You've got some of your facts wrong. Additionally, you've stated some additional information that I haven't heard before, and you haven't provided any source for that information.
Here is the original thread identifying, discussing, and solving the problem:
https://bitcointalk.org/index.php?topic=823.0Looks like people would prefer to spam the same old replies in the mega threads than engage in actual conversations.
Which is why this sub-forum was created.
In Bitcoins early days in fact just over 1 year
19-and-a-half months. (closer to two years than 1 year)
a major exploit was found and abused by two addresses on the network which were likely controlled by one person although this hasn't been proven or found out to date.
It was a single mined block that mined the bitcoins to two addresses. There may have been more than one person involved in creating that block, but it seems unlikely.
The major security vulnerability was first spotted in what I presume was in the code and by Satoshi himself or some other developer on 6 August 2010.
Where did you get the date of August 6?
To my knowledge this is the only major vulnerability that was discovered in Bitcoins history.
I guess that depends on how you define "major vulnerability". There have been a variety of bugs that have been fixed over the years (including but not limited to transaction maleability).
what happened in these 9 days.
I still don't understand why you think 9 days were involved.
1. How was the vulnerability spotted and by who?
I suspect multiple people spotted it. It was first reported to bitcointalk by jgarzik when he noticed the problem in transaction 012cd8f8910355da9dd214627a31acfeb61ac66e13560255bfd87d3e9c50e1ca of block 0000000000790ab3f22ec756ad43b6ab569abf0bddeb97c67a6f7b1470a7ec1c
2. If this was public knowledge why was it only exploited 9 days after?
Why do you believe it was public knowledge?
3. The transaction/exploit was erased from the network how so?
An overwhelming majority of the hash power at the time all agreed to run code that would invalidate the block. Then they re-synchronized their blockchains. The invalid block (and any subsequent blocks) were rejected, and the blockchain continued along a valid path.
4. Was it discovered who exploited the network and controlled the addresses?
Not that I ever heard.
I am assuming the vulnerability was first discovered by either Satoshi or another developer that was working on Bitcoin at that time.
I believe it was first discovered by the person that exploited it. Once exploited, it was very quickly discovered by several of the developers that were working on Bitcoin at the time.
Maybe the vulnerability was discovered by a member of the public?
Define "the public". As far as I can tell, if you weren't Satoshi at that time, then you were "the public".
It's odd that knowing there was a vulnerability in the code and was probably public knowledge at the time because of Bitcoin being open source
Being open source doesn't mean that the vulnerability was public knowledge. It is possible that nobody noticed the vulnerability until the attacker discovered it.
why did it take 9 days for
Again with the 9 days. Where are you getting that number?
A. Something to be done about it
As far as I can tell, a fix was provided within 150 minutes of the exploit first being reported here at bitcointalk.
B. For someone to exploit it.
I don't think anyone knows how long the attacker knew about the vulnerability before he chose to exploit it.
This was very early days for Bitcoin and the exploit was spotted before it was abused.
Are you sure about that? Where did you get that information?
So why risk it and wait until someone does exploit it to actually patch the code?
Why do you think there was any waiting?
Did it really take 9 days to come up with a solution and it just so happens that it was exploited the same day too.
Seems unlikely. I suspect it took less than 3 hours to come up with and implement a solution.
Once the vulnerability was exploited it only took a few hours for it to be patched and the transaction log to be cleared.
Correct.
How did this happen? Surely the coins would of confirmed on the network and because Bitcoin isn't reversible would of stayed on the network?
You can read the thread at the link above for the details.
Effectively, code was added to check for negative and overflow values, most of the hashpower installed that code, and then the blockchain was re-synchronized.
I know that the network would of had to been forked. But was this a hard fork?
This would have been a soft fork.
As long as the majority of the hash power on the network implemented the change, their chain would grow to be the longest. Anyone that did not update to the new software would see BOTH forks as valid, and would simply follow the longest. With the majority of the hash power, the fork that did not have the attack would eventually become longest.
If so what we are using today could be considered Bitcoin 2.0 and thus the original Bitcoin failed within a year and half due to this exploit.
Call it whatever you want. There is no authority in charge of naming Bitcoin. The general public, however, recognizes the current bitcoin as the original bitcoin (regardless of all the enhancements and bug fixes that have been implemented over the past 9+ years).
Finally does anyone know what the two addresses were and could link them in this thread? It would be interesting to know who abused the vulnerability and if the addresses have been used since.
According to
this post:
92,233,720,368.54277039 BTC was sent to address 1Hk51V49a58fC2r471hScXopEQpioDEuqx
92,233,720,368.54277039 BTC was sent to address 12vRJXnnA21YAaLacWXpNshy7MBAwrigtQ
Those amounts are both very close to the maximum value that can be stored in a positive 8 byte integer.
The sum of those two values (when represented in a 8 byte integer) is a small negative integer.
For anyone who is wondering how the vulnerability worked is transactions were not verified before they were included in the blockchain.
That is not true. Transactions WERE verified, but the verification had a bug that allowed someone to take advantage of the way computers store integers.
Therefore you could send any amount of coin you wanted as it would not check if you had that amount to send.
ABSOLUTELY NOT.
What you COULD do is award yourself multiple outputs when mining which, when added added together, were larger than the maximum positive amount that could be stored in a 4 byte integer. When the validation code added these output values together, the result would be a negative integer (due to the way computers handle integers). Therefore, the sum of the outputs (a negative integer) would appear to the code to be less than the allowed block reward (50 BTC) even though each of the individual outputs was larger than 50 BTC (and less than the maximum positive integer).
So someone generated 184 billion bitcoins
Correct.
and sent it to two addresses on the network it existed on the network for a brief amount of time.
Did they send it? I don't recall hearing that the bitcoins were ever spent.
I wish for us to discuss this and provide further insight for not only myself but for the others which maybe don't know too much about the vulnerability and Bitcoin itself. I welcome both technical and non technical discussion.
Thanks. It's been great reviewing what I remember about the issue.
