Bitcoin Forum
March 19, 2024, 07:52:41 AM *
News: Latest Bitcoin Core release: 26.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 3 »  All
  Print  
Author Topic: Fake Bitcoins?  (Read 16597 times)
Anonymous
Guest

August 13, 2011, 01:27:00 AM
 #1

So, I understand that MyBitcoin was killed by someone who sent fake bitcoins, and confirmed them once somehow, and then made a withdraw of those coins. Of course those coins did not exist, so he actually withdrew other user's coins. My question is what are the technical details on this type of attack. I wanted to know how it is done, solely out of curiosity.

Thanks,
Joey.
1710834761
Hero Member
*
Offline Offline

Posts: 1710834761

View Profile Personal Message (Offline)

Ignore
1710834761
Reply with quote  #2

1710834761
Report to moderator
It is a common myth that Bitcoin is ruled by a majority of miners. This is not true. Bitcoin miners "vote" on the ordering of transactions, but that's all they do. They can't vote to change the network rules.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
1710834761
Hero Member
*
Offline Offline

Posts: 1710834761

View Profile Personal Message (Offline)

Ignore
1710834761
Reply with quote  #2

1710834761
Report to moderator
1710834761
Hero Member
*
Offline Offline

Posts: 1710834761

View Profile Personal Message (Offline)

Ignore
1710834761
Reply with quote  #2

1710834761
Report to moderator
1710834761
Hero Member
*
Offline Offline

Posts: 1710834761

View Profile Personal Message (Offline)

Ignore
1710834761
Reply with quote  #2

1710834761
Report to moderator
Crypt_Current
Hero Member
*****
Offline Offline

Activity: 686
Merit: 500


Shame on everything; regret nothing.


View Profile
August 13, 2011, 01:29:34 AM
 #2

Quote
I wanted to know how it is done, solely out of curiosity.

Snake:  "Wallet Inspector!  Hand over your wallets!"
Suckers:  "OK sir, I believe this is all in order..." :::hands over wallets:::

10% off at CampBX for LIFE:  https://campbx.com/main.php?r=C9a5izBQ5vq  ----  Authorized BitVoucher MEGA reseller (& BTC donations appreciated):  https://bitvoucher.co/affl/1HkvK8o8WWDpCTSQGnek7DH9gT1LWeV5s3/
LTC:  LRL6vb6XBRrEEifB73DiEiYZ9vbRy99H41  NMC:  NGb2spdTGpWj8THCPyCainaXenwDhAW1ZT
Anonymous
Guest

August 13, 2011, 01:30:57 AM
 #3

Quote
I wanted to know how it is done, solely out of curiosity.

Snake:  "Wallet Inspector!  Hand over your wallets!"
Suckers:  "OK sir, I believe this is all in order..." :::hands over wallets:::
I am serious. I want to understand how this is done so I can identify any type of exploit on my own site. http://www.bitcoindebit.co.cc (redirects to https://www.bitcoindebit.net)
Anonymous
Guest

August 13, 2011, 01:34:22 AM
 #4

Quote
I wanted to know how it is done, solely out of curiosity.

Snake:  "Wallet Inspector!  Hand over your wallets!"
Suckers:  "OK sir, I believe this is all in order..." :::hands over wallets:::
I am serious. I want to understand how this is done so I can identify any type of exploit on my own site. http://www.bitcoindebit.co.cc (redirects to https://www.bitcoindebit.net)

What I am trying to do is perform this exploit on my own site and find a way to prevent it. I need to perform the exploit in the first place to see what actually occurs on my site.
the joint
Legendary
*
Offline Offline

Activity: 1834
Merit: 1020



View Profile
August 13, 2011, 01:37:03 AM
 #5

Lol, solely out of curiosity my ass.
Anonymous
Guest

August 13, 2011, 01:42:55 AM
 #6

Look. My intentions are sincere. To test this exploit out on my own e-wallet (bitcoin debit cards). I am not trying to hack anyone. Please only respond if you want to help me perform the exploit on my own site (do not attempt it yourself  Smiley), I believe I have it soundproof, but I want to protect the coins from the people who hacked mybitcoin and others. I need to test it myself, and find a way to prevent it.
the joint
Legendary
*
Offline Offline

Activity: 1834
Merit: 1020



View Profile
August 13, 2011, 01:44:14 AM
 #7

I don't know how to program, unfortunately, or I'd probably hack everything  Grin
Serith
Sr. Member
****
Offline Offline

Activity: 269
Merit: 250


View Profile
August 13, 2011, 01:50:47 AM
 #8

Short answer: mybitcoin waited for only 1 confirmation, instead of 6, to deposit bitcoins, or so they say.

Long answer: you will have to spend couple weeks reading available documentation and exploring source code to get full understanding of how it happened
Anonymous
Guest

August 13, 2011, 01:55:22 AM
 #9

Short answer: mybitcoin waited for only 1 confirmation, instead of 6, to deposit bitcoins, or so they say.

Long answer: you will have to spend couple weeks reading available documentation and exploring source code to get full understanding of how it happened
Alright. So the source code sends the coins, but how did he force a single confirm on the transaction. Did he exploit something having to do with mining. What happened there?
BitVapes
Full Member
***
Offline Offline

Activity: 140
Merit: 100


BitVapes.com


View Profile WWW
August 13, 2011, 05:05:16 AM
 #10

Short answer: mybitcoin waited for only 1 confirmation, instead of 6, to deposit bitcoins, or so they say.

Long answer: you will have to spend couple weeks reading available documentation and exploring source code to get full understanding of how it happened
Alright. So the source code sends the coins, but how did he force a single confirm on the transaction. Did he exploit something having to do with mining. What happened there?

honestly I don't know either, but I believe Theymos who originally posted about the possibility of such an attack said it would be trivial for anyone who can mine two blocks in a row.   So I assume yes it did have something to do with mining, I presume the attacker was a large miner and was able to mine two blocks in a row, adding his transactions of 'fake bitcoins' to the blockchain.  Eventually the 'real' blockchain took back over and his blocks weren't a part of the real blockchain anymore.

as long as you don't accept transactions from 1 confirmation, you should be safe from this attack.  The more confirmations, the more sure you can be that the transaction can't be reversed

Buy Electronic Cigarettes with Bitcoin @ http://bitvapes.com
koin
Legendary
*
Offline Offline

Activity: 873
Merit: 1000


View Profile
August 13, 2011, 09:42:21 AM
 #11

So I assume yes it did have something to do with mining, I presume the attacker was a large miner and was able to mine two blocks in a row, adding his transactions of 'fake bitcoins' to the blockchain.  Eventually the 'real' blockchain took back over and his blocks weren't a part of the real blockchain anymore.

the problem is, apparently, that nobody can find these supposed double spends on any reorgs: http://bitcointalk.org/index.php?topic=34770.msg434895#msg434895
BTCrow
Sr. Member
****
Offline Offline

Activity: 243
Merit: 250

BTCrow.com


View Profile WWW
August 13, 2011, 04:27:12 PM
 #12

Quote
I wanted to know how it is done, solely out of curiosity.

Snake:  "Wallet Inspector!  Hand over your wallets!"
Suckers:  "OK sir, I believe this is all in order..." :::hands over wallets:::
I am serious. I want to understand how this is done so I can identify any type of exploit on my own site. http://www.bitcoindebit.co.cc (redirects to https://www.bitcoindebit.net)

You don't need to exploit to patch ... Simply wait 6 confirmation when people send funds into your wallet before releasing anything (goods / other currency etc) and you won't have the mybitcoin problem.

Anonymous
Guest

August 13, 2011, 04:48:18 PM
 #13

Quote
I wanted to know how it is done, solely out of curiosity.

Snake:  "Wallet Inspector!  Hand over your wallets!"
Suckers:  "OK sir, I believe this is all in order..." :::hands over wallets:::
I am serious. I want to understand how this is done so I can identify any type of exploit on my own site. http://www.bitcoindebit.co.cc (redirects to https://www.bitcoindebit.net)

You don't need to exploit to patch ... Simply wait 6 confirmation when people send funds into your wallet before releasing anything (goods / other currency etc) and you won't have the mybitcoin problem.

Do you think it is safe to allow people to use their bitcoins at 4 confirmations. Because I am an e-wallet, people want to use their coins the second they get them. Of course I cannot do that, but is 4 sufficient. Can someone really fake 4 whole confirmations?
jackjack
Legendary
*
Offline Offline

Activity: 1176
Merit: 1233


May Bitcoin be touched by his Noodly Appendage


View Profile
August 13, 2011, 04:53:30 PM
 #14

Nobody can fake blocks, they can mine them in a row
I think even 3 confirmations should be enough

Own address: 19QkqAza7BHFTuoz9N8UQkryP4E9jHo4N3 - Pywallet support: 1AQDfx22pKGgXnUZFL1e4UKos3QqvRzNh5 - Bitcointalk++ script support: 1Pxeccscj1ygseTdSV1qUqQCanp2B2NMM2
Pywallet: instructions. Encrypted wallet support, export/import keys/addresses, backup wallets, export/import CSV data from/into wallet, merge wallets, delete/import addresses and transactions, recover altcoins sent to bitcoin addresses, sign/verify messages and files with Bitcoin addresses, recover deleted wallets, etc.
Anonymous
Guest

August 13, 2011, 04:59:16 PM
 #15

Nobody can fake blocks, they can mine them in a row


Sorry, that is what I meant to say. Fake Confirmations, by mining blocks in a row.
I think even 3 confirmations should be enough
Okay. I'll be on the safe side and give no access to coins from transactions without 4 or more transactions.

Thanks,
Joey
zellfaze
Full Member
***
Offline Offline

Activity: 141
Merit: 101


Security Enthusiast


View Profile WWW
August 14, 2011, 05:08:09 PM
 #16

So is there actually no one on these forums that can and is willing to explain in great detail how to go about one of these attacks?

Even if his intentions were not sincere, security through obscurity is a terrible terrible practice.  Despicable.

macintosh264: For every confirmation it gets that much harder for an attacker to (temporarily) create fake bitcoins.  1 Confirmation means that the transaction is in 1 block in the block chain, 2 confirmations means it is in 2 blocks, 3 means 3, etc.  In a nutshell what happened with MyBitCoin is that an attacker was able to mine a invalid block, then before the block was thrown out for being invalid mine another invalid block.  In these invalid blocks it showed him depositing bitcoins to MyBitCoin.   Because MyBitCoin only waited for 1 confirmation, it assumed that these were valid transactions and allowed him to withdraw the bitcoins.  The withdrawn bitcoins were included in the actual real block-chain and therefore remained valid even after the deposits from the fake blocks were thrown out.

If you wait for 1 confirmation an attacker has to mine 2 fake blocks in a row to trick you.  If you wait for 2 confirmations, they have to mine 3.  If you wait for 3 confirmations, they have to mine 4. Etc.

Every confirmation you wait for makes it exponentially more unlikely that you are being tricked.  Remember that a block is mined about once every 10 minutes, so it would take a great deal of computing power (and luck) to successfully stay ahead of the network for a significant amount of time to pull one of these attacks off.

With that in mind, 4 confirmations should be plenty.  3 would probably be plenty even.

A+, CCENT, CCNA
Security Enthusiast
PHP Coder

Not that I expect anyone to, but should you like my post, please donate:
Donate: 1BRbfqii6Sm9tEUE8A16H7QeDmYFjyBZ7V
willphase
Hero Member
*****
Offline Offline

Activity: 767
Merit: 500


View Profile
August 14, 2011, 05:55:43 PM
 #17

So is there actually no one on these forums that can and is willing to explain in great detail how to go about one of these attacks?

Even if his intentions were not sincere, security through obscurity is a terrible terrible practice.  Despicable.

without having access to the source for mybitcoin it's impossible to know what mistakes they made.  They've admitted only that they were not waiting for the required number of confirmations before crediting account balance.  There are also rumours that they were not even waiting for the transactions to appear in a block at all and merely marking them confirmed when they saw a new block, but I can't honestly believe anyone would code anything that bad.

If you don't like 'security through obscurity' - I recommend you start using one of the open sources exchanges based on intersango e.g. https://intersango.us/ rather than mtgox...

Will

indio007
Full Member
***
Offline Offline

Activity: 224
Merit: 100


View Profile
August 14, 2011, 06:00:33 PM
 #18

Wasn't Mtgox a fake bitcoin hack too? Not to the bitcoin client but to the trading program?
zellfaze
Full Member
***
Offline Offline

Activity: 141
Merit: 101


Security Enthusiast


View Profile WWW
August 14, 2011, 06:05:55 PM
 #19

So is there actually no one on these forums that can and is willing to explain in great detail how to go about one of these attacks?

Even if his intentions were not sincere, security through obscurity is a terrible terrible practice.  Despicable.

without having access to the source for mybitcoin it's impossible to know what mistakes they made.  They've admitted only that they were not waiting for the required number of confirmations before crediting account balance.  There are also rumours that they were not even waiting for the transactions to appear in a block at all and merely marking them confirmed when they saw a new block, but I can't honestly believe anyone would code anything that bad.

If you don't like 'security through obscurity' - I recommend you start using one of the open sources exchanges based on intersango e.g. https://intersango.us/ rather than mtgox...

Will

My point was simply that it seemed no one wanted to give the guy a straight answer.  And I have an account on intersango.us actually. Tongue

My understanding of the Mt.Gox hack is that it was indeed a fake bitcoin hack also, but done in a different way.  Although to be entirely honest, I'm not sure how exactly; Mt.Gox didn't really give us a straight answer (they changed their story a few times if I remember correctly).

A+, CCENT, CCNA
Security Enthusiast
PHP Coder

Not that I expect anyone to, but should you like my post, please donate:
Donate: 1BRbfqii6Sm9tEUE8A16H7QeDmYFjyBZ7V
Raoul Duke
aka psy
Legendary
*
Offline Offline

Activity: 1358
Merit: 1002



View Profile
August 14, 2011, 06:11:59 PM
 #20

You should stop saying "what happened with mybitcoin" because in all honesty YOU DON'T KNOW!

All we can do is throw around suspicions. All we have is the dude saying that someone faked transactions with their shopping cart interface, but i bet he would prefer to say that if he wanted to run away with the coins.

Even if that was what happened, i bet the error was with mybitcoin and had nothing to do with the blockchain.

If you account for some informer that dropped by #bitcoin-police, it was because of a bug mybitcoin had in their code that wasn't calculating stuff right.

Like i said, all suppositions, no answers! Wink
Pages: [1] 2 3 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!