Instawallet/Bitcoin-Central Security Breach - page 15.

steelboy

hero member

Activity: 756

Merit: 1000

Quote from: SgtSpike on April 01, 2013, 05:53:57 PM

They posted in the Bitcoin-Central thread that all user funds (BTC and Euro) were safe.

They didn't mention instawallet though. Sad

Also, some people have suggested that if you had hacked the website you could put a web page saying all was good relatively easily.

It would be nice to hear from Davout. I believe he is instawallet staff

Mike Hearn

legendary

Activity: 1526

Merit: 1134

There is a patch that makes miners calculate fees recursively like that, as everyone agrees it's a good idea. The problem is the code is rather non-trivial and Gavin isn't yet convinced it's a safe change.

SgtSpike

legendary

Activity: 1400

Merit: 1005

They posted in the Bitcoin-Central thread that all user funds (BTC and Euro) were safe.

lucb1e

newbie

Activity: 47

Merit: 0

Thanks for this explanation, dooglus!

dooglus

legendary

Activity: 2940

Merit: 1333

Quote from: steelboy on April 01, 2013, 05:32:21 PM

The last few posts made no sense to me at all.

Does it look good or bad?

Not bad.

They've moved lots of coins out of bitcoin-central and instawallet cold storage into a different address. Despite paying a relatively large transaction fee of 0.1 BTC on both transactions, the transactions still aren't confirmed after several hours.

It turns out that this is because the coins these transactions are trying to move aren't themselves confirmed yet, and you can't confirm any transaction which moves unconfirmed coins until those coins are confirmed.

The transactions which are holding the ~~bit~~ big transactions up have fees of 0, so miners aren't prioritising them.

A smart miner would look at the big picture, and think "if we mine these two 0 fee transactions now, then we'll be able to also mine the 0.1 BTC transactions at the same time and get the big fee". But apparently there aren't any smart miners yet.

dooglus

legendary

Activity: 2940

Merit: 1333

Quote from: SgtSpike on April 01, 2013, 05:26:33 PM

So, question. Can you create an identifier for unconfirmed inputs, such that they would "pop out" at a person looking at this page: http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy

Maybe just mark the text in red, or put a little red "unconfirmed" bubble next to any of them that aren't confirmed.

I'd like this too. When I look at the 'advanced' view of a transaction on blockchain.info I'd like to see unconfirmed inputs marked as such.

molecular

donator

Activity: 2772

Merit: 1019

Quote from: steelboy on April 01, 2013, 05:32:21 PM

The last few posts made no sense to me at all.

Does it look good or bad?

good.

not because of what was talked in the last couple posts. That was just a technical "mystery" explained.

steelboy

hero member

Activity: 756

Merit: 1000

The last few posts made no sense to me at all.

Does it look good or bad?

molecular

donator

Activity: 2772

Merit: 1019

Quote from: piuk on April 01, 2013, 05:24:19 PM

Quote from: dooglus on April 01, 2013, 05:19:11 PM

Does anyone have any theories as to how it is possible that the most recent two transactions to 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy are still confirmed after several hours despite each including a massive 0.1 BTC fee?

They use unconfirmed inputs. Such as this tx: http://blockchain.info/tx/a3aad3ddc180ec33d3060e5b0b048ab07647271db559743b46f4668f7796c6d4 which is too large for no fees.

There has been talk about optimizing tx prioritization in bitcoind for quite a while. I can now see why it would make sense to have a high-fee tx (such as these 2) "pull in" the no- (or low-) fee inputs. I kinda thought this was the case already.

molecular

donator

Activity: 2772

Merit: 1019

Quote from: piuk on April 01, 2013, 05:28:34 PM

Quote from: molecular on April 01, 2013, 05:27:07 PM

and why does blockchain.info list "blockchain.info" as originating IP for the transactions?

It was submitted using https://blockchain.info/pushtx

makes sense

piuk

hero member

Activity: 910

Merit: 1005

Quote from: molecular on April 01, 2013, 05:27:07 PM

and why does blockchain.info list "blockchain.info" as originating IP for the transactions?

It was submitted using https://blockchain.info/pushtx

molecular

donator

Activity: 2772

Merit: 1019

Quote from: jabetizo on April 01, 2013, 05:24:09 PM

Quote from: dooglus on April 01, 2013, 05:19:11 PM

Does anyone have any theories as to how it is possible that the most recent two transactions to 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy are still confirmed after several hours despite each including a massive 0.1 BTC fee?

+1

for some reason the network propagation for both transactions is below 5%, why are nodes not relaying them?

and why does blockchain.info list "blockchain.info" as originating IP for the transactions?

EDIT: piuk, you should probably change your avatar. People (at least I) got used to the new logo.

SgtSpike

legendary

Activity: 1400

Merit: 1005

Quote from: piuk on April 01, 2013, 05:24:19 PM

Quote from: dooglus on April 01, 2013, 05:19:11 PM

Does anyone have any theories as to how it is possible that the most recent two transactions to 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy are still confirmed after several hours despite each including a massive 0.1 BTC fee?

They use unconfirmed inputs. Such as this tx: http://blockchain.info/tx/a3aad3ddc180ec33d3060e5b0b048ab07647271db559743b46f4668f7796c6d4 which is too large for no fees.

Well, invalid tx hash when I click on the link, but that makes sense anyway.

So, question. Can you create an identifier for unconfirmed inputs, such that they would "pop out" at a person looking at this page: http://blockchain.info/address/1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy

Maybe just mark the text in red, or put a little red "unconfirmed" bubble next to any of them that aren't confirmed.

piuk

hero member

Activity: 910

Merit: 1005

Quote from: dooglus on April 01, 2013, 05:19:11 PM

Does anyone have any theories as to how it is possible that the most recent two transactions to 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy are still confirmed after several hours despite each including a massive 0.1 BTC fee?

They use unconfirmed inputs. Such as this tx: http://blockchain.info/tx/a3aad3ddc180ec33d3060e5b0b048ab07647271db559743b46f4668f7796c6d4 which is too large for no fees.

jabetizo

full member

Activity: 125

Merit: 101

Quote from: dooglus on April 01, 2013, 05:19:11 PM

Does anyone have any theories as to how it is possible that the most recent two transactions to 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy are still confirmed after several hours despite each including a massive 0.1 BTC fee?

+1

for some reason the network propagation for both transactions is below 5%, why are nodes not relaying them?

SgtSpike

legendary

Activity: 1400

Merit: 1005

Quote from: dooglus on April 01, 2013, 05:19:11 PM

Does anyone have any theories as to how it is possible that the most recent two transactions to 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy are still confirmed after several hours despite each including a massive 0.1 BTC fee?

That's kind of a huge "wtf" to me as well.

Is Bitcoin broken?? Tongue

dooglus

legendary

Activity: 2940

Merit: 1333

Does anyone have any theories as to how it is possible that the most recent two transactions to 1LrPYjto3hsLzWJNstghuwdrQXB96KbrCy are still confirmed after several hours despite each including a massive 0.1 BTC fee?

Injust

legendary

Activity: 1008

Merit: 1000

Quote from: twolifeinexile on April 01, 2013, 05:11:43 PM

Quote from: ?? on ??

Quote from: lucb1e on April 01, 2013, 04:47:38 PM

Quote from: mccorvic on April 01, 2013, 03:19:51 PM

either way the lesson will be "trust no one to hold your coins".

Seconded

Apparently every new batch of Bitcoiners will need to learn this valuable lesson.

If you aren't the sole controller of your private keys, you don't have any bitcoins.

Take whatever steps necessary to be the sole controller of your private keys people!

yep

But instawallet is really convenent and if you need spend, it is such a snap to use. They even have a iphone HTML5 app.
Anyway, I put some funds there with the intention to spend, but still got a little panic (not really, but my money there is not immaterial either).
I guess I will just take some BTC out there after this fiasco. (It wasn't really signficiant amount money, but BTC keep rising and now not a change any more!)

Essentially, the only way I use Instawallet is I use it to condense all the small transactions that I get from faucets (that's my only source of Bitcoins Tongue

) and when I get BTC0.02, I send BTC0.01 to my other wallet. So I never keep more than BTC0.02 there.

twolifeinexile

full member

Activity: 154

Merit: 100

Quote from: ?? on ??

Quote from: lucb1e on April 01, 2013, 04:47:38 PM

Quote from: mccorvic on April 01, 2013, 03:19:51 PM

either way the lesson will be "trust no one to hold your coins".

Seconded

Apparently every new batch of Bitcoiners will need to learn this valuable lesson.

If you aren't the sole controller of your private keys, you don't have any bitcoins.

Take whatever steps necessary to be the sole controller of your private keys people!

yep

But instawallet is really convenent and if you need spend, it is such a snap to use. They even have a iphone HTML5 app.
Anyway, I put some funds there with the intention to spend, but still got a little panic (not really, but my money there is not immaterial either).
I guess I will just take some BTC out there after this fiasco. (It wasn't really signficiant amount money, but BTC keep rising and now not a change any more!)

twolifeinexile

full member

Activity: 154

Merit: 100

Quote from: dooglus on April 01, 2013, 05:00:13 PM

Quote from: d5000 on April 01, 2013, 04:34:33 PM

We thank you for your patience and will provide updates exclusively on this page as they come in.

What page is that from?

Quote from: twolifeinexile on April 01, 2013, 04:41:33 PM

The wording "exclusive control" is also odd to me, sounds like someone steals it (internal employee?) and they discovered and force the guy give back the key?

Sounds to me like they're just saying "we know this address hasn't been compromised, and we control it, so don't worry".

Hmmm, your explanation makes more sense of the word "exclusive"

.
Guess the implied info is that the two cold storage wallets maybe compromized and not in "exclusive" control, out of caution, they moved to a wallet they feel more secure.

Topic: Instawallet/Bitcoin-Central Security Breach - page 15. (Read 85315 times)