I successfully double spended $400 of Bitcoin today

[newtons1]

For those that don't know there is a strange new 'attack'

Uh no it's not new.

This attack has be known for years, but it is only recently (within the last ~18 months) that there have been any serious consequences because of this issue.

MtGox claimed that they had huge losses because of malleability attacks; though its unproven (there also where mallated transactions back then).
they claimed that people withdraw btc. that tx was mallated. their system thought (because of the new txid) their transaction has not been in a block so they refunded.

technically its not a double-spent btw as it only looks like one, but all outputs and inputs are the same: so imho it isnt.

For the record, I do not believe MtGox's story for a minute, unless the transactions in question occurred many years ago prior to bitcoin having any real value.

The malleability attack caused Gox to allow their customer to receive more money then they were really due. It would be similar to you tricking the cashier at Target that you should receive more change for your purchase then you really should.

[7788bitcoin]

Not to worry too much. The bitcoin system is still robust. Any errors are definitely caused by blockchain wallet.

[turtlehurricane]

Not to worry too much. The bitcoin system is still robust. Any errors are definitely caused by blockchain wallet.

Yes, just hide inside the protocol during times like this. Not everyone is such an expert however. Most of the world uses blockchain.info wallet... If I accidentally double spended $400 then a scammer can double spend just as much as he has in his wallet. These are double spends that occur on the actual blockchain, something in .info's protocol is allowing people to broadcast spent inputs as long as they are unconfirmed. Then send another one with a much higher fee, and the ridiculously good few gives it priority when the miners decide which one goes in the block.

Very real double spend, no 51% attack required. .info needs to overhaul their code ASAP

[Blazr]

something in .info's protocol is allowing people to broadcast spent inputs as long as they are unconfirmed.

You can do that with almost any wallet, and the ones you can't do that with you can do it by removing some code. The only solution is to wait for confirmations. Unconfirmed transactions can be double spent, the whole point of confirmations/mining is to prevent double spending. If you accept unconfirmed transactions then you're probably going to get scammed eventually. Some businesses such as bitpay have mitigations that make it somewhat harder to double spend but it is still possible to do so.

[buddu]

I had only one transaction of 0.10BTC and didn't observe anything irregular or double spent.It was smooth and clear transaction made on blockchain.I need not worry about this.

[Mickeyb]

Not to worry too much. The bitcoin system is still robust. Any errors are definitely caused by blockchain wallet.

So what is this all about again? Is this the same old transaction malleability like before? I see that only blockchain.info users are affected, right? Any other wallets that should be worried about?

[shorena]

Not to worry too much. The bitcoin system is still robust. Any errors are definitely caused by blockchain wallet.

So what is this all about again? Is this the same old transaction malleability like before? I see that only blockchain.info users are affected, right? Any other wallets that should be worried about?

This affects all wallets. It just varies on the issues this creates. Some wallets report a wrong balance, while others like e.g. core report the TX as conflicting.

[fuddudle]

If i understand things correctly, there's no 'new' coins being made from this attack?

[Mickeyb]

Not to worry too much. The bitcoin system is still robust. Any errors are definitely caused by blockchain wallet.

So what is this all about again? Is this the same old transaction malleability like before? I see that only blockchain.info users are affected, right? Any other wallets that should be worried about?

This affects all wallets. It just varies on the issues this creates. Some wallets report a wrong balance, while others like e.g. core report the TX as conflicting.

OK thanks, I will try to restrain from sending any transactions then until this doesn't get patched. I don't need any trouble honestly at the moment.

[turtlehurricane]

If i understand things correctly, there's no 'new' coins being made from this attack?

Correct, just 2 transactions for the same bitcoin. Both show up at their destination like any other bitcoin would, but only one is confirmed and the other one disappears (remains unconfirmed forever). This customer waited till he saw it in his blockchain to leave, then as he's driving away I accidentally double spended him and his coins were back in one of my wallets. I called to explain, mostly since I've never seen that before, and sent it back to him.

Due to the events of last night, I will be waiting for 1 confirmation from here on out.

[shorena]

-snip-
OK thanks, I will try to restrain from sending any transactions then until this doesn't get patched. I don't need any trouble honestly at the moment.

As the fix is complicated it might not be fixed on the protocol level. Whether or not individual wallets get a patch to deal with this I cant tell. I would suggest you wait for a single confirmation whenever you send or receive coins before you create another TX. If your wallet is confused after the first confirmation. Let it restore its database from the blockchain. E.g. Multibit HD calls it "repair wallet", bitcoin core calls it "-zapwallettxes", for blockchain.info and other services a short message to support should do it, etc.

If i understand things correctly, there's no 'new' coins being made from this attack?

That is correct. Its not even that the coins go somewhere else, its just the identifier for the transaction the TX ID is changed, nothing else.

[Lauda]

Correct, just 2 transactions for the same bitcoin. Both show up at their destination like any other bitcoin would, but only one is confirmed and the other one disappears (remains unconfirmed forever). This customer waited till he saw it in his blockchain to leave, then as he's driving away I accidentally double spended him and his coins were back in one of my wallets. I called to explain, mostly since I've never seen that before, and sent it back to him.

Due to the events of last night, I will be waiting for 1 confirmation from here on out.

I wouldn't even call what you did a classical double spend. A simple definition of a double spend is the following:

Double-spending is the result of successfully spending some money more than once.

What wallet did the customer use? If it's blockchain.info then it has something to do with them. I'd like more evidence so that we can analyze what exactly happened here.
Update: I rewrote my whole post, forget the initial nonsense. I should not answer complicated issues when I'm tired.

[BitcoinNewsMagazine]

-snip-
OK thanks, I will try to restrain from sending any transactions then until this doesn't get patched. I don't need any trouble honestly at the moment.

As the fix is complicated it might not be fixed on the protocol level. Whether or not individual wallets get a patch to deal with this I cant tell. I would suggest you wait for a single confirmation whenever you send or receive coins before you create another TX. If your wallet is confused after the first confirmation. Let it restore its database from the blockchain. E.g. Multibit HD calls it "repair wallet", bitcoin core calls it "-zapwallettxes", for blockchain.info and other services a short message to support should do it, etc.

If i understand things correctly, there's no 'new' coins being made from this attack?

That is correct. Its not even that the coins go somewhere else, its just the identifier for the transaction the TX ID is changed, nothing else.

Thanks for this! Because myTrezor.com can not gracefully handle the duplicate transactions Trezor users are reporting being unable to spend from their myTrezor.com wallet. Switching to Multibit HD is a good temporary solution until Trezor support patches myTrezor.com. I do not know of any other wallet Trezor is compatible with that has a repair function.

[LiteCoinGuy]

For those that don't know there is a strange new 'attack'

Uh no it's not new.

It was new for mtgox...

[RodeoX]

Not really new or an attack. The system requires confirmation before trusting the spend. If one waits for confirmation, as intended, there is no problem.

[JeWay]

At the end, your Bitcoin is still on the same amount right?
Because however, you need a confirmations to use the Bitcoin.

[Panadacoin]

Always seems one problem or other with BC. I wish they would just go away.

[Meuh6879]

Blockchain.info needs to fix this asap.

so, it's not Bitcoin (B = Network).

[achow101]

Have you reported this to blockchain yet? They should probably know that there is a problem with their system that allows spending unconfirmed transactions and creating double spends. Maybe someone should also write a fix and submit a pull request to their github repository https://github.com/blockchain/My-Wallet-V3

Edit: sent them an email to their security email. Hopefully the see it.

[ajareselde]

Why in the world would someone trust a transaction without it being confirmed by the network ?!
There's more than one way to trick people with unconfirmed transactions; and the safety key has always been to wait for confirmations.