[Cryptography] BitCoin bug reported

Bear bear at sonic.net
Fri Feb 14 23:53:17 EST 2014

On Mon, 2014-02-10 at 08:03 -0500, Phillip Hallam-Baker wrote:
> The MtGox people are claiming that the reason they have been offline
> is a bug in the BitCoin protocol:
> https://www.mtgox.com/press_release_20140210.html
> Does anyone with deep knowledge of the protocol know if this is a
> credible explanation?

Summary:  The protocol is secure in terms of protecting against 
double payments actually taking effect, but someone is injecting 
bogus transactions (fiddled copies of real transactions) onto the
network. The clients in use at Gox are unable to distinguish bogus
copies from real, and other clients in use are still *SHOWING* the 
copies (which will never confirm) as "pending unconfirmed" payments
leading to confusion.  

Details:  Bitcoin transactions have an "ID number" derived from a 
hash of the transaction.  The problem is that the transaction may 
be expressed in any of several ways, resulting in different hashes. 
This problem is called transaction malleability, and work to 
eliminate it has been underway for months.

What is cryptographically secured about a transaction is which 
unspent coins are being spent, what public key they are being spent
to, the fact that the correct privkey (whose pubkey they were 
previously spent to) has signed off on the spend, etc.  This set
of information is globally unique.  But the "ID number" itself 
could be any of several values depending on details about how 
these things are expressed.  It has never been possible for more 
than one version of the same transaction to confirm; that is 
prevented as a double spend of the same inputs.  

The problem of issuing noncanonical forms of transactions was 
fixed months ago in the Bitcoin clients themselves - the standard 
tools now emit transactions in a "canonical form" that can only 
have a single hash/ID number.  But until quite recently the 
network still accepted transactions having other forms, and if 
multiple forms of the same transaction somehow got on the network
at the same time, it was essentially a coin toss as to which one
would be accepted.

And Mt.Gox, which had failed to update its own software when the 
rest of the network updated, was still occasionally emitting such 
noncanonical transactions.  Less than one-thousandth of Mt.Gox's 
payments were noncanonical, but they still existed.  Recently, 
after many warnings, the network reached a threshold and stopped
accepting noncanonical transactions in new blocks, which resulted 
in occasional payments made by Mt.Gox failing to confirm.  Gox 
was "confused" by its outdated software into thinking that it 
had made these payments, but because such payments were not 
accepted by the network, the coins were still at Gox.  Or, one of
the miners would be accepting their noncanonical transaction, 
transforming it into canonical form, and including it in a block, 
whereupon it would have a different ID number than the ID number
Gox was looking for a confirmation of.  

That was bad enough for Gox, but it was a relatively minor problem; 
Gox was reviewing these on a case-by-case basis, discovering that 
the transactions had in fact never been accepted by the network (or 
had been accepted with a different ID number), and issuing new
transactions or updating accounts with the corrected ID numbers.

Then someone started a DDoS attack on the Bitcoin network. There's 
some botnet now that's taking transactions off the network, fiddling
them into a noncanonical form, and re-emitting them onto the network.

The standard clients of course are refusing to accept these
transactions, and whenever a miner who has failed to update software
attempts to put one or more of them into a block that block is 
rejected.  But they're causing confusion and load, and the standard
clients are still seeing them as "pending" payments that haven't 
been accepted into a block yet.  For this reason, people are seeing
multiple copies of payments in their clients, with different ID 
numbers.  Only one copy of a payment will ever confirm, but for a 
while (until the payment confirms and the noncanonical version of 
it is then dropped as a double spend of the same coins) it looks 
as though multiple copies of payments have been sent.

Gox, which had relied on the "ID numbers" instead of more stable 
cryptographically secured identifying information about the
transactions, has been completely crippled by this attack.  

Some users, seeing "unconfirmed" payments in addition to the ones
they expected or made, are being confused into issuing more 
transactions to try to "correct" the multiple copies of payments.  
