Bitcoin Forum
Author Topic: Instawallet/Bitcoin-Central Security Breach  (Read 84331 times)
molecular
April 01, 2013, 09:27:07 PM
 #81

Does anyone have any theories as to how it is possible that the most recent two transactions to 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy are still confirmed after several hours despite each including a massive 0.1 BTC fee?
+1

for some reason the network propagation for both transactions is below 5%, why are nodes not relaying them?

and why does blockchain.info list "blockchain.info" as originating IP for the transactions?

EDIT: piuk, you should probably change your avatar. People (at least I) got used to the new logo.

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
piuk
April 01, 2013, 09:28:34 PM
 #82

and why does blockchain.info list "blockchain.info" as originating IP for the transactions?

It was submitted using https://blockchain.info/pushtx

molecular
April 01, 2013, 09:29:39 PM
 #83

and why does blockchain.info list "blockchain.info" as originating IP for the transactions?

It was submitted using https://blockchain.info/pushtx

makes sense

molecular
April 01, 2013, 09:31:47 PM
 #84

Does anyone have any theories as to how it is possible that the most recent two transactions to 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy are still confirmed after several hours despite each including a massive 0.1 BTC fee?

They use unconfirmed inputs. Such as this tx: http://blockchain.info/tx/a3aad3ddc180ec33d3060e5b0b048ab07647271db559743b46f4668f7796c6d4 which is too large for no fees.

There has been talk about optimizing tx prioritization in bitcoind for quite a while. I can now see why it would make sense to have a high-fee tx (such as these 2) "pull in" the no- (or low-) fee inputs. I kinda thought this was the case already.

steelboy
April 01, 2013, 09:32:21 PM
 #85

The last few posts made no sense to me at all. :)

Does it look good or bad?
molecular
April 01, 2013, 09:37:43 PM
 #86

The last few posts made no sense to me at all. :)

Does it look good or bad?

good.

not because of what was talked in the last couple posts. That was just a technical "mystery" explained.

dooglus
April 01, 2013, 09:41:36 PM
 #87

So, question.  Can you create an identifier for unconfirmed inputs, such that they would "pop out" at a person looking at this page: http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy

Maybe just mark the text in red, or put a little red "unconfirmed" bubble next to any of them that aren't confirmed.

I'd like this too.  When I look at the 'advanced' view of a transaction on blockchain.info I'd like to see unconfirmed inputs marked as such.

dooglus
April 01, 2013, 09:49:16 PM
 #88

The last few posts made no sense to me at all. :)

Does it look good or bad?

Not bad.

They've moved lots of coins out of bitcoin-central and instawallet cold storage into a different address.  Despite paying a relatively large transaction fee of 0.1 BTC on both transactions, the transactions still aren't confirmed after several hours.

It turns out that this is because the coins these transactions are trying to move aren't themselves confirmed yet, and you can't confirm any transaction which moves unconfirmed coins until those coins are confirmed.

The transactions which are holding the big transactions up have fees of 0, so miners aren't prioritising them.

A smart miner would look at the big picture, and think "if we mine these two 0 fee transactions now, then we'll be able to also mine the 0.1 BTC transactions at the same time and get the big fee".  But apparently there aren't any smart miners yet.  :)

lucb1e
April 01, 2013, 09:52:24 PM
 #89

Thanks for this explanation, dooglus!

112RyUbTiK5jWf7UYz1ESc5VZ6f7VyhQGs
SgtSpike
April 01, 2013, 09:53:57 PM
 #90

They posted in the Bitcoin-Central thread that all user funds (BTC and Euro) were safe.
Mike Hearn
April 01, 2013, 09:55:05 PM
 #91

There is a patch that makes miners calculate fees recursively like that, as everyone agrees it's a good idea. The problem is the code is rather non-trivial and Gavin isn't yet convinced it's a safe change.
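
Added example, not part of the thread and not the patch mentioned above: a simplified Python model of the selection problem dooglus describes, comparing per-transaction fee selection with selection by a transaction plus its unconfirmed ancestors. The transaction names, sizes and the `min_rate` threshold are constructed; only the 0 and 0.1 BTC fees come from the discussion.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Tx:
    txid: str
    fee: int              # satoshis
    size: int             # bytes
    parents: tuple = ()   # txids of the transactions funding this one's inputs

def ancestors(txid, pool, seen=None):
    """txid plus every ancestor that is still unconfirmed (still in pool)."""
    seen = set() if seen is None else seen
    if txid in pool and txid not in seen:
        seen.add(txid)
        for parent in pool[txid].parents:
            ancestors(parent, pool, seen)
    return seen

def package_rate(txid, pool):
    """Fee rate (satoshis/byte) of a transaction with its unconfirmed ancestors."""
    pkg = ancestors(txid, pool)
    return sum(pool[t].fee for t in pkg) / sum(pool[t].size for t in pkg)

def select_naive(pool, min_rate):
    """Judge each transaction on its own fee; a child waits for its parents."""
    chosen = []
    for _ in pool:  # one pass per transaction covers any chain depth
        for tx in pool.values():
            parents_ok = all(p in chosen or p not in pool for p in tx.parents)
            if tx.txid not in chosen and parents_ok and tx.fee / tx.size >= min_rate:
                chosen.append(tx.txid)
    return chosen

def select_package(pool, min_rate):
    """Repeatedly take the best-paying package, parents ordered before children."""
    chosen = []
    while pool:
        best = max(pool, key=lambda t: package_rate(t, pool))
        if package_rate(best, pool) < min_rate:
            break
        pkg = sorted(ancestors(best, pool), key=lambda t: len(ancestors(t, pool)))
        chosen.extend(pkg)
        pool = {k: v for k, v in pool.items() if k not in pkg}
    return chosen

# Constructed mempool: two zero-fee parents, two 0.1 BTC spends of their outputs.
MEMPOOL = {t.txid: t for t in [
    Tx("parent_a", 0, 4000), Tx("parent_b", 0, 3000), Tx("other", 50_000, 250),
    Tx("sweep_1", 10_000_000, 1000, ("parent_a",)),
    Tx("sweep_2", 10_000_000, 1000, ("parent_b",))]}
```

With a threshold of 10 satoshis/byte, `select_naive(MEMPOOL, 10)` picks only `other`, while `select_package(MEMPOOL, 10)` picks all five transactions with each zero-fee parent placed before the spend that pays for it.
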
steelboy
April 01, 2013, 09:56:57 PM
 #92

They posted in the Bitcoin-Central thread that all user funds (BTC and Euro) were safe.

They didn't mention instawallet though. :(

Also, some people have suggested that if you had hacked the website you could put a web page saying all was good relatively easily.  

It would be nice to hear from Davout. I believe he is instawallet staff
Injust
April 01, 2013, 10:06:29 PM
 #93

They posted in the Bitcoin-Central thread that all user funds (BTC and Euro) were safe.

They didn't mention instawallet though. :(

Also, some people have suggested that if you had hacked the website you could put a web page saying all was good relatively easily.  

It would be nice to hear from Davout. I believe he is instawallet staff

Yup, he is.
Nicolai
April 01, 2013, 10:10:38 PM
 #94

I found a security breach in instawallet last week...  I fixed it for them... they never tipped me or anything...
Correction: You found a "mistake" in their website. Some might call it a flaw, but it is certainly not a security flaw or exploit.

Please don't spread a lot of FUD, this might actually be a serious matter. Someone might have exploited a real security vulnerability.
steelboy
April 01, 2013, 10:11:23 PM
 #95

I made two withdrawals from instawallet 2 nights ago around 1am GMT. The first one did not show up but the second one did. I messaged Davout about the first one not showing up and I also emailed support at instawallet. I wasn't worried as it actually happened last time I withdrew money from them too. That took 24 hours. I also thought that as it was a bank holiday there might be a delay in support.

If this money was sent should I be sure to receive this whatever happens with the rest of instawallet's issues?

So in regards to this, without being too technical. Why would a transaction take two days to confirm?

Is it something to do with instawallet being free?
BitDreams
April 01, 2013, 10:16:08 PM
 #96

I found a security breach in instawallet last week...  I fixed it for them... they never tipped me or anything...
Correction: You found a "mistake" in their website. Some might call it a flaw, but it is certainly not a security flaw or exploit.

Please don't spread a lot of FUD, this might actually be a serious matter. Someone might have exploited a real security vulnerability.

If those google https:\\ links pointed back to the instawallet web site it most certainly is a security flaw which could indeed lead to exploits in my opinion.
Injust
April 01, 2013, 10:19:49 PM
 #97

I found a security breach in instawallet last week...  I fixed it for them... they never tipped me or anything...
Correction: You found a "mistake" in their website. Some might call it a flaw, but it is certainly not a security flaw or exploit.

Please don't spread a lot of FUD, this might actually be a serious matter. Someone might have exploited a real security vulnerability.

If you don't think that somebody just Googling up your Instawallet URLs along with your BTC in them, then you need to stop hiding your head in a hole.
jabetizo
April 01, 2013, 10:24:51 PM
 #98

A smart miner would look at the big picture, and think "if we mine these two 0 fee transactions now, then we'll be able to also mine the 0.1 BTC transactions at the same time and get the big fee".  But apparently there aren't any smart miners yet.  :)

i think the problem is also that the miners are not even aware of the transactions, since nodes don't relay them because of unconfirmed inputs. the client would need to be updated as well to enable "smart relaying".

MPOE-PR
April 01, 2013, 10:26:52 PM
 #99

A smart miner would look at the big picture, and think "if we mine these two 0 fee transactions now, then we'll be able to also mine the 0.1 BTC transactions at the same time and get the big fee".  But apparently there aren't any smart miners yet.

Moreover there's no guarantee that the miner including the low fee txs gets to also include the high fee txs - in fact due to the 51% weakness it's improbable he will (as it's improbable he'd have a majority of hashing). Consequently no real incentive.

jabetizo
April 01, 2013, 10:31:58 PM
 #100

A smart miner would look at the big picture, and think "if we mine these two 0 fee transactions now, then we'll be able to also mine the 0.1 BTC transactions at the same time and get the big fee".  But apparently there aren't any smart miners yet.

Moreover there's no guarantee that the miner including the low fee txs gets to also include the high fee txs - in fact due to the 51% weakness it's improbable he will (as it's improbable he'd have a majority of hashing). Consequently no real incentive.

he can include them in the same block
