Topic: This message was too old and has been purged (Read 1921 times)

jr. member
Activity: 50
Merit: 10
November 30, 2014, 02:36:42 PM
#21
Quote
Thanks for the info, it seems there are a lot of issues in using them. I'm surprised though it took this long for it to turn up, maybe it's a recent flaw with an update to the API? Maybe they'll give you a reward for finding it.

This is NO RECENT FLAW!
The default bitcoin wallet (back in the wxWidgets times) used to be able to spend 0conf inputs. People used this to scam other people, and those 0conf-sourced transactions wouldn't ever confirm. This is why this got removed from bitcoin-gui in the first place. This was almost 2 years ago, I think!
legendary
Activity: 1260
Merit: 1019
November 29, 2014, 02:19:40 AM
#20
Quote
Huge problem for 0-confirmation services.

I repeat: this is only a problem for those who rely on the information from the blockchain.info API.
legendary
Activity: 1260
Merit: 1168
November 28, 2014, 08:03:34 PM
#19
This message was too old and has been purged
legendary
Activity: 1512
Merit: 1057
SpacePirate.io
November 28, 2014, 07:31:12 PM
#18
Thanks for the info, it seems there are a lot of issues in using them. I'm surprised though it took this long for it to turn up, maybe it's a recent flaw with an update to the API? Maybe they'll give you a reward for finding it.
legendary
Activity: 1260
Merit: 1168
November 28, 2014, 06:35:44 PM
#17
This message was too old and has been purged
newbie
Activity: 4
Merit: 0
November 28, 2014, 11:55:59 AM
#16
Thanks. I was planning to use Blockchain.info API.
legendary
Activity: 1260
Merit: 1019
November 28, 2014, 11:26:45 AM
#15
Quote
If, and I say it again --- IF --- a site uses the Blockchain.info API to check for payments,
The most stupid thing I have ever heard is to rely on an untrusted third party in a decentralized network, which was created to eliminate trusted third parties :)

Quote
If luckyb.it uses the Blockchain.info API...
Definitely not.
legendary
Activity: 1260
Merit: 1168
November 28, 2014, 11:07:03 AM
#14
This message was too old and has been purged
legendary
Activity: 1260
Merit: 1019
November 28, 2014, 11:02:54 AM
#13
The stuck tx is https://blockchain.info/tx/4f83091073fff087cbe65d2017ab2f2e926602e7d0cc0bf11c55192d9bc72e25

It is valid, but no nodes accept it.
Every transaction which spends outputs from it will be an orphan.
So, LuckyBit will not receive your deposit. You cannot gamble with this "flaw" - from the casino side there is no bet from you.

Of course, this transaction can be included in a block.
I do not see new flaws here.
No one should accept and redeem 0-confirmed transactions, especially if they have non-standard parents.
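The rule stated in the post above, as an added example that is not part of the thread: a deposit check that never credits at 0 confirmations and flags unconfirmed deposits whose ancestors are missing or non-standard. The `Tx` record, the `node_view` mapping and the sample txids are constructed for illustration, and the check assumes the service reads from its own node rather than a third-party API.

```python
from dataclasses import dataclass

@dataclass
class Tx:
    confirmations: int      # 0 means unconfirmed
    standard: bool          # passes the local node's relay policy
    parents: tuple = ()     # txids whose outputs this transaction spends

def classify_deposit(txid, node_view, min_conf=1):
    """Return 'credit', 'pending' or 'suspect' for a deposit txid.

    node_view maps txid -> Tx as seen by the service's OWN node; a txid
    reported only by a third-party API is simply absent from it.
    """
    tx = node_view.get(txid)
    if tx is None:
        return "suspect"            # our node never received it
    if tx.confirmations >= min_conf:
        return "credit"             # enough confirmations on our own chain view
    # Not yet creditable: walk every unconfirmed ancestor before showing it as pending.
    stack, seen = [txid], set()
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        node = node_view.get(cur)
        if node is None:
            return "suspect"        # missing parent: the deposit is an orphan here
        if node.confirmations > 0:
            continue                # confirmed ancestor, stop descending
        if not node.standard:
            return "suspect"        # non-standard ancestor may never be mined
        stack.extend(node.parents)
    return "pending"                # plausible, but still not credited at 0-conf

# Constructed sample view (hypothetical txids, not taken from the thread).
SAMPLE_VIEW = {
    "funding":   Tx(120, True),
    "odd":       Tx(0, False, ("funding",)),     # unconfirmed and non-standard
    "deposit_a": Tx(0, True, ("odd",)),          # looks regular, parent is not
    "deposit_b": Tx(0, True, ("funding",)),      # ordinary unconfirmed deposit
    "deposit_c": Tx(3, True, ("funding",)),      # confirmed deposit
    "deposit_d": Tx(0, True, ("never_seen",)),   # parent unknown to our node
}

if __name__ == "__main__":
    for name in ("deposit_a", "deposit_b", "deposit_c", "deposit_d", "api_only"):
        print(name, classify_deposit(name, SAMPLE_VIEW))
```
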
hero member
Activity: 935
Merit: 1002
November 28, 2014, 10:54:18 AM
#12
Quote
I am not sure if this is the correct topic and the discussion is about the thing that happened to me earlier. But this is my experience. I gambled on lucky bit. I sent 0.25 x2 bets on green, both of them hit x0.4 and in return I got 0.2 HTC. I got disappointed because I lost a big amount on it. All the transactions even confirmed. After losing the money, I roughly had 1.02; earlier it was 1.32. But two days later when I saw my balance, it was back to 1.32 btc. I was astonished. I even went through the transactions of the address from which I gambled. Only 3 transactions showed up which were not from the gambling day. I even went through the bet browser of lucky bit. When I clicked on the transaction link, bc used to show that transaction was not found.

I am still unsure how this happened even after the transactions gained a good number of confirmations.
If you would read the posts above you would see that blockchain.info isn't good at its job and is sometimes showing bad information.
newbie
Activity: 23
Merit: 0
November 28, 2014, 10:38:16 AM
#11
I am not sure if this is the correct topic and the discussion is about the thing that happened to me earlier. But this is my experience. I gambled on lucky bit. I sent 0.25 x2 bets on green, both of them hit x0.4 and in return I got 0.2 HTC. I got disappointed because I lost a big amount on it. All the transactions even confirmed. After losing the money, I roughly had 1.02; earlier it was 1.32. But two days later when I saw my balance, it was back to 1.32 btc. I was astonished. I even went through the transactions of the address from which I gambled. Only 3 transactions showed up which were not from the gambling day. I even went through the bet browser of lucky bit. When I clicked on the transaction link, bc used to show that transaction was not found.

I am still unsure how this happened even after the transactions gained a good number of confirmations.
legendary
Activity: 1260
Merit: 1168
November 28, 2014, 10:29:22 AM
#10
This message was too old and has been purged
hero member
Activity: 935
Merit: 1002
November 28, 2014, 10:25:50 AM
#9
Quote
When sending the last output to the victim, it appears as a regular Pay-to-Address transaction with a standard Pay-to-Address input.
The victim will hold this transaction as an orphan, because it will not receive previous "flawed" transactions.
No service processes orphan transactions.

And yes. Accepting 0-confirmed transactions is a known flaw.

Actually this will not happen,
as long as they stay within blockchain.info which essentially happens when using the API or a blockchain.info bitcoin node (and this is the flaw that I am describing) it will look like a regular transaction,
no orphan, no Nonstandard, nothing. Perfectly valid, canonical signature, canonical pubkey.

Please set up a blockchain.info wallet and you will see what I mean. I will send you some "coins".
OK, let's see how it goes. Send me some "coins" to this address: 1FnHPWNjXbaS8k7jxkHBJbzBNPc6ymKnwA
legendary
Activity: 1260
Merit: 1168
November 28, 2014, 10:14:15 AM
#8
This message was too old and has been purged
legendary
Activity: 1260
Merit: 1019
November 28, 2014, 09:53:07 AM
#7
Quote
When sending the last output to the victim, it appears as a regular Pay-to-Address transaction with a standard Pay-to-Address input.
The victim will hold this transaction as an orphan, because it will not receive previous "flawed" transactions.
No service processes orphan transactions.

And yes. Accepting 0-confirmed transactions is a known flaw.
legendary
Activity: 1260
Merit: 1168
November 28, 2014, 09:48:28 AM
#6
This message was too old and has been purged
hero member
Activity: 935
Merit: 1002
November 28, 2014, 09:46:04 AM
#5
3. See if you win, if so push the TX directly to Eligius-Node (only needed if they take our TX in one of their inputs, if not - even this is not necessary)
Ahh, I see what you did here. So the tx isn't invalid in any way, it's just non-standard, and yes, I know that you can push them right here: http://eligius.st/~wizkid057/newstats/pushtxn.php. I discovered that flaw like 2 months ago, but I didn't know that blockchain.info accepts non-standard txs. But did you know that Discus Fish also mines non-standard transactions and may include your losing transactions in their block? Did you know that a service or gambling site can include your losing txs here: https://www.f2pool.com/pushtx?

Also, what kind of non-standard transactions were you using?
legendary
Activity: 1260
Merit: 1019
November 28, 2014, 09:42:29 AM
#4
Quote
1. Push flawed TX to blockchain.info
2. It does not get forwarded, but it appears in recipient's wallet.
Only if the victim is connected to blockchain.info through a chain of nodes which relay "flawed" transactions.
Quote
3. See if you win, if so push the TX directly to Eligius-Node (only needed if they take our TX in one of their inputs, if not - even this is not necessary)
Eligius does not accept every valid transaction. It has a check method for malled signatures.
Code:
bool IsCanonicalSignature(const valtype &vchSig, unsigned int flags) {
...
}
legendary
Activity: 1260
Merit: 1168
November 28, 2014, 09:21:41 AM
#3
This message was too old and has been purged
hero member
Activity: 935
Merit: 1002
November 28, 2014, 07:21:45 AM
#2
invalid TX in between.
What do you mean by invalid transactions? If it's non-standard, it doesn't mean that it's invalid? What kind of transactions does their node accept?
If interested I can replay this attack live with an advanced member here by sending you some amount in BTC to your blockchain.info wallet, and take it back a few hours later.

Does this attack only work against blockchain.info sites, I mean the ones that use its API? Does that tx appear on other block explorers? If you are serious that it's a real flaw, as a lot of the sites use the blockchain.info API, I think even luckyb.it uses it.
legendary
Activity: 1260
Merit: 1168
November 28, 2014, 06:07:56 AM
#1
This message was too old and has been purged