Pages:
Author

Topic: New Mt Gox Press Release - Feb 10 - they are claiming flaw in bitcoin protocol ! - page 17. (Read 33066 times)

hero member
Activity: 728
Merit: 500
The flaw isn't so much in Bitcoin as it is in exchange-systems. Many exchanges use the tx-id to uniquely identify transactions, but as it turns out, an attacker can change the tx-id without changing the actual transaction, rebroadcast the changed transaction (effectively creating a double-spend) and if his altered transaction gets accepted into a block instead of the legit transaction, the attacker receives his coins and can complain with the exchange that he didn't. The exchange will then check their db, fetch the tx-id from it, look it up in the blockchain and not find it. So they could conclude that the transaction indeed failed and credit the account with the coins.

A simple workaround is to not use the tx-id to identify transactions on the exchange side, but the set of (amount, address, timestamp) instead. If a user complains about not receiving their withdrawal, support can look it up using these 3 variables. It takes a little bit more work from support, but it prevents this attack from succeeding.

While it'd be nice if the tx-id isn't malleable, blaming this problem on a flaw in the protocol is quite a stretch.
member
Activity: 84
Merit: 10
"Bug in the bitcoin software"?

If true, people should be praising Mt.Gox for their diligence.

If false... thanks for the buying opportunity, BTC down, down, down... setting an alarm for $500!
sr. member
Activity: 434
Merit: 250
Gavin's latest posts are visible here:
https://bitcointalksearch.org/user/gavin-andresen-224

If he posts an update, whoever catches it first please provide a reference in this thread.

We should also expect official statements from CoinBase, BitPay, etc.

Unload some BTC if you haven't already.  Re-buy once panic bottoms.

Keep an eye on multiple exchanges in real time here:
http://bitcoinwisdom.com/
or here:
https://www.tradingview.com/e/?symbol=BITSTAMP%3ABTCUSD
or here:
https://bitcoinaverage.com/#USD

Doesn't Gox use a custom version of the client?
They actually do use custom client, but they are blaming the original one am i right?
newbie
Activity: 45
Merit: 0
This is the first HUGE crash ever! Go fiat fast! That bug also affects other Cryptos like LTC!
full member
Activity: 210
Merit: 100
So do not panic. MtGox is not the boss of the Bitcoin. They are an exhange in trouble. With a lot of money but still an exchange.
They better pay the btc to the wallets of the customers and start again...
hero member
Activity: 770
Merit: 500
The whole world is gett GOXXED right now , if there really was a bug why would they annouce it to the whole world ? The normal thing to do would be to contact the Bitcoin Devs and let them know.
member
Activity: 130
Merit: 10
legendary
Activity: 1540
Merit: 1000
Exactly, it doesn't make any sense, there are some very intelligent people behind the Bitcoin code and they always release it to the world of everybody to see so someone would have picked up on this ages ago.
sr. member
Activity: 434
Merit: 250
In Hashrate We Trust!
This is a blame game - they want to buy some time.
If the procol got bugs, how come it's only MtGox that has detected this bug?
global moderator
Activity: 3990
Merit: 2717
Join the world-leading crypto sportsbook NOW!
This isn't good at all. Naysayers will have a field day with this. Panic sellers probably gonna panic.
full member
Activity: 221
Merit: 100
Gavin's latest posts are visible here:
https://bitcointalksearch.org/user/gavin-andresen-224

If he posts an update, whoever catches it first please provide a reference in this thread.

We should also expect official statements from CoinBase, BitPay, etc.

Unload some BTC if you haven't already.  Re-buy once panic bottoms.

Keep an eye on multiple exchanges in real time here:
http://bitcoinwisdom.com/
or here:
https://www.tradingview.com/e/?symbol=BITSTAMP%3ABTCUSD
or here:
https://bitcoinaverage.com/#USD

Doesn't Gox use a custom version of the client?
legendary
Activity: 1232
Merit: 1195
WHAT?!?!!? this is stunning in so many ways.

Quote
We have discussed this solution with the Bitcoin core developers and will allow Bitcoin withdrawals again once it has been approved and standardized.

1. who are these "core developers"?


http://bitcoin.stackexchange.com/questions/1530/who-controls-the-bitcoin-software Don't know if it's up to date or not.
legendary
Activity: 1540
Merit: 1000
How suspicious, we'll have to see what the Bitcoin devs have to say about this, good thing Bitcoin is open source if they don't fix it but to me this looks like MTGOX is trying to cover up it's poor business practices more than anything else but I'll wait for a response on Bitcointalk before I jump to any conclusions.

I thought it might be worth pointing out for the Bitcointalk users who hate altcoins, this kind of thing is precisely why altcoins should be encouraged if it's true.
full member
Activity: 130
Merit: 100
Yes this is really really bad.  They are claiming Bitcoin itself is flawed. 

Whether they are BSing or not, it is really bad for bitcoin in the short term, for sure.
full member
Activity: 151
Merit: 100
Quote from: MtGox
Dear MtGox Customers and Bitcoiners,

As you are aware, the MtGox team has been working hard to address an issue with the way that bitcoin withdrawals are processed. By "bitcoin withdrawal" we are referring to transactions from a MtGox bitcoin wallet to an external bitcoin address. Bitcoin transactions to any MtGox bitcoin address, and currency withdrawals (Yen, Euro, etc) are not affected by this issue.

The problem we have identified is not limited to MtGox, and affects all transactions where Bitcoins are being sent to a third party. We believe that the changes required for addressing this issue will be positive over the long term for the whole community. As a result we took the necessary action of suspending bitcoin withdrawals until this technical issue has been resolved.


Addressing Transaction Malleability
MtGox has detected unusual activity on its Bitcoin wallets and performed investigations during the past weeks. This confirmed the presence of transactions which need to be examined more closely.


Non-technical Explanation:
A bug in the bitcoin software makes it possible for someone to use the Bitcoin network to alter transaction details to make it seem like a sending of bitcoins to a bitcoin wallet did not occur when in fact it did occur. Since the transaction appears as if it has not proceeded correctly, the bitcoins may be resent. MtGox is working with the Bitcoin core development team and others to mitigate this issue.


Technical Explanation:
Bitcoin transactions are subject to a design issue that has been largely ignored, while known to at least a part of the Bitcoin core developers and mentioned on the BitcoinTalk forums. This defect, known as "transaction malleability" makes it possible for a third party to alter the hash of any freshly issued transaction without invalidating the signature, hence resulting in a similar transaction under a different hash. Of course only one of the two transactions can be validated. However, if the party who altered the transaction is fast enough, for example with a direct connection to different mining pools, or has even a small amount of mining power, it can easily cause the transaction hash alteration to be committed to the blockchain.

The bitcoin api "sendtoaddress" broadly used to send bitcoins to a given bitcoin address will return a transaction hash as a way to track the transaction's insertion in the blockchain.
Most wallet and exchange services will keep a record of this said hash in order to be able to respond to users should they inquire about their transaction. It is likely that these services will assume the transaction was not sent if it doesn't appear in the blockchain with the original hash and have currently no means to recognize the alternative transactions as theirs in an efficient way.

This means that an individual could request bitcoins from an exchange or wallet service, alter the resulting transaction's hash before inclusion in the blockchain, then contact the issuing service while claiming the transaction did not proceed. If the alteration fails, the user can simply send the bitcoins back and try again until successful.

We believe this can be addressed by using a different hash for transaction tracking purposes. While the network will continue to use the current hash for the purpose of inclusion in each block's Merkle Tree, the new hash's purpose will be to track a given transaction and can be computed and indexed by hashing the exact signed string via SHA256 (in the same way transactions are currently hashed).

This new transaction hash will allow signing parties to keep track of any transaction they have signed and can easily be computed, even for past transactions.

We have discussed this solution with the Bitcoin core developers and will allow Bitcoin withdrawals again once it has been approved and standardized.

In the meantime, exchanges and wallet services - and any service sending coins directly to third parties - should be extremely careful with anyone claiming their transaction did not go through.

Note that this will also affect any other crypto-currency using the same transaction scheme as Bitcoin.


Conclusion
To put things in perspective, it's important to remember that Bitcoin is a very new technology and still very much in its early stages. What MtGox and the Bitcoin community have experienced in the past year has been an incredible and exciting challenge, and there is still much to do to further improve.

MtGox will resume bitcoin withdrawals to outside wallets once the issue outlined above has been properly addressed in a manner that will best serve our customers.

More information on the status of this issue will be released as soon as possible.

We thank you for taking the time to read this, and especially for your patience.

Best Regards,
MtGox Team
full member
Activity: 130
Merit: 100
https://www.mtgox.com/press_release_20140210.html

This is probably worse news than most of us expected. Not only are they not resuming withdrawls, they are claiming it is because of basic flaw in the bitcoin protocol.

If it's not true, it's still some really bad press.  

If it is true, then will hurt the confidence of BTC in the short-term, and the price of course.

This was posted below that the flaw has been discussed elsewhere recently:

https://www.mail-archive.com/[email protected]/msg03890.html
Pages:
Jump to: