Bitcoin Forum
April 21, 2014, 05:13:58 AM *
News: Due to the OpenSSL heartbleed bug, changing your forum password is recommended.
 
   Home   Help Search Donate Login Register  
Pages: [1] 2 3 4 5 6  All
  Print  
Author Topic: A successful DOUBLE SPEND US$10000 against OKPAY this morning.  (Read 68419 times)
macbook-air
Full Member
***
Offline Offline

Activity: 121


View Profile

Ignore
March 12, 2013, 06:22:02 PM
 #1

All time UTC+08:00:

08:08 – Well before I knew what later have happened, I deposited $10000-worth Bitcoins to BTC-e over OKPAY's Bitcoin payment, I paid OKPAY address 12z2n8YCJw1BEsJhhQPLCTuLqwH341nKnE 211.9093 BTC and 0.0005 BTC as transaction fee.
09:30 – The transaction was included in version 0.8's fork, block 225446
10:08 – Deposit completed, $9800 credited to my BTC-e account
12:53 – After some study, I recognized, the transaction, though included in version 0.8's fork, was never confirmed by the pre-0.8 fork, so I decided to make two double spend transactions on two of the vins of the OKPAY transaction, and broadcasted them with the raw transaction API, 0.001 BTC transaction fee included in each transaction.
13:01 – The double spend transaction was included in pre-0.8 fork block 225446

You should know what happens next...

I bet merchants would think twice before they decide to accept Bitcoins after the incident.
1398057238
Hero Member
*
Offline Offline

Posts: 1398057238

View Profile Personal Message (Offline)

Ignore
1398057238
Reply with quote  #2

1398057238
Report to moderator
1398057238
Hero Member
*
Offline Offline

Posts: 1398057238

View Profile Personal Message (Offline)

Ignore
1398057238
Reply with quote  #2

1398057238
Report to moderator
1398057238
Hero Member
*
Offline Offline

Posts: 1398057238

View Profile Personal Message (Offline)

Ignore
1398057238
Reply with quote  #2

1398057238
Report to moderator
Private Internet Access™ - No logs, Unlimited Bandwidth, PC Magazine's Editor's Choice
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1398057238
Hero Member
*
Offline Offline

Posts: 1398057238

View Profile Personal Message (Offline)

Ignore
1398057238
Reply with quote  #2

1398057238
Report to moderator
1398057238
Hero Member
*
Offline Offline

Posts: 1398057238

View Profile Personal Message (Offline)

Ignore
1398057238
Reply with quote  #2

1398057238
Report to moderator
macbook-air
Full Member
***
Offline Offline

Activity: 121


View Profile

Ignore
March 12, 2013, 06:30:14 PM
 #2

And OKPAY also owes me 64.91410001 BTC.

I made two OKPAY payments in one Bitcoin transaction, their system cannot process this, eventually only one of the two payments was confirmed. The other one was lost.

Jan
Hero Member
*****
Offline Offline

Activity: 944



View Profile

Ignore
March 12, 2013, 06:38:27 PM
 #3

All time UTC+08:00:

08:08 – Well before I knew what later have happened, I deposited $10000-worth Bitcoins to BTC-e over OKPAY's Bitcoin payment, I paid OKPAY address 12z2n8YCJw1BEsJhhQPLCTuLqwH341nKnE 211.9093 BTC and 0.0005 BTC as transaction fee.
09:30 – The transaction was included in version 0.8's fork, block 225446
10:08 – Deposit completed, $9800 credited to my BTC-e account
12:53 – After some study, I recognized, the transaction, though included in version 0.8's fork, was never confirmed by the pre-0.8 fork, so I decided to make two double spend transactions on two of the vins of the OKPAY transaction, and broadcasted them with the raw transaction API, 0.001 BTC transaction fee included in each transaction.
13:01 – The double spend transaction was included in pre-0.8 fork block 225446

You should know what happens next...

I bet merchants would think twice before they decide to accept Bitcoins after the incident.
Ouch...

Mycelium Bitcoin Wallet, a swift & secure Bitcoin client for Android. Join the fun, we are hiring
bg002h
Donator
Hero Member
*
Offline Offline

Activity: 882


Got GLIPH? https://gli.ph/m *p-d-d


View Profile WWW

Ignore
March 12, 2013, 06:38:59 PM
 #4

All time UTC+08:00:

08:08 – Well before I knew what later have happened, I deposited $10000-worth Bitcoins to BTC-e over OKPAY's Bitcoin payment, I paid OKPAY address 12z2n8YCJw1BEsJhhQPLCTuLqwH341nKnE 211.9093 BTC and 0.0005 BTC as transaction fee.
09:30 – The transaction was included in version 0.8's fork, block 225446
10:08 – Deposit completed, $9800 credited to my BTC-e account
12:53 – After some study, I recognized, the transaction, though included in version 0.8's fork, was never confirmed by the pre-0.8 fork, so I decided to make two double spend transactions on two of the vins of the OKPAY transaction, and broadcasted them with the raw transaction API, 0.001 BTC transaction fee included in each transaction.
13:01 – The double spend transaction was included in pre-0.8 fork block 225446

You should know what happens next...

I bet merchants would think twice before they decide to accept Bitcoins after the incident.

Good thing someone honest was the cause of the double spend...

Jan
Hero Member
*****
Offline Offline

Activity: 944



View Profile

Ignore
March 12, 2013, 06:42:19 PM
 #5

Here is the tx: http://blockchain.info/tx/12814b8ad57ce5654ba69eb26a52ddae1bff42093ca20cef3ad96fe7fd85d195

Mycelium Bitcoin Wallet, a swift & secure Bitcoin client for Android. Join the fun, we are hiring
Elwar
Hero Member
*****
Offline Offline

Activity: 1036


www.bitpools.com


View Profile WWW

Ignore
March 12, 2013, 06:47:22 PM
 #6

Ugh...this is worse than we thought.

Is this the first double spend?

Seeking Beta testers. PM me for more information.
yokosan
Full Member
***
Offline Offline

Activity: 210



View Profile

Ignore
March 12, 2013, 06:51:50 PM
 #7

alir
Member
**
Offline Offline

Activity: 84


Developer


View Profile WWW

Ignore
March 12, 2013, 06:52:54 PM
 #8

Guess they don't owe you anymore.

Largo
Member
**
Offline Offline

Activity: 112



View Profile

Ignore
March 12, 2013, 07:00:44 PM
 #9

Thats why merchants should have stopped accepting bitcoin deposits, at least those handing out some other form of cash instantly.

The problem was that 0.8 clients were thinking they are in the right fork (because that was actually the case before miners switched to 0.7) so it didnt stop the RPC interface like the 0.7 clients did.


Isokivi
Hero Member
*****
Offline Offline

Activity: 812


Items flashing here available at btctrinkets.com


View Profile WWW

Ignore
March 12, 2013, 07:01:52 PM
 #10

Heres a merchant giving 0-fucks about double spends, go for it. www.btctrinkets.com Every single payment goes trough a payment processor (mtgox) and I verify every single payment by hand.

Bitcoin trinkets now on my online store: btc trinkets.com <- Bitcoin Tiepins, cufflinks, lapel pins, keychains, card holders and challenge coins.
etotheipi
Hero Member
*****
Offline Offline

Activity: 1036


Core Armory Developer


View Profile WWW

Ignore
March 12, 2013, 07:04:49 PM
 #11

Any guesses as to the reason it didn't show up in the pre-0.8 branch?   I don't see any reason that the original transaction could be systematically rejected by one branch and not the other.  Even transactions that hadn't made it into blocks in the pre-0.7 branch should still be in the nodes' memory pools and double-spends rejected.

gmaxwell pointed out that this could happen if an attacker started by flooding the system with duplicate transactions hoping to create disagreement, but it sounds like macbook-air did not do that.

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
casascius
Mike Caldwell
VIP
Hero Member
*
Offline Offline

Activity: 1204


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW

Ignore
March 12, 2013, 07:13:20 PM
 #12

A serious solution is simply for several major stakeholders to publish signed endorsements and/or kills to blocks. Users can subscribe to them, and if a supermajority agrees to kill a block, the merchant at the very least can be configured to stop and go into safe mode.

I have thought of this long ago, now others might take the idea seriously. It was aggressively rejected in the past under the pretense it was too "centralized".  I believe we need it to raise the bar on the risk of a 51% attack.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper wallets instead.
elux
Hero Member
*****
Offline Offline

Activity: 868



View Profile

Ignore
March 12, 2013, 07:16:18 PM
 #13

All time UTC+08:00:

08:08 – Well before I knew what later have happened, I deposited $10000-worth Bitcoins to BTC-e over OKPAY's Bitcoin payment, I paid OKPAY address 12z2n8YCJw1BEsJhhQPLCTuLqwH341nKnE 211.9093 BTC and 0.0005 BTC as transaction fee.
09:30 – The transaction was included in version 0.8's fork, block 225446
10:08 – Deposit completed, $9800 credited to my BTC-e account
12:53 – After some study, I recognized, the transaction, though included in version 0.8's fork, was never confirmed by the pre-0.8 fork, so I decided to make two double spend transactions on two of the vins of the OKPAY transaction, and broadcasted them with the raw transaction API, 0.001 BTC transaction fee included in each transaction.
13:01 – The double spend transaction was included in pre-0.8 fork block 225446

You should know what happens next...

I bet merchants would think twice before they decide to accept Bitcoins after the incident.
Ouch...


And the other: http://blockchain.info/tx-index/59996016

The "unconfirmed" transaction was included in http://blockchain.info/block-index/357971, later orphaned.

Story seems to check out. How many confirmations did the first transaction get?
TheButterZone
Hero Member
*****
Offline Offline

Activity: 658


Nemo me impune lacessit


View Profile WWW

Ignore
March 12, 2013, 07:18:04 PM
 #14

move topic> https://bitcointalk.org/index.php?board=85.0 ?

ΜΟΛΩΝ ΛΑΒΕ! I sell stuff for BTC here here and here | Flute & Violin & Piano For Sale | Voiceover for BTC | Copy editing for BTC
gpg_identity=http://pgp.thebutterzone.com | WoT feedback here & eBay feedback here | Buy BTC in San Diego, CA, or worldwide!
PayPal: Bitcoinese for "FU, I'm getting a chargeback up to 365 days later!" | Bitcoin voice chat | Utilities For Bitcoin Sellers | THE Bitcoin Sound is here.
gmaxwell
Staff
Hero Member
*****
Offline Offline

Activity: 1078


View Profile

Ignore
March 12, 2013, 07:20:09 PM
 #15

gmaxwell pointed out that this could happen if an attacker started by flooding the system with duplicate transactions hoping to create disagreement, but it sounds like macbook-air did not do that.
One way would be for miners on the other fork to already have long mempool queues, and so the transaction was just waiting to get mined but they had it. The miners were restarted to switch from 0.8 to 0.7 and in doing so that instantly expires their mempools, and nothing will resync them. Once an entry is mempool expired then all it takes it the transaction managing to get relayed to one of them.
MrCrabs
Member
**
Offline Offline

Activity: 105



View Profile

Ignore
March 12, 2013, 07:21:24 PM
 #16

How serious is this please. Double spends  I thought were impossible . Huh

Ill Give it all to a good Cause. Honest
16LVLDnEFcuPXVG2H3WRRKaMMTwy9zE5v8
macbook-air
Full Member
***
Offline Offline

Activity: 121


View Profile

Ignore
March 12, 2013, 07:25:20 PM
 #17

All time UTC+08:00:

08:08 – Well before I knew what later have happened, I deposited $10000-worth Bitcoins to BTC-e over OKPAY's Bitcoin payment, I paid OKPAY address 12z2n8YCJw1BEsJhhQPLCTuLqwH341nKnE 211.9093 BTC and 0.0005 BTC as transaction fee.
09:30 – The transaction was included in version 0.8's fork, block 225446
10:08 – Deposit completed, $9800 credited to my BTC-e account
12:53 – After some study, I recognized, the transaction, though included in version 0.8's fork, was never confirmed by the pre-0.8 fork, so I decided to make two double spend transactions on two of the vins of the OKPAY transaction, and broadcasted them with the raw transaction API, 0.001 BTC transaction fee included in each transaction.
13:01 – The double spend transaction was included in pre-0.8 fork block 225446

You should know what happens next...

I bet merchants would think twice before they decide to accept Bitcoins after the incident.
Ouch...


And the other: http://blockchain.info/tx-index/59996016

The "unconfirmed" transaction was included in http://blockchain.info/block-index/357971, later orphaned.

Story seems to check out. How many confirmations did the first transaction get?

Both addresses were mine. The former was a mess after double spend and I could not recognize how much balance on it, so I used blockchain.info's wallet send all the money to another address of mine to clean it up. But blockchain.info also did not know which vouts are valid. This transaction includes vins from both v0.8 and pre-0.8 forks, so it cannot be confirmed by either fork. I later manually corrected the issue with another transaction, thus double spend.
Melbustus
Hero Member
*****
Offline Offline

Activity: 840


View Profile

Ignore
March 12, 2013, 07:26:35 PM
 #18

How serious is this please. Double spends  I thought were impossible . Huh

Was only an issue while there were two chains; ie, for a couple hours last night. The possibility was well-known, which is why it was recommended that merchants, exchanges, etc, stop taking payments/deposits until the issue was resolved, which it now is.

Bitcoin is the first monetary system to credibly offer perfect information to all economic participants.
1JNkCd7LwGGSzAAgkiLh1JDyjLQX8wmmEo  |  BM-2D99BeRQdD9ZU1F6k8Znd3PdenwxocQHmH
nevafuse
Sr. Member
****
Offline Offline

Activity: 248


View Profile

Ignore
March 12, 2013, 07:35:06 PM
 #19

Any guesses as to the reason it didn't show up in the pre-0.8 branch?   I don't see any reason that the original transaction could be systematically rejected by one branch and not the other.  Even transactions that hadn't made it into blocks in the pre-0.7 branch should still be in the nodes' memory pools and double-spends rejected.

Is this the only successful double spend from last night?  Maybe the difference will be easier to spot if there are others.  Sounds like there may be other fork issues besides the database problem.

The only reason to limit the block size is to subsidize non-Bitcoin currencies
Spekulatius
Hero Member
*****
Offline Offline

Activity: 882


Zappa di bibbedi boo!


View Profile WWW

Ignore
March 12, 2013, 07:35:34 PM
 #20

@ OP: Did you repay OK? Grin

★☆★BITCOIN -The Documentary- The first feature-length docu on Bitcoin!★☆★
Be part of it! Be creative! Give us your best ideas, personal contributions and maybe a little donationWink
Pages: [1] 2 3 4 5 6  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!