Instawallet/Bitcoin-Central Security Breach

[molecular]

Does anyone have any theories as to how it is possible that the most recent two transactions to 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy are still confirmed after several hours despite each including a massive 0.1 BTC fee?

+1

for some reason the network propagation for both transactions is below 5%, why are nodes not relaying them?

and why does blockchain.info list "blockchain.info" as originating IP for the transactions?

EDIT: piuk, you should probably change your avatar. People (at least I) got used to the new logo.

[1714053177]

1714053177

[1714053177]

1714053177

[1714053177]

1714053177

[1714053177]

1714053177

[1714053177]

1714053177

[piuk]

and why does blockchain.info list "blockchain.info" as originating IP for the transactions?

It was submitted using https://blockchain.info/pushtx

[molecular]

and why does blockchain.info list "blockchain.info" as originating IP for the transactions?

It was submitted using https://blockchain.info/pushtx

makes sense

[molecular]

Does anyone have any theories as to how it is possible that the most recent two transactions to 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy are still confirmed after several hours despite each including a massive 0.1 BTC fee?

They use unconfirmed inputs. Such as this tx: http://blockchain.info/tx/a3aad3ddc180ec33d3060e5b0b048ab07647271db559743b46f4668f7796c6d4 which is too large for no fees.

There has been talk about optimizing tx prioritization in bitcoind for quite a while. I can now see why it would make sense to have a high-fee tx (such as these 2) "pull in" the no- (or low-) fee inputs. I kinda thought this was the case already.

[steelboy]

The last few posts made no sense to me at all.

Does it look good or bad?

[molecular]

The last few posts made no sense to me at all.

Does it look good or bad?

good.

not because of what was talked in the last couple posts. That was just a technical "mystery" explained.

[dooglus]

So, question.  Can you create an identifier for unconfirmed inputs, such that they would "pop out" at a person looking at this page: http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy

Maybe just mark the text in red, or put a little red "unconfirmed" bubble next to any of them that aren't confirmed.

I'd like this too.  When I look at the 'advanced' view of a transaction on blockchain.info I'd like to see unconfirmed inputs marked as such.

[dooglus]

The last few posts made no sense to me at all.

Does it look good or bad?

Not bad.

They've moved lots of coins out of bitcoin-central and instawallet cold storage into a different address.  Despite paying a relatively large transaction fee of 0.1 BTC on both transactions, the transactions still aren't confirmed after several hours.

It turns out that this is because the coins these transactions are trying to move aren't themselves confirmed yet, and you can't confirm any transaction which moves unconfirmed coins until those coins are confirmed.

The transactions which are holding the bit big transactions up have fees of 0, so miners aren't prioritising them.

A smart miner would look at the big picture, and think "if we mine these two 0 fee transactions now, then we'll be able to also mine the 0.1 BTC transactions at the same time and get the big fee".  But apparently there aren't any smart miners yet.  

[lucb1e]

Thanks for this explanation, dooglus!

[SgtSpike]

They posted in the Bitcoin-Central thread that all user funds (BTC and Euro) were safe.

[Mike Hearn]

There is a patch that makes miners calculate fees recursively like that, as everyone agrees it's a good idea. The problem is the code is rather non-trivial and Gavin isn't yet convinced it's a safe change.

[steelboy]

They posted in the Bitcoin-Central thread that all user funds (BTC and Euro) were safe.

They didn't mention instawallet though.

Also, some people have suggested that if you had hacked the website you could put a web page saying all was good relatively easily.  

It would be nice to hear from Davout. I believe he is instawallet staff

[Injust]

They posted in the Bitcoin-Central thread that all user funds (BTC and Euro) were safe.

They didn't mention instawallet though.

Also, some people have suggested that if you had hacked the website you could put a web page saying all was good relatively easily.  

It would be nice to hear from Davout. I believe he is instawallet staff

Yup, he is.

[Nicolai]

I found a security breach in instawallet last week...  I fixed it for them... they never tipped me or anything...

Correction: You found a "mistake" in their website. Some might call it a flaw, but it is certainly not a security flaw or exploit.

Please don't spread alot of FUD, this might actually be a serious matter. Someone might have exploited a real security vulnerability.

[steelboy]

I made two withdrawals from jnstawallet 2 nights ago around 1am GMT. The first one did not show up but the second one did. I messages Davout about the first one not showing up and I also emailed support at instawallet. I wasn't worried as it actually happened last time I withdrew money from them too. That took 24 hours. I also thought that as it was a bank holiday there might be a delay in support.

If this money was sent should I be sure to receive this whatever happens with the rest of instawallets issues?

So in regards to this, without being too technical. Why would a transaction take two days to confirm?

Is it something to do with instawallet being free?

[BitDreams]

I found a security breach in instawallet last week...  I fixed it for them... they never tipped me or anything...

Correction: You found a "mistake" in their website. Some might call it a flaw, but it is certainly not a security flaw or exploit.

Please don't spread alot of FUD, this might actually be a serious matter. Someone might have exploited a real security vulnerability.

If those google https:\\ links pointed back to the instawallet web site it most certainly is a security flaw which could indeed lead to exploits in my opinion.

[Injust]

I found a security breach in instawallet last week...  I fixed it for them... they never tipped me or anything...

Correction: You found a "mistake" in their website. Some might call it a flaw, but it is certainly not a security flaw or exploit.

Please don't spread alot of FUD, this might actually be a serious matter. Someone might have exploited a real security vulnerability.

If you don't think that somebody just Googling up your Instawallet URLs along with your BTC in them, then you need to stop hiding your head in a hole.

[jabetizo]

A smart miner would look at the big picture, and think "if we mine these two 0 fee transactions now, then we'll be able to also mine the 0.1 BTC transactions at the same time and get the big fee".  But apparently there aren't any smart miners yet.  

i think the problem is also that the miners are not even aware of the transactions, since nodes don't relay them because of unconfirmed inputs. the client would need to be updated as well to enable "smart relaying".

[MPOE-PR]

A smart miner would look at the big picture, and think "if we mine these two 0 fee transactions now, then we'll be able to also mine the 0.1 BTC transactions at the same time and get the big fee".  But apparently there aren't any smart miners yet.

Moreover there's no guarantee that the miner including the low fee txs gets to also include the high fee txs - in fact due to the 51% weakness it's improbable he will (as it's improbable he'd have a majority of hashing). Consequently no real incentive.

[jabetizo]

A smart miner would look at the big picture, and think "if we mine these two 0 fee transactions now, then we'll be able to also mine the 0.1 BTC transactions at the same time and get the big fee".  But apparently there aren't any smart miners yet.

Moreover there's no guarantee that the miner including the low fee txs gets to also include the high fee txs - in fact due to the 51% weakness it's improbable he will (as it's improbable he'd have a majority of hashing). Consequently no real incentive.

he can include them in the same block