Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: bitaps on March 10, 2017, 09:19:34 PM



Title: Transaction malleability 2017
Post by: bitaps on March 10, 2017, 09:19:34 PM
Today about 15 hours ago, was transaction malleability attack to bitcoin network. BIP 62 was accepted in 2014 but in 2017 miner BitClub mine transactions with negative S value in signature!  :o  So BitClub gave the opportunity to this  attack get  success
 
We have bitcoin node with ability to save all events on bitcoin network.

Statistics on our bitcoin node:
   Total affected Transaction: 84335
   Success: 1405
 
Code:
9ab1d8ede94b8997c526680c197ed6cf1d2004845f1a409645c36c52d5c3fefa
  >>>  00070d799ae941cd60fc686802afba8609f637687df8714c9b29c03600a7559b block 456545 miner BitClub
6f1f6740eb0eaa7db013461f497e4fdc39594ab506c70708ed6969c25e9cbae0
  >>>  f889938e3878a9836caa558c926bc2b05353cf29eb7f8ebbdffe0a5af80af5a4 block 456545 miner BitClub
924e59a5d70f2e8928a1dfdd01cab476caebf5773b001d06ad87d4619ff8674e
  >>>  785b2856106170b5ef462b35deae83879bb9e3fd282b3e5face8fe0d9ec17285 block 456545 miner BitClub
00fba70e71336d78c52cda58c252a836d1d860c69e54840fb85f6f9e947eef75
  >>>  2000e4a79fb534563f361a5a3f031c3db2d87a886b072b6ba68587ebbebc6198 block 456545 miner BitClub
71bad5a7eb5693e1787572c62ce3fe81be57907c9a67e5b67df32615b6fcc564
  >>>  783a6b069abb42818ef942832b8aad689c52c9e054572a8e5c5f402b41b1d35e block 456545 miner BitClub
5ad4bd91dc3b1588a5dd3fc880109400a467316114b64c093ba2624e6d9bfa28
  >>>  5e60913b376ce04a526dfd26ec60b5c0e86e5cbf61b0cc77ad170b35240dd313 block 456545 miner BitClub
c3d73f073d9efb1e6b5f83de13415e8f76763a1526c58283ec887a0f6b54a987
  >>>  9f4fd7345061fc567eca2807aa7f655696a0fcd0b4c039e597978ec935a8c4c4 block 456545 miner BitClub
bc256939a84a8a7d25e1e3f79b9cdc61f8f84cb1746371b6e75076f548bca6b1
  >>>  ab1f20f7785137012de35e81709b2172c0d56af4949e53bfed9ddea9ddfb9527 block 456545 miner BitClub
304210e71da43a2f64410568b0473a1652da245e15eaccf42526636ced50be10
  >>>  04916551d68114586f22f6fe5e9cc73497f6b91fd440c764301437fc069afe69 block 456545 miner BitClub

 
 
Full list of successfully attacked transactions http://pastebin.com/KGYpqPta
 



Title: Re: Transaction malleability 2017
Post by: achow101 on March 10, 2017, 10:11:20 PM
Who malleated those transactions?

I know that those who have chains of unconfirmed transactions that were based off of the original non-malleated ones were, but how many transactions is that? Who else was affected by these transactions?


Title: Re: Transaction malleability 2017
Post by: johoe on March 10, 2017, 10:27:29 PM
BIP-62 was withdrawn.  You may be confusing it with BIP-66, which didn't have low-S requirement.  There is also a relay policy for low-S but not a soft fork.  BIP-146 may fix it some day.

There are several discussions on reddit on r/btc.  I think BitClub mined three blocks with high-S and BitmainWarrenty (not to be confused with Bitmain) was also involved.  It also temporarily broke blockchain.info.


Title: Re: Transaction malleability 2017
Post by: piotr_n on March 12, 2017, 01:43:16 PM
How is it an attack?
Who is it attacking and what for?


Title: Re: Transaction malleability 2017
Post by: bitaps on March 12, 2017, 05:54:00 PM
How is it an attack?
Who is it attacking and what for?

Here is official News about it

https://news.bitcoin.com/bither-ceo-bitclub-performing-segwit-related-attack-network/


Title: Re: Transaction malleability 2017
Post by: piotr_n on March 12, 2017, 07:24:39 PM
How is it an attack?
Who is it attacking and what for?

Here is official News about it

https://news.bitcoin.com/bither-ceo-bitclub-performing-segwit-related-attack-network/

How does it answer any of my questions?

Please explain why it is called "attack".

Using such a word implies that there was an aggressor and a victim.
So who was the victim and how was it hurt?


Title: Re: Transaction malleability 2017
Post by: piotr_n on March 12, 2017, 07:33:21 PM
BTW, this article on news.bitcoin.com is hilarious.

For instance, it says:

Quote
In the two blocks they mined, 456545 and 456552, they changed all the txid inside the blocks. In other words, they “double spent” all transactions.
What "double spent"??
It was exactly the same spent, just with a different txid.  :)


Then:

Quote
Blockchain.info, the most widely used blockchain explorer, is basically crashed during the attack event. Since block 456545, blockchain.info no longer received any new blocks.”
So it seems that what it "attacked", was not any "bitcoin network", but only a buggy software used by Blockchain.info
Well, at least they got a chance t fix it :)


And then:
Quote
It’s still not exactly clear how the attack was performed.
How is it not clear how it was performed, if they had just said that "by exploiting the symmetry characteristic of elliptic curves"? :)


Title: Re: Transaction malleability 2017
Post by: bitaps on March 12, 2017, 07:40:45 PM
Quote
How is it not clear how it was performed, if they had just said that "by exploiting the symmetry characteristic of elliptic curves"

ECDSA Signature consists of 2 big numbers, R and S.  In case we change S to (S * -1) it will not invalidate signature. Because during signature verification used the absolute value of S.

Quote
What "double spent"Huh
It was exactly the same spent, just with a different txid.  Smiley

Yes different tx_id and create different coins in blockchain, technically this is double spending input coins, but no way to steal btc


Title: Re: Transaction malleability 2017
Post by: piotr_n on March 12, 2017, 07:44:34 PM
Yes different tx_id and create different coins in blockchain, technically this is double spending input coins, but no way to steal btc

No sir.

This is not "double spending input coins" - not technically, nor in any other way.

The spending transaction just ended up in the blockchain with a different ID - that's it.
There is nothing more about it; no attacks, no double spending - nothing more!


Title: Re: Transaction malleability 2017
Post by: bitaps on March 12, 2017, 07:46:24 PM
2 transactions try to spend same coins and as result create different output coins

This is double spent


Title: Re: Transaction malleability 2017
Post by: piotr_n on March 12, 2017, 07:49:17 PM
2 transactions try to spend same coins and as result create different output coins

This is double spent

But only one of them gets confirmed - how is it a double spent?


Title: Re: Transaction malleability 2017
Post by: bitaps on March 12, 2017, 07:52:37 PM
Right! Any double spent attempt have one winner tx and losing tx or few losing txs


Title: Re: Transaction malleability 2017
Post by: piotr_n on March 12, 2017, 07:55:09 PM
Right! Any double spent attempt have one winner tx and losing tx or few losing txs

That's fascinating.

Perhaps you should write a paper about it.
bitcoin.com should be able to publish it for you.
They seem to be very much into bitcoin science.


Title: Re: Transaction malleability 2017
Post by: bitaps on March 12, 2017, 07:59:22 PM
Not quite understood your sarcasm


Title: Re: Transaction malleability 2017
Post by: Carlton Banks on March 12, 2017, 08:06:38 PM
You're trying to say

"this double spend attempt failed, therefore it succeeded!"

Which is why you're attracting derision


Shut up


Title: Re: Transaction malleability 2017
Post by: piotr_n on March 12, 2017, 08:07:33 PM
Not quite understood your sarcasm
You and bitcoin.com are using big words to describe trivial things.

There was no "attack on the bitcoin networks" - that's ridiculous.

Ever since bitcoin has existed, any miner could have taken a transaction (or all of them) and change the ID(s).
There is nothing new or sensational about it and it is definitely no reason to spread a panic with big titles like "attack on a bitcoin network".

IMHO, such events are actually a good thing, because they show whose bitcoin software is shit.


Title: Re: Transaction malleability 2017
Post by: achow101 on March 12, 2017, 08:25:32 PM
2 transactions try to spend same coins and as result create different output coins

This is double spent
A transaction malleation attack does not change the outputs in any way whatsoever. There are no "different output coins". The receivers still get the Bitcoin, regardless or whether the original or the malleated transaction confirms. Transaction malleation is not a double spend attack. Nor is it an attack on the Bitcoin network but rather it is an attack on poorly written wallets and services.


Title: Re: Transaction malleability 2017
Post by: andron8383 on March 12, 2017, 08:26:27 PM
Right! Any double spent attempt have one winner tx and losing tx or few losing txs

So they can trick lets say bitbay that don't wait for confirmation to double sped - interesting.

Quote
Some online chatter regarding the issue revolved around the idea that the attack is political; trying to influence developers and stakeholders to come to a solution to the so-called malleability issue (which Segwit is intended to solve).

For me all know that "malleability issue" but BU :D shit this like nothing happened everything is ok you can makes attacks and what now ?
For those BU supporters waiting 30min for confirmations is not big deal.
I think that Bitcoin have to fix security holes that shout this is your foud you sould be wait for 30 min confirmations if you have luck because not you can wait up to few hours :D

2 transactions try to spend same coins and as result create different output coins

This is double spent
A transaction malleation attack does not change the outputs in any way whatsoever. There are no "different output coins". The receivers still get the Bitcoin, regardless or whether the original or the malleated transaction confirms. Transaction malleation is not a double spend attack. Nor is it an attack on the Bitcoin network but rather it is an attack on poorly written wallets and services.

so how "malleation attack" fucked up Mt Gox ? they were complaing about that if i good remember that they lost BTC in that process.


Title: Re: Transaction malleability 2017
Post by: bitaps on March 12, 2017, 08:30:21 PM

You and bitcoin.com are using big words to describe trivial things.

There was no "attack on the bitcoin networks" - that's ridiculous.

Ever since bitcoin has existed, any miner could have taken a transaction (or all of them) and change the ID(s).
There is nothing new or sensational about it and it is definitely no reason to spread a panic with big titles like "attack on a bitcoin network".

IMHO, such events are actually a good thing, because they show whose bitcoin software is shit.

First of all, my title was not big title with words "attack on a bitcoin network".

Second Bitcoin.com :
Quote
In the two blocks they mined, 456545 and 456552, they changed all the txid inside the blocks. In other words, they “double spent” all transactions.

It's not quite so. Bitclub not change tx signatures inside his blocks.  All transactions in mempool was attacked within few seconds after broadcasting to network.  Same one do attack on mempool. Most of nodes not accept and not relay this tx because double spending tx not accepting for relay in most nodes settings (except RBF txs). But Bitclub accept this txs. Exploiting attack is not good thing, good thing is fix vulnerability in bitcoin protocol.


Title: Re: Transaction malleability 2017
Post by: achow101 on March 12, 2017, 08:31:59 PM
so how "malleation attack" fucked up Mt Gox ? they were complaing about that if i good remember that they lost BTC in that process.
Chains of unconfirmed transactions can be invalidated by malleating a transaction in that chain and having that malleated transaction confirm. So it is possible that people send an exchange like Mt. Gox Bitcoin being spent from an unconfirmed transaction, and one transaction in the chain is malleated thus invalidating the whole chain and the service never actually receives the Bitcoin.


Title: Re: Transaction malleability 2017
Post by: bitaps on March 12, 2017, 08:40:37 PM
2 transactions try to spend same coins and as result create different output coins

This is double spent
A transaction malleation attack does not change the outputs in any way whatsoever. There are no "different output coins". The receivers still get the Bitcoin, regardless or whether the original or the malleated transaction confirms. Transaction malleation is not a double spend attack. Nor is it an attack on the Bitcoin network but rather it is an attack on poorly written wallets and services.

Coin this is link to Transaction Hash and output number inside this transaction. In case transaction hash changed coins that created by this tx also changed. So we have 2 different txs hashes and have different coins in UTXO.  Yes all this coins related to same bitcoin address.
But this is different coins, but input coins is same. You can  admit it or not, but technically this is double spend.



Title: Re: Transaction malleability 2017
Post by: bitaps on March 12, 2017, 08:54:18 PM
Right! Any double spent attempt have one winner tx and losing tx or few losing txs

So they can trick lets say bitbay that don't wait for confirmation to double sped - interesting.

Quote
Some online chatter regarding the issue revolved around the idea that the attack is political; trying to influence developers and stakeholders to come to a solution to the so-called malleability issue (which Segwit is intended to solve).

For me all know that "malleability issue" but BU :D shit this like nothing happened everything is ok you can makes attacks and what now ?
For those BU supporters waiting 30min for confirmations is not big deal.
I think that Bitcoin have to fix security holes that shout this is your foud you sould be wait for 30 min confirmations if you have luck because not you can wait up to few hours :D

2 transactions try to spend same coins and as result create different output coins

This is double spent
A transaction malleation attack does not change the outputs in any way whatsoever. There are no "different output coins". The receivers still get the Bitcoin, regardless or whether the original or the malleated transaction confirms. Transaction malleation is not a double spend attack. Nor is it an attack on the Bitcoin network but rather it is an attack on poorly written wallets and services.

so how "malleation attack" fucked up Mt Gox ? they were complaing about that if i good remember that they lost BTC in that process.



Bitclub is not BU supporter, they vote for SegWit. Maybe he want to say that Segwit help us to fix this problem? But this is not true.
Segwit will fix this problem only for witness outputs. All old UTXO set will be still vulnerable for malleability attack. How long will that take to spend all old UTXO?? ;D  

Segwit in softfork mode  will not solve these problems completely.  Before to laugh at BU supporters, better understand in detail in the issue.


Title: Re: Transaction malleability 2017
Post by: piotr_n on March 12, 2017, 09:04:30 PM
Quote
so how "malleation attack" fucked up Mt Gox ? they were complaing about that if i good remember that they lost BTC in that process

It's not really confirmed whether mtgox funds were lost through some kind of malleability attack.

That's what they were claiming at some point,  but they never showed any proofs, or even a technical explanation of how that would actually be possible.


Title: Re: Transaction malleability 2017
Post by: piotr_n on March 12, 2017, 09:11:39 PM
It definitely looks like some statement from the mining pool, saying 'if we won't activate segwit, look what can be happening'.

Well, I've seen it...
And I'm not impressed, frighten or shocked. :)

Even though I'd like to see segwit activated.
But not as much as most of the supporters :)

I also spent my time to add segwit support to my software. It was fun and I won't be crying if this doesn't get used.


Title: Re: Transaction malleability 2017
Post by: bitaps on March 12, 2017, 09:23:55 PM
Segwit will not fix this problem! To fix this problem we need segwit + hardfork (restrict negative S value)


Segwit is good improvement, but we need the solution to give ability change block size and this thing very important.
Yes Segwit will get more txs inside 1 MB blocks.
But in case we not accept change block size solution  today, to come that day when we will hit the block  limit again, at that time bitcoin infrastructure will grow significantly. Do hard fork will  be more painful than do it now!

Also accept solution to give ability change block size, this is not mean that we should change block size right now.


Title: Re: Transaction malleability 2017
Post by: cr1776 on March 12, 2017, 10:38:48 PM
Quote
so how "malleation attack" fucked up Mt Gox ? they were complaing about that if i good remember that they lost BTC in that process

It's not really confirmed whether mtgox funds were lost through some kind of malleability attack.

That's what they were claiming at some point,  but they never showed any proofs, or even a technical explanation of how that would actually be possible.

The hypothesis regarding mtgox (fed by them, iirc) was that they were relying on transaction IDs to update their internal database of balances.  So, there were withdrawals, then the attacker changed the transaction ID when they broadcast a transaction (the attacker was directly connected to them).  So gox never decreased their balance since they were relying on the TX ID and they would withdraw again.  (There were more details).

Again, poorly written non-bitcoin network software IF that is what happened.