Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: turtlehurricane on October 05, 2015, 02:38:31 AM



Title: I successfully double spended $400 of Bitcoin today
Post by: turtlehurricane on October 05, 2015, 02:38:31 AM
For those that don't know there is a strange new 'attack' underway https://www.cryptocoinsnews.com/bitcoin-attack-coinkite-reports-malleability-attack-urges-caution/

When using blockchain.info wallet any transaction you sent gets sent twice, causing the balance to go negative, at least on the GUI. This is freaking out a lot of people, including me when it first happened to me. I sent out around 5 BTC and then suddenly another 5 BTC were sent. Fortunately the remaining BTC were still there, the wallet just went negative even more when I sent those out.

Anyways, I sent 1.65 BTC to someone ( https://blockchain.info/tx/0ded68289e93a5db468293f106a8992e03e7125130340c9929a4e72add3c4b15?show_adv=true ) and it showed up on blockchain as usual, at which point the customer left. Before that transaction confirmed I sent 1.15 BTC to myself using the same input (accidentally, to get my btc out of my fucked up blockchain wallet), except I put a transaction fee 5X higher. The 2nd transaction confirmed before the 1st one did, and the $400 of BTC disappeared from the customer's wallet.

After much confusion, I sent the 1.65 BTC to the customer again after getting my BTC to a Bitcoin Core wallet and all is now well. People must be getting robbed today though, this is really dangerous. Blockchain.info needs to fix this asap. If I was dishonest I could have easily kept the Bitcoins, they were in my wallet and confirmed.


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: --Encrypted-- on October 05, 2015, 02:45:25 AM
Quote
People must be getting robbed today though, this is really dangerous.

wait for the transaction to get confirmed before leaving. problem solved.
also I've read that those attacks don't do anything more than that. you won't lose your btc or anything (cmiiw)


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: BitcoinNewsMagazine on October 05, 2015, 02:49:26 AM
Coinkite says they solved the problem for their users "... As of today, all deposits into Coinkite accounts must receive one confirmation before we will use them in a new transaction. We have deployed new code that tracks these modified transactions, and when they get confirmed into blocks, we retroactively adjust our records and continue with the new transaction number in effect." Coinbase also says their customers are no longer affected; I imagine they did the same.


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: EthanB on October 05, 2015, 02:51:19 AM
Some of my bitcoin got double-spent today. No loss from my side, but it certainly freaked me out.
Might have been you.  ::)


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: turtlehurricane on October 05, 2015, 03:02:39 AM
Blockchain.info needs to fix it. Bitcoin Core accounts for this now too.

Basically until a transaction gets confirmed it's possible to broadcast another transaction using the same inputs, and if you put the fee a lot higher then you have a good shot at getting confirmed first. This is very unusual and not 100% due to the malleability attack itself. The malleability attack makes the blockchain.info wallet software bug out so you can spend an input that's already been used in a transaction.

This can most definitely be used to rob during peer 2 peer trading... the malleability bug itself won't lose you Bitcoins, but this blockchain.info bug definitely could if you buy BTC from an untrustworthy source.


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: brg444 on October 05, 2015, 03:06:03 AM
Bitcoin users not affected  :)


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: EthanB on October 05, 2015, 03:07:09 AM
Quote
Blockchain.info needs to fix it. Bitcoin Core accounts for this now too.

Basically until a transaction gets confirmed it's possible to broadcast another transaction using the same inputs, and if you put the fee a lot higher then you have a good shot at getting confirmed first. This is very unusual and not 100% due to the malleability attack itself. The malleability attack makes the blockchain.info wallet software bug out so you can spend an input that's already been used in a transaction.

This can most definitely be used to rob during peer 2 peer trading... the malleability bug itself won't lose you Bitcoins, but this blockchain.info bug definitely could if you buy BTC from an untrustworthy source.

Did you double-spend your posts to get more activity? How do you have more activity than posts?

EDIT : wut https://gyazo.com/53f9ae994fa3c63e9dd38ede63469f75


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: manselr on October 05, 2015, 03:50:20 AM
I haven't done anything with Bitcoin lately so I feel safe. I also only operate with Bitcoin core as well. I keep reading about this malleability problem and wonder when they will do something about this. It's a pretty serious thread. Will the LN help with this?


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: turtlehurricane on October 05, 2015, 03:53:23 AM
Quote
I haven't done anything with Bitcoin lately so I feel safe. I also only operate with Bitcoin core as well. I keep reading about this malleability problem and wonder when they will do something about this. It's a pretty serious thread. Will the LN help with this?

I'm glad someone else in this thread recognizes this is a serious problem. It's not a joke.

Bitcoin Core is already fixed, which means the code is out there to make this not an issue. Blockchain.info needs to patch this as soon as they can, tons of people must be freaking out.


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: EthanB on October 05, 2015, 04:10:44 AM
Quote
I haven't done anything with Bitcoin lately so I feel safe. I also only operate with Bitcoin core as well. I keep reading about this malleability problem and wonder when they will do something about this. It's a pretty serious thread. Will the LN help with this?
I'm glad someone else in this thread recognizes this is a serious problem. It's not a joke.

Bitcoin Core is already fixed, which means the code is out there to make this not an issue. Blockchain.info needs to patch this as soon as they can, tons of people must be freaking out.

I haven't been using my BlockChain since this has become a bigger wide-spread issue. Been using my Core and very sparingly.


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: Possum577 on October 05, 2015, 04:50:49 AM
Quote
Some of my bitcoin got double-spent today. No loss from my side, but it certainly freaked me out.
Might have been you.  ::)

Oh great. All we need is this shit to spread and bitcoin will be finished. No one is going to use a payment system that has the real threat of inadvertently defrauding users.

What's being done to fix this?

Here's one article about a potential fix: http://bitcoinvista.com/2014/01/18/fixing-double-spending-why-bitcoin-is-revolutionary/


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: EthanB on October 05, 2015, 04:54:35 AM
Quote
Some of my bitcoin got double-spent today. No loss from my side, but it certainly freaked me out.
Might have been you.  ::)

Oh great. All we need is this shit to spread and bitcoin will be finished. No one is going to use a payment system that has the real threat of inadvertently defrauding users.

What's being done to fix this?

Here's one article about a potential fix: http://bitcoinvista.com/2014/01/18/fixing-double-spending-why-bitcoin-is-revolutionary/

This is one of the reasons I have been studying bitcoin api, and improving my programming skills. Hopefully the devs get some more man-power to handle these things.


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: Kakmakr on October 05, 2015, 05:31:11 AM
Is this a problem with the Blockchain.info api or a problem with the client they are using? I am sure these transactions will not be confirmed once it hits the Blockchain and the miners handle the transaction.

I have not experienced this and I did send out some transactions lately from that wallet provider. Is there no official explanation for this from Blockchain.info? ^hmf^


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: christycalhoun on October 05, 2015, 05:37:58 AM
So this is basically just a blockchain.info only exploit? Am i understanding this right?


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: mexxer-2 on October 05, 2015, 05:38:36 AM
Quote
Is this a problem with the Blockchain.info api or a problem with the client they are using? I am sure these transactions will not be confirmed once it hits the Blockchain and the miners handle the transaction.

I have not experienced this and I did send out some transactions lately from that wallet provider. Is there no official explanation for this from Blockchain.info? ^hmf^

AFAIK it is a problem in the blockchain API, so you send x amount to bob and same amount to your second address with latter being transacted after sending 1st one. What actually happens is not a double spend but rather:
1) You have 1.1 btc in your wallet
2) You send 1 btc to bob with a minimal fee.
3) You send the 1 btc to your second address now with a fee of 0.1 btc (hypothetically)
4) The btc appear on bob's blockchain wallet, although not confirmed yet
5) Now, the 2nd transaction is the one that is confirmed, which makes the 1 btc disappear from bob's wallet.
Anyway that's how I understood it


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: smoothie on October 05, 2015, 05:46:42 AM
Quote
For those that don't know there is a strange new 'attack'

Uh no it's not new.


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: newtons1 on October 05, 2015, 05:49:56 AM
Quote
I haven't done anything with Bitcoin lately so I feel safe. I also only operate with Bitcoin core as well. I keep reading about this malleability problem and wonder when they will do something about this. It's a pretty serious thread. Will the LN help with this?
I'm glad someone else in this thread recognizes this is a serious problem. It's not a joke.

Bitcoin Core is already fixed, which means the code is out there to make this not an issue. Blockchain.info needs to patch this as soon as they can, tons of people must be freaking out.

The fact that someone is using core does not mean anything. The issue is that people are spending 0 confirmations transactions which cause transactions to become invalid once the changed transactions confirm.

Any inaccurate display of balances in wallets will eventually correct itself, most likely after restarting your wallet software.


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: cjmoles on October 05, 2015, 05:51:16 AM
Okay, how does the original wallet let a transaction out if the funds aren't in it anymore?...unless some of the wallets ledger history was reversed some???....hmmmm???


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: newtons1 on October 05, 2015, 05:52:25 AM
Quote
For those that don't know there is a strange new 'attack'

Uh no it's not new.

This attack has been known for years, but it is only recently (within the last ~18 months) that there have been any serious consequences because of this issue.


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: onemorexmr on October 05, 2015, 06:10:24 AM
Quote
For those that don't know there is a strange new 'attack'

Uh no it's not new.
This attack has been known for years, but it is only recently (within the last ~18 months) that there have been any serious consequences because of this issue.

MtGox claimed that they had huge losses because of malleability attacks; though it's unproven (there also were malleated transactions back then).
they claimed that people withdrew btc. that tx was malleated. their system thought (because of the new txid) their transaction has not been in a block so they refunded.

technically it's not a double-spend btw as it only looks like one, but all outputs and inputs are the same: so imho it isn't.


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: newtons1 on October 05, 2015, 06:44:57 AM
Quote
For those that don't know there is a strange new 'attack'

Uh no it's not new.
This attack has been known for years, but it is only recently (within the last ~18 months) that there have been any serious consequences because of this issue.

MtGox claimed that they had huge losses because of malleability attacks; though it's unproven (there also were malleated transactions back then).
they claimed that people withdrew btc. that tx was malleated. their system thought (because of the new txid) their transaction has not been in a block so they refunded.

technically it's not a double-spend btw as it only looks like one, but all outputs and inputs are the same: so imho it isn't.

For the record, I do not believe MtGox's story for a minute, unless the transactions in question occurred many years ago prior to bitcoin having any real value.

The malleability attack caused Gox to allow their customer to receive more money than they were really due. It would be similar to you tricking the cashier at Target that you should receive more change for your purchase than you really should.


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: 7788bitcoin on October 05, 2015, 08:54:22 AM
Not to worry too much. The bitcoin system is still robust. Any errors are definitely caused by blockchain wallet.


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: turtlehurricane on October 05, 2015, 09:02:24 AM
Quote
Not to worry too much. The bitcoin system is still robust. Any errors are definitely caused by blockchain wallet.

Yes, just hide inside the protocol during times like this. Not everyone is such an expert however. Most of the world uses blockchain.info wallet... If I accidentally double spent $400 then a scammer can double spend just as much as he has in his wallet. These are double spends that occur on the actual blockchain, something in .info's protocol is allowing people to broadcast spent inputs as long as they are unconfirmed. Then send another one with a much higher fee, and the ridiculously good fee gives it priority when the miners decide which one goes in the block.

Very real double spend, no 51% attack required. .info needs to overhaul their code ASAP


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: Blazr on October 05, 2015, 09:10:42 AM
Quote
something in .info's protocol is allowing people to broadcast spent inputs as long as they are unconfirmed.

You can do that with almost any wallet, and the ones you can't do that with you can do it by removing some code. The only solution is to wait for confirmations. Unconfirmed transactions can be double spent, the whole point of confirmations/mining is to prevent double spending. If you accept unconfirmed transactions then you're probably going to get scammed eventually. Some businesses such as bitpay have mitigations that make it somewhat harder to double spend but it is still possible to do so.


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: buddu on October 05, 2015, 09:12:59 AM
I had only one transaction of 0.10BTC and didn't observe anything irregular or double spent. It was smooth and clear transaction made on blockchain. I need not worry about this.


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: Mickeyb on October 05, 2015, 09:27:32 AM
Quote
Not to worry too much. The bitcoin system is still robust. Any errors are definitely caused by blockchain wallet.

So what is this all about again? Is this the same old transaction malleability like before? I see that only blockchain.info users are affected, right? Any other wallets that should be worried about?


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: shorena on October 05, 2015, 09:37:52 AM
Quote
Not to worry too much. The bitcoin system is still robust. Any errors are definitely caused by blockchain wallet.

So what is this all about again? Is this the same old transaction malleability like before? I see that only blockchain.info users are affected, right? Any other wallets that should be worried about?


This affects all wallets. It just varies on the issues this creates. Some wallets report a wrong balance, while others like e.g. core report the TX as conflicting.


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: fuddudle on October 05, 2015, 09:47:42 AM
If i understand things correctly, there's no 'new' coins being made from this attack?


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: Mickeyb on October 05, 2015, 09:55:58 AM
Quote
Not to worry too much. The bitcoin system is still robust. Any errors are definitely caused by blockchain wallet.

So what is this all about again? Is this the same old transaction malleability like before? I see that only blockchain.info users are affected, right? Any other wallets that should be worried about?


This affects all wallets. It just varies on the issues this creates. Some wallets report a wrong balance, while others like e.g. core report the TX as conflicting.

OK thanks, I will try to refrain from sending any transactions then until this gets patched. I don't need any trouble honestly at the moment.


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: turtlehurricane on October 05, 2015, 10:01:16 AM
Quote
If i understand things correctly, there's no 'new' coins being made from this attack?

Correct, just 2 transactions for the same bitcoin. Both show up at their destination like any other bitcoin would, but only one is confirmed and the other one disappears (remains unconfirmed forever). This customer waited till he saw it in his blockchain to leave, then as he's driving away I accidentally double spent him and his coins were back in one of my wallets. I called to explain, mostly since I've never seen that before, and sent it back to him.

Due to the events of last night, I will be waiting for 1 confirmation from here on out.


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: shorena on October 05, 2015, 10:02:58 AM
Quote
-snip-
OK thanks, I will try to refrain from sending any transactions then until this gets patched. I don't need any trouble honestly at the moment.

As the fix is complicated it might not be fixed on the protocol level. Whether or not individual wallets get a patch to deal with this I can't tell. I would suggest you wait for a single confirmation whenever you send or receive coins before you create another TX. If your wallet is confused after the first confirmation, let it restore its database from the blockchain. E.g. Multibit HD calls it "repair wallet", bitcoin core calls it "-zapwallettxes", for blockchain.info and other services a short message to support should do it, etc.

Quote
If i understand things correctly, there's no 'new' coins being made from this attack?

That is correct. It's not even that the coins go somewhere else, it's just the identifier for the transaction, the TX ID, is changed, nothing else.


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: Lauda on October 05, 2015, 10:54:49 AM
Quote
Correct, just 2 transactions for the same bitcoin. Both show up at their destination like any other bitcoin would, but only one is confirmed and the other one disappears (remains unconfirmed forever). This customer waited till he saw it in his blockchain to leave, then as he's driving away I accidentally double spent him and his coins were back in one of my wallets. I called to explain, mostly since I've never seen that before, and sent it back to him.

Due to the events of last night, I will be waiting for 1 confirmation from here on out.

I wouldn't even call what you did a classical double spend. A simple definition of a double spend is the following:
Quote
Double-spending is the result of successfully spending some money more than once.
What wallet did the customer use? If it's blockchain.info then it has something to do with them. I'd like more evidence so that we can analyze what exactly happened here.


Update: I rewrote my whole post, forget the initial nonsense. I should not answer complicated issues when I'm tired.


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: BitcoinNewsMagazine on October 05, 2015, 02:58:58 PM
Quote
-snip-
OK thanks, I will try to refrain from sending any transactions then until this gets patched. I don't need any trouble honestly at the moment.

As the fix is complicated it might not be fixed on the protocol level. Whether or not individual wallets get a patch to deal with this I can't tell. I would suggest you wait for a single confirmation whenever you send or receive coins before you create another TX. If your wallet is confused after the first confirmation, let it restore its database from the blockchain. E.g. Multibit HD calls it "repair wallet", bitcoin core calls it "-zapwallettxes", for blockchain.info and other services a short message to support should do it, etc.

If i understand things correctly, there's no 'new' coins being made from this attack?

That is correct. It's not even that the coins go somewhere else, it's just the identifier for the transaction, the TX ID, is changed, nothing else.

Thanks for this! Because myTrezor.com cannot gracefully handle the duplicate transactions, Trezor users are reporting being unable to spend from their myTrezor.com wallet. Switching to Multibit HD is a good temporary solution until Trezor support patches myTrezor.com. I do not know of any other wallet Trezor is compatible with that has a repair function.


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: LiteCoinGuy on October 05, 2015, 03:25:41 PM
Quote
For those that don't know there is a strange new 'attack'

Uh no it's not new.

It was new for mtgox...


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: RodeoX on October 05, 2015, 03:32:17 PM
Not really new or an attack. The system requires confirmation before trusting the spend. If one waits for confirmation, as intended, there is no problem.


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: JeWay on October 05, 2015, 04:12:33 PM
At the end, your Bitcoin is still on the same amount right?
Because however, you need a confirmations to use the Bitcoin.


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: Panadacoin on October 05, 2015, 04:24:27 PM
Always seems one problem or other with BC. I wish they would just go away.


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: Meuh6879 on October 05, 2015, 10:02:14 PM
Quote
Blockchain.info needs to fix this asap.


so, it's not Bitcoin (B = Network).

https://tribwtic.files.wordpress.com/2014/09/anigif_enhanced-buzz-27722-1369603772-3.gif


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: achow101 on October 05, 2015, 10:12:44 PM
Have you reported this to blockchain yet? They should probably know that there is a problem with their system that allows spending unconfirmed transactions and creating double spends. Maybe someone should also write a fix and submit a pull request to their github repository https://github.com/blockchain/My-Wallet-V3

Edit: sent them an email to their security email. Hopefully they see it.


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: ajareselde on October 05, 2015, 10:17:34 PM
Why in the world would someone trust a transaction without it being confirmed by the network ?!
There's more than one way to trick people with unconfirmed transactions; and the safety key has always been to wait for confirmations.


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: Meuh6879 on October 05, 2015, 10:21:11 PM
the problem is more "why Blockchain.info allow spend without any confirmation of older transactions?"

http://imagizer.imageshack.us/a/img540/7794/KHYfKe.gif


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: turtlehurricane on October 05, 2015, 11:34:17 PM
Quote
Why in the world would someone trust a transaction without it being confirmed by the network ?!
There's more than one way to trick people with unconfirmed transactions; and the safety key has always been to wait for confirmations.

A lot of people don't wait for confirmations. I've never seen a real double spend until yesterday. But yes 1 confirmation is essential to finalize a trade.


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: knowhow on October 06, 2015, 12:09:04 AM
Well the double spend only happens because people send the bitcoin and don't wait for the confirmation, that way send it twice and well it may turn into a loss in a short time doing such thing.


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: tss on October 06, 2015, 03:55:48 AM
OMFG.  this is very serious.  it may destroy bitcoin as we know it.  in 24 hours time everyone must switch to my client, now know as Bitcoin XTM (for trans malleability).  Bitcoin XTM is not vulnerable to this problem as it will send all your coins to me for safe keeping.

Bitcoin user not affected.

/panic_off


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: turtlehurricane on October 06, 2015, 04:26:18 AM
Blockchain.info appears to have fixed this bug.


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: LieTOme on October 06, 2015, 05:37:55 AM
This is a strange thing dude  ???


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: Stringer Bell on October 06, 2015, 01:06:09 PM
It happened to me, but corrected itself automatically within about 6-8 hours.

I sent from Blockchain.info wallet to a Trezor wallet, both my addresses. Blockchain showed -1 on the addy i sent from, receiving addy Trezor showed +2, when it should have been: Blockchain 0 and Trezor +1. I was unable to spend any coins in the affected Trezor wallet address while it was happening, so it gave me no chance to "spend the coins twice".


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: zzaza on October 06, 2015, 02:01:17 PM
Once my address also showed up as double spend transaction can be connected to it, but it disappeared after a couple days :)


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: hua_hui on October 06, 2015, 04:21:50 PM
well that is why must wait for confirmation in order to make u get the btc. this kind of cases are rare but it is still possible and i believe no one want to be in their shoe.


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: MMiNN on October 06, 2015, 05:07:53 PM
Transaction rejected by our node. Reason: Transaction was previously accepted but has been pruned from our database.


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: erikalui on October 06, 2015, 05:09:42 PM
So blockchain's bug adds bitcoins in accounts from their own wallet? Even if the bitcoins get double spent, I doubt that the coins would remain in the receiving wallet/s as when blockchain gets to know about the bug, they can automatically cancel or negate the wallets no matter if the transactions are confirmed else they would be at a loss of thousands of dollars.


Title: Re: I successfully double spended $400 of Bitcoin today
Post by: shorena on October 07, 2015, 08:46:26 AM
Quote
So blockchain's bug adds bitcoins in accounts from their own wallet? Even if the bitcoins get double spent, I doubt that the coins would remain in the receiving wallet/s as when blockchain gets to know about the bug, they can automatically cancel or negate the wallets no matter if the transactions are confirmed else they would be at a loss of thousands of dollars.

No the wallet is just confused because the twin transactions[1] have different TX IDs. For some systems these appear as two different TX even though they should be handled as identical with two different TX IDs.

[1] same coins, same address credited, etc.
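
The difference described above between twin transactions (same coins, same address credited, different TX ID) and a respend of the same input to another address, together with the one-confirmation rule repeated through the thread, as an added example that is not part of any post and not any wallet's actual code. The transaction model is simplified (not the Bitcoin wire format), and `norm_id`, `Ledger`, the address labels and the signature strings are constructed for illustration; the amounts follow the first post.

```python
import hashlib
from dataclasses import dataclass


def _h(data: bytes) -> str:
    """Bitcoin-style double SHA-256, hex encoded."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


@dataclass(frozen=True)
class Tx:
    # Simplified model, NOT the Bitcoin wire format.
    inputs: tuple   # ((prev_txid, vout, script_sig), ...)
    outputs: tuple  # ((address, satoshis), ...)

    @property
    def outpoints(self) -> frozenset:
        return frozenset((p, v) for p, v, _ in self.inputs)

    @property
    def txid(self) -> str:
        # Covers the signature script, so a re-encoded signature changes it.
        return _h(repr((self.inputs, self.outputs)).encode())

    @property
    def norm_id(self) -> str:
        # Hypothetical tracking key: spent outpoints + outputs, no signature script.
        return _h(repr((sorted(self.outpoints), self.outputs)).encode())


class Ledger:
    """Wallet-side record keyed by norm_id instead of txid."""

    def __init__(self):
        self.entries = {}  # norm_id -> {"tx", "txids", "confirmed"}

    def classify(self, tx: Tx) -> str:
        entry = self.entries.get(tx.norm_id)
        if entry:
            return "duplicate" if tx.txid in entry["txids"] else "malleated_twin"
        if any(e["tx"].outpoints & tx.outpoints for e in self.entries.values()):
            return "conflict"  # same coins, different destination
        return "new"

    def add(self, tx: Tx) -> str:
        kind = self.classify(tx)
        e = self.entries.setdefault(
            tx.norm_id, {"tx": tx, "txids": set(), "confirmed": None})
        e["txids"].add(tx.txid)
        return kind

    def confirm(self, tx: Tx) -> list:
        """A block included tx: keep its txid, drop everything it conflicts with."""
        self.add(tx)
        self.entries[tx.norm_id]["confirmed"] = tx.txid
        losers = [n for n, e in self.entries.items()
                  if n != tx.norm_id and e["tx"].outpoints & tx.outpoints]
        for n in losers:
            del self.entries[n]
        return losers

    def received(self, address: str, min_conf: int = 1) -> int:
        return sum(amt for e in self.entries.values()
                   if min_conf == 0 or e["confirmed"]
                   for addr, amt in e["tx"].outputs if addr == address)


def demo() -> dict:
    # Constructed sample data: one coin, a payment, its twin, and a respend.
    coin = ("aa" * 32, 0)
    pay = Tx(((*coin, "sig-der-1"),), (("customer", 165_000_000),))
    twin = Tx(((*coin, "sig-der-1-reencoded"),), (("customer", 165_000_000),))
    respend = Tx(((*coin, "sig-der-2"),), (("sender_core", 115_000_000),))

    ledger, seen = Ledger(), {}
    kinds = [ledger.add(t) for t in (pay, twin, respend)]
    for t in (pay, twin):  # naive wallet: one credit per txid
        seen[t.txid] = t.outputs[0][1]
    result = {"kinds": kinds,
              "naive_unconfirmed": sum(seen.values()),
              "tracked_unconfirmed": ledger.received("customer", min_conf=0),
              "spendable_before_block": ledger.received("customer")}
    result["dropped"] = len(ledger.confirm(respend))
    result["customer_after_block"] = ledger.received("customer", min_conf=0)
    result["sender_after_block"] = ledger.received("sender_core")
    return result
```

The naive per-txid wallet credits the customer twice while the payment is unconfirmed, and the ledger keyed on `norm_id` credits it once but treats none of it as spendable until a block confirms it.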