Bitcoin Forum
April 18, 2024, 05:07:28 PM *
Author Topic: MtGox blames Bitcoin protocol problem for BTC withdrawal issue  (Read 15188 times)
il--ya
February 10, 2014, 10:57:20 AM
 #21

Plus they can then easily track/suspend people who have a record of changing transaction hashes can't they?

No they can't. Because

Simply because they are incompetent.
maaku
February 10, 2014, 11:02:25 AM
 #22

That would only be good for unique transactions, and for individual wallets.

If you have User 1 and 2 sending the same amount from Exchange A/online Wallet A to Exchange B/Online Wallet B, and only one transaction goes in the blockchain, whose is it?

And how long do you wait before re-sending the transaction if you don't spot it?
The more you wait, the greater the risk a User 3 will ask for the same transaction, which will just further mess things up, and it wouldn't be hard to exploit your input/output based "simple" transaction check to cause trouble.

A safer solution under the current protocol would be to spam the blockchain by including signature transactions: small extra amounts going to specific addresses known to the exchange, and that are unique (to the exchange) at any point in time. This will cause transaction dust of course, which is its own problem.

I'm not sure you understand how bitcoin works. The problem which precipitated this is not about different users requesting different transactions. It is about the same transaction being "helpfully" modified to be standards compliant, but in the process changing the txid. However it is still the same transaction. The same funds going from the same inputs (albeit with modified scriptSigs) to the same outputs. It is easy to check whether a similar mutated transaction got on the chain or not.

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
il--ya
February 10, 2014, 11:02:32 AM
 #23

Some excerpts from irc:

<@MagicalTux> [19:26:18] <e5c> MagicalTux: wasn't a fix already provided, now mutated transaction no longer get accepted to block chain, aren't they? <- they do

<@MagicalTux> [19:28:01] <ersi> MagicalTux: Who wrote the press release? <- a lot of people actually, it took a very long time to reach something Sad
<@MagicalTux> [19:29:31] <Mike_B> MagicalTux: will you wait for the developers to change the code in some way, or do you just want them to agree on the new standard? Is an agreement enough to make withdrawals processed again? <- agreement + we will implement that standard on our own system without waiting for a bitcoin release
<@MagicalTux> [19:29:52] <midnightmagic> A mutated transaction can be included directly in a block by a miner. <- or by anyone, actually

<@MagicalTux> [19:30:31] <midnightmagic> MagicalTux: Only if they race the original transaction. <- yep, which is easy to do if you have a half node that focuses only on catching the tx, morphing it and forwarding it directly to mining pools

<@MagicalTux> [19:30:42] <anddam> MagicalTux: is there a workaround you could apply meanwhile? <- the solution we propose can be implemented quickly, we just want to make sure everyone agrees to it

<@MagicalTux> (by everyone, I mean the Bitcoin core team and possibly other involved people)

<@MagicalTux> [19:31:54] <e5c> MagicalTux: so what's the fix you're proposing? is it that starting some particular block depth mutated transactions can't be appear even in block? <- the fix we propose is that even if someone mutates a transaction it has a specific identifying hash that won't change

<midnightmagic> All major pools (and many p2pool nodes) are directly peering with one another, or via BlueMatt's backbone, including Eligius. It would be strange to discover that they can successfully race that; still, the coins are spent. This is how the satoshidice mutated bets were re-rolled (and how the *.io miners are or were recently re-rolling the latest SD incarnation.)

<@MagicalTux> midnightmagic, and they also peer with wallet & exchange services?

<@MagicalTux> [19:33:32] <archminer> MagicalTux: If you don't need a new bitcoin release for it to work, then you don't need an agreement for it to work. Why not make it work and seek agreement afterwards? <- if the bitcoin core devs settle for a different solution then we'll have to re-implement it from zero

<@MagicalTux> [19:34:36] <midnightmagic> MagicalTux: I know I am, minus those goons at blockchain.info. <- inversely, it means it's easy for someone to catch the tx at the source and push it quickly to all miners

<@MagicalTux> [19:37:16] <under_hood> however from what is studiet it shoult be easy to prevent this attack and check if transaction really went trough with different hash <- that's our suggestion, however since that new hash doesn't exist as of today in Bitcoin, it wouldn't mean much to people receiving txs - also since this potentially affects other exchanges, it's better to get a global fix

<@MagicalTux> [19:40:33] <Mike_B> magicaltux: have the developers indicated to you that they're on board with the new proposed standard? <- waiting on that for now

Why the hell do they need a fix in the protocol, when they already have their own SIGNATURE on the transaction? And most of its content unchanged? It's trivial to check whether the block includes your transaction without any modification of the protocol. They just want to come out heroes from this. "We saved bitcoins". And crash the price to recover their losses. Fucking bastards.
EDIT: sorry for being emotional, it's just such an obvious lie for anybody familiar with how blockchain is organized.
dafqok
February 10, 2014, 11:08:58 AM
 #24

Does all that mean, the dream of 100% uncompromisable P2P transfer is over? Does it mean an additional check by a quasi central authority is needed to augment security? I would appreciate an answer in layman terms.
underhood (OP)
February 10, 2014, 11:10:07 AM
 #25

Some excerpts from irc:

<@MagicalTux> [19:26:18] <e5c> MagicalTux: wasn't a fix already provided, now mutated transaction no longer get accepted to block chain, aren't they? <- they do

<@MagicalTux> [19:28:01] <ersi> MagicalTux: Who wrote the press release? <- a lot of people actually, it took a very long time to reach something Sad
<@MagicalTux> [19:29:31] <Mike_B> MagicalTux: will you wait for the developers to change the code in some way, or do you just want them to agree on the new standard? Is an agreement enough to make withdrawals processed again? <- agreement + we will implement that standard on our own system without waiting for a bitcoin release
<@MagicalTux> [19:29:52] <midnightmagic> A mutated transaction can be included directly in a block by a miner. <- or by anyone, actually

<@MagicalTux> [19:30:31] <midnightmagic> MagicalTux: Only if they race the original transaction. <- yep, which is easy to do if you have a half node that focuses only on catching the tx, morphing it and forwarding it directly to mining pools

<@MagicalTux> [19:30:42] <anddam> MagicalTux: is there a workaround you could apply meanwhile? <- the solution we propose can be implemented quickly, we just want to make sure everyone agrees to it

<@MagicalTux> (by everyone, I mean the Bitcoin core team and possibly other involved people)

<@MagicalTux> [19:31:54] <e5c> MagicalTux: so what's the fix you're proposing? is it that starting some particular block depth mutated transactions can't be appear even in block? <- the fix we propose is that even if someone mutates a transaction it has a specific identifying hash that won't change

<midnightmagic> All major pools (and many p2pool nodes) are directly peering with one another, or via BlueMatt's backbone, including Eligius. It would be strange to discover that they can successfully race that; still, the coins are spent. This is how the satoshidice mutated bets were re-rolled (and how the *.io miners are or were recently re-rolling the latest SD incarnation.)

<@MagicalTux> midnightmagic, and they also peer with wallet & exchange services?

<@MagicalTux> [19:33:32] <archminer> MagicalTux: If you don't need a new bitcoin release for it to work, then you don't need an agreement for it to work. Why not make it work and seek agreement afterwards? <- if the bitcoin core devs settle for a different solution then we'll have to re-implement it from zero

<@MagicalTux> [19:34:36] <midnightmagic> MagicalTux: I know I am, minus those goons at blockchain.info. <- inversely, it means it's easy for someone to catch the tx at the source and push it quickly to all miners

<@MagicalTux> [19:37:16] <under_hood> however from what is studiet it shoult be easy to prevent this attack and check if transaction really went trough with different hash <- that's our suggestion, however since that new hash doesn't exist as of today in Bitcoin, it wouldn't mean much to people receiving txs - also since this potentially affects other exchanges, it's better to get a global fix

<@MagicalTux> [19:40:33] <Mike_B> magicaltux: have the developers indicated to you that they're on board with the new proposed standard? <- waiting on that for now

Why the hell do they need a fix in the protocol, when they already have their own SIGNATURE on the transaction? And most of its content unchanged? It's trivial to check whether the block includes your transaction without any modification of the protocol. They just want to come out heroes from this. "We saved bitcoins". And crash the price to recover their losses. Fucking bastards.
EDIT: sorry for being emotional, it's just such an obvious lie for anybody familiar with how blockchain is organized.

Well, look at it in an optimist's way ===> cheap bitcoins ::) ::)
I don't think they will bring bitcoin down. My plan is buy now sell when bitcoin recovers.
underhood (OP)
February 10, 2014, 11:12:31 AM
 #26

Does all that mean, the dream of 100% uncompromisable P2P transfer is over? Does it mean an additional check by a quasi central authority is needed to augment security? I would appreciate an answer in layman terms.

There is a bug found/known where transaction hash can change. Attacker cannot change the transaction only the hash. This way transaction goes through and to sender it seems it didn't.
There is workaround where you simply look at transaction with same inputs and outputs in block-chain (ignoring hash)

Truth seems to be that Bitcoin protocol is simply flawed ... thankfully only in very non critical way (you cannot alter transaction only fool sender for some time and only if he doesn't implement additional checks).

proof issue is known: https://en.bitcoin.it/wiki/Transaction_Malleability
fairglu
February 10, 2014, 11:18:40 AM
 #27

Well that's why each user on the exchange will have a unique deposit address....
Not really, because:
  • people don't regenerate the address before each deposit
  • people will have the address copy-pasted in their wallet address book and reuse it even if the exchange regenerates it each time
  • doesn't solve a deposit followed by multiple withdrawals in smaller amounts

For the address to be significant, it needs to be handled under the hood by the exchange, as a dust/signature.

turtle83
February 10, 2014, 11:21:44 AM
 #28

Does all that mean, the dream of 100% uncompromisable P2P transfer is over? Does it mean an additional check by a quasi central authority is needed to augment security? I would appreciate an answer in layman terms.

No

dave111223
February 10, 2014, 11:23:39 AM
 #29

Well that's why each user on the exchange will have a unique deposit address....
Not really, because:
  • people don't regenerate the address before each deposit
  • people will have the address copy-pasted in their wallet address book and reuse it even if the exchange regenerates it each time
  • doesn't solve a deposit followed by multiple withdrawals in smaller amounts

For the address to be significant, it needs to be handled under the hood by the exchange, as a dust/signature.

You seem to totally be missing the point here.  This does not affect mt gox deposits at all.

This is *withdrawals* from mt gox....under their current system they track withdrawals that they sent to users via the transaction hash.  Which is apparently a f***** way to track them.  So they should track the withdrawals via the input/output/amount instead.

It's impossible that two withdrawals would have the same inputs/outputs; provided that mt gox use change addresses.
OutCast3k
February 10, 2014, 11:24:02 AM
Last edit: February 10, 2014, 11:36:57 AM by OutCast3k
 #30

Surely, without even needing to modify the bitcoin client or protocol an easy solution would have been to monitor the inputs of a transaction when a user withdraws. Then, if a user ever claims they didn't receive the funds, mtgox can just check the inputs and follow them through the block chain. Assuming the date, receiver's address and withdrawal amount are the same, and only the transaction id differs, you could quite easily determine if the user received their funds or not - and even identify the new transaction id.

coinb.in - Open Source, Multi Signature, HD Wallet and more! | Donate: 33tht1bKDgZVxb39MnZsWa8oxHXHvUYE4G
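
The check described in the posts above (track a withdrawal by its inputs and outputs rather than by its transaction hash), as an added example that is not part of any post in this thread. `tracking_key`, `classify` and the sample transactions are hypothetical names and constructed data, and the parser assumes the pre-segwit serialization in use in 2014.

```python
import hashlib

class Reader:
    """Bounds-checked cursor over a serialized transaction."""
    def __init__(self, raw: bytes):
        self.raw, self.pos = raw, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.raw):
            raise ValueError("truncated transaction")
        chunk = self.raw[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def varint(self) -> int:
        first = self.take(1)[0]
        if first < 0xFD:
            return first
        return int.from_bytes(self.take({0xFD: 2, 0xFE: 4, 0xFF: 8}[first]), "little")

def parse_tx(raw: bytes):
    """Parse the original (pre-segwit) transaction serialization."""
    r = Reader(raw)
    version = r.take(4)
    inputs = []
    for _ in range(r.varint()):
        outpoint = r.take(36)              # previous txid (32 bytes) + output index (4)
        script_sig = r.take(r.varint())    # the part that can be re-encoded
        inputs.append((outpoint, script_sig, r.take(4)))  # last field: sequence
    outputs = []
    for _ in range(r.varint()):
        value = r.take(8)
        outputs.append((value, r.take(r.varint())))
    locktime = r.take(4)
    if r.pos != len(raw):
        raise ValueError("trailing bytes after transaction")
    return version, inputs, outputs, locktime

def txid(raw: bytes) -> str:
    # The txid hashes the whole serialization, scriptSigs included.
    return hashlib.sha256(hashlib.sha256(raw).digest()).digest()[::-1].hex()

def tracking_key(raw: bytes) -> str:
    """Hypothetical exchange-local key: everything except the scriptSigs."""
    version, inputs, outputs, locktime = parse_tx(raw)
    h = hashlib.sha256(version + len(inputs).to_bytes(4, "little"))
    for outpoint, _script_sig, sequence in inputs:
        h.update(outpoint + sequence)
    for value, script in outputs:
        h.update(value + len(script).to_bytes(4, "little") + script)
    h.update(locktime)
    return h.hexdigest()

def classify(sent_raw: bytes, confirmed_raws):
    """Return (status, confirmed txid) for a withdrawal the exchange broadcast."""
    sent_id, sent_key = txid(sent_raw), tracking_key(sent_raw)
    sent_outpoints = {i[0] for i in parse_tx(sent_raw)[1]}
    for raw in confirmed_raws:
        if txid(raw) == sent_id:
            return "confirmed", sent_id
        if tracking_key(raw) == sent_key:
            return "confirmed-mutated", txid(raw)   # paid already: do not re-send
        if sent_outpoints & {i[0] for i in parse_tx(raw)[1]}:
            return "conflict", txid(raw)            # same inputs, different outputs
    return "unseen", None

def build_tx(prev_txid: bytes, script_sig: bytes, pay_script: bytes) -> bytes:
    """Assemble a one-input, one-output sample transaction (constructed data)."""
    return ((1).to_bytes(4, "little") + b"\x01" + prev_txid + bytes(4)
            + bytes([len(script_sig)]) + script_sig + b"\xff" * 4
            + b"\x01" + (50_000).to_bytes(8, "little")
            + bytes([len(pay_script)]) + pay_script + bytes(4))

# Constructed samples: placeholder scripts, not real signatures, keys or txids.
PREV = b"\x11" * 32
PAY_USER = bytes.fromhex("76a914") + b"\x22" * 20 + bytes.fromhex("88ac")
PAY_OTHER = bytes.fromhex("76a914") + b"\x33" * 20 + bytes.fromhex("88ac")
SENT = build_tx(PREV, bytes.fromhex("03aabbcc"), PAY_USER)
MUTATED = build_tx(PREV, bytes.fromhex("4c03aabbcc"), PAY_USER)  # same data, other encoding
CONFLICT = build_tx(PREV, bytes.fromhex("03aabbcc"), PAY_OTHER)
UNRELATED = build_tx(b"\x44" * 32, bytes.fromhex("03aabbcc"), PAY_USER)

if __name__ == "__main__":
    for chain in ([UNRELATED], [UNRELATED, MUTATED], [CONFLICT], [SENT]):
        print(classify(SENT, chain))
```

The key is only a reliable match when the sender's signatures commit to every input and output (SIGHASH_ALL), so that the scriptSig encoding is the only thing a third party can alter without invalidating the transaction.
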
underhood (OP)
February 10, 2014, 11:25:07 AM
 #31

Does all that mean, the dream of 100% uncompromisable P2P transfer is over? Does it mean an additional check by a quasi central authority is needed to augment security? I would appreciate an answer in layman terms.

No

No ... Bitcoin is safe. What I think however is Bitcoin foundation should also make press release to calm down this fear. People not really understanding Bitcoin could easily misinterpret it the same way as "dafqok" did.
jl2012
February 10, 2014, 11:27:05 AM
 #32

Does all that mean, the dream of 100% uncompromisable P2P transfer is over? Does it mean an additional check by a quasi central authority is needed to augment security? I would appreciate an answer in layman terms.

No. Everything is just the same

Let's say a bitcoin transaction is like a banknote. You can write something on a banknote but the note itself is still valid. When gox sends a banknote to its customer, they take a picture of the note, and use the picture of the note as evidence of delivery. Some customers, however, write something on the note when they get it from gox, and claim they have not received the note. Since the note looks different from the photo, gox can't recognize it and wrongly believes that the note is not delivered, and sends another note to the customer (so the customer gets double paid by exploiting gox's bug). Since gox believes the original said note is not spent, they try to send it to a different customer. Of course this won't work and led to all those bitcoin withdrawal problems we have seen.

So gox now proposes to use a different method to track the banknote. Instead of taking a photo, they propose to use the unique serial number on every note for tracking purposes.

Bitcoin is still the bitcoin we knew yesterday

Donation address: 374iXxS4BuqFHsEwwxUuH3nvJ69Y7Hqur3 (Bitcoin ONLY)
LRDGENPLYrcTRssGoZrsCT1hngaH3BVkM4 (LTC)
PGP: D3CC 1772 8600 5BB8 FF67 3294 C524 2A1A B393 6517
dafqok
February 10, 2014, 11:39:47 AM
Last edit: February 10, 2014, 11:55:48 AM by dafqok
 #33

Does all that mean, the dream of 100% uncompromisable P2P transfer is over? Does it mean an additional check by a quasi central authority is needed to augment security? I would appreciate an answer in layman terms.

No. Everything is just the same

Let's say a bitcoin transaction is like a banknote. You can write something on a banknote but the note itself is still valid. When gox sends a banknote to its customer, they take a picture of the note, and use the picture of the note as evidence of delivery. Some customers, however, write something on the note when they get it from gox, and claim they have not received the note. Since the note looks different from the photo, gox can't recognize it and wrongly believes that the note is not delivered, and sends another note to the customer (so the customer gets double paid by exploiting gox's bug). Since gox believes the original said note is not spent, they try to send it to a different customer. Of course this won't work and led to all those bitcoin withdrawal problems we have seen.

So gox now proposes to use a different method to track the banknote. Instead of taking a photo, they propose to use the unique serial number on every note for tracking purposes.

Bitcoin is still the bitcoin we knew yesterday
Fine, thx to you and underhood. So basically the only problem is with senders who believe in complaints of receivers upon a forgeable fact. Whereas if they take publicly available information into consideration, the sender arrives at a fully deterministic conclusion about whether the BTC arrived or not and therefore if the receiver's complaint is valid. Well, no big deal at all I would say.
Trillium
February 10, 2014, 11:39:56 AM
Last edit: February 10, 2014, 11:51:01 AM by Trillium
 #34

Just so I'm 100% clear on the development of this situation:

1. Over one year ago a (minor?) issue with the protocol was identified and some general information was added to the bitcoin wiki. http://en.bitcoin.it/wiki/Transaction_Malleability, a publicly viewable resource.

2. Engineers at Mt Gox, historically the most significant - and for a long time the largest - bitcoin exchange in the world, either were not aware of this information (on the public wiki? really), disregarded the issue, and/or failed to implement a solution on their end to prevent or at least monitor and warn of this kind of activity taking place between their backend and their customers.

(edit: From my understanding of their statement, it would seem that the attacker would start a support ticket, and inform Gox that their funds are not received. Gox would investigate on their end, only to find that their records show this is true, when in fact, it is not true, and the attacker already has the funds. It would then be sent again. This seems like the kind of thing that could be avoided by careful training of support staff.)

3. An attacker or group(s) of attackers realize that a vulnerability exists with some exchanges, or, at least just Mt Gox. Presumably they "extract" some funds without Mt Gox realizing right away.

4. Mt Gox audits their wallet balances and finds a discrepancy.

5. Mt Gox continues its hold on withdrawals, until the issue, known for over 12 months, is resolved with great urgency by the devs.

How very curious indeed!

BTC:1AaaAAAAaAAE2L1PXM1x9VDNqvcrfa9He6
delulo
February 10, 2014, 11:42:59 AM
 #35

Does all that mean, the dream of 100% uncompromisable P2P transfer is over? Does it mean an additional check by a quasi central authority is needed to augment security? I would appreciate an answer in layman terms.

No. Everything is just the same

Let's say a bitcoin transaction is like a banknote. You can write something on a banknote but the note itself is still valid. When gox sends a banknote to its customer, they take a picture of the note, and use the picture of the note as evidence of delivery. Some customers, however, write something on the note when they get it from gox, and claim they have not received the note. Since the note looks different from the photo, gox can't recognize it and wrongly believes that the note is not delivered, and sends another note to the customer (so the customer gets double paid by exploiting gox's bug). Since gox believes the original said note is not spent, they try to send it to a different customer. Of course this won't work and led to all those bitcoin withdrawal problems we have seen.

So gox now proposes to use a different method to track the banknote. Instead of taking a photo, they propose to use the unique serial number on every note for tracking purposes.

Bitcoin is still the bitcoin we knew yesterday


Following this analogy how do other exchanges tackle this problem?
bitdude
February 10, 2014, 11:48:05 AM
 #36

Just so I'm 100% clear on the development of this situation:

1. Over one year ago a (minor?) issue with the protocol was identified and some general information was added to the bitcoin wiki. http://en.bitcoin.it/wiki/Transaction_Malleability, a publicly viewable resource.

2. Engineers at Mt Gox, historically the most significant - and for a long time the largest - bitcoin exchange in the world, either were not aware of this information (on the public wiki? really), disregarded the issue, and/or failed to implement a solution on their end to prevent or at least monitor and warn of this kind of activity taking place between their backend and their customers.

3. An attacker or group(s) of attackers realize that a vulnerability exists with some exchanges, or, at least just Mt Gox. Presumably they "extract" some funds without Mt Gox realizing right away.

4. Mt Gox audits their wallet balances and finds a discrepancy.

5. Mt Gox continues its hold on withdrawals, until the issue, known for over 12 months, is resolved with great urgency by the devs.

How very curious indeed!

Seems so, more or less :)
underhood (OP)
February 10, 2014, 11:49:52 AM
 #37

Does all that mean, the dream of 100% uncompromisable P2P transfer is over? Does it mean an additional check by a quasi central authority is needed to augment security? I would appreciate an answer in layman terms.

No. Everything is just the same

Let's say a bitcoin transaction is like a banknote. You can write something on a banknote but the note itself is still valid. When gox sends a banknote to its customer, they take a picture of the note, and use the picture of the note as evidence of delivery. Some customers, however, write something on the note when they get it from gox, and claim they have not received the note. Since the note looks different from the photo, gox can't recognize it and wrongly believes that the note is not delivered, and sends another note to the customer (so the customer gets double paid by exploiting gox's bug). Since gox believes the original said note is not spent, they try to send it to a different customer. Of course this won't work and led to all those bitcoin withdrawal problems we have seen.

So gox now proposes to use a different method to track the banknote. Instead of taking a photo, they propose to use the unique serial number on every note for tracking purposes.

Bitcoin is still the bitcoin we knew yesterday


Following this analogy how do other exchanges tackle this problem?

Simply they don't look only at hash to confirm transaction was sent. Same thing Gox now needs to implement
grau
February 10, 2014, 11:57:55 AM
 #38

Such a bullshit. Malleability exists and is a pain. I can however not draw the line between this and stopping withdrawals.

Performing such an attack is non-trivial and unlikely common for the entire customer base. Even if some customers are attacking Gox like described, they should be able to spot and deal with them, without the need to generally stop withdrawals.

Added: Maybe they were incompetent enough not to spot the attack for a longer time, automatically resubmitting same withdrawals again and again until they discovered that they are bankrupt.
il--ya
February 10, 2014, 11:58:17 AM
 #39

Does all that mean, the dream of 100% uncompromisable P2P transfer is over? Does it mean an additional check by a quasi central authority is needed to augment security? I would appreciate an answer in layman terms.

No. Everything is just the same

Let's say a bitcoin transaction is like a banknote. You can write something on a banknote but the note itself is still valid. When gox sends a banknote to its customer, they take a picture of the note, and use the picture of the note as evidence of delivery. Some customers, however, write something on the note when they get it from gox, and claim they have not received the note. Since the note looks different from the photo, gox can't recognize it and wrongly believes that the note is not delivered, and sends another note to the customer (so the customer gets double paid by exploiting gox's bug). Since gox believes the original said note is not spent, they try to send it to a different customer. Of course this won't work and led to all those bitcoin withdrawal problems we have seen.

So gox now proposes to use a different method to track the banknote. Instead of taking a photo, they propose to use the unique serial number on every note for tracking purposes.

Bitcoin is still the bitcoin we knew yesterday

Following this analogy how do other exchanges tackle this problem?

Well they don't tackle it because they don't need to. Their transactions are correctly formed, and are readily accepted by the nodes and miners without modification. To force the network to accept modified transaction would take some effort now, because current version of bitcoin node would not retransmit non-canonical transaction. This is actually what made this attack on MtGox possible - and not the speedy link to the miners, or significant mining power of the exploiters. And that's another implied lie in their statement. MtGox issued not-quite-correct transactions to start with, they were rejected by the nodes, and then replayed by the hackers with fixed format. Now I hope you get a better picture of how filthy their lies are.

UPDATE: In the event there are indeed any rejected transactions, they are very rare and far apart, can be easily investigated and dealt with appropriately.
il--ya
February 10, 2014, 11:59:38 AM
 #40

Such a bullshit. Malleability exists and is a pain. I can however not draw the line between this and stopping withdrawals.

Performing such an attack is non-trivial and unlikely common for the entire customer base. Even if some customers are attacking Gox like described, they should be able to spot and deal with them, without the need to generally stop withdrawals.


Exactly, and that's yet another level of their hypocrisy.