Bitcoin Forum

Bitcoin => Wallet software => Topic started by: DiThi on December 30, 2011, 02:01:23 PM



Title: [FIX on the way] Flaw with fee calculation on strongcoin.
Post by: DiThi on December 30, 2011, 02:01:23 PM
Edit: A fix is on the way!

A friend of mine sent 0.99999999 BTC with StrongCoin and the fee has been 10 BTC (in theory it should be 1%, 0.005 min, 1 max).

With blockchain.info, trying to do that yields even weirder results, but hopefully that wallet is so great it lets you review all the details of the transaction before sending it. blockchain.info is not affected at all, it was an error on my part.

Please, fix it!

And to the rest of the people: don't try that at home! Well, can someone try sending something like 0.00999999 to test?


Title: Re: Huge flaw with fee calculation on clientside online wallets!
Post by: sadpandatech on January 03, 2012, 12:27:48 AM
What software are you referring to that your friend input this amount into and was told there would be a 10BTC fee?


Title: Re: [FIXED] Huge flaw with fee calculation on clientside online wallets!
Post by: DiThi on January 03, 2012, 02:24:21 PM
Strongcoin (https://strongcoin.com/). They sent me the missing 10 BTC and they're trying to fix the problem.

Also blockchain.info is affected (and maybe other bitcoinJS wallets), but as I said, you can review the transaction before sending it, so it's not a problem.

Client-side online wallets are much more secure than server side ones. Don't ever use server-side wallets (such as the infamous and now extinct mybitcoin). The only client-side wallets I know are Strongcoin, Blockchain.info and Bitventory (this one may be more secure since the author can't change the code without you knowing it). None of them can access your private keys.


Title: Re: [FIXED] Huge flaw with fee calculation on clientside online wallets!
Post by: BurtW on January 03, 2012, 03:07:19 PM
I will give it a try with my strongcoin account.


Title: Re: [FIXED] Huge flaw with fee calculation on clientside online wallets!
Post by: casascius on January 03, 2012, 03:10:55 PM
None of them can access your private keys.

The problem is that if any of these sites are compromised by attackers, and the attackers change the scripts in these pages so that they can access your private keys, this will have been a false sense of security.  Attackers gaining access to change html pages is actually a fairly common occurrence, so it's a realistic threat to be aware of.


Title: Re: [FIXED] Huge flaw with fee calculation on clientside online wallets!
Post by: BurtW on January 03, 2012, 03:27:21 PM
This is NOT fixed!

I just sent 0.99999999 from my StrongCoin account and the transaction went as follows:

0.99999999 Sent
0.99999999 StrongCoin Fee
0.99999999 Miner Fee
------------
2.99999997 TOTAL

This should have been

0.99999999 Sent
0.00500000 StrongCoin Fee
0.00500000 Miner Fee
------------
1.00999999 TOTAL

I was overcharged 1.9899998 BTC

I have contacted StrongCoin.
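The by-hand review BurtW did above can be automated. The following is an added example, not StrongCoin's or bitcoinJS code: it assumes the fee schedule DiThi stated in the first post (1%, 0.005 BTC minimum, 1 BTC maximum), does all arithmetic in integer satoshis rather than floating point, and flags a confirmation screen whose service fee does not match that schedule.

```javascript
// Added example (not from StrongCoin or bitcoinJS). Assumed schedule:
// 1% of the amount, clamped to [0.005 BTC, 1 BTC], as stated in the thread.
const SATOSHI = 100000000;   // satoshis per BTC
const MIN_FEE = 500000;      // 0.005 BTC
const MAX_FEE = SATOSHI;     // 1 BTC

// Parse a decimal BTC string into integer satoshis without passing through
// a binary float: "0.99999999" -> 99999999, "150" -> 15000000000.
function btcToSatoshi(str) {
  const m = /^(\d+)(?:\.(\d{1,8}))?$/.exec(str.trim());
  if (!m) throw new Error(`invalid BTC amount: ${str}`);
  const frac = (m[2] || "").padEnd(8, "0");
  return Number(m[1]) * SATOSHI + Number(frac);
}

// Format integer satoshis as an 8-decimal BTC string: 999999 -> "0.00999999".
function satoshiToBtc(sat) {
  const whole = Math.floor(sat / SATOSHI);
  const frac = String(sat % SATOSHI).padStart(8, "0");
  return `${whole}.${frac}`;
}

// 1% of the amount (integer division drops sub-satoshi remainder), then
// clamped to the minimum and maximum.
function serviceFee(amountSat) {
  const onePercent = Math.floor(amountSat / 100);
  return Math.min(MAX_FEE, Math.max(MIN_FEE, onePercent));
}

// Check the numbers a wallet shows on its confirmation screen. `shown` holds
// BTC strings: { sent, serviceFee, minerFee, total }. Returns a list of
// problems; an empty list means the breakdown matches the schedule.
function reviewBreakdown(shown) {
  const sent = btcToSatoshi(shown.sent);
  const svc = btcToSatoshi(shown.serviceFee);
  const miner = btcToSatoshi(shown.minerFee);
  const total = btcToSatoshi(shown.total);
  const problems = [];
  const expected = serviceFee(sent);
  if (svc !== expected) {
    problems.push(`service fee ${shown.serviceFee} != schedule ${satoshiToBtc(expected)}`);
  }
  if (miner > MAX_FEE) {
    problems.push(`miner fee ${shown.minerFee} exceeds ${satoshiToBtc(MAX_FEE)}`);
  }
  if (sent + svc + miner !== total) {
    problems.push("total does not equal sent + fees");
  }
  return problems;
}
```

Run against the breakdown BurtW observed (0.99999999 sent, 0.99999999 service fee, 0.99999999 miner fee, 2.99999997 total), the service fee is flagged as off-schedule while the total still adds up, which is exactly the pattern of a fee equal to the amount sent.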


Title: Re: [FIXED] Huge flaw with fee calculation on clientside online wallets!
Post by: DiThi on January 03, 2012, 03:51:30 PM
Sorry, misleading title tag. Don't try until they confirm it's fixed.


Title: Re: [FIXED] Huge flaw with fee calculation on clientside online wallets!
Post by: DiThi on January 03, 2012, 04:08:03 PM
None of them can access your private keys.

The problem is that if any of these sites are compromised by attackers, and the attackers change the scripts in these pages so that they can access your private keys, this will have been a false sense of security.  Attackers gaining access to change html pages is actually a fairly common occurrence, so it's a realistic threat to be aware of.

It's much more difficult than directly accessing unencrypted keys, but I agree, it's a threat. Is there a browser plugin or userscript that guarantees that the code in a page hasn't changed? Or something that allows digitally signing HTML and JS.


Title: Re: [FIX in the way] Huge flaw with fee calculation on clientside online wallets!
Post by: piuk on January 03, 2012, 04:33:09 PM
Edit: A fix is in the way!

A friend of mine sent 0.99999999 BTC with StrongCoin and the fee has been 10 BTC (in theory it should be 1%, 0.005 min, 1 max).

With blockchain.info, trying to do that yields even weirder results, but hopefully that wallet is so great it lets you review all the details of the transaction before sending it.

Please, fix it!

And to the rest of the people: don't try that at home! Well, can someone try sending something like 0.00999999 to test?

Hi DiThi,

I have been unable to replicate this using blockchain.info. What browser and OS are you using? Could you please confirm the exact steps to replicate the bug and if possible include a screenshot of the transaction confirmation dialog.

For example this transaction of 0.999999 appears to be constructed correctly.

https://i.imgur.com/jfxdq.png


Title: Re: [FIXED] Huge flaw with fee calculation on clientside online wallets!
Post by: Jan on January 04, 2012, 08:48:13 AM
Strongcoin (https://strongcoin.com/). They sent me the missing 10 BTC and they're trying to fix the problem.

Also blockchain.info is affected (and maybe other bitcoinJS wallets), but as I said, you can review the transaction before sending it, so it's not a problem.

Client-side online wallets are much more secure than server side ones. Don't ever use server-side wallets (such as the infamous and now extinct mybitcoin). The only client-side wallets I know are Strongcoin, Blockchain.info and Bitventory (this one may be more secure since the author can't change the code without you knowing it). None of them can access your private keys.
Add BitcoinSpinner (https://market.android.com/details?id=com.miracleas.bitcoin_spinner) to your list of client-side wallets. Forum thread: https://bitcointalk.org/index.php?topic=52674.0


Title: Re: [FIXED] Huge flaw with fee calculation on clientside online wallets!
Post by: DiThi on January 05, 2012, 08:52:28 PM
Add BitcoinSpinner (https://market.android.com/details?id=com.miracleas.bitcoin_spinner) to your list of client-side wallets. Forum thread: https://bitcointalk.org/index.php?topic=52674.0

I was talking about "online" wallets, i.e. web browser based wallets. I use BitcoinSpinner as well and it's great!

By the way, blockchain.info is down the last times I've tried to access, and I need a private key I forgot to backup :/ It's up again.


Title: Re: [FIX in the way] Huge flaw with fee calculation on clientside online wallets!
Post by: DiThi on January 05, 2012, 09:55:21 PM
Hi DiThi,

I have been unable to replicate this using blockchain.info. What browser and OS are you using? Could you please confirm the exact steps to replicate the bug and if possible include a screenshot of the transaction confirmation dialog.

For example this transaction of 0.999999 appears to be constructed correctly.

You are right. I was about to send you an example but there was an error on my part when interpreting the tx. Thumbs up for such a great web app.

By the way, it says "A 1% or 0.01 BTC fee is charged on all outgoing transactions". 0.01 is the minimum? Fix the text to make it clear.


Title: Re: [FIX on the way] Flaw with fee calculation on strongcoin.
Post by: ThiagoCMC on January 17, 2012, 06:56:08 AM
In fact, Strongcoin (https://strongcoin.com/) is a modified version of Diaspora integrated with Electrum lightweight Bitcoin client  ???


Title: Re: [FIX on the way] Flaw with fee calculation on strongcoin.
Post by: DiThi on January 17, 2012, 02:16:36 PM
In fact, Strongcoin (https://strongcoin.com/) is a modified version of Diaspora integrated with Electrum lightweight Bitcoin client  ???

I have no idea, and I don't know if they fixed the problem. I haven't used strongcoin since I opened this thread. I use blockchain.info and the official client importing the keys with pywallet.