitforwindows.org.
$ git version
PS> git clone https://github.com/decred/dcrd $env:USERPROFILE\src\dcrd
PS> cd $env:USERPROFILE\src\dcrd
PS> go install . .\cmd\...
PS> dcrd -V
Run the dcrd executable now installed in "$(go env GOPATH)\bin".
This assumes you have already added $GOPATH/bin to your $PATH as described in dependencies.
$ git clone https://github.com/decred/dcrd $HOME/src/dcrd
$ git clone https://github.com/decred/dcrctl $HOME/src/dcrctl
$ (cd $HOME/src/dcrd && go install . ./...)
$ (cd $HOME/src/dcrctl && go install)
$ dcrd -V
Run the dcrd executable now installed in $GOPATH/bin.
The project does not officially provide container images. However, all of the necessary files to build your own lightweight non-root container image based on scratch from the latest source code are available in contrib/docker.
It is also worth noting that, to date, most users typically prefer to run dcrd directly, without using a container, for at least a few reasons:
dcrd is a static binary that does not require root privileges and therefore does not suffer from the usual deployment issues that typically make containers attractive
dcrd from a container as compared to normal:
dcrd is designed to automatically create a working default configuration which means it just works out of the box without the need for additional configuration for almost all typical users
docker requires special care in regards to permissions
All tests and linters may be run using the script run_tests.sh. Generally, Decred only supports the current and previous major versions of Go.
./run_tests.sh
If you have any further questions you can find us at:
The integrated GitHub issue tracker is used for this project.
The documentation for dcrd is a work-in-progress. It is located in the docs folder.
dcrd is licensed under the copyfree ISC License.