Bitcoin Forum
Author Topic: Reused R values again  (Read 121131 times)
dexX7
December 15, 2014, 08:40:22 AM
 #221

Quote from: johoe
I may give more details on the rng later.  At the moment there is still too much money lying around.

Does anyone know how to check if there is an unconfirmed transaction trying to spend an output?
Do I have to use bitcoin-cli listtransactions and then dump each transaction to check which output was spent?

The wallet operations on bitcoind are so slow when you have 1400 private keys imported.

I hate that signtransaction or sendtransaction don't tell me which input it is that I shouldn't spend.

Can you rephrase your questions and tell me what you intend to do and then how you do it right now?

Let's skip the part about how you get the information about endangered coins, but I assume you have a list of endangered outputs and you are looking for a handy way to check if they are already spent. Is that correct?

You may use:

Code:
$ bitcoin-cli help gettxout
gettxout "txid" n ( includemempool )

Returns details about an unspent transaction output.

Arguments:
1. "txid"          (string, required) The transaction id
2. n               (numeric, required) vout value
3. includemempool  (boolean, optional) Whether to included the mem pool

It returns something if an output is unspent, and nothing or empty otherwise. It can only be used to test if an output is unspent, not if an output is spent. Out of range values, invalid transaction hashes, ... are accepted as input and result in "nothing" as well. By default, unconfirmed transactions are checked.

Checking an unspent output on mainnet:

Code:
$ bitcoin-cli gettxout ee0e927dc8a0523ca7892e36fb0dbc0dac3b75bdc17903150676fdc604da6628 2
{
  "bestblock": "00000000000000001060e25a1d458ab361863d9f3d5c95481c6caadd40190abc",
  "confirmations": 42629,
  ...
}
$

Checking a spent output on mainnet:

Code:
$ bitcoin-cli gettxout ee0e927dc8a0523ca7892e36fb0dbc0dac3b75bdc17903150676fdc604da6628 3
$

This transaction is a few thousand blocks deep, but it should also work for in-mempool transactions.

How do you sweep coins? What do you need to be more efficient? Do you have, besides a list of endangered transactions as I assume, also the associated private keys? Would it help to have a script to autosweep coins based on a list of transactions and private keys?

johoe (OP)
December 15, 2014, 09:55:56 AM
 #222


Quote from: dexX7
Can you rephrase your questions and tell me what you intend to do and then how you do it right now?

Let's skip the part about how you get the information about endangered coins, but I assume you have a list of endangered outputs and you are looking for a handy way to check if they are already spent. Is that correct?

I basically have a list of private keys.  I also imported them in bitcoind, however without rescanning the wallet (this takes several hours now).

I have my own script that scans the block chain and searches for transactions paying to any of these keys (it also detects multisigs and p2sh but not p2sh to multisigs).  If it finds a transaction spending the output it removes it.  In the end I have a list of UTXOs for all private keys.  However, this is based on the confirmed transactions only.

What I then do is to get the 10 or 20 most valuable UTXOs and build a transaction for them.  I sign it and send it to the network.  The problem is that sometimes this doesn't work.  Possible causes:
  • one of the inputs is already spent by an unconfirmed transaction
  • one of the inputs is a coinbase output and doesn't have 100 confirmations.

I mark coinbase outputs in my list so I can avoid them.  However, the outputs spent by unconfirmed transactions are not so easy to avoid.  The effect can be that signing returns "incomplete" or sending gives a strange error message.  In either case I don't know which input is the culprit.  Usually I have to check each input manually to see if there is an unconfirmed spend on it.

Quote from: dexX7
You may use:

Code:
$ bitcoin-cli help gettxout
gettxout "txid" n ( includemempool )

Returns details about an unspent transaction output.

I have to try whether it works if the wallet was not rescanned.  If yes, this may be what I need.

Quote from: dexX7
How do you sweep coins? What do you need to be more efficient? Do you have, besides a list of endangered transactions as I assume, also the associated private keys? Would it help to have a script to autosweep coins based on a list of transactions and private keys?
I think what I need is to make this fully automatic.  Take the list of all UTXOs, decide which ones can be spent and then spend them all in one or two larger transactions.  Of course, outputs spent by unconfirmed transactions are not well-defined and may differ from node to node.

The other question is how far should I spend the dust?  If the transaction fee goes to 90 % it does not really matter that we saved the money.  On the other hand, letting them lie around in the block chain for all eternity doesn't help either.  One could also try to suck them in with some high-priority free transactions.
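An added example (not johoe's script nor dexX7's code) of the automatic check johoe asks for, built on the gettxout behaviour dexX7 describes above: querying each endangered output twice, with and without the mempool, separates outputs spent by an unconfirmed transaction from outputs that are simply gone, and the coinbase/confirmations fields flag immature coinbase outputs. The txids and the canned bitcoin-cli answers are constructed placeholders; run_gettxout is the real backend and assumes bitcoin-cli is on PATH.

```python
import json
import subprocess

COINBASE_MATURITY = 100  # blocks a coinbase output needs before it can be spent


def run_gettxout(txid, vout, include_mempool=True):
    """Real backend: bitcoin-cli gettxout prints JSON if the output is unspent, nothing otherwise."""
    flag = "true" if include_mempool else "false"
    proc = subprocess.run(["bitcoin-cli", "gettxout", txid, str(vout), flag],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def classify_output(txid, vout, query=run_gettxout):
    """Return one of 'spendable', 'immature', 'spent_unconfirmed', 'spent_or_unknown'.

    An empty answer from gettxout means spent, but also out-of-range vout or unknown txid,
    so one empty answer is not by itself proof of a spend. Asking twice, with and without
    the mempool, isolates the case that breaks johoe's sweeps: unspent on-chain, but an
    unconfirmed transaction is spending it (a view that can differ from node to node).
    """
    with_mempool = query(txid, vout, True).strip()
    if with_mempool:
        info = json.loads(with_mempool)
        if info.get("coinbase") and info.get("confirmations", 0) < COINBASE_MATURITY:
            return "immature"
        return "spendable"
    chain_only = query(txid, vout, False).strip()
    if chain_only:
        return "spent_unconfirmed"
    return "spent_or_unknown"


def bucket_outputs(outputs, query=run_gettxout):
    """Group (txid, vout) pairs by state so the spendable set can be swept in one transaction."""
    buckets = {"spendable": [], "immature": [], "spent_unconfirmed": [], "spent_or_unknown": []}
    for txid, vout in outputs:
        buckets[classify_output(txid, vout, query)].append((txid, vout))
    return buckets


# --- constructed sample data: placeholder txids, not real transactions ---
SAMPLE_OUTPUTS = [("aa" * 32, 0), ("bb" * 32, 1), ("cc" * 32, 0), ("dd" * 32, 7)]


def sample_query(txid, vout, include_mempool):
    """Stand-in for bitcoin-cli with canned answers, so the logic runs offline."""
    if (txid, vout) == ("aa" * 32, 0):   # ordinary, deeply confirmed, unspent
        return '{"confirmations": 42629, "coinbase": false, "value": 0.5}'
    if (txid, vout) == ("bb" * 32, 1):   # coinbase with only 12 confirmations
        return '{"confirmations": 12, "coinbase": true, "value": 25.0}'
    if (txid, vout) == ("cc" * 32, 0):   # unspent on-chain, spent by a mempool transaction
        return "" if include_mempool else '{"confirmations": 3, "coinbase": false, "value": 0.01}'
    return ""                            # already spent, or vout 7 does not exist


if __name__ == "__main__":
    for state, outs in bucket_outputs(SAMPLE_OUTPUTS, sample_query).items():
        print(state, outs)
```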

LFC_Bitcoin
December 15, 2014, 10:25:58 AM
 #223

Other people are going to start sweeping wallets.

This thread is pretty much a step-by-step guide on how to do it now.


bcearl
December 15, 2014, 11:12:35 AM
Last edit: December 15, 2014, 12:00:28 PM by bcearl
 #224

Quote from: LFC_Bitcoin
Other people are going to start sweeping wallets.

This thread is pretty much a step-by-step guide on how to do it now.

This has been done before, and it is obvious how to do it. It still requires a lot of skill and work to execute and you have to find the weak addresses in the first place.

EDIT: And by the way: Any wallet service which does not implement RFC6979 soon is doomed anyway. This kind of bug will always come up, especially if you run the crypto in a web browser.
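The RFC 6979 deterministic nonce bcearl refers to, as an added example (not code from this thread or from any wallet service): k is derived from the private key and the message hash with HMAC-SHA256, so no RNG is involved and two different messages signed with the same key cannot share an R value by accident. The secp256k1 order and the test vector (private key 1, message "Satoshi Nakamoto", single SHA-256 of the message) are the widely circulated ones; Bitcoin transactions would pass their double-SHA256 sighash instead.

```python
import hashlib
import hmac

# secp256k1 group order n: every ECDSA nonce k must satisfy 1 <= k < n
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
QLEN_BYTES = 32  # n is 256 bits, same as the SHA-256 output


def _int2octets(x):
    return x.to_bytes(QLEN_BYTES, "big")


def _bits2int(b):
    # qlen == hlen == 256 bits here, so RFC 6979's right shift is a no-op
    return int.from_bytes(b[:QLEN_BYTES], "big")


def _bits2octets(b, q):
    return _int2octets(_bits2int(b) % q)


def rfc6979_k(privkey, msg_hash, q=SECP256K1_N):
    """Deterministic nonce per RFC 6979 section 3.2 with HMAC-SHA256 as the DRBG."""
    x = _int2octets(privkey)
    h1 = _bits2octets(msg_hash, q)
    V = b"\x01" * 32
    K = b"\x00" * 32
    K = hmac.new(K, V + b"\x00" + x + h1, hashlib.sha256).digest()
    V = hmac.new(K, V, hashlib.sha256).digest()
    K = hmac.new(K, V + b"\x01" + x + h1, hashlib.sha256).digest()
    V = hmac.new(K, V, hashlib.sha256).digest()
    while True:
        T = b""
        while len(T) < QLEN_BYTES:
            V = hmac.new(K, V, hashlib.sha256).digest()
            T += V
        k = _bits2int(T)
        if 1 <= k < q:
            return k
        # candidate out of range: update K and V and try again (rare for secp256k1)
        K = hmac.new(K, V + b"\x00", hashlib.sha256).digest()
        V = hmac.new(K, V, hashlib.sha256).digest()


def nonce_for_message(privkey, message):
    """Convenience wrapper: hash the raw message once with SHA-256, as in the public test vector."""
    return rfc6979_k(privkey, hashlib.sha256(message).digest())


if __name__ == "__main__":
    k1 = nonce_for_message(1, b"Satoshi Nakamoto")
    k2 = nonce_for_message(1, b"Satoshi Nakamoto")
    k3 = nonce_for_message(1, b"a different message")
    print(hex(k1), k1 == k2, k1 != k3)
```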

dexX7
December 15, 2014, 12:13:23 PM
 #225

Quote from: johoe
I have to try whether it works if the wallet was not rescanned.  If yes, this may be what I need.

It should work fine for any unspent output.

Quote from: johoe
The other question is how far should I spend the dust?  If the transaction fee goes to 90 % it does not really matter that we saved the money.  On the other hand, letting them lie around in the block chain for all eternity doesn't help either.

Redeeming dust is always preferable imho. I guess you were referring to the case where, say for example, there is an output close to the dust threshold, which you could move once, but then there would be not enough coins left to move them again, if it were a single transaction where the fee is subtracted from the dust. In this case I'd try to bundle them. It's usually also possible to get away with somewhat lower-than-usual fees at the cost of a moderate confirmation delay. In fact, last time I checked, about three months ago, the average confirmation delay of a sample of 2170 transactions with a size of about 600+ bytes each, with an attached fee of only 0.00001 BTC, was only 20:15 minutes.

What OS are you using?

Quote from: LFC_Bitcoin
Other people are going to start sweeping wallets.

This thread is pretty much a step-by-step guide on how to do it now.

I was thinking something similar, but on the other hand: once it was "out" that there are some transactions which can be swept, it was already too late, so to speak. And not only once it was mentioned people are doing this already. If I had to decide between trying to keep all this secret or a public database of endangered transactions, I'd choose the latter - for the sake of awareness. Imho it is a bit similar to the chaos related to transaction malleability, which was "known for ages", but it still required a major incident to raise enough awareness to make users and service providers start to care on a broader level.

btc6000
December 15, 2014, 12:30:38 PM
 #226

Quote from: johoe
Unfortunately my ssh session timed out and took my script with it.
Have to run it again, it will probably find some more keys.

Try using screen:

screen -dmS sessionname to start a new session (disconnected)
screen -ls to list sessions
screen -r id to reconnect
ctrl+a d to disconnect
exit to ...exit!

If your connection craps out, the screen session will stay alive. You can even start a session on one PC, then disconnect and reconnect to it from another.

johoe (OP)
December 15, 2014, 12:42:59 PM
 #227

I omitted most of the important details of how to do the attack (e.g. how the RNG works, how you get the private key) and don't publish my scripts, so this step-by-step instruction won't help much.

I have a list of the first million public keys/R values the random number generator can generate.  I think I have spotted every weak transaction now.  If someone is interested in hosting a 50 MB file (100 MB uncompressed), I can publish it. I also have the corresponding private keys / k values, but I want to keep those secret for now.  The R value list may be useful to check if I found all compromised addresses.

There are still weak transactions. Please, clear your browser cache.

http://btc.blockr.io/tx/info/afcb94f22ceee047fc2b59a55b452e5f9e2bcd697fa2a4056d5ac176020a960c
http://btc.blockr.io/tx/info/549cf7a5a11e7a50ccc634f2edcbcbcbc244a4a42de9f946d3c6a32ced27e6f2
http://btc.blockr.io/tx/info/3f79c9b06d46fbbc3ba6c3fdd0512beeb2e928818cdb7d83035b2575458f55ae

And there are some recent transactions paying to a weak key.



At last, regarding the pronunciation of my nick (since someone asked):  In IPA it is ['joːhø].  It sounds something like English yo-ho.

yakuza699
December 15, 2014, 01:22:52 PM
 #228

Quote from: johoe
If someone is interested in hosting a 50 MB file (100 MB uncompressed), I can publish it. I also have the corresponding private keys / k values, but I want to keep those secret for now.  The R value list may be useful to check if I found all compromised addresses.

50 MB and not GB? That is not so much, just upload it here: https://www.sendspace.com/ The max you can upload there is 300 MB, so a 50 MB file is fine.

redsn0w
December 15, 2014, 01:29:15 PM
 #229

Quote from: yakuza699
Quote from: johoe
If someone is interested in hosting a 50 MB file (100 MB uncompressed), I can publish it. I also have the corresponding private keys / k values, but I want to keep those secret for now.  The R value list may be useful to check if I found all compromised addresses.

50 MB and not GB? That is not so much, just upload it here: https://www.sendspace.com/ The max you can upload there is 300 MB, so a 50 MB file is fine.

Or he can put the file on www.ge.tt, I think the max storage (if he registers on the site) is 2 GB.
feryjhie
December 15, 2014, 01:35:10 PM
 #230

Quote from: redsn0w
Quote from: yakuza699
Quote from: johoe
If someone is interested in hosting a 50 MB file (100 MB uncompressed), I can publish it. I also have the corresponding private keys / k values, but I want to keep those secret for now.  The R value list may be useful to check if I found all compromised addresses.

50 MB and not GB? That is not so much, just upload it here: https://www.sendspace.com/ The max you can upload there is 300 MB, so a 50 MB file is fine.

Or he can put the file on www.ge.tt, I think the max storage (if he registers on the site) is 2 GB.

Or he can try solidfiles; the max there is 50 GB storage.
wantrepreneur
December 15, 2014, 02:10:44 PM
 #231

Johoe,

Blockchain still hasn't given back my 50 BTC.

Please, PLEASE bring their attention to ticket #32230
CIYAM
December 15, 2014, 02:15:23 PM
 #232

Quote from: wantrepreneur
Johoe,

Blockchain still hasn't given back my 50 BTC.

Please, PLEASE bring their attention to ticket #32230

You are lucky that the funds were returned at all - now you expect that he should be working for you to get back your funds from blockchain.info (for nothing)?

Sheesh!

I suggest you don't hassle him and you instead hassle blockchain.info who are the obvious problem in all of this (as clearly they did not even bother testing their wallet changes which is why this fiasco has happened).

wantrepreneur
December 15, 2014, 02:18:44 PM
 #233

Quote from: CIYAM
Quote from: wantrepreneur
Johoe,

Blockchain still hasn't given back my 50 BTC.

Please, PLEASE bring their attention to ticket #32230

You are lucky that the funds were returned at all - now you expect that he should be working for you to get back your funds from blockchain.info (for nothing)?

Sheesh!

I suggest you don't hassle him and you instead hassle blockchain.info who are the obvious problem in all of this (as clearly they did not even bother testing their wallet changes which is why this fiasco has happened).


Trust me, I've been hassling blockchain a lot harder.

This is my life on the line.
CIYAM
December 15, 2014, 02:23:08 PM
 #234

Quote from: wantrepreneur
Trust me, I'm hassling them a lot harder.

This is my life on the line.

It is irrelevant whether or not you think your life is on the line (for 50 BTC you should never have stored in an online wallet in the first place).

The OP does not work for blockchain.info nor have access to their DB - so what exactly do you think he can do for you now?

wantrepreneur
December 15, 2014, 02:26:12 PM
 #235

Quote from: CIYAM
Quote from: wantrepreneur
Trust me, I'm hassling them a lot harder.

This is my life on the line.

It is irrelevant whether or not you think your life is on the line (for 50 BTC you should never have stored in an online wallet in the first place).

The OP does not work for blockchain.info nor have access to their DB - so what exactly do you think he can do for you now?


You have a point, but can you really fault me for at least trying?

I understand you're a legendary user, just go a bit easy on me, I'm going through a really hard time right now.
bcearl
Full Member
***
Offline Offline

Activity: 168
Merit: 103



View Profile
December 15, 2014, 02:32:29 PM
 #236

Quote from: wantrepreneur
Trust me, I've been hassling blockchain a lot harder.

This is my life on the line.

If you don't want to rely on others, run your own client at home. You should not store such huge amounts in a web service in the first place. And after Blockchain.info told you about the RNG bug (a WEEK ago), you should have transferred them to a new address.

CIYAM
December 15, 2014, 02:36:20 PM
 #237

Quote from: wantrepreneur
I understand you're a legendary user, just go a bit easy on me, I'm going through a really hard time right now.

The legendary stuff is not important - and I'm not trying to bully you - I just think it is wrong for you to be hassling the OP who has done nothing but try and help people who have been the victim of blockchain.info's incredible incompetence.

You need to calm down and sort your situation out with blockchain.info as they are the only ones that can refund you the BTC. As much as it might be hard right now being patient is going to help you more than not being patient is.

Mandrik
December 15, 2014, 03:12:54 PM
 #238


Quote from: wantrepreneur
Trust me, I've been hassling blockchain a lot harder.

This is my life on the line.


I responded to your open ticket, but I wanted to let you know that we're ready to refund you. Please confirm the information in the ticket so we can proceed. Thanks!

(Please do not PM me here - all support issues should be handled through blockchain.zendesk.com)

-Mandrik
wantrepreneur
December 15, 2014, 03:47:54 PM
 #239


Quote from: Mandrik
I responded to your open ticket, but I wanted to let you know that we're ready to refund you. Please confirm the information in the ticket so we can proceed. Thanks!

(Please do not PM me here - all support issues should be handled through blockchain.zendesk.com)


Mandrik,

Thanks a lot for your quick response!
Artemzz
December 15, 2014, 03:56:42 PM
 #240

Hi, my 4.96337825 BTC was stolen from 1A2cs4h2K5wW5eK4eVTxbozuj8z5jBgDKV.
Sorry for my English, I'm from Ukraine and it's a lot of money, I worked for it for 2 years.
On 1st December it was stolen. How can I receive my bitcoin back, if it was you? Thank you.
Or send it to the same address, I've changed the pass.

https://blockchain.info/ru/address/1A2cs4h2K5wW5eK4eVTxbozuj8z5jBgDKV