Just P2Pool, just casually holding 100,000 Stratum connections without breaking a sweat

Just P2Pool, just casually holding 100,000 Stratum connections without breaking a sweat

100,000 simulated mining rigs - each has its own hashrate and submits mining jobs, just like XMRig - no real mining of course, I don't have 200 MH/s :)

More than 3,000 messages per second on Stratum, each message gets replied in less than 0.1 ms - 99th percentile (p99) = 0.1 ms.

All this on a regular laptop, I call it a success :)

Previous P2Pool versions were struggling with more than 10k connections, but I found the source of performance issues and fixed it.

Next release (v4.18) will have these optimizations.

u/sech1 — 4 days ago
▲ 138 r/MoneroMining+3 crossposts

P2Pool vulnerability is being actively exploited, update to v4.16 NOW

Update: P2Pool-main has been attacked too, today (June 16th) at 00:02:46 UTC - see the log https://p2pool.io/p2pool_main_attack.log.xz All P2Pool miners, you must update to v4.16 immediately if you don't want to mine to the attacker's wallet! Update here: https://github.com/SChernykh/p2pool/releases/latest

Update 2: Me and DataHoarder are currently running a counter-attack by mining malformed blocks ourselves - to hijack the payouts from the attacker and redistribute them to miners later. Currently doing it on p2pool-mini. We will ask the community for more hashrate later, once everything is set up properly.

Both P2Pool Mini / Nano older chains (that did not upgrade to P2Pool v4.16) have been exploited by an unknown attacker targeting the vulnerability patched: https://github.com/SChernykh/p2pool/security/advisories/GHSA-fm6j-gf38-p925

P2Pool Main is probably having the attacker wait to mine a share.

Upgrade as soon as possible https://github.com/SChernykh/p2pool/releases/tag/v4.16

More than half of P2Pool Mini/Nano are still not updated, so their hashrate was lost to the attacker:

https://preview.redd.it/ofujl1orzd7h1.png?width=1613&format=png&auto=webp&s=3c863342a427fb0022fadb8a707faffc9dfc4484

reddit.com
u/EmperorBale — 22 days ago
▲ 135 r/MoneroMining+1 crossposts

PSA: Critical P2Pool security update

A critical vulnerability has been discovered in all currently released P2Pool versions.

This is a P2Pool consensus bug that can allow an attacker to affect the calculated payouts of miners - up to the whole block reward going to the attacker.

To avoid facilitating exploitation, no technical details will be published at this time. The vulnerability does not enable RCE (remote code execution), node crashes, or resource-exhaustion attacks. However, affected nodes remain financially vulnerable until updated.

A patched P2Pool release will be published on 2026-06-13 (this Saturday) at 15:00 UTC. All users must update as soon as the release becomes available.

15:00 UTC is 8am US west coast, 11am US east coast, 17:00 in most of Europe, 23:00 in China, midnight in Japan, 1am (June 14th) in Australia

Anyone continuing to run an older version after that time risks losing mining payouts if the vulnerability is exploited. Note that mining payouts which are already in your wallet are safe. Updating is strongly recommended even if your node appears to be operating normally.

Source code, signed binaries, checksums, and upgrade instructions will be published through the official P2Pool release channels only - https://github.com/SChernykh/p2pool/releases

Download releases only from the official page and verify all downloaded files before installation.

Because P2Pool is open source, the fix will become visible once published. A capable attacker may be able to develop an exploit within hours, leaving miners who have not updated exposed.

It is essential that you are available to update promptly at the time of the release, or have a carefully tested automatic update process that downloads, verifies, and installs the official release.

Further technical details will be disclosed after sufficient adoption of the patched release.

We are continuously monitoring the network and have reviewed the available historical logs. We have found no evidence that this vulnerability has been exploited.

P.S. Gupax users: you will be able to update p2pool in the setting tab on the "updates" sub-menu. By default you will also get a notification about the new release.

u/sech1 — 28 days ago