Search content
Sort by
Showing 16 of 16 results by dorobotsdream
Re: DDos fix (malleability issue workaround) is ready! back to business :)
Actually, this is the fix. I'm already running it on my nodes.
https://github.com/bitcoin/bitcoin/pull/3025
https://github.com/bitcoin/bitcoin/pull/3025
This leaves me with some questions:
1. How long will it take for a new reference client version to make a real impact on the network?
2. What software do miners use? If they use other software how long will it take for that to be updated? Attackers could still try to plant mallified transactions by peering with miners using older software right?
3. What is to stop an attacker to hire his own mining equipment and stick mallified transactions in it? Or is this too expensive?
Re: What you need to know about Transaction mutability ...
PS, like your username. And, yes, they do -- of electric sheep. At least the androids.
Thanks. Or maybe they are counting Satoshi's.
Still, delaying a non canonical transaction to a later block wouldn't be a problem for miners, or would it? The original transaction should be there to mine also, unless it is a transaction which actually uses the capabilities of the script format and has a good fee. But then it wouldn't be a problem to mine it. And in the end it is in the interest of the miners when bitcoin functions well and is valued, because it increases the value of their reward.
Also the stick could be applied to keep miners that apparently prefer non canonical transactions for no valid reason and keep them from spending matured coins unless they mine them theirselves.
Re: What you need to know about Transaction mutability ...
I was under the impression that the Sign conversion / Modulo change of the signature was immediately obvious, because the default client would only choose positive R and S and there is only one other solution in the available length.
Only if it's immediately obvious that every user is using OpenSSL-linked bitcoin-qt. That's neither obvious nor true!
For example, the transactions I use to move coins in and out of cold storage are generated by a javascript client, since it can run on an "air-walled" laptop with no network connection. A lot of people do this. In that case the sign of the ECDSA signature depends on what javascript VM I'm using Standards are standards, especially for crypto -- never a good idea to start assuming people are using specific implementations.
Yes, but wouldn't it be beneficial to agree on a canonical signature with positive R and S that gets preferential treatment for mining? Otherwise with your change hanging on confirmations, you could get severely limited in exchanging digital coins which supposedly are the new fast thing.
Re: What you need to know about Transaction mutability ...
Wouldn't there be some way to discourage miners from solving a block with malleated (or should I say mallified :-) ) transactions?
No, it is not possible. Some forms of transaction mutation, like the ECSDA sign-inversion mutation, can't be distinguished from the original even if you have both of them side-by-side.
There are other forms of mutation involving alterations to the script. There have been proposals to prohibit obviously-mutated scripts (like scripts with a bunch of no-ops stuck on the end), but going beyond the obviously-mutated scripts risks accidentally banning useful scripts or future uses of the script system not currently foreseen.
A middle ground is to come up with rules for preferred transactions (ECDSA sig has the preferred sign, DER encoding, only very basic scripts) and hold any non-preferred transactions until the next block to see if a preferred spend of the same outputs shows up. But you can't force miners to do this and it's slightly contrary to their interests since they'd have to forego the transaction fee. Cooking up new rules also isn't the sort of thing you want to do in a crisis like the current situation.
I was under the impression that the Sign conversion / Modulo change of the signature was immediately obvious, because the default client would only choose positive R and S and there is only one other solution in the available length.
Maybe the majority of miners could cooperate to block the spending of matured coins from a coinbase of a block that contains more then the usual share of malleated transactions by not accepting it in a block for mining. Then the original miners would have to spend a double effort to spend their coin.
Re: What you need to know about Transaction mutability ...
Wouldn't there be some way to discourage miners from solving a block with malleated (or should I say mallified :-) ) transactions?
If there is less of a reward, it might not be worth the energy or investment, and if malleated transaction do not get mined, they would be pointless, wouldn't they?
If there is less of a reward, it might not be worth the energy or investment, and if malleated transaction do not get mined, they would be pointless, wouldn't they?
Re: Explain the gox transaction malleability issue like you are five
Code:
2 + 3 = 5
is a mathematically true statement.Code:
2 + 3 + 0 = 5
is mathematically true, and in fact is the same statement.They've got different hash values though, because hash functions care about binary representations, not mathematical equivalence.
Good oneIf you compare the signature on the bitcoin transaction (on an input of it actually, like a transaction is composed of multiple checks.) with a traditional
wet handwritten signature, then the malleability is like the signature being done in another color of ink. A grafologist would still conclude that the purported sender could have made that signature, if he didn't know that the real sender always used a very specific color and composition of ink. I am wondering if people here can show what the real Mt. Gox transactions looked like, or if we can work that out ourselves.
Actually I have three outgoing transactions that I know to have been from Mt. Gox. I have looked at the script data. It is kind of interesting.
The first two on 23rd and 24th of january actually have negative R and S value of the signature, this means that they have one leading 0 byte and the highest bit set (as they should for negative values). This is a non-canonical signature but valid.
The third transaction on the 31st of january has positive R and S values, so would be canonical.
The IP addresses that transmitted them were involved in a lot of other transmits but they all stopped transmitting on the 4th of february (or blockchain has dropped collecting them?). They are three distinct ip-addresses.
https://blockchain.info/en/tx/5a8464c4e91af71cf77b5cf3f13eca4c5f6e064d4d2cede4037669b839d3d8a4
https://blockchain.info/en/tx/d19141769fca9e484616b373a6a0cef234dfda80275a012d2753e1d2b03e7d22
https://blockchain.info/nl/tx/927f3fd7aab1ad8700ed841d07385ccfb2506c3f8bcbfcc17c25e7d2b40988b0
What were the true Mt. Gox transactions, the non canonical ones or the canonical one? Is the canonical one really a mutated transaction, or did Mt. Gox use the standard client for it?
Anyone?
Actually I have three outgoing transactions that I know to have been from Mt. Gox. I have looked at the script data. It is kind of interesting.
The first two on 23rd and 24th of january actually have negative R and S value of the signature, this means that they have one leading 0 byte and the highest bit set (as they should for negative values). This is a non-canonical signature but valid.
The third transaction on the 31st of january has positive R and S values, so would be canonical.
The IP addresses that transmitted them were involved in a lot of other transmits but they all stopped transmitting on the 4th of february (or blockchain has dropped collecting them?). They are three distinct ip-addresses.
https://blockchain.info/en/tx/5a8464c4e91af71cf77b5cf3f13eca4c5f6e064d4d2cede4037669b839d3d8a4
https://blockchain.info/en/tx/d19141769fca9e484616b373a6a0cef234dfda80275a012d2753e1d2b03e7d22
https://blockchain.info/nl/tx/927f3fd7aab1ad8700ed841d07385ccfb2506c3f8bcbfcc17c25e7d2b40988b0
What were the true Mt. Gox transactions, the non canonical ones or the canonical one? Is the canonical one really a mutated transaction, or did Mt. Gox use the standard client for it?
Anyone?
Re: Explain the gox transaction malleability issue like you are five
...
Malleability is a potential and hypotheticalissue nuisance, which only became possible to exploit at MtGox for two reasons: because Gox failed to correctly implement Bitcoin specification properly, and also because it failed to implement proper workarounds for this issue. You correctly pointed out second reason, but the first is more important to point out, in my opinion, because this is why other exchanges are much less likely to be affected, if likely at all.
Gox didn't follow the specification, which required tx signature to be encoded with ASN1/DER encoding. This requirement was specified in April 2011: https://en.bitcoin.it/wiki/Protocol_specification#Signatures
Instead they used some sloppy format which was not DER encoding but was still accepted by SSL library and old reference client. When tighter checks were implemented in bitcoin reference client (the main reason for which was actually to prevent malleability issue), their transactions, which violated bitcoin spec, were rejected. Basically, their transactions looked like what hackers would employ to exploit this issue. That allowed hackers to pick these rejected transactions up, malleate them to "fix" the signature format, and re-submit. Ironically, hackers were helping MtGox to propagate their malformed transactions through the network.
Malleability is a potential and hypothetical
Gox didn't follow the specification, which required tx signature to be encoded with ASN1/DER encoding. This requirement was specified in April 2011: https://en.bitcoin.it/wiki/Protocol_specification#Signatures
Instead they used some sloppy format which was not DER encoding but was still accepted by SSL library and old reference client. When tighter checks were implemented in bitcoin reference client (the main reason for which was actually to prevent malleability issue), their transactions, which violated bitcoin spec, were rejected. Basically, their transactions looked like what hackers would employ to exploit this issue. That allowed hackers to pick these rejected transactions up, malleate them to "fix" the signature format, and re-submit. Ironically, hackers were helping MtGox to propagate their malformed transactions through the network.
I have looked up the change logs of the Bitcoin client of the previous year, and I have yet to find any sign that the client switched to more stringent checks. There are some code changes on github that you referred to earlier, but even if those made it into the default client they wouldn't go as far as to fix the problem, because these code changes still leave open lots of room for malleability. But with access to good mining equipment it would be somewhat easy to race the original transaction being transmitted on the bitcoin network with your manipulated version.
I would still like to see an actual instance of the original Mt. Gox transaction and the transaction that got in the blockchain instead and who mined that.
Re: BREAKING NEWS: Multiple Exchanges Affected - Possible Global Shutdown
Do these attackers still believe they can dupe sender into sending coins twice or are they just out to create havoc and force a drop in prices. Somewhere I guess people are putting large buy orders on low prices.
Re: New Mt Gox Press Release - Feb 10 - they are claiming flaw in bitcoin protocol !
If Mt. Gox really has been defrauded, then they must be able to present us with one of their outgoing transactions (obviously from before their statements) incorporated in the blockchain where the scriptIn does not follow their normal pattern.
Either extra operations would have been included in the scriptIn, the format of the pubkey would use a different format or the signature would be non-canonical or it's DER representation. I am assuming that they would use an automated did we really pay this script to update their checkbooks, and that it could have been fooled by any of these manipulations.
There would still need to be some party involved in changing this part of the transaction (wittingly or not) and some client with a Mt. Gox account making use of the changed transaction to later seduce Mt. Gox into paying twice.
Either extra operations would have been included in the scriptIn, the format of the pubkey would use a different format or the signature would be non-canonical or it's DER representation. I am assuming that they would use an automated did we really pay this script to update their checkbooks, and that it could have been fooled by any of these manipulations.
There would still need to be some party involved in changing this part of the transaction (wittingly or not) and some client with a Mt. Gox account making use of the changed transaction to later seduce Mt. Gox into paying twice.
Re: New Mt Gox Press Release - Feb 10 - they are claiming flaw in bitcoin protocol !
That's not actually a Bitcoin double-spend, though.
This. Quit talking about double spending, this is confusing. Notice that MtGox communication don't talk about double spend at all, either.It's just a voluntary MtGox double send.
Yes, that is a more apt naming for it.
I just examined an outgoing transaction from Mt. Gox that I made earlier and how it got noted in the blockchain. Their regular scriptIn seems to be with an uncompressed pubkey. Anyone seen different scriptIns from Mt. Gox?
Re: New Mt Gox Press Release - Feb 10 - they are claiming flaw in bitcoin protocol !
I haven't read this entire thread yet, but is this true? The TX ID can be modified and re-broadcast to effectively double-spend?
It's not true. Both versions of the transaction will have the same inputs, outputs and amounts; they are two different ways of expressing the same transaction, and only one will be accepted by the network, so there is no double-spend. No-one should care which version of the transaction gets accepted. (MtGox did care, and that's their mistake.)I think this txid mutability doesn't cause double-spend by itself. But if the sender (i.e. Mt. Gox) thinks (erroneously) the coins didn't arrive because they didn't see the txid and somebody complained and they did the spend again, then it depends. If the sending address still holds enough coin, or if they use a different address then the sender does a double-spend. It could be that somebody acquired knowledge of their accounting flaw and used it to their advantage.
This is just poor bookeeping on Mt.Gox side.
If 5 BTC is sent from address X to address Y, then it will be permanently on record in the block chain. Does not matter which TXID was used.
That is true. But if Mt. Gox used a shortcut to finding out if THEIR transaction to Y went through by comparing txid in the blockchain with their originally created txid, then they would miss the transaction having gone through. Someone making use of this shortcut flaw (probably the one who caused the difference txid? Or could it have naturally occurred (experts?)) could have convinced Mt.Gox to then double spend.
Re: New Mt Gox Press Release - Feb 10 - they are claiming flaw in bitcoin protocol !
I haven't read this entire thread yet, but is this true? The TX ID can be modified and re-broadcast to effectively double-spend?
It's not true. Both versions of the transaction will have the same inputs, outputs and amounts; they are two different ways of expressing the same transaction, and only one will be accepted by the network, so there is no double-spend. No-one should care which version of the transaction gets accepted. (MtGox did care, and that's their mistake.)I think this txid mutability doesn't cause double-spend by itself. But if the sender (i.e. Mt. Gox) thinks (erroneously) the coins didn't arrive because they didn't see the txid and somebody complained and they did the spend again, then it depends. If the sending address still holds enough coin, or if they use a different address then the sender does a double-spend. It could be that somebody acquired knowledge of their accounting flaw and used it to their advantage.
Re: New Mt Gox Press Release - Feb 10 - they are claiming flaw in bitcoin protocol !
...
But if it did occur, then a spend with the same input,output and quantity should have shown up to the receiver address right? Just not with the original txout. It wouldn't explain a transaction delay where nothing is transacted or would it?
Let me explain further, ppl dont receive their coins isnt because of this. Its because Gox system (bookkeeping) got messed up and send out non available coins since all tx are chain-linked.
Ok, so they sent out some coins. Then because they didn't see the txout in the blockchain (whether by helpful or malicious use of malleability), they considered the coins not spent and kept trying to send out the same coins that were not theirs anymore, blowing up their whole accounting system?
Given my own experience this must have been going on already on the 28th of january.
Re: New Mt Gox Press Release - Feb 10 - they are claiming flaw in bitcoin protocol !
Quote
from gmaxwell
21 January 2013
And you'll note that page is citing a forum thread from 2011. Bitcoin v0.8 rolled out the first round of fixes to eventually remove malleability way back then too... and we've seen bouts of amounts of malleability use on the network, back in 2012 if not sooner I haven't grepped my logs.
21 January 2013
And you'll note that page is citing a forum thread from 2011. Bitcoin v0.8 rolled out the first round of fixes to eventually remove malleability way back then too... and we've seen bouts of amounts of malleability use on the network, back in 2012 if not sooner I haven't grepped my logs.
I overlooked the 2013
But if it did occur, then a spend with the same input,output and quantity should have shown up to the receiver address right? Just not with the original txout. It wouldn't explain a transaction delay where nothing is transacted or would it?
Re: New Mt Gox Press Release - Feb 10 - they are claiming flaw in bitcoin protocol !
The malleability issue seems real enough. Something was published on it on 21 january on bitcoin.it, maybe someone had to try it out...
That said I did a withdrawal on 28th january from Mt. Gox (and it was taken from my balance on 28th january). It failed to get in to the receiver until 31st january after I had complained about it with their support. Blockchain.info did not show any transaction coming in to the receiver address on the 28th of january with the original txout or with anything different. The support ticket went unanswered until after the transaction was finally done (on the 31st of january). The answer when it did come on the 5th of february claimed that some users were experiencing delays in withdrawals and that I had to rest assured that this was only affecting limited users and transactions.....
I was immediately distrustful of this statement, and this weekends saga much confirms it.
That said I did a withdrawal on 28th january from Mt. Gox (and it was taken from my balance on 28th january). It failed to get in to the receiver until 31st january after I had complained about it with their support. Blockchain.info did not show any transaction coming in to the receiver address on the 28th of january with the original txout or with anything different. The support ticket went unanswered until after the transaction was finally done (on the 31st of january). The answer when it did come on the 5th of february claimed that some users were experiencing delays in withdrawals and that I had to rest assured that this was only affecting limited users and transactions.....
I was immediately distrustful of this statement, and this weekends saga much confirms it.