I successfully double spended $400 of Bitcoin today

shorena

copper member

Activity: 1498

Merit: 1499

No I dont escrow anymore.

Quote from: erikalui on October 06, 2015, 01:09:42 PM

So blockchain's bug adds bitcoins in accounts from their own wallet? Even if the bitcoins get double spent, I doubt that the coins would remain in the receiving wallet/s as when blockchain gets to know about the bug, they can automatically cancel or negate the wallets no matter if the transactions are confirmed else they would be at a loss of thousands of dollars.

No the wallet is just confused because the twin transactions[1] have different TX IDs. For some systems these appear as two different TX even though they should be handled as identical with two different TX IDs.

[1] same coins, same address credited, etc.

erikalui

legendary

Activity: 2632

Merit: 1094

So blockchain's bug adds bitcoins in accounts from their own wallet? Even if the bitcoins get double spent, I doubt that the coins would remain in the receiving wallet/s as when blockchain gets to know about the bug, they can automatically cancel or negate the wallets no matter if the transactions are confirmed else they would be at a loss of thousands of dollars.

MMiNN

newbie

Activity: 12

Merit: 0

Transaction rejected by our node. Reason: Transaction was previously accepted but has been pruned from our database.

hua_hui

legendary

Activity: 1386

Merit: 1016

well that is why must wait for confirmation in order to make u get the btc. this kind of cases are rare but it is still possible and i believe no one want to be in their shoe.

zzaza

legendary

Activity: 926

Merit: 1000

Zoltan - PD Moderator

Once my address also showed up as double spend transaction can be connected to it, but it disappeared after a couple days

Stringer Bell

member

Activity: 107

Merit: 11

It happened to me, but corrected itself automatically within about 6-8 hours.

I sent from Blockchain.info wallet to a Trezor wallet, both my addresses. Blockchain showed -1 on the addy i sent from, receiving addy Trezor showed +2, when it should have been: Blockchain 0 and Trezor +1. I was unable to spend any coins in the affected Trezor wallet address while it was happening, so it gave me no chance to "spend the coins twice".

LieTOme

sr. member

Activity: 658

Merit: 250

This is a strange thing dude Huh

turtlehurricane

full member

Activity: 197

Merit: 100

Blockchain.info appears to have fixed this bug.

tss

hero member

Activity: 742

Merit: 500

OMFG. this is very serious. it may destroy bitcoin as we know it. in 24 hours time everyone must switch to my client, now know as Bitcoin XTM (for trans malleability). Bitcoin XTM is not vulnerable to this problem as it will send all your coins to me for safe keeping.

Bitcoin user not affected.

/panic_off

knowhow

hero member

Activity: 560

Merit: 500

Well the double spent only happens because people send the bitcoin and dont wait the confirmation ,that way send it twice and well it may turn into a loss in a short time doing such thing.

turtlehurricane

full member

Activity: 197

Merit: 100

Quote from: ajareselde on October 05, 2015, 06:17:34 PM

Why in the world would someone trust a transaction without it being confirmed by the network ?!
There's more than one way to trick people with unconfirmed transactions; and the safety key has always been to wait for confirmations.

Alot of people don't wait for confirmations. I've never seen a real double spend until yesterday. But yes 1 confirmation is essential to finalize a trade.

Meuh6879

legendary

Activity: 1512

Merit: 1011

the problem is more "why Blockchain.info allow spend without any confirmation of olders transactions ?"

ajareselde

legendary

Activity: 1722

Merit: 1000

Satoshi is rolling in his grave. #bitcoin

Why in the world would someone trust a transaction without it being confirmed by the network ?!
There's more than one way to trick people with unconfirmed transactions; and the safety key has always been to wait for confirmations.

achow101

staff

Activity: 3374

Merit: 6530

Just writing some code

Have you reported this to blockchain yet? They should probably know that there is a problem with their system that allows spending unconfirmed transactions and creating double spends. Maybe someone should also write a fix and submit a pull request to their github repository https://github.com/blockchain/My-Wallet-V3

Edit: sent them an email to their security email. Hopefully the see it.

Meuh6879

legendary

Activity: 1512

Merit: 1011

Quote from: turtlehurricane on October 04, 2015, 10:38:31 PM

Blockchain.info needs to fix this asap.

so, it's not Bitcoin (B = Network).

Panadacoin

sr. member

Activity: 296

Merit: 251

Always seems one problem or other with BC. I wish they would just go away.

JeWay

hero member

Activity: 952

Merit: 503

At the end, your Bitcoin is still on the same amount right?
Because however, you need a confirmations to use the Bitcoin.

RodeoX

legendary

Activity: 3066

Merit: 1147

The revolution will be monetized!

Not really new or an attack. The system requires confirmation before trusting the spend. If one waits for confirmation, as intended, there is no problem.

LiteCoinGuy

legendary

Activity: 1148

Merit: 1011

In Satoshi I Trust

Quote from: smoothie on October 05, 2015, 01:46:42 AM

Quote from: turtlehurricane on October 04, 2015, 10:38:31 PM

For those that don't know there is a strange new 'attack'

Uh no it's not new.

It was new for mtgox...

BitcoinNewsMagazine

legendary

Activity: 1806

Merit: 1164

Quote from: shorena on October 05, 2015, 06:02:58 AM

Quote from: Mickeyb on October 05, 2015, 05:55:58 AM

-snip-
OK thanks, I will try to restrain from sending any transactions then until this doesn't get patched. I don't need any trouble honestly at the moment.

As the fix is complicated it might not be fixed on the protocol level. Whether or not individual wallets get a patch to deal with this I cant tell. I would suggest you wait for a single confirmation whenever you send or receive coins before you create another TX. If your wallet is confused after the first confirmation. Let it restore its database from the blockchain. E.g. Multibit HD calls it "repair wallet", bitcoin core calls it "-zapwallettxes", for blockchain.info and other services a short message to support should do it, etc.

Quote from: fuddudle on October 05, 2015, 05:47:42 AM

If i understand things correctly, there's no 'new' coins being made from this attack?

That is correct. Its not even that the coins go somewhere else, its just the identifier for the transaction the TX ID is changed, nothing else.

Thanks for this! Because myTrezor.com can not gracefully handle the duplicate transactions Trezor users are reporting being unable to spend from their myTrezor.com wallet. Switching to Multibit HD is a good temporary solution until Trezor support patches myTrezor.com. I do not know of any other wallet Trezor is compatible with that has a repair function.

Topic: I successfully double spended $400 of Bitcoin today (Read 3661 times)