
The Bitcoin malleability attack graphed hour by hour - kens
http://www.righto.com/2014/02/the-bitcoin-malleability-attack-hour-by.html
======
dangero
He mentions the timing of the MtGox announcement being odd. What happened at
MtGox was somewhat different. MtGox was submitting transactions that were
being rejected due to being malformed according to the latest Bitcoin client
software. What some users discovered is that they could correct the
malformation issues in the MtGox transactions causing them to go through, but
they could also change the hash transaction id, so that meant that not only
could they make the transfer go through, but they could do so while making
MtGox's software believe that it in fact had not gone through since MtGox was
using the transaction id hash to verify a transaction.

When a transaction was rejected by the Bitcoin network that MtGox sent, the
MtGox software would detect the rejection and immediately re-credit your
account for the attempted transfer amount. MtGox also had an API that allowed
you to see the exact contents of the transactions that they sent to the
Bitcoin network. This meant that what someone could do is just grab the
rejected transaction, fix the malformed portion, modify the transaction id
hash and resend the transaction, causing it to go through, but MtGox was
unaware of the successful transfer and would re-credit the account. The user
could then rinse and repeat over and over.

The interesting twist of this is that it means MtGox knows which user accounts
were used to steal coins from them since the malformed transaction could be
modified to change the transaction id hash, but the receiving bitcoin address
could not be modified without invalidating the transaction.

~~~
holychiz
If MtGox knows the thief's account, what can they do to remedy their losses?

~~~
dangero
Probably not much. It depends on if it's a hacked account or not, and then if
they do in fact know the identity of the hacker then it becomes a legal thing.
They can't do anything to revert the theft. It would be an interesting court
battle over bitcoins.

------
foolrush
Ignorant idiot here will assume the role of First Person That Finds This
Interesting But Has No Real Clue What It Means title.

Could someone outline loosely what the implications are of this in layperson's
terms?

Thanks.

~~~
exit
transactions, which move bitcoins from one address to another, must be signed
by the sending address.

however, not all parts of a transaction are signed. modifying those parts
allows one to create a valid transaction with the same bitcoin transferring
effect, but with a different overall hash.

the hash of the entire transaction is used as a transaction id.

so a modified transaction would have a different id.

some bitcoin management software (a wallet) loses track of transfers, because
those transfers don't occur under the transaction-id it expected.

the implication is that some bitcoin services could get confused about who
they've successfully sent bitcoins to.

an attacker could socially engineer a "robbery" by transmitting a mutation of
an official withdrawal transaction, then appealing to the helpdesk of that
service that their withdrawal never went through. it did go through - just
under a different transaction id.

~~~
paulgb
Thanks for taking the time to explain this, I've been curious myself.

Do you know why scripts aren't signed? I don't fully understand bitcoin but it
seems like they're an integral part of the transaction.

~~~
implr
scriptSig (the second part of the script) contains the signature - it can't
sign itself, but you can add other opcodes to it and that allows malleability.
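
Added example, not part of any comment in this thread: a sketch of how a service can reconcile withdrawals so that a mutated transaction is still recognised as the payment it sent, instead of being matched only by transaction id. It assumes legacy (pre-SegWit) serialization; `payment_key`, `reconcile`, `make_tx` and all sample bytes are hypothetical and constructed for illustration.

```python
import hashlib
import struct

def varint(n):
    return bytes([n]) if n < 0xfd else b"\xfd" + struct.pack("<H", n)

def serialize(tx, strip_scriptsig=False):
    # Legacy (pre-SegWit) transaction serialization.
    out = struct.pack("<I", tx["version"]) + varint(len(tx["inputs"]))
    for prev_txid, vout, script_sig, sequence in tx["inputs"]:
        script = b"" if strip_scriptsig else script_sig
        out += bytes.fromhex(prev_txid)[::-1] + struct.pack("<I", vout)
        out += varint(len(script)) + script + struct.pack("<I", sequence)
    out += varint(len(tx["outputs"]))
    for value, pk_script in tx["outputs"]:
        out += struct.pack("<q", value) + varint(len(pk_script)) + pk_script
    return out + struct.pack("<I", tx["locktime"])

def sha256d(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def txid(tx):
    # The transaction id is the double SHA-256 of the whole serialization.
    return sha256d(serialize(tx))[::-1].hex()

def payment_key(tx):
    # Hypothetical ledger key: same hash with every scriptSig emptied, so it
    # depends only on the spent outputs, recipients and amounts.
    return sha256d(serialize(tx, strip_scriptsig=True))[::-1].hex()

def reconcile(sent, confirmed):
    # sent: {withdrawal_id: tx as broadcast}; confirmed: txs seen in blocks.
    seen = {payment_key(tx): txid(tx) for tx in confirmed}
    status = {}
    for wid, tx in sent.items():
        found = seen.get(payment_key(tx))
        if found is None:
            status[wid] = "unconfirmed"  # the only state eligible for re-credit
        else:
            status[wid] = "confirmed" if found == txid(tx) else "confirmed-mutated"
    return status

# Constructed sample data: placeholder outpoint, scripts and signature bytes.
def make_tx(script_sig):
    return {"version": 1, "locktime": 0,
            "inputs": [("11" * 32, 0, script_sig, 0xffffffff)],
            "outputs": [(50_000, b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac")]}
SENT = make_tx(b"\x01" * 72)       # as broadcast by the service
MUTATED = make_tx(b"\x02" * 73)    # same transfer, different scriptSig bytes
```

A ledger that looks only for `txid(SENT)` would report this withdrawal as missing; keyed on `payment_key`, it is reported as `confirmed-mutated` and never becomes eligible for re-credit.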

------
jimktrains2
This isn't really an attack, is it? I mean, the money still gets from who it's
supposed to get from to who it's supposed to get to?

It's only an "attack" if your wallet software doesn't validate against the
recommended (iirc: to_addy, from_addy, amount, time-in-tx), correct?

~~~
kens
Yes, the modified Bitcoin transaction performs exactly the same transfer
between the same addresses. There is no double-spend as far as the Bitcoin
system is concerned since only one of the transactions will get confirmed by
miners.

Linguistic arguments are kind of pointless, but it's still an attack even if
they are just trying to disrupt the system and not steal anything. e.g. a
denial-of-service attack.

Various definitions of "attack" are at
http://en.wikipedia.org/wiki/Attack_(computing)

~~~
jimktrains2
But if you handle tx properly it doesn't disrupt your system.

~~~
sillysaurus2
The seriousness of this attack is that several major bitcoin services lost a
_lot_ of money because of it. It's an attack.

~~~
erikpukinskis
It's an attack, it's just not an attack on _Bitcoin_.

~~~
sillysaurus2
This is mincing words. It's an attack on bitcoin. Many major exchanges were
shuttered while they dealt with it, for example.

It's certainly not an attack on not-bitcoin, so therefore it's an attack on
bitcoin.

~~~
jimktrains2
There's an attack on credit cards because Target had a breach!

See, I can say ridiculous things too. Someone using bitcoins didn't follow
protocol and as such was scammed out of money. This isn't a bitcoins-protocol
issue, this is a people issue.

Note that the other exchanges are up now, very quickly after everyone stopped
to check themselves.

~~~
smackfu
The Target hack certainly disrupted the credit card system, by causing a lot
of reissued cards.

~~~
jimktrains2
That doesn't really disrupt the system though. It's not causing issues for
anyone who hasn't had their card canceled and reïssued.

------
jasonlingx
This is not an attack. If anything, it serves to make the bitcoin ecosystem
stronger. A course of anti-bionics if you like, forcing the network to build
up safeguards against the lack of understanding of this characteristic of the
protocol.

~~~
StavrosK
Ah, yes. X makes Y stronger, NOT-X also makes Y stronger. Can't have it both
ways, I'm afraid.

~~~
qbrass
You can if the transition from one to the other is what's doing the
strengthening.

