Pages:
Author

Topic: The MtGox Debacle Explained (Read 15810 times)

legendary
Activity: 1680
Merit: 1205
February 11, 2014, 05:42:09 PM
#46
So this declaration from mtgox:

Non-technical Explanation:
A bug in the bitcoin software makes it possible for someone to use the Bitcoin network to alter transaction details to make it seem like a sending of bitcoins to a bitcoin wallet did not occur when in fact it did occur. Since the transaction appears as if it has not proceeded correctly, the bitcoins may be resent. MtGox is working with the Bitcoin core development team and others to mitigate this issue.


makes them really assholes right?
full member
Activity: 208
Merit: 106
February 11, 2014, 05:21:40 PM
#45
Nope. It's a bug on Mtgox's wallet software, that should be synchronized with the development updates of the bitcoin protocol.
legendary
Activity: 1680
Merit: 1205
February 11, 2014, 05:12:42 PM
#44
How could the transaction be changed without needing to be re-signed?  I lack the technical knowledge to understand how what you describe is possible.

You don't touch the actual signature, but there are meta-data around it. In a recent version of the official bitcoin client the format of that meta-data has been tightened so the transaction data provided by MtGox is now being rejected by the latest official version. A hacker can then take the rejected raw txdata provided from MtGox, patch it and rebroadcast it. It will get through, but MtGox still thinks it is invalid and returns balance.


This do not make sense. Explain again.

In Bitcoin <0.8 The ECDSA signature was allowed to be padded with leading zeros, but in Bitcoin 0.8+ it is no longer allowed. MtGox sometimes issued transactions with leading zeros, and those transactions got stuck (because they were refused by the majority who are running Bitcoin 0.8+). However, MtGox published their failed transactions through an accessible API (https://data.mtgox.com/api/0/bitcoin_tx.php, the signatures are now redacted). Therefore, you could apply withdrawals on purpose until you got a ECDSA signature with leading zeros. Then you take that transaction and remove the leading zeros and rebroadcast the (modified) transaction. This would now be accepted by the network but with a different transaction hash. MtGox however thinks that the transaction never gets through because it is listening for its own transaction hash. Finally MtGox gives up, cancels the transaction, and returns the funds to the customer. Rinse, lather and repeat. In theory you can empty MtGox BTC vault, but they were quick enough to see what was going on and cancelled BTC withdrawals. Now they have to fix their client to listen for malleable transactions.


So this is not a "bug in the bitcoin protocol" at all?
newbie
Activity: 48
Merit: 0
February 11, 2014, 04:19:18 PM
#43
How could the transaction be changed without needing to be re-signed?  I lack the technical knowledge to understand how what you describe is possible.

You don't touch the actual signature, but there are meta-data around it. In a recent version of the official bitcoin client the format of that meta-data has been tightened so the transaction data provided by MtGox is now being rejected by the latest official version. A hacker can then take the rejected raw txdata provided from MtGox, patch it and rebroadcast it. It will get through, but MtGox still thinks it is invalid and returns balance.


This do not make sense. Explain again.

In Bitcoin <0.8 The ECDSA signature was allowed to be padded with leading zeros, but in Bitcoin 0.8+ it is no longer allowed. MtGox sometimes issued transactions with leading zeros, and those transactions got stuck (because they were refused by the majority who are running Bitcoin 0.8+). However, MtGox published their failed transactions through an accessible API (https://data.mtgox.com/api/0/bitcoin_tx.php, the signatures are now redacted). Therefore, you could apply withdrawals on purpose until you got a ECDSA signature with leading zeros. Then you take that transaction and remove the leading zeros and rebroadcast the (modified) transaction. This would now be accepted by the network but with a different transaction hash. MtGox however thinks that the transaction never gets through because it is listening for its own transaction hash. Finally MtGox gives up, cancels the transaction, and returns the funds to the customer. Rinse, lather and repeat. In theory you can empty MtGox BTC vault, but they were quick enough to see what was going on and cancelled BTC withdrawals. Now they have to fix their client to listen for malleable transactions.
vip
Activity: 756
Merit: 504
February 10, 2014, 06:02:55 PM
#42
How could the transaction be changed without needing to be re-signed?  I lack the technical knowledge to understand how what you describe is possible.

You don't touch the actual signature, but there are meta-data around it. In a recent version of the official bitcoin client the format of that meta-data has been tightened so the transaction data provided by MtGox is now being rejected by the latest official version. A hacker can then take the rejected raw txdata provided from MtGox, patch it and rebroadcast it. It will get through, but MtGox still thinks it is invalid and returns balance.


This do not make sense. Explain again.
legendary
Activity: 1680
Merit: 1205
February 10, 2014, 06:00:52 PM
#41
thank you for the update, that-s the better explanation i've read so far
newbie
Activity: 7
Merit: 0
February 10, 2014, 05:53:16 PM
#40
"We have discussed this solution with the Bitcoin core developers and will allow Bitcoin withdrawals again once it has been approved and standardized. "

But this is utterly absurd. It's most likely never going to happen, or it will take a very long time. And this is a very strange statement because it isn't that hard for MtGox to fix this problem. To check whether a transaction has got through or not is not using the transaction id, but instead compute a hash of:



it is.
look, if a bank, where you deposited your money would say 'sorry, we have some troubles, you can't access it' -- what would you say? unimaginable in today's world.

yet people are fine with their btcs and fiat stucked at mtgox for an unknown time.

unless someone has there only speculative capital affordable to loose (
bonus: if gox would be in trouble (whatever reasons - insolvency, etc...)... whouldnt' they behave exatly the same way? DIVERGE the attention from real problems via hot, controversial, lenghtily discutable technical mumbo-jumbo. this will keep people busy from the real' problems they might have.

in one word: if you are not diversified, overexposed, or at high stakes -> do risk management and try whatever possible to extract resources from gox TODAY
newbie
Activity: 7
Merit: 0
February 10, 2014, 05:33:20 PM
#39
You failed to mention the possibility that they are lying about it being a technical problem and that they do not have all the funds they claim to (I.e. Solvency).

Don't be naive to think that this is not a possibility.

Ponzi operators work in the exact same manner. They try to buy more time with vague excuses.

exactly!
+1
newbie
Activity: 48
Merit: 0
February 10, 2014, 02:14:09 PM
#38

4) Someone looking at this tx list will spot some of the failed transactions and modify them so they become bitcoin-0.8+ compliant. This gives a new tx and the transactions get through. MtGox fails to spot its own tx in the blockchain; gives up and returns funds to the customer.


do you have proof that the balance has been refunded?

This is standard procedure by MtGox. If a transaction gets stuck and doesn't get processed MtGox will refund you. Has happened to me 2 times personally.
legendary
Activity: 1428
Merit: 1000
February 10, 2014, 02:02:35 PM
#37

4) Someone looking at this tx list will spot some of the failed transactions and modify them so they become bitcoin-0.8+ compliant. This gives a new tx and the transactions get through. MtGox fails to spot its own tx in the blockchain; gives up and returns funds to the customer.


do you have proof that the balance has been refunded?
newbie
Activity: 48
Merit: 0
February 10, 2014, 01:59:24 PM
#36
UPDATE 2:

Given the current turmoil I felt I needed to write something more. MtGox is being bashed, and rightly so, but there's one thing that nobody has been talking about. If this issue has been known since 2011, why does suddenly all this happen to MtGox _now_? Isn't that a legitimate question to ask? Because, that will reveal something else that MtGox hasn't mentioned in their press release (blaming the Bitcoin protocol).

So here comes the answer:

1) The Bitcoin core dev team has been addressing this malleability by gradually tightening what counts as a valid signature. For example, this is one of those changes: https://github.com/bitcoin/bitcoin/commit/58bc86e37fda1aec270bccb3df6c20fbd2a6591c
(look at IsCanonicalSignature())

2) MtGox hasn't bothered to keep themselves up to date with the latest Bitcoin client software, so suddenly some transactions will get stuck because they are not complying with these harsher rules in Bitcoin 0.8+.

3) MtGox publishes all failed transactions (used to be with the raw transaction data; now redacted) at
https://data.mtgox.com/api/0/bitcoin_tx.php

4) Someone looking at this tx list will spot some of the failed transactions and modify them so they become bitcoin-0.8+ compliant. This gives a new tx and the transactions get through. MtGox fails to spot its own tx in the blockchain; gives up and returns funds to the customer.

It is correct that MtGox is right that you can never be 100% sure for malleability because the hacker can listen to the Bitcoin network and forward modified tx directly to miners (and out compete MtGox), and although this window has been open since 2011, this is a much harder problem with race conditions. It is because of the steps 1-4 above that made it much easier to apply a malleability attack on MtGox.

MtGox is now claiming that it has to wait until the malleability problem is fixed by the Bitcoin core dev _before_ it will allow BTC withdrawals. That's how I interpret their statement in their press release:

"We have discussed this solution with the Bitcoin core developers and will allow Bitcoin withdrawals again once it has been approved and standardized. "

But this is utterly absurd. It's most likely never going to happen, or it will take a very long time. And this is a very strange statement because it isn't that hard for MtGox to fix this problem. To check whether a transaction has got through or not is not using the transaction id, but instead compute a hash of:

inputs (lexicographically sorted) + outputs (lexicographically sorted)

This will uniquely identify a transaction regardless of the transaction id and it is fast to compute.

So what are they waiting for?
newbie
Activity: 48
Merit: 0
February 10, 2014, 06:45:50 AM
#35
UPDATE:

So MtGox has finally gone public with this information which is good, but I need to say a few words because people are totally panicking on all exchanges.

First, MtGox is exaggerating the problem. It is not as bad as it seems really. This exploit, of modifying transactions but keeping the signatures intact, is quite difficult to begin with. MtGox made it worse by publishing their transactions through an accessible API (but now the signatures have been redacted).

The worst thing that can happen is that the exchange may get stuck with transactions and what all the exchanges need to do is not automatically return the user's balance without doing some investigations first. For example, if some of the inputs (of the transaction) have already been spent, then further investigations are required. That is all.

You cannot steal someones else's coins, and there's nothing wrong with the bitcoin protocol per se.

What the Bitcoin core development team is trying to do, long-term, is to ensure that the byte encoding is unique for a given transaction. If you look at ASN.1 DER encodings, the whole point is to ensure that there's only one way to encode something so there's no ambiguity when to compute digital signatures. Otherwise we have this problem of two chunks of data that are equivalent but syntactically different.

Anyway, all this is just unnecessary panic. And if you have access to fiat I would consider this as an enormous buying opportunity.
newbie
Activity: 16
Merit: 0
February 10, 2014, 01:14:57 AM
#34
This claim of a bug is checkable. Someone should check the block chain for transactions with junk pad bytes at the end of signatures, and note the ones from a Mt. Gox address.
You can find fixed transaction only if you know bad ones (including the scriptsig).
newbie
Activity: 16
Merit: 0
February 10, 2014, 01:08:54 AM
#33
Question is, why are not internal transfers frozen also? I've asked this on #mtgox, because this could leads to more negative balance account and was given "if you think so" answer.
I can think of tree reasons (four actually, they weren't aware of this route and they will freeze internal transactions also):
1. The whole teory is wrong and there's something else going on.
2. The number of coins stolen is just to small and they don't care.
3. The number of coins stolen is just to big and they don't care.
legendary
Activity: 1204
Merit: 1002
February 09, 2014, 11:41:49 PM
#32
This claim of a bug is checkable. Someone should check the block chain for transactions with junk pad bytes at the end of signatures, and note the ones from a Mt. Gox address.
legendary
Activity: 1792
Merit: 1111
February 09, 2014, 11:19:09 PM
#31

2) Bitcoin Foundation could setup some public servers that always run the latest official version of the bitcoin client. Exchanges should then be able to verify that the transaction is legitimate to the latest bitcoin client before broadcasting them.


Do we really need a centralized service like this? Exchanges could setup their own dedicated bitcoind servers by using the code on github.

After all, it is a good idea to use a standard bitcoind server as a firewall between the in-house custom implementation and the real bitcoin network.
hero member
Activity: 602
Merit: 500
February 09, 2014, 09:26:21 PM
#30
who cares as long as people know the coins are 100% and fraudulent account utilizing this exploit have been locked down. if so take as long as necessary to make sure it works CORRECTLY Smiley
legendary
Activity: 2097
Merit: 1070
February 09, 2014, 09:22:18 PM
#29
sr. member
Activity: 406
Merit: 250
February 09, 2014, 08:42:05 PM
#28
Thank you kindly for the update.  Always comforting coming from a completely anonymous, unidentified source with no verifiable credentials.
sr. member
Activity: 311
Merit: 250
February 09, 2014, 08:37:47 PM
#27
How could the transaction be changed without needing to be re-signed?  I lack the technical knowledge to understand how what you describe is possible.

You don't touch the actual signature, but there are meta-data around it. In a recent version of the official bitcoin client the format of that meta-data has been tightened so the transaction data provided by MtGox is now being rejected by the latest official version. A hacker can then take the rejected raw txdata provided from MtGox, patch it and rebroadcast it. It will get through, but MtGox still thinks it is invalid and returns balance.


I don't think I buy your explanation without providing more details.

Can you provided more details?

What is the new version of the bitcoin client that caused the problem?

When the version was released and when the problems started at MtGox?

What are the changes on the format that were problematic? 

I understand that if your theory is correct, there should be initially stuck transactions that finally went through in the blockchain (the modified hacker's version). Can you provide examples of these transactions? (that appeared first in the list of stuck transactions and then went through).



sadly its true.
just read the reddit: gmaxwell explains it well

Then someone could surely answer these questions.  No?

Could you provide a link to the reddit post?
Pages:
Jump to: