
A successful Bitcoin double spend – USD 10000 - balsam
https://bitcointalk.org/index.php?topic=152348
======
platypii
OK, so it's not hard to imagine double spends happening during a fork. This
incident proves that as long as there is at least one provider willing to
exchange BTC automatically, and is unaware of a fork in progress, then one can
exploit the fork and double spend. This is bad, and should be fixed with a
technical solution if possible. People will be looking for this in the future.

Here's the scary thing revealed by this bug however: Causing (intentionally) a
fork is WAY easier than I thought!

You don't need to control a majority of mining. All you need is to craft a
block such that some large % of the mining clients will fail on it. This could
be a failure at any point in the bitcoin software. If there is a size limit
discrepancy between versions (in this case the DB), or maybe a unicode parsing
bug in some library used, or whatever. It doesn't need to be an exploitable
code bug. It just needs to cause some % of mining clients to fail and reject a
particular block.

It's relatively easy to find a bug that causes some software to crash. Most of
the time these bugs are minor, and don't allow any remote execution or
anything, so programmers don't necessarily worry about them most of the time.
But in bitcoin they could potentially cause a blockchain fork! Which could be
exploited, as this incident proves. This seems to lower the bar considerably
to exploit BTC.

~~~
johnsoft
You would need to find a very localized, specific class of bug in a piece of
software that has been highly scrutinized over many years by cryptography and
security experts who know there are millions of dollars at stake, and this bug
would need to affect parts of the P2P network but not others, keeping in mind
everyone voluntarily chooses which software to run. I think calling it
"relatively easy" is a bit of a stretch.

~~~
michaelt
> You would need to find a very localized, specific class of bug in a piece of
> software that has been highly scrutinized over many years by cryptography and
> security experts

Couldn't you monitor the version control system trunk for patches fixing bugs
in the critical section of the code, work out the bug based on the fix, and
exploit it before everyone had their systems patched?

> everyone voluntarily chooses which software to run.

In things like operating systems heterogeneous software is often seen as a
defence against bugs - but in this instance, wasn't it the differences between
the 0.7 and 0.8 clients that triggered the split in the blockchain?

Surely the most secure thing is to be on the most widely used client?

~~~
johnsoft
Clients emit a warning in the GUI (and IIRC disable the RPC interface, which
would be the fail-safe for merchants) when this kind of issue is detected
(namely, conflicting blockchains of significant length received from different
peers). So the most secure thing would be to be connected to a high diversity
of peer nodes, and to pause transaction processing and check the news when you
get a warning.

------
nostromo
I've actually thought about putting some play money in Bitcoin, but these
stories prevent me from doing so.

This guy is (apparently?) unhappy, and he's knowledgeable enough about bitcoin
to know to inspect forks and vins and OKPAY transactions -- and then to make
two double (?) spend transactions.

If this guy is getting screwed, I'd surely manage to lose twice my investment
somehow.

~~~
ramanujan
It looks like this possibility was known and broadcasted to merchants during
the maintenance window two days ago. It's kind of like the Rails mass
assignment or security bug: merchants are just going to have to stay on top of
Bitcoin issues.

<http://www.reddit.com/r/Bitcoin/comments/1a51xx/now_that_its_over_the_blockchain_fork_explained>

> [Submitted March 12]
>
> It's DanielTaylor again and I wanted to create a simple yet intuitive post
> to explain to the folks out there what happened a couple of hours ago. This
> might also be useful for bloggers or journalists who might be going to write
> about it in the following hours.
>
> TL;DR
>
> The programs that read the blockchain, the bitcoin ledger, disagree.
>
> Due to a bug in 0.7, it says that HIS is the correct version of this ledger
> and 0.8 says that HIS is the correct version.
>
> Miners (the people who add pages to the blockchain) are told to switch to
> the 0.7 program so that this version gains more support and the other one is
> discarded (orphaned).
>
> Regular users are not affected. Their transactions are included in both
> ledgers and don't need to change any programs.
>
> During that time, though, there is a slight chance of a double-spend
> occurring. That is why people recommended merchants and exchanges to wait
> until there is one single blockchain again before processing purchases and
> merchandise.
>
> ...
>
> What's a double-spend?
>
> This is the reason why some merchants and exchanges stopped processing
> incoming bitcoins for a couple of hours.
>
> The bitcoin network prevents people from spending the same coins by
> maintaining this unique ledger, the blockchain. But now that there were two
> of them, it was theoretically possible to broadcast two different
> transactions with the same coins and still get some confirmations.
>
> With some luck, someone could sneakily* buy a television from a merchant who
> was reading the 0.8 ledger and have the transaction confirmed. At the same
> time he could have sent the same coins back to himself and, with some luck,
> have the transaction confirmed on the 0.7 ledger.
>
> What happens is that, in the end when 0.7 wins, the thief will have the
> television and his bitcoins. Remember that there were two different versions
> of the same coins!
>
> This is not something easy to do and requires a lot of luck because the
> blocks mined (the pages added to the ledger) must be mined precisely in the
> correct order. But still, in this situation it was easier to pull off and so
> it was recommended for merchants and exchanges to temporarily stop
> processing incoming transactions.
>
> Now the situation has resolved and the blockchain keeps growing happily,
> page by page, block by block.

~~~
TylerE
Calling what happened the other day a "maintenance window" is about as
truthful as describing a fire that burns your house down as a "redecorating
party".

------
johnsoft
This was only possible because of an obscure bug in a database library used by
the reference client, which the developers are in the process of migrating
away from. The latest 0.8-beta release inadvertently caused a size restriction
on some part of the block structure to be loosened. Since the majority of the
network's mining power had upgraded, older clients wouldn't accept these
blocks, and the blockchain diverged, with 0.7 and 0.8 each on a different
fork, seeing an inconsistent view of recent transactions. Miners were quickly
contacted and asked to downgrade to 0.7, and once the 0.7 chain caught up with
the 0.8 chain, the network resolved the problem and the view of transactions
became consistent again.

One of his transactions was on the 0.8 chain (during its short life), and the
other was on the 0.7 chain. So it's better to think of it as a transaction
being invalidated rather than double-spent, because in the end there were no
outputs that didn't come from an input.

This was only possible due to extraordinary circumstances, and as long as the
majority of the network is running software that plays by the same rules, this
kind of thing isn't possible.

~~~
runn1ng
>as long as the majority of the network is running software that plays by the
same rules, this kind of thing isn't possible

Isn't this against the idea of decentralization?

~~~
Shish2k
HTTP is decentralised

~~~
davidw
Anything of value on the end of an HTTP transaction has some centralization,
such as bank accounts, Amazon.com, or other things that involve real money.

------
unclebucknasty
There are people saying that this shouldn't happen again, etc. but it will.
Perhaps not in this exact form, but in some form.

And, this was an accident. As we know, there are many people with the ill
intent and incentive to look for or create exploits 24/7. Saying this won't
happen again is like saying "Ok, this is the LAST FireFox patch you'll ever
need. Really. We've thought of everything."

This is a game of cat and mouse, similar to one I've involuntarily had to play
with fraudsters in my business over the years, and we've all been involved
with via viruses, software patches, etc.

I am not sure why we continue to have such supreme confidence that we have
discovered something even approaching bulletproof here, when history has
taught us that we should believe anything but. It's partly the developer
mindset, I suppose. We all tend to believe we've thought of every path and
that our code is bug free, until someone encounters a bug that is.

We need to abandon that overly optimistic mindset and look for solutions that
accommodate the inevitability of this happening again, whether they be process,
technical, or both.

This might include the notion of a central registry on the network, which can
help to resolve/identify potential forks, etc. While I know the notion of
decentralization is sacrosanct in the BTC community, it is really a fallacy
that there is not centralization now. The "core team" is actually playing that
role, albeit manually, and what this issue shows is that it may well be a
necessary role. I am not talking about doing away with the P2P nodes or
controlling them centrally, just acknowledging that pure P2P has strong
merits, but also introduces vulnerabilities.

This incident was containable and manageable. In the future (and especially at
scale), it may well be infeasible for such manual intervention to clean up the
mess. Rather than all convince ourselves that we have now thought of
everything, we need to assure ourselves that we haven't and never will, then
use our collective brainpower to build in the kinds of safeguards and
redundancies that will help avert catastrophe when the inevitable happens.

------
SoftwareMaven
You know the next time something like this happens (and, this is software, it
_will_ happen), there will be a _lot_ of people trying this attack. It was
theoretical before with "enough effort"; now, it is known to be easy.

And the problem will get harder to manage as BC becomes more popular. They
could restrict damage because the ecosystem is still small, but what if there
are millions of merchants? The alternative is centralized processors, which
doesn't make BC that much better than cash.

~~~
batgaijin
shard the currency

------
tantalor
Can somebody explain without the technical jargon?

~~~
jmillikin
Bitcoin's security is based on the idea of a "block chain", which is sort of a
mutually agreed-upon list of transactions. As long as all participants in the
Bitcoin economy are using the same block chain, then double-spending money is
(for all practical purposes) impossible.

It was recently discovered that a change in Bitcoin 0.8 caused an entry in the
block chain that old versions can't process. The old versions, unable to
verify the 0.8 block chain, automatically started their own block chain based
on the last block they could deal with.

    
    
      0.8-readable block chain continues
      |
      ---> |
           |  | <- 0.7-readable block chain splits off
           | /
           |/
           *  <- block that old versions can't process
           |
           |
      (history)
    
    

For technical reasons, it was decided that the 0.8 block chain would be
abandoned, and all clients should switch to the "forked" block chain that was
accidentally created by old clients.

    
    
      dead    | <- 0.7-readable block chain is now "official"
      |       |
      ---> _  |
           |  |
           | /
           |/
           *  <- block that old versions can't process
           |
           |
      (history)
    
    

This causes a problem, because until that switch happens, a person could issue
a transaction to a 0.8 client that would be accepted only by clients running
the "bad" 0.8 blockchain.

The OP states that he has done this successfully. He submitted a transaction
to a BTC<->USD service running 0.8. The service, checking the bad block chain,
thought it had received Bitcoins and therefore sent him USD. But his
transaction was never sent to the "official" block chain, so according to the
rest of the Bitcoin world, he still has his original Bitcoins.

This is significant because prevention of double-spending is a fundamental
feature of Bitcoin. If it can be bypassed, then the entire Bitcoin economy is
endangered.

~~~
ctz
What happened to bitcoins 'mined' on the 0.8 chain in the meantime? Did people
lose their currency?

~~~
simondlr
Good question. I know that any transactions in forked chains that have been
orphaned are included as transactions if they haven't been double spent on the
other chain.

But what happens to the mining reward, I don't know. Anyone?

~~~
RoboTeddy
The mining rewards on the 0.8 branch went _poof_

A mining reward is actually just a special transaction that the miner includes
in blocks they find that let them pay themselves out of thin air.

So, the mining reward transactions on the 0.8 branch only exist on that
branch, since the 0.7 chain had its own reward transactions made out to its
own miners. When the network reached consensus on the 0.7 branch, money that
miners on 0.8 thought they earned just disappeared (other clients stopped
acknowledging their reward bitcoins).

Some pool operators lost out too, since they paid people who found blocks on
the 0.8 branch.
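The split jmillikin diagrams above and RoboTeddy's point about which transactions survive it can be run through as a toy model. The code below is an added example, not anything from the thread or from the Bitcoin client: two node types that differ in one validity rule (a constructed block-size cap standing in for the real limit), one block that only the looser rule accepts, and the reorg once the stricter branch grows longer. The node names, sizes and transaction ids are all constructed.

```python
"""Toy model of the 0.7/0.8 split described in this thread: two node types that
disagree on one validity rule, one block that only the looser rule accepts, and
the reorg once the stricter branch grows longer. Names, sizes and limits are
constructed for illustration; they are not Bitcoin's real consensus values."""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Tx:
    txid: str
    coinbase: bool = False  # a block reward only exists on the branch it was mined on


@dataclass(frozen=True)
class Block:
    prev: str
    height: int
    txs: tuple
    size: int  # stand-in for whatever limit the two versions disagreed on

    @property
    def hash(self) -> str:
        data = f"{self.prev}|{self.height}|{[t.txid for t in self.txs]}|{self.size}"
        return hashlib.sha256(data.encode()).hexdigest()[:12]


GENESIS = Block(prev="0" * 12, height=0, txs=(), size=0)


class Node:
    """Accepts a block only if its parent is known and it passes this node's
    size rule; follows the longest chain it was able to validate."""

    def __init__(self, name: str, max_block_size: int):
        self.name = name
        self.max_block_size = max_block_size
        self.blocks = {GENESIS.hash: GENESIS}
        self.tip = GENESIS.hash

    def accept(self, block: Block) -> bool:
        if block.prev not in self.blocks or block.size > self.max_block_size:
            return False  # rejected blocks, and anything built on them, never enter this node's view
        self.blocks[block.hash] = block
        if block.height > self.blocks[self.tip].height:
            self.tip = block.hash  # strictly longer wins; equal-height ties keep the first-seen tip
        return True

    def chain(self) -> list:
        out, h = [], self.tip
        while h != GENESIS.prev:
            out.append(self.blocks[h])
            h = self.blocks[h].prev
        return out[::-1]

    def confirmed(self) -> frozenset:
        """Transaction ids this node currently considers confirmed."""
        return frozenset(t.txid for b in self.chain() for t in b.txs)


def run_fork_scenario() -> dict:
    old = Node("0.7-like", max_block_size=100)   # constructed limits
    new = Node("0.8-like", max_block_size=1000)
    nodes = (old, new)
    pay = Tx("pay-merchant")  # an ordinary payment; it reaches miners on both sides

    def mine(prev: Block, txs, size: int):
        b = Block(prev=prev.hash, height=prev.height + 1, txs=tuple(txs), size=size)
        return b, {n.name: n.accept(b) for n in nodes}

    b1, _ = mine(GENESIS, [Tx("cb-1", coinbase=True)], size=50)
    # The split point: a block only the looser rule set will accept.
    big, verdict = mine(b1, [Tx("cb-new-2", coinbase=True)], size=500)
    # Old-rule miners keep extending b1; each branch has its own reward but the same payment.
    b2_old, _ = mine(b1, [Tx("cb-old-2", coinbase=True), pay], size=50)
    mine(big, [Tx("cb-new-3", coinbase=True), pay], size=50)
    during_split = {n.name: n.confirmed() for n in nodes}
    # The stricter branch overtakes; its blocks are valid for everyone, so 0.8-like nodes reorg onto it.
    b3_old, _ = mine(b2_old, [Tx("cb-old-3", coinbase=True)], size=50)
    mine(b3_old, [Tx("cb-old-4", coinbase=True)], size=50)
    after_reorg = {n.name: n.confirmed() for n in nodes}
    return {"split_block_verdict": verdict,
            "during_split": during_split,
            "after_reorg": after_reorg}


if __name__ == "__main__":
    for stage, views in run_fork_scenario().items():
        print(stage, views)
```

During the split the two node types report different confirmed sets; after the reorg both agree, the payment that was broadcast to both sides is still confirmed, and the two block rewards mined on the abandoned branch are gone, which is the outcome RoboTeddy describes for the 0.8 miners.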

~~~
erja
How would a pool operator lose? They would pay out on the 0.8 branch, in
bitcoins. Do pool operators pay in real-world currency like USD?

~~~
RoboTeddy
They do indeed pay in bitcoins. The payment transactions during the fork
weren't lost, however-- they were confirmed on both branches of the chain. The
only transactions that disappeared were the block reward transactions on 0.8.

If pools paid miners using bitcoins from their own mined blocks, this problem
would go away-- that's not a bad idea!

edit: I asked -- some pool operators apparently already do this. The ones that
lost out are the ones that don't.

------
zby
There was a visible fork of the blockchain - a clearly exceptional condition
showing that the network did not work correctly at that moment. All merchants
should stop accepting payments for the duration of that - this can easily be
automated.

~~~
URSpider94
Forks of the blockchain happen all the time as a natural side effect of the
distributed nature of blockchain calculation. How do you propose that a
merchant detect a pathological fork?

If you're going to tell me that it depends upon the length of the fork, then
you'd better be waiting at least that many blocks before you verify a
transaction.
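zby says pausing on a fork can be automated and URSpider94 asks how a merchant would tell a pathological fork from the routine one-block forks that happen all the time. One defensible answer is the one johnsoft gives further up: compare what a diverse set of peers report and act on the depth of the disagreement, not on its mere existence. The monitor below is an added example written for this thread, not code from any Bitcoin client; the peer views, block hashes and the one-block "natural" threshold are constructed assumptions.

```python
"""Merchant-side fork monitor: compare the recent block headers reported by a
set of peers and pause payment acceptance when they disagree for more than a
short, routine fork depth. All peer views below are constructed samples."""
from itertools import combinations

NATURAL_FORK_DEPTH = 1  # assumption: one-block disagreements are routine and resolve on their own


def divergence_depth(chain_a: list, chain_b: list) -> int:
    """Blocks the two peers have each built since the last block they agree on.
    Chains are oldest-first lists of (height, block_hash) over a recent window."""
    common = set(chain_a) & set(chain_b)
    if not common:
        return max(len(chain_a), len(chain_b))  # no shared block in the window: assume the worst
    fork_height = max(h for h, _ in common)
    since_a = sum(1 for h, _ in chain_a if h > fork_height)
    since_b = sum(1 for h, _ in chain_b if h > fork_height)
    return max(since_a, since_b)


def assess(peer_views: dict, natural_depth: int = NATURAL_FORK_DEPTH) -> dict:
    """peer_views maps peer name to its chain window. Returns whether to pause,
    the deepest disagreement found, and how many distinct tips the peers report."""
    worst = max((divergence_depth(a, b) for a, b in combinations(peer_views.values(), 2)),
                default=0)
    tips = {view[-1][1] for view in peer_views.values()}
    return {"pause": worst > natural_depth, "max_divergence": worst, "distinct_tips": len(tips)}


def make_view(shared_to: int, branch: str, branch_to: int, start: int = 200) -> list:
    """Constructed window: shared history up to shared_to, then blocks on a named branch."""
    view = [(h, f"blk{h}") for h in range(start, shared_to + 1)]
    view += [(h, f"blk{h}{branch}") for h in range(shared_to + 1, branch_to + 1)]
    return view


# Two miners found height 228 at about the same time: a routine fork, no action.
SAMPLE_NATURAL = {"peerA": make_view(227, "x", 228),
                  "peerB": make_view(227, "y", 228),
                  "peerC": make_view(227, "x", 228)}
# Peers split at height 224 and each side has kept building: pause and check the news.
SAMPLE_SPLIT = {"peerA": make_view(224, "x", 227),
                "peerB": make_view(224, "x", 227),
                "peerC": make_view(224, "y", 226)}
# Every peer is on the same side of a split: the monitor is blind, which is why
# peer diversity matters (johnsoft's point above).
SAMPLE_ONE_SIDED = {"peerA": make_view(224, "x", 227),
                    "peerB": make_view(224, "x", 227)}

if __name__ == "__main__":
    for label, views in [("natural", SAMPLE_NATURAL), ("split", SAMPLE_SPLIT),
                         ("one-sided", SAMPLE_ONE_SIDED)]:
        print(label, assess(views))
```

The one-sided sample is the important failure mode: a merchant whose peers all run the same version sees a single agreed chain and gets no warning at all, so the check is only as good as the diversity of the peers feeding it.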

~~~
nazgulnarsil
this is already built into the protocol.

~~~
URSpider94
what is 'this'?

If you mean waiting for x validations before accepting a transaction, yes --
but do you really think that it's practical to wait 30 minutes before
delivering goods for a transaction? That's going to be a really long time
spent staring at the little spinny thing over a line of text saying "verifying
your payment" ...

~~~
nazgulnarsil
It's completely reasonable. Bitcoin is not a good candidate for a medium of
exchange despite what some adopters will tell you. It is more like virtual
gold. You can see in the real world that mediums of exchange and stores of
value aren't the same thing because the properties that are desirable in one
are not desirable in the other.

~~~
eric_bullington
And there's another electronic currency system coming online now that should
handle instant transactions well: ripple.com. It's a new incarnation of a
relatively old idea, but the good thing about the new ripple is that
transactions are (and should continue to be) nearly instant. And it is very,
very easy to trade bitcoin for ripple using the ripple system, and should get
even easier. So I imagine a future where value is stored in btc, and spent
using ripple (in any of the supported currencies).

------
gritzko
<http://pds.ewi.tudelft.nl/~victor/bitcoin.html>

There is a plethora of truly wonderful effects possible once the transaction
chain is forked. The guy did the simplest thing possible with the least effort
invested after the chain forked on its own, basically. In case we had several
BitCoin codebases operating in the wild, such forks would be too easy to
trigger.

Key point: the technology is crap but the demand is huge.

------
maaku
Should be noted that the money was returned.

~~~
w-ll
I might be wrong, but it wasn't returned, but that doesn't matter, all the
mining ops switched to the 0.7 chain, and the transaction is now in limbo (for
lack of a better term) on the forked 0.8 chain.

~~~
waterlesscloud
He paid it back, he said something about it in the irc channel this morning.

Still, it's an exploitable vulnerability. Very difficult to make the
conditions happen, but if they happen naturally it's something that can be
taken advantage of. It'll need to be addressed in one way or another.

~~~
skcin7
> he said something about it in the irc channel

What IRC channel out of curiosity?

~~~
waterlesscloud
#bitcoin, I think. That or #bitcoin-dev.

------
rms
Yet the price keeps rising...

~~~
bdcravens
Indeed, every time a negative story comes out, proponents always talk about
the MtGox price and how that indicates how strong BitCoin is.

BitCoin's raison d'etre isn't for conversion to fiat currency - it's to become
an alternative to fiat currency. I'd love to see a breakdown of how much has
been converted into fiat currency vs. how much has been spent for
goods/services. Likely, I bet it's well over 100:1. So what has happened?
BitCoin is helping put more fiat currency in people's hands as it grows, which
is (theoretically) being spent on iPhones and bubble gum, strengthening the
value of fiat currency in general.

~~~
aianus
Even if Bitcoin fails at everything except conversion into and out of fiat
currency, it's still a major win. It significantly undercuts existing services
for international payments while also circumventing currency controls, AML
regulations, and censorship.

------
marco-fiset
I was looking forward to BitCoins being hacked. This tells me it's not secure
enough yet.

------
cadetzero
I submitted the exact same a day ago.

<https://news.ycombinator.com/item?id=5365083>

