
Topic: The MtGox Debacle Explained - page 2. (Read 15781 times)

newbie
Activity: 47
Merit: 0
February 09, 2014, 08:57:23 PM
#26
How could the transaction be changed without needing to be re-signed?  I lack the technical knowledge to understand how what you describe is possible.

https://en.bitcoin.it/wiki/Transaction_Malleability
newbie
Activity: 47
Merit: 0
February 09, 2014, 08:49:31 PM
#25

2) Bitcoin Foundation could set up some public servers that always run the latest official version of the bitcoin client. Exchanges should then be able to verify that the transaction is legitimate.

I guess any self-respecting exchange is already running their own instance of the latest bitcoind for that purpose.

But MtGox is not a self-respecting exchange, that is the problem.

The funny bit is.. they keep sending transactions with spent inputs! Right now! With withdrawals blocked and the problem, as you claim, being identified.
sr. member
Activity: 408
Merit: 261
February 09, 2014, 08:48:12 PM
#24
Thanks for the write-up, nice job.  This feels to me like the most plausible story to go with the facts observed ... and you've done a far better job of explaining things than Mt.Gox.
legendary
Activity: 1428
Merit: 1000
February 09, 2014, 08:38:29 PM
#23
How could the transaction be changed without needing to be re-signed?  I lack the technical knowledge to understand how what you describe is possible.

You don't touch the actual signature, but there is metadata around it. In a recent version of the official bitcoin client the format of that metadata has been tightened, so the transaction data provided by MtGox is now being rejected by the latest official version. A hacker can then take the rejected raw txdata provided from MtGox, patch it and rebroadcast it. It will get through, but MtGox still thinks it is invalid and returns the balance.


I don't think I buy your explanation without providing more details.

Can you provide more details?

What is the new version of the bitcoin client that caused the problem?

When was the version released and when did the problems start at MtGox?

What are the changes to the format that were problematic?

I understand that if your theory is correct, there should be initially stuck transactions that finally went through in the blockchain (the modified hacker's version). Can you provide examples of these transactions? (that appeared first in the list of stuck transactions and then went through).



sadly it's true.
just read the reddit: gmaxwell explains it well
hero member
Activity: 575
Merit: 500
February 09, 2014, 08:24:29 PM
#22
So I guess buying "goxbtc" just got a lot more risky, even if they sort this out you might end up with nothing.
sr. member
Activity: 311
Merit: 250
February 09, 2014, 07:51:07 PM
#21
How could the transaction be changed without needing to be re-signed?  I lack the technical knowledge to understand how what you describe is possible.

You don't touch the actual signature, but there is metadata around it. In a recent version of the official bitcoin client the format of that metadata has been tightened, so the transaction data provided by MtGox is now being rejected by the latest official version. A hacker can then take the rejected raw txdata provided from MtGox, patch it and rebroadcast it. It will get through, but MtGox still thinks it is invalid and returns the balance.


I don't think I buy your explanation without providing more details.

Can you provide more details?

What is the new version of the bitcoin client that caused the problem?

When was the version released and when did the problems start at MtGox?

What are the changes to the format that were problematic?

I understand that if your theory is correct, there should be initially stuck transactions that finally went through in the blockchain (the modified hacker's version). Can you provide examples of these transactions? (that appeared first in the list of stuck transactions and then went through).

newbie
Activity: 48
Merit: 0
February 09, 2014, 06:52:48 PM
#20
Thanks for your support. Unfortunately, I cannot reveal my sources.
He's just posting a garbled rewrite of this post on Reddit.



nullc has access to the same facts as me. His post is more into the actual technical details of the exploit. The intention of my post is to bring this topic to higher level because the concept itself is a real problem that exchanges should be aware of.


not really.
it's just that mtgox instead of looking at their coins just looks if the tx they have created goes through - and only in that case subtracts some kind of internal balance.

I don't think any other service works this way. just crappy coders there.

but you may be right that this could be used to steal btc from gox. but I don't know if mtgox actually refunded tx which they think did not get through (but did because of the changed txid).

You may be right as I cannot be sure how other exchanges work, but I do know MtGox has a problem with "double refunding." This is the reason why they halted all BTC withdrawals. They are currently going through all the transactions to check which ones did go through.
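
The bookkeeping difference discussed in post #20, as an added example that is not part of the thread and is not MtGox's or any exchange's code: a txid-only lookup marks a withdrawal as failed when the same payment confirms under a different txid, while reconciling on the spent inputs and the outputs recognises it. The `Tx` model, its simplified hashing, the status strings and all sample values are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    inputs: tuple   # ((prev_txid_hex, vout, script_sig_bytes), ...)
    outputs: tuple  # ((address, satoshis), ...)

    def txid(self) -> str:
        # Simplified serialization, not Bitcoin's wire format. As with a real
        # txid, the hash covers the scriptSig bytes, so re-encoding changes it.
        h = hashlib.sha256()
        for prev, vout, script_sig in self.inputs:
            h.update(bytes.fromhex(prev) + vout.to_bytes(4, "little") + script_sig)
        for addr, amount in self.outputs:
            h.update(addr.encode() + amount.to_bytes(8, "little"))
        return hashlib.sha256(h.digest()).hexdigest()

    def outpoints(self) -> frozenset:
        return frozenset((prev, vout) for prev, vout, _ in self.inputs)

def naive_status(withdrawal: Tx, chain: list) -> str:
    """txid-only lookup: the bookkeeping the thread attributes to MtGox."""
    seen = {t.txid() for t in chain}
    return "confirmed" if withdrawal.txid() in seen else "failed-refund"

def safe_status(withdrawal: Tx, chain: list) -> str:
    """Reconcile on what was spent and paid, which re-encoding cannot alter."""
    for t in chain:
        if t.txid() == withdrawal.txid():
            return "confirmed"
        if t.outpoints() & withdrawal.outpoints():
            if t.outputs == withdrawal.outputs:
                return "confirmed-under-different-txid"
            return "inputs-spent-elsewhere-investigate"
    return "pending-do-not-refund"

# Constructed sample data: placeholder bytes, not real signatures or txids.
PREV = "aa" * 32
PAYOUT = (("customer-address", 100_000_000),)
ORIGINAL = Tx(((PREV, 0, b"encoding-A|sig-bytes"),), PAYOUT)
MUTATED = Tx(((PREV, 0, b"encoding-B|sig-bytes"),), PAYOUT)  # same coins, same payee

if __name__ == "__main__":
    print(naive_status(ORIGINAL, [MUTATED]))  # would trigger a second payout
    print(safe_status(ORIGINAL, [MUTATED]))
```

A withdrawal left in the pending state is credited back only once its inputs are provably spent by a different transaction, and any reissue should spend at least one of the same inputs so that the two cannot both confirm.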
newbie
Activity: 1
Merit: 0
February 09, 2014, 06:48:42 PM
#19
Thanks for your post. I share the same conviction about a hack and the fact it's certainly limited.

Bitcoin exchanges are an easy and not risky target for hackers. Exchanges don't have the resources to sue hackers. It's a miracle there are not more problems every day!

On the other hand, I don't expect a lot from their tomorrow's announcement...
legendary
Activity: 1428
Merit: 1000
February 09, 2014, 06:47:25 PM
#18
Thanks for your support. Unfortunately, I cannot reveal my sources.
He's just posting a garbled rewrite of this post on Reddit.



nullc has access to the same facts as me. His post is more into the actual technical details of the exploit. The intention of my post is to bring this topic to higher level because the concept itself is a real problem that exchanges should be aware of.


not really.
it's just that mtgox instead of looking at their coins just looks if the tx they have created goes through - and only in that case subtracts some kind of internal balance.

I don't think any other service works this way. just crappy coders there.

but you may be right that this could be used to steal btc from gox. but I don't know if mtgox actually refunded tx which they think did not get through (but did because of the changed txid).
newbie
Activity: 48
Merit: 0
February 09, 2014, 06:43:40 PM
#17
Thanks for your support. Unfortunately, I cannot reveal my sources.
He's just posting a garbled rewrite of this post on Reddit.



nullc has access to the same facts as me. His post is more into the actual technical details of the exploit. The intention of my post is to bring this topic to higher level because the concept itself is a real problem that exchanges should be aware of.
legendary
Activity: 1204
Merit: 1002
February 09, 2014, 06:35:53 PM
#16
Thanks for your support. Unfortunately, I cannot reveal my sources.
He's just posting a garbled rewrite of this post on Reddit.

newbie
Activity: 48
Merit: 0
February 09, 2014, 06:22:55 PM
#15
How could the transaction be changed without needing to be re-signed?  I lack the technical knowledge to understand how what you describe is possible.

You don't touch the actual signature, but there is metadata around it. In a recent version of the official bitcoin client the format of that metadata has been tightened, so the transaction data provided by MtGox is now being rejected by the latest official version. A hacker can then take the rejected raw txdata provided from MtGox, patch it and rebroadcast it. It will get through, but MtGox still thinks it is invalid and returns the balance.
hero member
Activity: 644
Merit: 500
February 09, 2014, 06:19:00 PM
#14
How could the transaction be changed without needing to be re-signed?  I lack the technical knowledge to understand how what you describe is possible.
newbie
Activity: 42
Merit: 0
February 09, 2014, 06:12:59 PM
#13
thanks for the reply!

seemed a hoax to me, glad it is not related
newbie
Activity: 48
Merit: 0
February 09, 2014, 06:00:30 PM
#12
Hi OP, I was told there was a software that could hack into gox account and "create" BTCs on the fly using fractions of micro transactions other users are doing.
there was a video of it online some time ago.

is there any connection or is that just a hoax?


I don't have any information on that. Even if that's true this particular issue is unrelated to that.
newbie
Activity: 48
Merit: 0
February 09, 2014, 05:59:06 PM
#11
Have you considered that Gox could be turned into a Ponzi scheme by the technique described above?

It's not impossible of course, but I believe that the hacker attacks have caused limited damage. The main reason is that MtGox only allows 100 BTC withdrawals per day. Each unsuccessful withdrawal takes a week (before the balance is returned). This started two weeks ago and MtGox got warned early enough and took countermeasures before everything got out of control. This is the reason why they froze all BTC withdrawals. I believe they'll be able to clean up everything, but it will take some time. It's certainly a very interesting situation. There are multiple different problems that magnify the situation. Again, other exchanges could suffer from the same problem. As far as I understand, all the exchanges are currently being contacted and warned about the current situation.
newbie
Activity: 42
Merit: 0
February 09, 2014, 05:57:28 PM
#10
Hi OP, I was told there was a software that could hack into gox account and "create" BTCs on the fly using fractions of micro transactions other users are doing.
there was a video of it online some time ago.

is there any connection or is that just a hoax?
legendary
Activity: 1414
Merit: 2174
Degenerate bull hatter & Bitcoin monotheist
February 09, 2014, 05:49:22 PM
#9
Have you considered that Gox could be turned into a Ponzi scheme by the technique described above?
legendary
Activity: 2492
Merit: 1473
LEALANA Bitcoin Grim Reaper
February 09, 2014, 04:39:15 PM
#8
You failed to mention the possibility that they are lying about it being a technical problem and that they do not have all the funds they claim to (i.e. solvency).

Don't be naive to think that this is not a possibility.

Ponzi operators work in the exact same manner. They try to buy more time with vague excuses.

So the proper way to run a ponzi scheme is to broadcast failed transactions for all the world to see? Thanks that is good to know. The brilliance of people here is staggering.

If it buys them time why not?

They just claim the issue is "technical" which is vague BS for saying we need more time.
newbie
Activity: 48
Merit: 0
February 09, 2014, 04:04:09 PM
#7
Thanks for your support. Unfortunately, I cannot reveal my sources.

Understood.  Is it safe to say that for someone with some BTC in Gox, they should be somewhat comforted in the fact that the problem is identified and being worked on and they will receive their coins back in the near future?

I'm pretty sure that this is the case. Once they have resolved all the transactions everything will return to normal. However, I fully understand people who lost faith in MtGox; it's a very natural reaction.
 