Bitcoin Forum
Author Topic: MtGox withdrawal delays [Gathering]  (Read 908381 times)
Rampion
February 10, 2014, 08:24:56 PM
 #3841

.....

Seriously Sturle, WTF??

Bitcoin-qt/bitcoind vulnerable to what??? To 0 confirmations transactions?? Then YES, all services using a bitcoin implementation, reference or custom, ARE VULNERABLE TO DOUBLE SPENDING IF THEY ACCEPT 0-CONFIRMATION TRANSACTIONS. Wasn't that clear? For God's sake, on QT it reads "unconfirmed" until you have 6 confirmations, please don't tell me you did think that was for no reason.

About malleability: it's a known and documented issue, it's been on the Wiki for months if not years. You are running a service based on bitcoind, so I WANT TO BELIEVE that you have read the Bitcoin wiki - it's not too long. If you did, you should know that transaction ID's CAN be changed by a malicious third party. The coins still go to the address they were supposed to, there's no way to "hack" bitcoin to steal those coins, but the transaction ID can be changed - and thus you do not base your automated processes on transaction IDs - full stop.

The blockchain is the tool you use, and until a transaction is buried on the friggin' blockchain you just consider it unconfirmed. As it has always been.


N12
February 10, 2014, 08:31:59 PM
 #3842

Conclusion: Bitcoin-Qt/bitcoind does not track changed transactions properly.  Changed transactions will show up as a new transaction, and I would need the  "new txid" thing to track those properly.  It is not only MtGox.  Services using bitcoind, like mine, may be vulnerable as well.
Hm, wonder if this explains why I've heard all other exchanges updating their systems as well. I believe this mutability issue is not as "insignificant" as the core dev team is attempting to convey.
It's because the Bitcoin cultist foundation wouldn't want to have people recognize that Bitcoin is imperfect and sell. Paid shills will do what paid shills do. Damage control.
Chancellor
February 10, 2014, 08:39:48 PM
 #3843

Services using bitcoind, like mine, may be vulnerable as well.
Or rather services using bitcoind programmed by clueless programmers like you, who accept transactions with zero confirmations.

BTC: 1GRx2H5esyFTucZCt1eX9tjpoqfMrbVHMT
itsunderstood
February 10, 2014, 08:42:33 PM
 #3844

Services using bitcoind, like mine, may be vulnerable as well.
Or rather services using bitcoind programmed by clueless programmers like you, who accept transactions with zero confirmations.

Totally.  Nothing more useless than a [stupid or greedy or blackmailed] fucking programmer.

[EDIT TO FIX]

Check out my prescient ATS thread from 2008: "Windows XP: End the Cyberwar, Open the Code Now!" http://www.abovetopsecret.com/forum/thread411978/pg1
mmitech
February 10, 2014, 08:46:52 PM
 #3845

Quote
20:28 < sturles> Question: I have an autobuy system where I give each seller an unique address to transfer to when selling, and use a
                 -walletnotify script to trigger a price check when someone transfer coins to their address.  When the transaction

you are asking questions when you wrote the answer, you give each customer a unique address, so why are you afraid? you just wait for 3 confirmations like the rest of the world and you are good to go. regarding your script that checks the price, I would check the price when I get the 3rd confirmation and not before, as easy as it can get.

I agree that this has to be fixed, but I just don't feel it is an issue that will cause the failure of the protocol !! if it worked for 5 years it will hold till the fix...
Rampion
February 10, 2014, 08:51:44 PM
 #3846

Sturle: I wonder if you are paid to take Gox's side on EVERYTHING or if your shilling is just a twisted way to protect your business which I assume relies on Gox.

But the more I think about it the more the latter doesn't make any sense, as it's pretty obvious that the only way to protect your business was to move out from Gox months ago.

mmitech
February 10, 2014, 09:00:32 PM
 #3847

Conclusion: Bitcoin-Qt/bitcoind does not track changed transactions properly.  Changed transactions will show up as a new transaction, and I would need the  "new txid" thing to track those properly.  It is not only MtGox.  Services using bitcoind, like mine, may be vulnerable as well.
Hm, wonder if this explains why I've heard all other exchanges updating their systems as well. I believe this mutability issue is not as "insignificant" as the core dev team is attempting to convey.
It's because the Bitcoin cultist foundation wouldn't want to have people recognize that Bitcoin is imperfect and sell. Paid shills will do what paid shills do. Damage control.

mmmm, Blitz, you surprised me, I didn't expect this from you !!!  so you really think that Bitcoin core developers and the foundation are playing around ? and how can you stand for gox after all what they've done to their customers ?!! now Bitcoin is not perfect, and such perfect system doesn't exist, but Mark blaming it on Bitcoin is just stupid !! I give them credit for bringing bitcoin to what it is at today, but this doesn't mean that this protects them from failure...

do you remember April 2013, the engine lag ? so bitcoin's fault ? and FIAT withdrawals ? Bitcoin's fault ? and their custom wallet and how it trace/write inquiries to the database ? bitcoin's fault as well ?
smoothie
February 10, 2014, 09:02:11 PM
 #3848

Sturle: I wonder if you are paid to take Gox's side on EVERYTHING or if your shilling is just a twisted way to protect your business which I assume relies on Gox.

But the more I think about it the more the latter doesn't make any sense, as it's pretty obvious that the only way to protect your business was to move out from Gox months ago.

Isn't it obvious? It is one of those two you mentioned.

igorr
February 10, 2014, 09:03:42 PM
 #3849

The master problem is, no money.

Be glorious, our free Fatherland,
Age-old union of fraternal peoples,
Popular wisdom given by our ancestors!
Be glorious, our country! We are proud of you!
gizmoh
February 10, 2014, 09:11:33 PM
 #3850

MtGox will resume bitcoin withdrawals to outside wallets once the issue outlined above has been properly addressed in a manner that will best serve our customers.

Dear Mark, What will best serve me, as your customer, is that you get your act together and find a quick workaround like all other exchanges to finally process btc withdrawals.

But am sure you'll keep saying we ain't doing nothing till bitcoin is forked!

How Ripple Rips you: "The founders of Ripple Labs created 100 billion XRP at Ripple's inception. No more can be created according to the rules of the Ripple protocol. Of the 100 billion created, 20 billion XRP were retained by the creators, seeders, venture capital companies and other founders. The remaining 80 billion were given to Ripple Labs. Ripple Labs intends to distribute and sell 55 of that 80 billion XRP to users and strategic partners. Ripple Labs also had a giveaway of under 200 million XRP (0.002% of all XRP) via World Community Grid that was later discontinued.[29] Ripple Labs will retain the remaining 25 billion"
alfabitcoin
February 10, 2014, 09:27:37 PM
 #3851

MtGox will resume bitcoin withdrawals to outside wallets once the issue outlined above has been properly addressed in a manner that will best serve our customers.

Dear Mark, What will best serve me, as your customer, is that you get your act together and find a quick workaround like all other exchanges to finally process btc withdrawals.

But am sure you'll keep saying we ain't doing nothing till bitcoin is forked!
+1
Also, process withdraw NOW. We do not want any service anymore from your exchange and cease to be your customers.
After you return the funds, you can wait to fork or consensus of core devs. Don't keep our funds hostage in order to save mtgox! Fix your customized wallet code without your clients funds!
donk4u
February 10, 2014, 09:46:57 PM
 #3852

MtGox will resume bitcoin withdrawals to outside wallets once the issue outlined above has been properly addressed in a manner that will best serve our customers.

Dear Mark, What will best serve me, as your customer, is that you get your act together and find a quick workaround like all other exchanges to finally process btc withdrawals.

But am sure you'll keep saying we ain't doing nothing till bitcoin is forked!

+1  my funds have been held hostage since jan 27  since I paid 25 percent markup to these scum and have gone down from 820 to 620 mark you are raping your customers ty for your understanding.
mmitech
February 10, 2014, 10:05:01 PM
 #3853

I feel I am missing something here, so gox halted BTC withdrawals claiming that it is the protocol's fault, we all agree on the bug and it has been known for a long time now, what I can't understand is how users are affected.

ok take a moment and hear me out, or in other words try to explain to me how this works:

1- I request a BTC withdraw
2- Gox hot wallet is empty
3- now 1000 user requests BTC withdrawals.
4- gox fill up the hot wallet to make it possible to withdraw or at the mean time they get enough deposits to proceed with the withdrawals.
5- the attacker is one of those users who did request a withdraw.
6- gox send TX1.
7- attacker change the TX1 to TX2
8- everyone get their Bitcoins regardless which tx is.
9- attacker claims that he didn't receive the BTC so they check their DB for TX1 and they agree on his claim and credit his account ( but again why, what about the other 999 user).
10- all the 999 user got their bitcoins and no one complains.


if we agree on the 10 steps above, then there is something fishy here, now when I see thousands of customers complaining about not getting Bitcoin withdrawals it makes me wonder how is this possible !!? because my logic tells me the 999 user shouldn't be affected, only the attacker who can claim on being "affected".

but for the last couple of weeks some people got their bitcoins when others didn't, how do we explain this ? anyone try to explain this to me ?
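The claim check in step 9 above, worked through as an added example (not part of the post, and not MtGox's or bitcoind's code): a lookup keyed only on the stored txid is compared with one keyed on what the transaction does, using the 3-confirmation threshold mentioned earlier in the thread. The record layouts, function names and sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:                      # simplified view of a transaction seen on-chain
    txid: str
    inputs: frozenset          # outpoints spent: {(prev_txid, vout), ...}
    outputs: tuple             # ((address, satoshis), ...)
    confirmations: int

@dataclass(frozen=True)
class Withdrawal:              # what the service stored when it sent TX1
    user: str
    sent_txid: str
    inputs: frozenset
    address: str
    satoshis: int

def txid_only_check(chain, w):
    """Step 9 as described: look up the stored txid and nothing else."""
    found = any(t.txid == w.sent_txid for t in chain)
    return "paid" if found else "not found: re-credit account"

def find_by_effect(chain, w):
    """Find the transaction that spends the same inputs and makes the same payment."""
    for t in chain:
        if t.inputs == w.inputs and (w.address, w.satoshis) in t.outputs:
            return t
    return None

def resolve_claim(chain, w, min_conf=3):
    """Decide a 'never received' claim without trusting the stored txid."""
    t = find_by_effect(chain, w)
    if t is None:
        # Respending the same inputs means at most one of the two
        # transactions can ever confirm.
        return "unconfirmed: reissue only by spending the same inputs"
    if t.confirmations < min_conf:
        return "pending: wait for confirmations"
    if t.txid != w.sent_txid:
        return f"paid under changed txid {t.txid}"
    return "paid"

# Constructed sample data: the service sent TX1, the chain contains TX2,
# which spends the same outpoint and pays the same address and amount.
FUNDING = frozenset({("constructed-funding-tx", 0)})
W = Withdrawal("user-1000", "TX1", FUNDING, "addr-constructed", 50_000_000)
CHAIN = [Tx("TX2", FUNDING,
            (("addr-constructed", 50_000_000), ("change-addr", 1_000)), 6)]

if __name__ == "__main__":
    print("txid-only lookup:", txid_only_check(CHAIN, W))
    print("effect lookup:   ", resolve_claim(CHAIN, W))
```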
7iain7
February 10, 2014, 10:12:12 PM
 #3854

unable to login now "502 Bad Gateway"
solex
February 10, 2014, 10:16:31 PM
 #3855

I feel I am missing something here, so gox halted BTC withdrawals claiming that it is the protocol's fault, we all agree on the bug and it has been known for a long time now, what I can't understand is how users are affected.

ok take a moment and hear me out, or in other words try to explain to me how this works:

1- I request a BTC withdraw
2- Gox hot wallet is empty
3- now 1000 user requests BTC withdrawals.
4- gox fill up the hot wallet to make it possible to withdraw or at the mean time they get enough deposits to proceed with the withdrawals.
5- the attacker is one of those users who did request a withdraw.
6- gox send TX1.
7- attacker change the TX1 to TX2
8- everyone get their Bitcoins regardless which tx is.
9- attacker claims that he didn't receive the BTC so they check their DB for TX1 and they agree on his claim and credit his account ( but again why, what about the other 999 user).
10- all the 999 user got their bitcoins and no one complains.


if we agree on the 10 steps above, then there is something fishy here, now when I see thousands of customers complaining about not getting Bitcoin withdrawals it makes me wonder how is this possible !!? because my logic tells me the 999 user shouldn't be affected, only the attacker who can claim on being "affected".

but for the last couple of weeks some people got their bitcoins when others didn't, how do we explain this ? anyone try to explain this to me ?

And further. Was there an actual case where someone claimed for TX1 and got paid twice? If so, how much did they get, 5, 10 or 20 BTC?
And MtGox crucifies their entire business operation over a (theoretical) BTC double-payment?  Does VISA kill their whole system because of one credit card fraud?

alfabitcoin
February 10, 2014, 10:30:38 PM
 #3856

From reddit:

My view on the latest events at MtGox (self.Bitcoin)
submitted 51 minutes ago*, by il--ya
This is my picture of events around so-called Technical Issue in bitcoin protocol, which MtGox uses as a pretext for their ongoing BTC withdrawal block. Just for those who are not aware yet, this is a classical FUD. And already refuted by some core developers and Bitcoin Foundation.
So it started in 2011.
On 24 April 2011 the protocol specification was updated to specify that ASN1/DER encoding should be used for the transaction signature: https://en.bitcoin.it/wiki/Protocol_specification#Signatures
On May 15, 2011, there were some concerns raised, confirmed as a known low-priority issue by Gavin Andresen: https://bitcointalk.org/index.php?topic=8392.0
Much later this known transaction malleability issue was published in wiki on 21 January 2013: https://en.bitcoin.it/wiki/Transaction_Malleability
There is also a bit of interesting background from GMaxwell: http://www.reddit.com/r/Bitcoin/comments/1x93tf/some_irc_chatter_about_what_is_going_on_at_mtgox/cf99yac
Malleability patches were released in 2012 and 2013:
Dec 22, 2012: https://github.com/bitcoin/bitcoin/commit/bffc744444c19e25c60c8df999beb83192f96a8a
Aug 15, 2013: https://github.com/bitcoin/bitcoin/commit/a81cd96805ce6b65cca3a40ebbd3b2eb428abb7b
Sep 21, 2012: https://github.com/bitcoin/bitcoin/commit/58bc86e37fda1aec270bccb3df6c20fbd2a6591c
and probably others.
If you are familiar with C, look in particular at the lines with text "Non-canonical signature: R value excessively padded" message and "Non-canonical signature: S value excessively padded" - that's the ASN.1/DER encoding deviations which were present in MtGox signatures and reason why some of their transactions were rejected by nodes when format rules in reference clients were tightened.
In spite of all this development activity, as of the end of January, MtGox developers still had no clue what this "Excessive padding" error is about.
This sloppy signature format implementation was the actual reason why it was so easy to exploit this (otherwise mostly hypothetical) vulnerability with MtGox exchange, but not with other exchanges. Other exchanges implement signatures properly, so it would take a lot of luck and/or resources for the hacker to intercept the transaction, modify it and propagate throughout the network faster than the original transaction. In the latest version of the reference client, malformed transactions are rejected, and only properly formed transactions are propagated through the network. So for the hacker to pull the trick, it would indeed require to "alter the transaction fast enough, for example with a direct connection to different mining pools"; but that would be not as easy to "cause the transaction hash alteration to be committed to the blockchain" as MtGox claims in their mendacious statement. It was indeed easy in their case, because the hacker had all the time he needed to replay transaction.
Also, despite false MtGox claim: "It is likely that these services will assume.. have currently no means to recognize the alternative transactions as theirs in an efficient way", other exchanges very likely don't assume, but just follow reference client and use other (efficient enough) ways to track transactions and spent outputs. MtGox assumes here that everybody else is as incompetent as they are, which is beyond my imagination.
To my knowledge (I analyzed https://data.mtgox.com/api/0/bitcoin_tx.php - list of "stuck" transactions published by MtGox) the oldest spent transactions which they try to re-use go as far back as 10 November 2013 (at least).
So basically since 10 of November their exchange was exploited, and they didn't even notice that. The only "flaw" in bitcoin protocols in this case are human beings: incompetent, ignorant, complacent and dishonest.
And after all that, they decided to publish their filthy statement, blaming everybody except themselves for their own faults, and not even caring to apologise. They also want to portray themselves as heroes, who save Bitcoin from fatal flaws. Latest rumour was, that they donated 10000BTC to bitcoin foundation to push[might have misinterpreted that] pushing through a completely unnecessary patch into reference client implementation, just to prove their point.
Shame on you, MtGox.
Edit: spelling.
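The "excessively padded" rule quoted in the post above, shown as an added example (not part of the post and not the reference client's code): a strict check of a DER-encoded signature followed by its hash-type byte, run against constructed samples. Function names, the other reason strings, the sample byte values and the stand-in "transaction" bytes are assumptions made for illustration.

```python
import hashlib

def check_der_signature(sig: bytes) -> str:
    """Return "ok" or the reason a DER signature + hash-type byte is non-canonical."""
    # Layout: 0x30 <len> 0x02 <lenR> <R> 0x02 <lenS> <S> <hashtype>
    if not 9 <= len(sig) <= 73:
        return "bad total length"
    if sig[0] != 0x30 or sig[1] != len(sig) - 3:
        return "bad sequence header"
    len_r = sig[3]
    if 5 + len_r >= len(sig):
        return "S length misplaced"
    len_s = sig[5 + len_r]
    if len_r + len_s + 7 != len(sig):
        return "R+S length mismatch"
    for name, start, length in (("R", 4, len_r), ("S", 6 + len_r, len_s)):
        value = sig[start:start + length]
        if sig[start - 2] != 0x02:
            return f"{name} value type mismatch"
        if length == 0:
            return f"{name} length is zero"
        if value[0] & 0x80:
            return f"{name} value negative"
        # A leading 0x00 is allowed only when the next byte has its high bit set.
        if length > 1 and value[0] == 0x00 and not value[1] & 0x80:
            return f"{name} value excessively padded"
    return "ok"

def lenient_r_s(sig: bytes) -> tuple:
    """Read (r, s) as integers the way a tolerant parser would, ignoring padding."""
    len_r = sig[3]
    len_s = sig[5 + len_r]
    r = int.from_bytes(sig[4:4 + len_r], "big")
    s = int.from_bytes(sig[6 + len_r:6 + len_r + len_s], "big")
    return r, s

def encode(r: bytes, s: bytes, hashtype: int = 0x01) -> bytes:
    """Test fixture: wrap the given R and S bytes exactly as supplied."""
    body = b"\x02" + bytes([len(r)]) + r + b"\x02" + bytes([len(s)]) + s
    return b"\x30" + bytes([len(body)]) + body + bytes([hashtype])

def stand_in_tx(sig: bytes) -> bytes:
    """Constructed stand-in for a serialized transaction carrying the signature."""
    return b"constructed-prefix" + sig + b"constructed-suffix"

def txid_of(serialized: bytes) -> str:
    """Transaction id: double SHA-256 of the serialized bytes, shown byte-reversed."""
    return hashlib.sha256(hashlib.sha256(serialized).digest()).digest()[::-1].hex()

# Constructed sample values, not real signatures.
R, S = bytes.fromhex("11" * 32), bytes.fromhex("22" * 32)
CANONICAL = encode(R, S)
PADDED_R = encode(b"\x00" + R, S)
PADDED_S = encode(R, b"\x00" + S)

if __name__ == "__main__":
    for label, sig in (("canonical", CANONICAL), ("padded R", PADDED_R),
                       ("padded S", PADDED_S)):
        print(f"{label:10} {check_der_signature(sig):28} "
              f"txid {txid_of(stand_in_tx(sig))[:16]}")
    print("same (r, s):", lenient_r_s(CANONICAL) == lenient_r_s(PADDED_R))
```

The padded and canonical encodings decode to the same (r, s) pair but hash to different ids, which is why a node that enforces the strict form refuses to relay the padded variant.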
7iain7
February 10, 2014, 10:48:41 PM
 #3857

@alfabitcoin  thanks for this information.
As you put it capturing the data would be nearly impossible.
unless you were literally sat on their servers.
Rampion
February 10, 2014, 10:52:31 PM
 #3858

Great post alfabitcoin. I do hope Gox wasn't exploited for months, but it's not looking good.

itsunderstood
February 11, 2014, 01:45:16 AM
 #3859

From reddit:

[...]

In spite of all this development activity, as of the end of January, MtGox developers still had no clue what this "Excessive padding" error is about.
This sloppy signature format implementation was the actual reason why it was so easy to exploit this (otherwise mostly hypothetical) vulnerability with MtGox exchange, but not with other exchanges. Other exchanges implement signatures properly, so it would take a lot of luck and/or resources

[...]


itsunderstood
February 11, 2014, 01:52:34 AM
 #3860

Don't be too hard on Gox.

Look at it this way:  If you stored your money with the Yakuza, you'd need to hire Wesley Snipes and Sean Connery to go to Japan and get it back.  So, Gox is still viable in terms of loan sharks and so forth?

Remember everyone who knew AOL was total crap, and yet millions upon millions of people rushed to use the AOL install discs and CDs and such?  Well, the desire to jump onto a speeding 500 KPH bullet train to paradise, is always gonna be risked by the arbitragers and so forths.  So, maybe Gox is just a bit understaffed.

Frankly, all IT departments are "cost center" on the balance sheet, so a promoted manager typically will cut IT.  So, for myself, I am impressed that Gox has gone this far, I suspect it will go farther.  I do believe in magic.

https://www.youtube.com/watch?v=O7ONp-GC7vM
