Author Topic: MTGOX hits $570 "A bug in the bitcoin software makes it possible for someone to"  (Read 3455 times)
btcmad1337
February 10, 2014, 12:37:14 PM
 #21

Show me why other exchanges do not have this problem with withdrawals but ONLY MTGOX?

Remember MTGOX is using a custom version of the bitcoin software. This is likely the reason they have issues with their exchange platform.

Because the attack involves mining your own block, hence requires lots of hash power so is difficult to execute unless you've got stacks of hashpower. It may also be noticed by a smaller exchange when they notice their balance is much lower than it should be. A couple hundred BTC missing from Mt Gox wouldn't go noticed, it would go noticed from cryptsy.

They will most likely try to execute this attack on other exchanges unless the devs push a fix fast which they are working on right now.
oda.krell
February 10, 2014, 12:37:20 PM
 #22

Gox is willing to damage the reputation of the *entire* Bitcoin ecosystem, so *they* don't have to take the blame for not implementing their wallet software properly.

Have any of you actually looked at this flaw?

It's been a known flaw for a while, here is the fix:
https://gist.github.com/sipa/8907691

Find me one Bitcoin wallet software that has this fixed as of right now and I will pay you 1BTC. HINT: there are none.

Reading comprehension isn't your strong side, huh?

Quote
<gmaxwell> Oh there is a “problem” in the Bitcoin protocol, known since at least 2011 (see the link I gave). But for normal applications, not involving unconfirmed transactions, it shouldn’t cause any severe problems because wallets can handle it locally.

Don't blame on the protocol what can be contained locally.


@Blitz

I don't share your cynicism on this one. I'm not "butthurt" the slightest, in fact, I profited nicely of this swing. But mtgox *is* in a very real sense a major factor in limiting usefulness and reliability of BTC as a whole. It would benefit everyone if they were taken out of the equation.



Not sure which Bitcoin wallet you should use? Get Electrum!
Electrum is an open-source lightweight client: fast, user friendly, and 100% secure.
Download the source or executables for Windows/OSX/Linux/Android from, and only from, the official Electrum homepage.
Teodor
February 10, 2014, 12:39:58 PM
 #23

MTgox should be completely ignored...
I don't think so, as others are following and also dropping... people get scared and sell so the price drops... we'll see what's next in the market.

Ekaros
February 10, 2014, 12:41:06 PM
 #24

Show me why other exchanges do not have this problem with withdrawals but ONLY MTGOX?

Remember MTGOX is using a custom version of the bitcoin software. This is likely the reason they have issues with their exchange platform.

Because the attack involves mining your own block, hence requires lots of hash power so is difficult to execute unless you've got stacks of hashpower. It may also be noticed by a smaller exchange when they notice their balance is much lower than it should be. A couple hundred BTC missing from Mt Gox wouldn't go noticed, it would go noticed from cryptsy.

They will most likely try to execute this attack on other exchanges unless the devs push a fix fast which they are working on right now.

Who wants to keep their wealth on a service that doesn't exactly track their funds or audit them regularly?

12pA5nZB5AoXZaaEeoxh5bNqUGXwUUp3Uv
http://firstbits.com/1qdiz
Feel free to help poor student!
btcmad1337
February 10, 2014, 12:41:16 PM
 #25

Don't blame on the protocol what can be contained locally.

So you're saying we should ignore all the bitcoind API documentation which tracks by txid and everyone should be responsible for making their own systems for tracking payments?

Reading comprehension isn't your strong side, huh?

Please find me a wallet that prevents the transaction ID from being modified in-transit. That's all I said. There are none, so if you're tracking payments by transaction IDs, which is something almost everyone does, then you're vulnerable.
mmortal03
February 10, 2014, 12:42:28 PM
 #26

"MtGox will resume bitcoin withdrawals to outside wallets once the issue outlined above has been properly addressed in a manner that will best serve our customers."

Put another way: We will hold all our customers' bitcoins hostage, to save ourselves from an alleged potential few who might scam us, until the community does what we please -- and we will do this even though there is probably another way for us to work around the problem in the near term. Also, we don't care about spreading fear and crashing the price in the meantime by coming out with a press release that fixes nothing; come on, now, why would we want to work behind the scenes with the devs until a solution is developed and THEN put out a release?
seriouscoin
February 10, 2014, 12:43:39 PM
 #27

Don't blame on the protocol what can be contained locally.

So you're saying we should ignore all the bitcoind API documentation which tracks by txid and everyone should be responsible for making their own systems for tracking payments?

Reading comprehension isn't your strong side, huh?

Please find me a wallet that prevents the transaction ID from being modified in-transit. That's all I said. There are none, so if you're tracking payments by transaction IDs, which is something almost everyone does, then you're vulnerable.

Any bitcoin-QT since 2012 idiot.
btcmad1337
February 10, 2014, 12:44:58 PM
 #28

Any bitcoin-QT since 2012 idiot.

Nope, wrong. There are none. If you can find one that's available right now I'll pay you 1BTC. I'm putting my money where my mouth is.
btcmad1337
February 10, 2014, 12:47:45 PM
 #29

Who wants to keep their wealth on a service that doesn't exactly track their funds or audit them regularly?

The whole point of Bitcoin is so you can take control of your own money and can transact without having to trust third parties.

Why did you give your money to Gox? Should have kept it in your wallet :P
oda.krell
February 10, 2014, 12:49:24 PM
 #30

Reading comprehension isn't your strong side, huh?

Please find me a wallet that prevents the transaction ID from being modified in-transit. That's all I said. There are none, so if you're tracking payments by transaction IDs, which is something almost everyone does, then you're vulnerable.

You're technically correct on that point. But it's only one exchange, mtgox, that allowed this limitation to grow unchecked into a major problem, you agree? The problem is removed if only sufficiently* confirmed transactions are accepted. (* I'll admit I don't know how deep into the chain they need to be before the risk is neutralized)


EDIT: I'll admit, I reacted unfairly to your first post on this. You did, in fact, only point out a real flaw. But maybe you can see that this thread is about discussing mtgox' responsibilities. And they *are* fully responsible for not locally addressing and containing a known flaw. That's the basic point I would make here.

btcmad1337
February 10, 2014, 12:53:02 PM
 #31

You're technically correct on that point. But it's only one exchange, mtgox, that allowed this limitation to grow unchecked into a major problem, you agree? The problem is removed if only sufficiently* confirmed transactions are accepted. (* I'll admit I don't know how deep into the chain they need to be before the risk is neutralized)

You're misunderstanding, here is how it works

I deposit money into gox and withdraw it

mtgox sends it to my address and it gets transaction ID A

I mine a block and include the transaction in my block, but as the miner I can CHANGE THE TRANSACTION ID TO B.

I then tell MtGox staff that transaction A didn't confirm. They check it and they see transaction A was rejected and will never confirm but what they don't realize is it was just changed to transaction B by me, so they resend the transaction.

Huh

Profit.
Ekaros
February 10, 2014, 12:54:59 PM
 #32

You're technically correct on that point. But it's only one exchange, mtgox, that allowed this limitation to grow unchecked into a major problem, you agree? The problem is removed if only sufficiently* confirmed transactions are accepted. (* I'll admit I don't know how deep into the chain they need to be before the risk is neutralized)

You're misunderstanding, here is how it works

I deposit money into gox and withdraw it

mtgox sends it to my address and it gets transaction ID A

I mine a block and include the transaction in my block, but as the miner I can CHANGE THE TRANSACTION ID TO B.

I then tell MtGox staff that transaction A didn't confirm. They check it and they see transaction A was rejected on the blockchain but what they don't realize is it was just changed to transaction B by me, so they resend the transaction.

Huh

Profit.

And no one knows how long it took for them to notice that numbers don't quite line up in their balance sheet...

btcmad1337
February 10, 2014, 12:57:47 PM
 #33

And no one knows how long it took for them to notice that numbers don't quite line up in their balance sheet...

No one knows how much was stolen. It's quite difficult to notice 10BTC missing out of hundreds of thousands. You could easily write that off as a mistake. That could be extra transaction fees that accumulated.

But the thing I will say is once this attack was executed it would be very obvious what has happened because when Gox tries to spend the change those transactions won't work etc etc.
oda.krell
February 10, 2014, 12:58:36 PM
 #34

You're technically correct on that point. But it's only one exchange, mtgox, that allowed this limitation to grow unchecked into a major problem, you agree? The problem is removed if only sufficiently* confirmed transactions are accepted. (* I'll admit I don't know how deep into the chain they need to be before the risk is neutralized)

You're misunderstanding, here is how it works

I deposit money into gox and withdraw it

mtgox sends it to my address and it gets transaction ID A

I mine a block and include the transaction in my block, but as the miner I can CHANGE THE TRANSACTION ID TO B.

I then tell MtGox staff that transaction A didn't confirm. They check it and they see transaction A was rejected and will never confirm but what they don't realize is it was just changed to transaction B by me, so they resend the transaction.

Huh

Profit.

I'm not a dev, so I can be corrected on this one, but to my understanding the solution is for mtgox to check their outputs and keep track of them, before deciding to trust the claim and resend the tx.

VanillaHeaven
February 10, 2014, 12:59:50 PM
 #35

MTgox should be completely ignored...

It's not their fault bitcoin is broke... :D
But it's their fault they spread FUD about something that's not true. It's not BTC that is the problem, it's Mtgox internal system.
http://www.cryptocoinsnews.com/2014/02/10/mt-gox-blames-bitcoin-core-developer-greg-maxwell-responds/

I trust Maxwell more than I trust Mtgox.
Asrael999
February 10, 2014, 01:01:30 PM
 #36

You're technically correct on that point. But it's only one exchange, mtgox, that allowed this limitation to grow unchecked into a major problem, you agree? The problem is removed if only sufficiently* confirmed transactions are accepted. (* I'll admit I don't know how deep into the chain they need to be before the risk is neutralized)

You're misunderstanding, here is how it works

I deposit money into gox and withdraw it

mtgox sends it to my address and it gets transaction ID A

I mine a block and include the transaction in my block, but as the miner I can CHANGE THE TRANSACTION ID TO B.

I then tell MtGox staff that transaction A didn't confirm. They check it and they see transaction A was rejected and will never confirm but what they don't realize is it was just changed to transaction B by me, so they resend the transaction.

Huh

Profit.


And they don't notice that they have paid another "unauthorised" transaction? Transaction ID B will still show as a payment by them - and they will not know why they made that payment (by unauthorised I mean a transaction without a corresponding withdrawal request on their system). If they are not running a double check on every outgoing transaction to ensure against employees quietly defrauding them if nothing else, then they deserve to fail.
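The reconciliation check suggested in posts #34 and #36, as an added example that is not from any poster, from bitcoind or from Mt. Gox: before reissuing a withdrawal, look up what happened to the coins the original transaction spent instead of looking up its txid. It uses a simplified transaction model (not real Bitcoin serialization); all names and sample values are constructed.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TxIn:
    prev_txid: str     # outpoint being spent: earlier txid ...
    vout: int          # ... and output index
    script_sig: bytes  # signature data; its encoding is not covered by the signature

@dataclass(frozen=True)
class Tx:
    inputs: tuple
    outputs: tuple     # (address, amount) pairs

def _h(obj) -> str:
    return hashlib.sha256(hashlib.sha256(repr(obj).encode()).digest()).hexdigest()

def txid(tx: Tx) -> str:
    # The id commits to the whole transaction, signature bytes included.
    return _h((tx.inputs, tx.outputs))

def outpoints(tx: Tx) -> set:
    return {(i.prev_txid, i.vout) for i in tx.inputs}

def normalized_id(tx: Tx) -> str:
    # Id over what the payment does: coins spent and outputs paid, no signatures.
    return _h((sorted(outpoints(tx)), tx.outputs))

def withdrawal_status(sent: Tx, confirmed: list) -> tuple:
    """Classify a withdrawal by the fate of its inputs, not by its txid."""
    for tx in confirmed:
        if outpoints(sent) & outpoints(tx):
            same = normalized_id(tx) == normalized_id(sent)
            return ("paid" if same else "conflict", txid(tx))
    return ("unpaid", None)

# Constructed sample data: TX_B is TX_A with differently encoded signature bytes.
OUTS = (("customer-address", 1_000_000), ("exchange-change", 500_000))
TX_A = Tx((TxIn("aa" * 32, 0, b"sig-encoding-1"),), OUTS)
TX_B = Tx((TxIn("aa" * 32, 0, b"sig-encoding-2"),), OUTS)
OTHER = Tx((TxIn("bb" * 32, 1, b"sig"),), (("someone-else", 42),))
CLASH = Tx((TxIn("aa" * 32, 0, b"sig"),), (("unknown-address", 1_500_000),))

if __name__ == "__main__":
    print(txid(TX_A) == txid(TX_B))               # ids differ
    print(withdrawal_status(TX_A, [OTHER, TX_B]))  # settled under another id
```

A "paid" result means the customer already received the coins under a different txid, so the withdrawal must not be reissued. Building any reissue from the same outpoints as the original also makes a double payment impossible, since only one of the two transactions can ever confirm.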
mmortal03
February 10, 2014, 01:02:09 PM
 #37


...

I then tell MtGox staff that transaction A didn't confirm. They check it and they see transaction A was rejected and will never confirm but what they don't realize is it was just changed to transaction B by me, so they resend the transaction.

Huh

Profit.

Can they not just go back to such conversations with people that claimed this, and then figure out who was scamming them? Is there some sort of plausible deniability here for the scammer in this method that I'm missing, or not?
ehoffman
February 10, 2014, 01:08:32 PM
 #38

I would have said that Gox is dead, especially in light of spreading this FUD...  But then again, I'm sure we'll still find morons going back to it and maintaining it...  As there's still morons who went back to 50BTC after doing this same exact sh!t...

Like my comments?  Cheer me up at 137s1qFV63M6SXWhKkwjaZKEeZX23pq1hw
Don't like my comments, donate to the BCRT (better comment research team) here at 1A1PbZypjEe7yanj69ApVS1FhK8UMW7Wdc :)
Ekaros
February 10, 2014, 01:10:46 PM
 #39


...

I then tell MtGox staff that transaction A didn't confirm. They check it and they see transaction A was rejected and will never confirm but what they don't realize is it was just changed to transaction B by me, so they resend the transaction.

Huh

Profit.

Can they not just go back to such conversations with people that claimed this, and then figure out who was scamming them? Is there some sort of plausible deniability here for the scammer in this method that I'm missing, or not?

They should know who got extra coins out, but if they cleared their account there isn't much to do. There is even possibility they didn't provide real ID...

Boxman90
February 10, 2014, 01:25:26 PM
 #40

They worded this pretty nicely, I must say. Let me bold up the proper translation:

MtGox language: "A bug in the Bitcoin software"

Proper English: "A bug in OUR Bitcoin software."

That is all there is to this. Thanks for panicking on the other exchanges.

LTC: LKKy4eDWyVtSrQAJy7Qmmz61RaFY91D9yC   BTC: 18fzdnCkuUNthCD8hM36UBGopFa9ij78gG