Bitcoin in danger!? Received <Sent!?!

kjj

legendary

Activity: 1302

Merit: 1026

Quote from: runeks on February 11, 2012, 01:25:06 PM

Quote from: bittenbob on February 10, 2012, 12:56:49 AM

My guess would be never at all. Testnet is where new code is tested out before it is released.

It has happened on the main network. The following transaction is present in both block 91812 and 91842: http://blockexplorer.com/tx/d5d27987d2a3dfc724e359870c6644b40e497bdc0589a033220fe15429d88599

Quote from: malevolent on February 10, 2012, 05:26:11 PM

Quote from: kjj on February 10, 2012, 11:36:52 AM

From Gavin's post, it sounds like they are changing the default client to actually check the database to make sure that a newly created coinbase doesn't collide with a prior transaction.

I at least hope it will not slow down bitcoin client as downloading all the blocks (and verifying them?) takes already too long.

Quote from: kjj on February 10, 2012, 07:47:17 PM

Quote from: malevolent on February 10, 2012, 05:26:11 PM

Quote from: kjj on February 10, 2012, 11:36:52 AM

From Gavin's post, it sounds like they are changing the default client to actually check the database to make sure that a newly created coinbase doesn't collide with a prior transaction.

I at least hope it will not slow down bitcoin client as downloading all the blocks (and verifying them?) takes already too long.

No, those are in the past; it is too late for them. This would apply only when your node creates a new candidate block in response to a getwork request, and then later when a brand new block comes in over the network, fresh from some dude's GPU.

In order to check if a generation transaction with the same transaction ID is already existant in the block chain we will obviously have to check past generation transactions. Luckily, only one is created circa every 10 minutes, so even in a 1000 years, we will only have to check around 90 million transactions for duplicates (which can probably be done in a fraction of a pico second in the year 3012).

The absolute worst case for a binary tree search over 256 bits is 256 comparisons. BDB uses something better, probably a btree (I'm too lazy to look it up). After 90 million coinbases, the typical search will probably take less than 30 comparisons. Both of these numbers are trivial and won't add more than a couple of microseconds to block processing time (not counting I/O if the index isn't in memory for some bizarre reason).

runeks

legendary

Activity: 980

Merit: 1008

Quote from: bittenbob on February 10, 2012, 12:56:49 AM

My guess would be never at all. Testnet is where new code is tested out before it is released.

It has happened on the main network. The following transaction is present in both block 91812 and 91842: http://blockexplorer.com/tx/d5d27987d2a3dfc724e359870c6644b40e497bdc0589a033220fe15429d88599

Quote from: malevolent on February 10, 2012, 05:26:11 PM

Quote from: kjj on February 10, 2012, 11:36:52 AM

From Gavin's post, it sounds like they are changing the default client to actually check the database to make sure that a newly created coinbase doesn't collide with a prior transaction.

I at least hope it will not slow down bitcoin client as downloading all the blocks (and verifying them?) takes already too long.

Quote from: kjj on February 10, 2012, 07:47:17 PM

Quote from: malevolent on February 10, 2012, 05:26:11 PM

Quote from: kjj on February 10, 2012, 11:36:52 AM

From Gavin's post, it sounds like they are changing the default client to actually check the database to make sure that a newly created coinbase doesn't collide with a prior transaction.

I at least hope it will not slow down bitcoin client as downloading all the blocks (and verifying them?) takes already too long.

No, those are in the past; it is too late for them. This would apply only when your node creates a new candidate block in response to a getwork request, and then later when a brand new block comes in over the network, fresh from some dude's GPU.

In order to check if a generation transaction with the same transaction ID is already existant in the block chain we will obviously have to check past generation transactions. Luckily, only one is created circa every 10 minutes, so even in a 1000 years, we will only have to check around 90 million transactions for duplicates (which can probably be done in a fraction of a pico second in the year 3012).

RaggedMonk

sr. member

Activity: 308

Merit: 250

Please edit the title of the OP. Bitcoin is NOT in danger. You misunderstood.

kjj

legendary

Activity: 1302

Merit: 1026

Quote from: makomk on February 10, 2012, 05:56:07 PM

Quote from: theymos on February 10, 2012, 01:15:04 AM

More serious issues might be possible when there is a reorg. For example, when one coinbase is disconnected, all of its duplicates will also be disconnected.

Yeah, which in theory means that all the nodes that had the block containing that duplicate coinbase in their main chain would wrongly treat an attempt to spend it as invalid and all those that hadn't would correctly consider it valid. This may be usable to create a persistent fork in Bitcoin - that is to say, one that can never actually resolve itself without a huge amount of manual intervention by everyone involved.

That would take quite a bit of planning and effort, and the attacker would need to have huge amounts of hashing power plus incredibly good timing. Oh, and they would only get one shot getting it right, since that fork is only possible during the moment when the network changes rules. Plus, I'm not sure what anyone could possibly hope to gain by doing it.

And if it even looked like it was possible that someone might do it, we could randomize the rule change time. Instead of coding it so that the rules change starting with block # X, we could say that the new rules take effect on the first block following # X where the last 8 bits of the header hash are all zero. That would be totally unambiguous on the network, but still impossible to predict.

Note that under the current rules, if you generate two coinbases with the same transaction and wish to spend both of them, you must spend the first one before you generate the second one. The duplicates in the past can't be fixed. All in all, this is a very strange quirk of the system that needs to be fixed, but not a security issue.

kjj

legendary

Activity: 1302

Merit: 1026

Quote from: malevolent on February 10, 2012, 05:26:11 PM

Quote from: kjj on February 10, 2012, 11:36:52 AM

From Gavin's post, it sounds like they are changing the default client to actually check the database to make sure that a newly created coinbase doesn't collide with a prior transaction.

I at least hope it will not slow down bitcoin client as downloading all the blocks (and verifying them?) takes already too long.

No, those are in the past; it is too late for them. This would apply only when your node creates a new candidate block in response to a getwork request, and then later when a brand new block comes in over the network, fresh from some dude's GPU.

makomk

hero member

Activity: 686

Merit: 564

Quote from: theymos on February 10, 2012, 01:15:04 AM

More serious issues might be possible when there is a reorg. For example, when one coinbase is disconnected, all of its duplicates will also be disconnected.

Yeah, which in theory means that all the nodes that had the block containing that duplicate coinbase in their main chain would wrongly treat an attempt to spend it as invalid and all those that hadn't would correctly consider it valid. This may be usable to create a persistent fork in Bitcoin - that is to say, one that can never actually resolve itself without a huge amount of manual intervention by everyone involved.

malevolent

legendary

Activity: 3472

Merit: 1722

Quote from: kjj on February 10, 2012, 11:36:52 AM

From Gavin's post, it sounds like they are changing the default client to actually check the database to make sure that a newly created coinbase doesn't collide with a prior transaction.

I at least hope it will not slow down bitcoin client as downloading all the blocks (and verifying them?) takes already too long.

kjj

legendary

Activity: 1302

Merit: 1026

Quote from: payb.tc on February 10, 2012, 02:07:39 AM

Quote from: bittenbob on February 10, 2012, 12:56:49 AM

My guess would be never at all. Testnet is where new code is tested out before it is released.

oh, did satoshi test out his very first attempt on the test network before creating the main genesis block?

i thought we were talking about a bug in satoshi's creation, as old as bitcoin itself.

My guess is that there were several genesis blocks while he was working on it, and once everything was ready he released it and the last one he made became The Genesis Block.

As to the overwrite issue, it might be better to think of this as a hash collision. Think hash function rather than cryptographic hash.

Cryptographic hashes are intentionally very hard to collide, and the default client uses a new address for each generation, so in a way the default client had solved the problem. But, it didn't expect that someone else might use different software to reuse the same inputs to the hash and end up with the same transaction id.

From Gavin's post, it sounds like they are changing the default client to actually check the database to make sure that a newly created coinbase doesn't collide with a prior transaction. And in the future, they will set it to reject blocks that include duplicates, which would be a de facto protocol change, and a good one.

payb.tc

hero member

Activity: 812

Merit: 1000

Quote from: bittenbob on February 10, 2012, 12:56:49 AM

My guess would be never at all. Testnet is where new code is tested out before it is released.

oh, did satoshi test out his very first attempt on the test network before creating the main genesis block?

i thought we were talking about a bug in satoshi's creation, as old as bitcoin itself.

theymos

administrator

Activity: 5222

Merit: 13032

Quote from: payb.tc on February 10, 2012, 12:35:32 AM

so to clarify, the main consequence of the bug was that a block reward could become lost forever?

still... turning 100 BTC into 50 is less serious of a bug than being able to turn 50 BTC into 100 Cheesy

More serious issues might be possible when there is a reorg. For example, when one coinbase is disconnected, all of its duplicates will also be disconnected.

bittenbob

hero member

Activity: 560

Merit: 500

My guess would be never at all. Testnet is where new code is tested out before it is released.

payb.tc

hero member

Activity: 812

Merit: 1000

would it be possible to see exactly how many times this occurred on the main network?

ThiagoCMC

legendary

Activity: 1204

Merit: 1000

฿itcoin: Currency of Resistance!

Quote from: payb.tc on February 10, 2012, 12:35:32 AM

so to clarify, the main consequence of the bug was that a block reward could become lost forever?

still... turning 100 BTC into 50 is less serious of a bug than being able to turn 50 BTC into 100 Cheesy

Well, I think that ANY overwrite is serious...

But you got a point!

payb.tc

hero member

Activity: 812

Merit: 1000

so to clarify, the main consequence of the bug was that a block reward could become lost forever?

still... turning 100 BTC into 50 is less serious of a bug than being able to turn 50 BTC into 100 Cheesy

ThiagoCMC

legendary

Activity: 1204

Merit: 1000

฿itcoin: Currency of Resistance!

Quote from: theymos on February 10, 2012, 12:12:11 AM

Quote from: FreeMoney on February 10, 2012, 12:05:48 AM

Do you lose the original if it isn't spent when you make the new identical one? Because when you spend either now it'll be marked as spent?

Right. This has happened a few times on the main network, actually. Not sure if anyone realized until recently that it was possible to spend both, though.

Anyway, now this guys will solve a bug!

theymos

administrator

Activity: 5222

Merit: 13032

Quote from: FreeMoney on February 10, 2012, 12:05:48 AM

Do you lose the original if it isn't spent when you make the new identical one? Because when you spend either now it'll be marked as spent?

Right. This has happened a few times on the main network, actually. Not sure if anyone realized until recently that it was possible to spend both, though.

FreeMoney

legendary

Activity: 1246

Merit: 1016

Strength in numbers

Quote from: theymos on February 09, 2012, 11:49:02 PM

Technical explanation:

When you create a block, the coinbase transaction which generates 50 BTC can easily be made to exactly equal a past coinbase transaction: it just needs to pay out to the same address and have the same (arbitrary) scriptSig. Unfortunately, this transaction will then have the exact same hash as another transaction in the chain. Satoshi did not anticipate this, so it's allowed by the protocol and it confuses the Bitcoin code.

In this case, roconnor:
- Generated a block containing a normal coinbase transaction.
- Spend the BTC generated in the coinbase transaction. Bitcoin nodes mark the coinbase transaction's output as spent.
- Created a block containing a duplicate of the first coinbase transaction. Bitcoin nodes will now overwrite the first coinbase transaction in the transaction database. The output of the coinbase transaction is marked as unspent. The transaction spending the original coinbase output is not affected and is still considered valid.
- Spent the BTC generated in the second coinbase. There are now two transactions spending the "same" output.

Do you lose the original if it isn't spent when you make the new identical one? Because when you spend either now it'll be marked as spent?

theymos

administrator

Activity: 5222

Merit: 13032

Technical explanation:

When you create a block, the coinbase transaction which generates 50 BTC can easily be made to exactly equal a past coinbase transaction: it just needs to pay out to the same address and have the same (arbitrary) scriptSig. Unfortunately, this transaction will then have the exact same hash as another transaction in the chain. Satoshi did not anticipate this, so it's allowed by the protocol and it confuses the Bitcoin code.

In this case, roconnor:
- Generated a block containing a normal coinbase transaction.
- Spend the BTC generated in the coinbase transaction. Bitcoin nodes mark the coinbase transaction's output as spent.
- Created a block containing a duplicate of the first coinbase transaction. Bitcoin nodes will now overwrite the first coinbase transaction in the transaction database. The output of the coinbase transaction is marked as unspent. The transaction spending the original coinbase output is not affected and is still considered valid.
- Spent the BTC generated in the second coinbase. There are now two transactions spending the "same" output.

ineededausername

hero member

Activity: 784

Merit: 1000

bitcoin hundred-aire

Quote from: theymos on February 09, 2012, 09:59:47 PM

Notice that tx 0018417e23... and fae8bfd6a2... on that address ledger spend the exact same output. It looks like a double-spend, but it's actually a less severe bug in the protocol that probably doesn't allow for any easy attacks. (Because the bug causes very strange behavior, though, it might allow for attacks that have not been thought of yet.)

That sounds pretty terrible. Shocked

ThiagoCMC

legendary

Activity: 1204

Merit: 1000

฿itcoin: Currency of Resistance!

Good job Gavin!! Testnet is... FOR TEST!!! Wink

Topic: Bitcoin in danger!? Received <Sent!?! (Read 4936 times)