Pages:
Author

Topic: New Attack Vector (Read 46618 times)

newbie
Activity: 140
Merit: 0
May 13, 2018, 03:21:45 PM
Why should Bitcoin protocol accept all openssl formats?
What we need is a protocol, not mad people whining in a forum. That sure won't make them change.
Thanks
newbie
Activity: 5
Merit: 0
May 09, 2018, 03:17:07 AM
For the record, there is another possibility of signature malleability.

For every ECDSA signature (r,s), the signature (r, -s (mod N)) is a valid signature of the same message. Note that the new signature has the same size as the original, as opposite as the malleabillity of padding.


i can complete right upto sending then i get an error.. and its not scriptsig64 i have a solution for tht
donator
Activity: 1218
Merit: 1079
Gerald Davis
February 19, 2014, 02:32:00 PM
Perhaps i didn't read it right; does malleability cause any issues in the real world for anyone that only deals with confirmed transactions?

Potentially.

https://bitcointalksearch.org/topic/what-the-average-user-needs-to-know-about-transaction-mutability-460944

The two issues that would face a user using a stock client would be incorrect reporting of duplicate tx and problems with spending unconfirmed change output.  Both are described in the linked thread. 

There are pull requests to provide better handling of both issues and eventually they will be included in the mainline client. These "fixes" don't make tx id immutable (that will require a protocol enhancement) but they will cause wallets to behave in a more expected manner when they encounter duplicate transactions. The long term solution is to make tx ids immutable (or at least immutable by third party) but that will take a lot longer as it may require a hard fork.
hero member
Activity: 616
Merit: 500
Firstbits.com/1fg4i :)
February 19, 2014, 02:25:32 PM
Perhaps i didn't read it right; does malleability cause any issues in the real world for anyone that only deals with confirmed transactions?
hero member
Activity: 896
Merit: 532
Former curator of The Bitcoin Museum
February 15, 2014, 08:30:45 AM
I believe the attack you describe is possible and real, but the effect is less troublesome. As soon as a modified echo of the transaction is included in a block, both sender and receiver will see this transaction too. The old transaction will linger on however, unconfirmed.


Ouch. I don't think he took all the variables when be made this call   Roll Eyes
hero member
Activity: 546
Merit: 500
EOS Auctions
February 14, 2014, 07:14:18 PM
This actually is quite similar to another "corner case" that I've been wondering about.  Consider the following scenario:

User downloads installs bitcoin into a windows virtual machine, the copies the virtual machine to multiple locations.

Each of the virtual machines attempt to engage in transactions (receiving, sending, or even mining and block verification.)

What function is mitigating the collisions between clients, and which client becomes most authorative?  While I see how this could result in issues in transaction confirmation, wouldn't confirmations by those cloned entities result in confirmation corruption?
Collisions are handled by the Bitcoin protocol. When you submit a transaction to the network, miners will begin to try to add it to the block chain. When a miner successfully mines a block, it is added to the block chain and other miners see this and begin working off of the new top block. There is a chance that two blocks are submitted nearly at the same time - and some miners see one block and other see the other block. This results in a fork of the block chain. Some miners will be working on one prong of the fork, while others work on the other prong. At each new block, miners will always begin working on the longest prong. Eventually, the longer prong becomes so long that all mining stops on the shorter prong, and it is orphaned - never to surface again.
legendary
Activity: 1148
Merit: 1018
February 14, 2014, 12:11:35 PM
It might be a good idea to patch this before some enterprising person with excess time on their hands (cough) makes a cloned transaction echobot.

Yep, that might have been a good idea

Cheesy
legendary
Activity: 2097
Merit: 1070
February 14, 2014, 11:44:23 AM
Well this really came back as a big issue didn't it.
sr. member
Activity: 271
Merit: 254
February 14, 2014, 11:13:17 AM
It might be a good idea to patch this before some enterprising person with excess time on their hands (cough) makes a cloned transaction echobot.

Gotta say Enochian gets props for seeing this so far ahead of time. It's almost too bad someone didn't make an echo bot to force the issue 2 years ago, so it'd have been fixed one way or another before bitcoin was so massive.

While Bitcoin is brilliant in that it makes mining significantly more profitable than cracking passwords, we do not yet have an altcoin that creates currency from proof-of-exploit.

So while it's easy to see some of these holes, there are perverse financial incentives that make it significantly more profitable for news media to make superheros and villians of the developers and hackers, depending on which side of the market you are on. In the meantime they have shell companies that tie up all the people who DO see the holes with non-disclosure agreements, and exploit insider access to that information to take the unsuspecting public's money.

The first step is admitting you have a problem.

The second step is charging a retainer any time someone uses the word 'confidential', 'proprietary' or 'shareholder value'
sr. member
Activity: 434
Merit: 250
February 14, 2014, 10:07:56 AM
It might be a good idea to patch this before some enterprising person with excess time on their hands (cough) makes a cloned transaction echobot.

Gotta say Enochian gets props for seeing this so far ahead of time. It's almost too bad someone didn't make an echo bot to force the issue 2 years ago, so it'd have been fixed one way or another before bitcoin was so massive.
sr. member
Activity: 271
Merit: 254
February 14, 2014, 09:45:55 AM
Is there concrete evidence in the block chain?  Are there indeed altered transactions in the pool?  Is Mt. Gox blowing smoke?
In my opinion, the answers are no, possibly, and yes. 

The issue is that I create and broadcast a transaction with TxId "X".  Someone can tweak it to an equivalent (same send and receive addresses) transaction with TxId "Y".  Assuming everything else about the transactions are valid, either one (but not both) might get pulled into the blockchain.  I say there's no concrete evidence in the blockchain because the TxId only has an unambiguous meaning once it's incorporated into a block.  At any given time, it's possible that both "X" and "Y" flavors of a transaction could be floating around in different unmined tx pools, but any given miner should only accept one.  I think Mt. Gox is blowing smoke because everyone else seems to be able to deal with this issue satisfactorily, and the issue by itself doesn't explain all the problems folks are seeing at Gox.

Do you work for Gox?

Have you seen their code?

If not, then you are blowing smoke, and contributing a smokescreen to a market-manipulation coin-robbery of epic proportions.

If any exchange wants an independent review of their code, and a productive environment in which to fix any problems found,  I will do it at no cost for code that will be disclosed to the public. If you have proprietary exchange code, my retainer for an NDA starts at $5000.

We have a bunch of guys with NDAs and 'secret proprietary code' all running around issuing press releases about how the other guy sucks, while the handlers that pay their bills are scooping up all the bitcoins they can before the heroic developers, who have been working on this day and night, issue a magical fix and the price of bitcoin doubles.

If broadcasting transactions to the entire network was a good idea for bitcoin, it's probably a good idea to broadcast the code that runs exchanges too. Unless you like handing your money over to the banksters, in which case I guess I can take your money too.
sr. member
Activity: 434
Merit: 250
February 11, 2014, 10:08:41 PM
Interestingly other exchanges are having problems today also ...
Bitstamp and BTC-E
https://bitcointalksearch.org/topic/bitstamp-btc-withdrawal-problem-459836

Bter also suspended BTC withdrawals.
legendary
Activity: 4634
Merit: 1851
Linux since 1997 RedHat 4
February 11, 2014, 03:46:41 PM
Interestingly other exchanges are having problems today also ...
Bitstamp and BTC-E
https://bitcointalksearch.org/topic/bitstamp-btc-withdrawal-problem-459836
newbie
Activity: 57
Merit: 0
February 11, 2014, 12:51:21 AM
Is there concrete evidence in the block chain?  Are there indeed altered transactions in the pool?  Is Mt. Gox blowing smoke?
In my opinion, the answers are no, possibly, and yes. 

The issue is that I create and broadcast a transaction with TxId "X".  Someone can tweak it to an equivalent (same send and receive addresses) transaction with TxId "Y".  Assuming everything else about the transactions are valid, either one (but not both) might get pulled into the blockchain.  I say there's no concrete evidence in the blockchain because the TxId only has an unambiguous meaning once it's incorporated into a block.  At any given time, it's possible that both "X" and "Y" flavors of a transaction could be floating around in different unmined tx pools, but any given miner should only accept one.  I think Mt. Gox is blowing smoke because everyone else seems to be able to deal with this issue satisfactorily, and the issue by itself doesn't explain all the problems folks are seeing at Gox.
hero member
Activity: 709
Merit: 503
February 10, 2014, 04:39:27 PM
Is there concrete evidence in the block chain?  Are there indeed altered transactions in the pool?  Is Mt. Gox blowing smoke?
sr. member
Activity: 437
Merit: 260
balance
February 10, 2014, 02:08:15 PM
#99
I was wondering how block intervals relate to this issue.

Would a coin with a 30 minute block interval be more susceptible to such a problem?
The coin itself isn't affected by transaction malleability, as one of the transactions will eventually be mined and at some point the coins will successfully be sent to their destination address as the sender intended. Software written to rely on tracking a txid alone is susceptible to such a problem. A solution would be tracking coins by their confirmed (immutable) outputs rather than tracking the txid that contains those outputs.

Block time specifically, or any function of time, does not have much to do with this.
full member
Activity: 168
Merit: 100
February 10, 2014, 12:17:45 PM
#98
I was wondering how block intervals relate to this issue.

Would a coin with a 30 minute block interval be more susceptible to such a problem?
full member
Activity: 237
Merit: 101
February 10, 2014, 08:54:47 AM
#97
great thread reboot.
a very interesting read.
this issue has been know about for a long time, but it's still here and now it's causing problems.
legendary
Activity: 1072
Merit: 1189
July 19, 2013, 12:05:55 PM
#95
it makes it nearly impossible to create a alternative client, when the "standard" mutates all the time. bitcoin needs diversity in clients.

Do you have any idea what you're talking about?

The DER encoding for signatures is the most standard one that exists. We've been discussing enforcing the standard for a _year_ before implementing it - because, unfortunately, not everyone was following the same rules.

Do you know why we want to enforce this standard? To make sure Bitcoin can be implemented without relying on OpenSSL.
Pages:
Jump to: