Topic: Re: Discussion: The major exploit and related discussion (2010) (Read 226 times)

legendary
Activity: 3472
Merit: 4801
Quote
It was a single mined block that mined the bitcoins to two addresses.  There may have been more than one person involved in creating that block, but it seems unlikely.
It's unlikely that the exploit was abused by two separate people in such a short period of time.

No.  It's unlikely that two people collaborated to mine the single block.

Let's just assume that it was only one person, why would they send to two addresses? Why not just 1 or multiple addresses?

Because, that's how the vulnerability worked.  Each output was approximately the maximum that could be held in the available bytes of data.  Either alone would have been bigger than the block reward limit, but when added together they appeared to the software to be a negative number.  It isn't possible to perform the attack with a single address.  It isn't necessary to use more than two.

It would have likely gone unnoticed longer if they had used hundreds of addresses to distribute the coin.

No, it wouldn't.  It still would have been obvious that the block reward was larger than the reward limit.

Quote
Where did you get the date of August 6?

It looks like I can't find the original source that I was studying but it could have been my mistake anyway. As far as I can tell from my quick research now this isn't valid. Could have been that I've just got confused whilst reading two different sources.

Seems likely.

I don't know code and it looks like Gavin Andresen provided a short term fix in the thread that you linked. Would you or anyone else be willing to explain what this code involves and alters that fixed the exploit?

Gavin added code that checked to make sure that values are not less than 0 AND are not greater than 21 million.

Since the exploit requires that the sum of the outputs be negative, it required very large values (close to the maximum value that an integer can hold) and resulted in very small values (sums that appeared to be negative).

Also, Satoshi provides a preliminary fix and then later a final fix. What's the difference between Gavin's approach and Satoshi's?

The two approaches are similar.

Gavin addressed the immediate problem (individual outputs that were too big) by limiting individual outputs to be no less than zero and no more than 21 million BTC.

Satoshi implemented the exact same fixes as Gavin:
(They BOTH have the following in their code)
Code:
if (txout.nValue < 0)
    return error("CTransaction::CheckTransaction() : txout.nValue negative");

if (txout.nValue > 21000000 * COIN)
    return error("CTransaction::CheckTransaction() : txout.nValue too high");
(Actually Gavin used an error message of "over max" where Satoshi used "too high".  That's just a test message for the user, and they mean the same thing).

The code Satoshi posted in the thread has some additional checks, but I don't know if those checks were already there, or if those were additions that he thought of while he was working on this. It's not clear if failing to add these checks would have left an exploitable vulnerability, but it's a good practice to explicitly enforce such things if your software depends on such values. Here is what else I see in the code that he posted:

He checks to make sure that the transaction has at least 1 input and at least 1 output.
He also checks to make sure that coinbase output scripts are at least 2 bytes long and no more than 100 bytes long.
He also checks to make sure that non-coinbase inputs have a reference to an output that is being spent.
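
The wraparound and the range checks described in the post above, as an added example that is not part of the original thread or of Bitcoin's source. The function and constant names are hypothetical; the two output values, the 50 BTC reward limit and the 21 million bound are the ones quoted in the thread, and the bound on the running total is this example's own addition.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Added illustration: function and constant names are hypothetical, not Bitcoin's source.
static const int64_t COIN = 100000000;             // base units per BTC
static const int64_t MAX_MONEY = 21000000 * COIN;  // the 21 million bound from the quoted check
static const int64_t BLOCK_REWARD = 50 * COIN;     // reward limit mentioned in the thread

// The two output values quoted in the thread (92,233,720,368.54277039 BTC each), in base units.
static const std::vector<int64_t> REPORTED_OUTPUTS = {
    9223372036854277039LL, 9223372036854277039LL};

// Signed overflow is undefined behaviour in C++, so the 8-byte wraparound is
// reproduced explicitly with unsigned arithmetic.
int64_t wrapped_sum(const std::vector<int64_t>& outs) {
    uint64_t sum = 0;
    for (int64_t v : outs) sum += static_cast<uint64_t>(v);
    return static_cast<int64_t>(sum);
}

// Validation as the thread describes it before the fix: only the total is compared.
bool check_sum_only(const std::vector<int64_t>& outs, int64_t limit) {
    return wrapped_sum(outs) <= limit;
}

// Validation with the range checks from the quoted fix applied to every output.
// The bound on the running total is this example's own addition.
bool check_with_range(const std::vector<int64_t>& outs, int64_t limit) {
    int64_t sum = 0;
    for (int64_t v : outs) {
        if (v < 0) return false;           // "txout.nValue negative"
        if (v > MAX_MONEY) return false;   // "txout.nValue too high"
        sum += v;                          // cannot overflow: both operands <= MAX_MONEY
        if (sum > MAX_MONEY) return false;
    }
    return sum <= limit;
}

int main() {
    std::printf("wrapped sum: %lld base units\n",
                static_cast<long long>(wrapped_sum(REPORTED_OUTPUTS)));
    std::printf("sum-only check accepts: %d\n", check_sum_only(REPORTED_OUTPUTS, BLOCK_REWARD));
    std::printf("range check accepts:    %d\n", check_with_range(REPORTED_OUTPUTS, BLOCK_REWARD));
    return 0;
}
```

The wrapped total is a small negative number of base units, which is why a comparison against the reward limit alone passes while the per-output range check rejects the same outputs.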
legendary
Activity: 1232
Merit: 1080
You've got some of your facts wrong.  Additionally, you've stated some additional information that I haven't heard before, and you haven't provided any source for that information.
I'll apologize for any information I've provided that is wrong and I'll try and link to any sources that I think need to be clarified.

Quote
Here is the original thread identifying, discussing, and solving the problem:
https://bitcointalksearch.org/topic/overflow-bug-serious-823

Thank you for providing that thread. I'll be sure to read it thoroughly.

Quote

19-and-a-half months. (closer to two years than 1 year)
 
I was not around when the bug was found and my maths may be at fault here.

Quote
It was a single mined block that mined the bitcoins to two addresses.  There may have been more than one person involved in creating that block, but it seems unlikely.
It's unlikely that the exploit was abused by two separate people in such a short period of time. Let's just assume that it was only one person, why would they send to two addresses? Why not just 1 or multiple addresses? It would have likely gone unnoticed longer if they had used hundreds of addresses to distribute the coin.

Quote
Where did you get the date of August 6?

It looks like I can't find the original source that I was studying but it could have been my mistake anyway. As far as I can tell from my quick research now this isn't valid. Could have been that I've just got confused whilst reading two different sources.

Quote
That is not true.  Transactions WERE verified, but the verification had a bug that allowed someone to take advantage of the way computers store integers.


Quote
ABSOLUTELY NOT.

What you COULD do is award yourself multiple outputs when mining which, when added together, were larger than the maximum positive amount that could be stored in a 4 byte integer. When the validation code added these output values together, the result would be a negative integer (due to the way computers handle integers).  Therefore, the sum of the outputs (a negative integer) would appear to the code to be less than the allowed block reward (50 BTC) even though each of the individual outputs was larger than 50 BTC (and less than the maximum positive integer).


Thanks for correcting me on both of these statements. This is why I'm glad that I created this topic and you responded.

Quote
Thanks.  It's been great reviewing what I remember about the issue.
I would like to thank you too. I've gained a little more clarity of the issue and have come out of it a little bit more knowledgeable because of your replies. It looks like I was wrong on a few things.

I don't know code and it looks like Gavin Andresen provided a short term fix in the thread that you linked. Would you or anyone else be willing to explain what this code involves and alters that fixed the exploit?

Also, Satoshi provides a preliminary fix and then later a final fix. What's the difference between Gavin's approach and Satoshi's?
legendary
Activity: 3472
Merit: 4801
You've got some of your facts wrong.  Additionally, you've stated some additional information that I haven't heard before, and you haven't provided any source for that information.

Here is the original thread identifying, discussing, and solving the problem:
https://bitcointalksearch.org/topic/overflow-bug-serious-823

Looks like people would prefer to spam the same old replies in the mega threads than engage in actual conversations.

Which is why this sub-forum was created.

In Bitcoin's early days in fact just over 1 year

19-and-a-half months. (closer to two years than 1 year)

a major exploit was found and abused by two addresses on the network which were likely controlled by one person although this hasn't been proven or found out to date.

It was a single mined block that mined the bitcoins to two addresses.  There may have been more than one person involved in creating that block, but it seems unlikely.

The major security vulnerability was first spotted in what I presume was in the code and by Satoshi himself or some other developer on 6 August 2010.

Where did you get the date of August 6?

To my knowledge this is the only major vulnerability that was discovered in Bitcoin's history.

I guess that depends on how you define "major vulnerability". There have been a variety of bugs that have been fixed over the years (including but not limited to transaction malleability).

what happened in these 9 days.

I still don't understand why you think 9 days were involved.

1. How was the vulnerability spotted and by who?

I suspect multiple people spotted it.  It was first reported to bitcointalk by jgarzik when he noticed the problem in transaction 012cd8f8910355da9dd214627a31acfeb61ac66e13560255bfd87d3e9c50e1ca of block 0000000000790ab3f22ec756ad43b6ab569abf0bddeb97c67a6f7b1470a7ec1c

2. If this was public knowledge why was it only exploited 9 days after?

Why do you believe it was public knowledge?

3. The transaction/exploit was erased from the network how so?

An overwhelming majority of the hash power at the time all agreed to run code that would invalidate the block.  Then they re-synchronized their blockchains.  The invalid block (and any subsequent blocks) were rejected, and the blockchain continued along a valid path.

4. Was it discovered who exploited the network and controlled the addresses?

Not that I ever heard.

I am assuming the vulnerability was first discovered by either Satoshi or another developer that was working on Bitcoin at that time.

I believe it was first discovered by the person that exploited it. Once exploited, it was very quickly discovered by several of the developers that were working on Bitcoin at the time.

Maybe the vulnerability was discovered by a member of the public?

Define "the public".  As far as I can tell, if you weren't Satoshi at that time, then you were "the public".

It's odd that knowing there was a vulnerability in the code and was probably public knowledge at the time because of Bitcoin being open source

Being open source doesn't mean that the vulnerability was public knowledge.  It is possible that nobody noticed the vulnerability until the attacker discovered it.

why did it take 9 days for

Again with the 9 days.  Where are you getting that number?

A. Something to be done about it

As far as I can tell, a fix was provided within 150 minutes of the exploit first being reported here at bitcointalk.

B. For someone to exploit it.

I don't think anyone knows how long the attacker knew about the vulnerability before he chose to exploit it.

This was very early days for Bitcoin and the exploit was spotted before it was abused.

Are you sure about that?  Where did you get that information?


So why risk it and wait until someone does exploit it to actually patch the code?

Why do you think there was any waiting?

Did it really take 9 days to come up with a solution and it just so happens that it was exploited the same day too.

Seems unlikely.  I suspect it took less than 3 hours to come up with and implement a solution.

Once the vulnerability was exploited it only took a few hours for it to be patched and the transaction log to be cleared.

Correct.

How did this happen? Surely the coins would have confirmed on the network and because Bitcoin isn't reversible would have stayed on the network?

You can read the thread at the link above for the details.

Effectively, code was added to check for negative and overflow values, most of the hashpower installed that code, and then the blockchain was re-synchronized.

I know that the network would have had to be forked.  But was this a hard fork?

This would have been a soft fork.

As long as the majority of the hash power on the network implemented the change, their chain would grow to be the longest.  Anyone that did not update to the new software would see BOTH forks as valid, and would simply follow the longest.  With the majority of the hash power, the fork that did not have the attack would eventually become longest.

If so what we are using today could be considered Bitcoin 2.0 and thus the original Bitcoin failed within a year and half due to this exploit.

Call it whatever you want.  There is no authority in charge of naming Bitcoin.  The general public, however, recognizes the current bitcoin as the original bitcoin (regardless of all the enhancements and bug fixes that have been implemented over the past 9+ years).

Finally does anyone know what the two addresses were and could link them in this thread? It would be interesting to know who abused the vulnerability and if the addresses have been used since.

According to this post:
92,233,720,368.54277039 BTC was sent to address 1Hk51V49a58fC2r471hScXopEQpioDEuqx
92,233,720,368.54277039 BTC was sent to address 12vRJXnnA21YAaLacWXpNshy7MBAwrigtQ

Those amounts are both very close to the maximum value that can be stored in a positive 8 byte integer.

The sum of those two values (when represented in a 8 byte integer) is a small negative integer.

For anyone who is wondering how the vulnerability worked: transactions were not verified before they were included in the blockchain.

That is not true.  Transactions WERE verified, but the verification had a bug that allowed someone to take advantage of the way computers store integers.

Therefore you could send any amount of coin you wanted as it would not check if you had that amount to send.

ABSOLUTELY NOT.

What you COULD do is award yourself multiple outputs when mining which, when added together, were larger than the maximum positive amount that could be stored in a 4 byte integer. When the validation code added these output values together, the result would be a negative integer (due to the way computers handle integers).  Therefore, the sum of the outputs (a negative integer) would appear to the code to be less than the allowed block reward (50 BTC) even though each of the individual outputs was larger than 50 BTC (and less than the maximum positive integer).

So someone generated 184 billion bitcoins

Correct.

and sent it to two addresses on the network it existed on the network for a brief amount of time.

Did they send it?  I don't recall hearing that the bitcoins were ever spent.

I wish for us to discuss this and provide further insight for not only myself but for the others which maybe don't know too much about the vulnerability and Bitcoin itself. I welcome both technical and non technical discussion.

Thanks.  It's been great reviewing what I remember about the issue.
legendary
Activity: 1232
Merit: 1080
So this is a repost due to not having any replies in Bitcoin discussion. This thread was buried to page 2 within an hour. Looks like people would prefer to spam the same old replies in the mega threads than engage in actual conversations.

In Bitcoin's early days in fact just over 1 year a major exploit was found and abused by two addresses on the network which were likely controlled by one person although this hasn't been proven or found out to date. The major security vulnerability was first spotted in what I presume was in the code and by Satoshi himself or some other developer on 6 August 2010. To my knowledge this is the only major vulnerability that was discovered in Bitcoin's history.

I would like to discuss this with the people at Bitcointalk to get a better understanding and some insight on what happened in these 9 days. Here are the main questions:

1. How was the vulnerability spotted and by who?
2. If this was public knowledge why was it only exploited 9 days after?
3. The transaction/exploit was erased from the network how so?
4. Was it discovered who exploited the network and controlled the addresses?

I am assuming the vulnerability was first discovered by either Satoshi or another developer that was working on Bitcoin at that time. As far as I'm aware Gavin Andresen wasn't involved in developing Bitcoin directly at this point but was developing for the Bitcoin market. Maybe the vulnerability was discovered by a member of the public?

It's odd that knowing there was a vulnerability in the code and was probably public knowledge at the time because of Bitcoin being open source why did it take 9 days for A. Something to be done about it and B. For someone to exploit it. This was very early days for Bitcoin and the exploit was spotted before it was abused. So why risk it and wait until someone does exploit it to actually patch the code? Did it really take 9 days to come up with a solution and it just so happens that it was exploited the same day too.

Once the vulnerability was exploited it only took a few hours for it to be patched and the transaction log to be cleared. How did this happen? Surely the coins would have confirmed on the network and because Bitcoin isn't reversible would have stayed on the network? I know that the network would have had to be forked. But was this a hard fork? If so what we are using today could be considered Bitcoin 2.0 and thus the original Bitcoin failed within a year and half due to this exploit.

Finally does anyone know what the two addresses were and could link them in this thread? It would be interesting to know who abused the vulnerability and if the addresses have been used since.

For anyone who is wondering how the vulnerability worked: transactions were not verified before they were included in the blockchain. Therefore you could send any amount of coin you wanted as it would not check if you had that amount to send. So someone generated 184 billion bitcoins and sent it to two addresses on the network it existed on the network for a brief amount of time.

I wish for us to discuss this and provide further insight for not only myself but for the others which maybe don't know too much about the vulnerability and Bitcoin itself. I welcome both technical and non technical discussion.