Peter Todd (OP)
Legendary
 Offline
Activity: 1120
Merit: 1150
|
 |
May 15, 2013, 12:23:44 PM |
|
Reposting a bitcoin-development email: http://sourceforge.net/mailarchive/forum.php?thread_name=20130515113827.GB26020%40savin&forum_name=bitcoin-development
Now that I have the replace-by-fee reward, I might as well spread the
wealth a bit.
For all this discussion about replace-by-fee and the supposed
security of zero-conf transactions, no-one seems to think much about how
in practice very few vendors have a setup to detect if conflicting
transactions were broadcast on the network simultaneously - after all if
that is the case which transaction gets mined is up to chance, so much
of the time you'll get away with a double spend. We don't yet have a
mechanism to propagate double-spend warnings, and funny enough, in the
case of a single txin transaction the double-spend warning is also
enough information to allow miners to implement replace-by-fee.
So I'm offering 2BTC for anyone who comes up with a nice and easy to use
command line tool that lets you automagically create one version of the
transaction sending the coins to the desired recipient, and another
version sending all the coins back to you, both with the same
transaction inputs. In addition to creating the two versions, you need
to find a way to broadcast them both simultaneously to different nodes
on the network. One clever approach might be to use blockchain.info's
raw transaction POST API, and your local Bitcoin node. A good starting point
for your work would be Gavin's spendfrom utility in the contrib/spendfrom
directory in the Bitcoin-QT respository.
If you happen to be at the conference, a cool demo would be to
demonstrate the attack against my Android wallet. I'll buy Bitcoins off
of you at Mt. Gox rates + %10, and you can see if you can rip me off.
Yes, you can keep the loot.  This should be videotaped so we can put
an educational video on YouTube after.
Finally please do keep in mind that it's much better for the community if
an attack is demonstrated first, followed by releasing the code some
time later.
|
|
|
|
|
|
|
|
|
|
|
Be very wary of relying on JavaScript for security on crypto sites. The site can change the JavaScript at any time unless you take unusual precautions, and browsers are not generally known for their airtight security.
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
gmaxwell
Moderator
Legendary
Offline
Activity: 4158
Merit: 8382
|
|
May 15, 2013, 05:28:37 PM |
|
A double spend alert could be constructed so that it actually wasn't useful for replace by fee. E.g. you package up the input, scriptsig, and masked hash. Beyond not enabling other people to mine transactions you don't like much this would make the alerts smaller when there are more outputs than inputs.
On the downside, it would make distinguishing a benign replacement from a malicious one on the basis of the alert impossible.
|
|
|
|
|
SnowDog2003
Jr. Member
Offline
Activity: 41
Merit: 1
|
|
May 15, 2013, 05:52:46 PM |
|
One interesting thing when I've played with this, is that frequently, the 0-fee transaction will not propagate, whereas the one with the fee will. Apparently, there are some nodes which do not propagate 0 fee transactions for over 24 hours, it seems. This would tend to work in favor of the merchant experiencing the attack, as he simply may not see the 0 fee transaction, and would refuse service.
|
|
|
|
|
SnowDog2003
Jr. Member
Offline
Activity: 41
Merit: 1
|
|
May 15, 2013, 05:54:29 PM |
|
A double spend alert could be constructed so that it actually wasn't useful for replace by fee. E.g. you package up the input, scriptsig, and masked hash. Beyond not enabling other people to mine transactions you don't like much this would make the alerts smaller when there are more outputs than inputs.
On the downside, it would make distinguishing a benign replacement from a malicious one on the basis of the alert impossible.
Ideally, the transactions should be timestamped, and the first one sent should be placed on the block chain. I suspect that this would allow for a timestamp attack, however. |
|
|
|
|
|
|
chriswilmer
Legendary
Offline
Activity: 1008
Merit: 1000
|
|
May 16, 2013, 02:13:52 AM |
|
Whoa. Crazy... I ... I am scared to use this. |
|
|
|
|
leijurv
Member
Offline
Activity: 63
Merit: 10
Vires in Numeris
|
|
May 16, 2013, 02:21:48 AM |
|
Would it be possible to make it so you can tell it which transaction should be broadcasted to which node? |
Firstbits 1Leijurv. Or, if you like cats, Firstbits 1Kittens and 1catcat as well. If you're a chemist, also 1Helium, 1Erbium, 1Copper, 1Cerium, and 1Nickel. If you like numbers, 123four, 12234, 12three.
Keybase and onename user: leijurv.
|
|
|
Peter Todd (OP)
Legendary
Offline
Activity: 1120
Merit: 1150
|
|
May 17, 2013, 02:49:58 PM |
|
piuk: Cool!
Is it actually broadcasting to different nodes though? I looked at the source and it looks like it all goes to blockchain.info/pushtx, although I dunno how you backend works there.
|
|
|
|
|
