
Addressing Transaction Malleability - nopsleds
https://www.mtgox.com/press_release_20140210.html
======
maaku
This is incompetence on the part of MtGox.

It is not even clear that the malleability problem is solvable. Besides the
problem that there are innumerable ways to transform a transaction to give it a
different hash without affecting scriptSig validity, it is simply unknown
whether it is possible to algebraically transform an elliptic curve signature
without invalidating it. If so, then no matter what you do to cover up the
other holes, that gaping one is left open.

Transactions are malleable. Deal with it. If a transaction is observed on the
network that has the same input outpoints and the same outputs, it is the same
transaction, and mtgox should treat it as such. This is a simple check to do,
and trivial to automate.

And instead of reporting only the hash to the user, they should record,
report, and track the transaction itself. You should be able to go to your
withdraws and see the actual transaction, including which inputs were used,
and what the change address is. You can then go to any block chain service and
verify for yourself if/when those same outpoints are spent in a modified
transaction.

This is MtGox's problem, not bitcoin's.

~~~
nwh
Eh well, it is Bitcoin's problem in that it's not meant to ever happen. Mt
Gox's implementation is based on what is _meant_ to happen in the network
(transaction IDs can not change) rather than what _does_ happen (signatures
with weird padding are accepted). The network as of late version doesn't relay
these either, I seem to remember reading, so it's a problem that's being
intentionally reduced.

~~~
maaku
This is not a recently discovered "problem." This is how bitcoin has always
worked. Even before the OpenSSL signature encoding malleability discovery, it
was always known that you could add a NOP instruction to a scriptSig, for
example, to change the txid without affecting the signature (as the scriptSig
is not covered by the signature, for obvious reasons). From the very first day
that Bitcoin was released, it was known to anybody who looked at the code that
transaction IDs could be changed without affecting signatures.

~~~
nwh
From the references on the forum, it looks like the issue wasn't really
discovered or considered until mid 2011. The developers comment on their
active involvement in closing this up, so it's probably reasonable to expect
that it's not intended or desirable.

[https://bitcointalk.org/index.php?topic=8392.msg122410#msg12...](https://bitcointalk.org/index.php?topic=8392.msg122410#msg122410)

~~~
pmorici
It's Feb. 2014; the issue has been known since at least May 2011. In other words,
people have known about this for about 3 years. My vote is still on Mt.Gox
incompetence.

------
saurik
It seems to me the trivial solution (ok, "hack") for this problem is to
construct a new bitcoin address for every withdrawal that is used as a staging
ground and one-time "identity" for the transaction. So like, rather than MtGox
sending a hundred bitcoin to a user's address, and then having to sort-of-fail
to detect the transaction as it gets mutated, it sends the money to a
temporary address and then empties the temporary address into the user's
target address.

Now, any transaction coming from that temporary address (which can also be
told to the user as "expect the money to come from this address", which might
be separately useful for purposes other than transaction proofing) can be
considered to be the transaction in question: the computed hash of the
transaction is irrelevant.

Of course, I should not be able to solve this problem after two minutes of
thinking about it; so: anyone mind teaching me what I'm missing? I can't
imagine I could come up with a solution this simple so quickly to a problem
that is apparently so well known and so problematic to such an established
player in this space ;P.

~~~
sillysaurus2
MtGox made the right decision in shutting off withdraws and not implementing
hacks. It's important for this problem to be solved once and for all.

MtGox made a very bad decision in its choice of wording in this press release.
It shouldn't have framed this as a "design flaw." The only reason this
happened was because of MtGox's custom software. No one else was affected. By
definition, that's not a design flaw.

~~~
Anderkent
Uhm, no, this is definitely a design flaw. It violates the principle of least
surprise for no reason other than "we didn't think of it at the time". That's
pretty much the definition of a design flaw.

------
sillysaurus2
Can I catch a break?

[http://news.ycombinator.com/item?id=6926472](http://news.ycombinator.com/item?id=6926472)

[http://news.ycombinator.com/item?id=7195024](http://news.ycombinator.com/item?id=7195024)

[http://i.imgur.com/5TAwopR.png](http://i.imgur.com/5TAwopR.png)

There are few times in my adult life I've felt like crying actual tears, but
this is one of them.

Four times since that first comment, the bitcoin price has recovered to
$1,000, then dipped back down again. Four times I didn't sell.

The silver lining is that Gox's explanation is correct on a technical level.
There is every reason to believe this explanation to be true. This isn't
(just) me being hopeful; this is because if you investigate whether it's true,
you'll find out it is true. For further details see
[https://news.ycombinator.com/item?id=7203544](https://news.ycombinator.com/item?id=7203544)

Since I've only been able to withdraw 3.4 bitcoin, I'm at the mercy of Gox.
It's entirely possible that I'll wind up with less than $1,000, from $11,000.
An expensive life lesson, but at least it's recoverable.

EDIT: I apologize if this comment didn't contribute anything. I sometimes use
HN for moral support. I'm just shocked at what's happened.

EDIT2: This surely shouldn't be the top comment... it's important to get
information out to people in a crisis situation like this. This was just me
being sad and gathering information from those more experienced. Thank you
though.

~~~
davidw
I suppose it is viscerally obvious to you at this point, but putting money
into something like Bitcoin should be considered one step up from putting it
all on 31 and letting it ride: don't do it with money you consider important.

~~~
coldtea
I don't get why people who don't trust banks go and deposit money to the first
BS "service" that's a guy and his dog, implemented in 2 weeks, full of holes
and bugs, and with nothing much as financial assurances and security that
you'll even get your money out.

~~~
pjc50
Because banks are "the Man", while bitcoin is "one weird trick .. bankers hate
it!" Social proof by negative.

The crypto also triggers a geeky faith in technology. Because the crypto _is_
sound, it's just the way it's being used is problematic. And the institutions
around it are very flaky, but geeks _hate_ institutional politics and dream of
eliminating it by technological fiat.

------
krelian
Well technically this is a "technical issue" but let's not fool ourselves to
believe that Mtgox is holding out withdrawals just to be on the safe side. If
they are doing this then it means they were subject to an attack involving
this bug. How much did this attack hurt MTgox financially?

~~~
Anderkent
Probably not that much.

However, it must have really messed up their internal accounting. The problem
isn't that they don't have the money - the problem is that they don't know
which of the outputs that they own have been used, and which haven't. They
have to fix the bug, parse the blockchain, consolidate that with their
internal records of ownership, figure out which pending withdrawals have been
fulfilled, which haven't, which have been paid twice...

There's a lot of things to do there, and they all need to be fixed before they
can tell if a new withdrawal is legit.

~~~
pmorici
"The problem isn't that they don't have the money"

They didn't address that in their statement. They may not even know themselves
yet how much they were taken for. With the high number of transactions that
were failing in the days leading up to the withdrawal halt it's pretty clear
someone was exploiting this to double withdraw. Something was almost certainly
taken; the question is how much and can they recover.

------
VMG
Thread on bitcointalk.org Dev subforum:
[https://bitcointalk.org/index.php?topic=458076.0](https://bitcointalk.org/index.php?topic=458076.0)

~~~
VMG
Core dev Gregory Maxwell's response to MtGox statements from IRC:

[http://www.cryptocoinsnews.com/2014/02/10/mt-gox-blames-bitcoin-core-developer-greg-maxwell-responds/](http://www.cryptocoinsnews.com/2014/02/10/mt-gox-blames-bitcoin-core-developer-greg-maxwell-responds/)

Excerpt:

_< gmaxwell> The Gox press release seems a little 'spun' to me. They portray
characteristics of the Bitcoin system well known since at least 2011 (which
even have their own wiki page) as something new._

_These characteristics are annoying but don't inhibit basic operation. They are
slowly being fixed, but fixing them completely will likely take years as they
require changing all wallet software. Correctly-written wallet software can
cope with the consequences, and I cannot understand why they would gate their
withdraws on external changes._

------
mathrawka
So the problem is that they are not tracking inputs and outputs, but relying
on the transaction ID. This transaction ID can be changed while keeping the
signatures valid. The inputs and outputs will _not_ be changed.

It sounds like they need to just watch for duplicate transactions as the
protocol is built to prevent those.
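
The check maaku describes above (same input outpoints and same outputs means the same transaction) and the duplicate watch mathrawka suggests here, as an added example that is not code from the thread or from MtGox: a withdrawal ledger keyed on what the signature commits to rather than on the txid, so a malleated copy is recognised as the same payment instead of a missing one that gets resent. All names and sample values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

Outpoint = Tuple[str, int]   # (txid of the output being spent, output index)
Output = Tuple[str, int]     # (destination address, amount in satoshi)

@dataclass(frozen=True)
class Tx:
    txid: str                     # hash of the full serialization, scriptSig included
    inputs: Tuple[Outpoint, ...]
    outputs: Tuple[Output, ...]

def payment_key(tx: Tx) -> tuple:
    """Identity that survives malleation: with SIGHASH_ALL the signature commits to
    the ordered outpoints and outputs, while the scriptSig encoding (hashed into the
    txid but not covered by the signature) is free to vary."""
    return (tx.inputs, tx.outputs)

class WithdrawalLedger:
    def __init__(self) -> None:
        self.pending: Dict[tuple, str] = {}   # key -> txid we broadcast
        self.settled: Dict[tuple, str] = {}   # key -> txid that actually confirmed

    def broadcast(self, tx: Tx) -> None:
        self.pending[payment_key(tx)] = tx.txid

    def observe_confirmed(self, tx: Tx) -> str:
        """Classify a transaction seen confirmed on the network."""
        key = payment_key(tx)
        if key not in self.pending:
            return "unknown"                  # not a withdrawal of ours
        original = self.pending.pop(key)
        self.settled[key] = tx.txid
        return "settled" if tx.txid == original else "settled-malleated"

    def needs_resend(self, tx: Tx) -> bool:
        """True only if no pending or settled payment spends these outpoints."""
        key = payment_key(tx)
        return key not in self.settled and key not in self.pending

def demo() -> Tuple[str, bool, bool]:
    # Constructed sample: a txid lookup would report the malleated copy as "not found".
    original = Tx("aaaa1111", (("prevtx01", 0), ("prevtx02", 3)),
                  (("1CustomerAddr", 100_000_000), ("1ChangeAddr", 4_990_000)))
    malleated = Tx("bbbb2222", original.inputs, original.outputs)  # same spend, new txid
    ledger = WithdrawalLedger()
    ledger.broadcast(original)
    status = ledger.observe_confirmed(malleated)
    return status, payment_key(original) in ledger.settled, ledger.needs_resend(original)
```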

~~~
laichzeit0
So what's the use of tx id's at all then? I mean practically speaking, since
they're mutable? I'm thinking of an analogy here but I can't. It's like a git
commit hash, but you're "allowed" to append some whitespace to the end of a
file so you can keep mutating the hash but it's the "same" commit.

I don't really see a use for tx ids if they keep the spec as-is then or am I
missing something?

------
TomGullen
This is what MtGox should have done over 6 months ago:

- Given $100k or however much it costs to 1-2 top quality devs to write a new
exchange from the ground up. Very basic functionality, focus on efficiency and
reliability.

- Take MtGox.com offline for a few hours

- Port all user accounts over to the new system

- Launch MtGox v2.

It blows my mind the total level of incompetence, wasted opportunity and lack
of common sense MtGox have shown. Literally sitting on a money making factory
and they didn't get their shit together for such a long period of time.

They do not deserve all the forgiveness the market gives them, they are past
the stage of a "bad apple" now and need to die for Bitcoin to move forwards.

------
dexcs
I wonder how many other bugs the protocol has. I bet it's not the only one.
Maybe I should scan the issues list on github and sell every time an issue is
opened...

~~~
nwh
There's not that many, this particular one has been known for some time. Most
seem to be legacy issues (OP_RETURN used to return true when it should be
false) or quite reasonable misunderstandings (the lock limit for the BIP50
chain fork was tested, but not fully).

[http://en.bitcoin.it/wiki/Transaction_Malleability](http://en.bitcoin.it/wiki/Transaction_Malleability)

------
freakyterrorist
So the question now becomes how much did this bug cost MT Gox in incorrect
refunds. Could this have the ability to affect their solvency?

~~~
stp-ip
And even if they didn't notice it right away. It takes a lot of effort to race
an unconfirmed transaction and let the coins get respend (double the actual
withdraw in your address). Especially when mtgox lets you verify your account
with your official documentation. Additionally with the fees generated just
today they would cover 500 Bitcoins in losses just from one day revenue.

------
oleganza
Explanation on what happened in simple terms:
[http://blog.oleganza.com/post/76213549017/mtgox-and-malleable-transactions](http://blog.oleganza.com/post/76213549017/mtgox-and-malleable-transactions)

------
snitko
It seems people in the chatroom and on reddit don't buy this. Blaming their
inability to withdraw money for customers on the Bitcoin protocol? And somehow
all other exchanges are doing fine? Super suspicious.

~~~
sekasi
Huh what? what do people in chatrooms and reddit have to do with anything? If
that's your choice of credible information then life must be very dark.

If you follow the article you'll find that some of the core bitcoin team is
confirming the flaw.

But maybe reddit is right. Clearly.

~~~
jawr
How is the article any more credible than reddit or chatrooms? If by chatrooms
he is referring to IRC, then there are hundreds of credible people/rooms
there, some that I would trust far more than Mt. Gox directly.. Reddit is the
same, it's just another forum of communication.

~~~
sekasi
Core bitcoin team member.

moar credibility than <randomguy15> on any irc/dark/use-net I can think of.

~~~
jawr
The guy I just spoke to on IRC is also part of the bitcoin core team... Take
my word for it, you took Mt. Gox's!

Have a read through:
[https://bitcointalk.org/index.php?topic=458076.0](https://bitcointalk.org/index.php?topic=458076.0)

Also, why are you comparing IRC to dark and use-net, they're all completely
different things?

------
ck2
_A bug in the bitcoin software makes it possible for someone to use the
Bitcoin network to alter transaction details to make it seem like a sending of
bitcoins to a bitcoin wallet did not occur when in fact it did occur._

If that is true, it probably affects all alt-coins since they all fork back to
btc.

However I bet it's just a matter of getting more confirms since attackers
could be using fraudulent nodes to try to fool the network.

~~~
jlgaddis
_> If that is true, it probably affects all alt-coins since they all fork back
to btc._

Yes, you should have kept reading:

_> Note that this will also affect any other crypto-currency using the same
transaction scheme as Bitcoin._

------
laichzeit0
MtGox knew about this problem at least 3 months ago already. All of a sudden
it's a protocol problem now.

I say this as someone who personally had BTC withdrawals fail 3 months ago
when they explained to me on IRC that they couldn't find a bunch of
transactions with the TX ids they were looking for and had to rebroadcast
them.

------
dsr_
I would like to advance the notion that this could be exactly what it looks
like to a non-invested observer: this is the end stage of a massive fraud.

The one thing that makes me suspect otherwise is that they are holding a lot
of BTC instead of a lot of cash.

------
taspeotis
Sat down in front of my PC just in time to watch this [1] graph.

[1] [http://bitcoin.clarkmoody.com/](http://bitcoin.clarkmoody.com/)

------
kristianp
[https://en.bitcoin.it/wiki/Transaction_Malleability](https://en.bitcoin.it/wiki/Transaction_Malleability)

------
enscr
[http://i.imgur.com/imve1Sc.jpg?1](http://i.imgur.com/imve1Sc.jpg?1)

------
surana90
Probably a good time to enter into market for some people!

------
epaga
typo in title: protocol, not protocole

------
dzhiurgis
Isn't this related to 'network confirmations'?

