Topic: Trying to understand the malleability issue (Read 927 times)

full member
Activity: 196
Merit: 100
March 07, 2014, 11:19:45 AM
#8
Excellent answers!!
I had some of the same questions. I stopped using bitcoin-qt the week the problem occurred, due to fear that the client would suffer the same problem.

I have read user DannyH's replies in many threads. You are an asset in the forum just as a user and not a mod! Not if it means you would have no time to help answer other users.
Keep going as a user!
legendary
Activity: 3514
Merit: 4895
You sir are a champion.
Thank you so much. Your explanations and summary, well, summarized it perfectly for me.

Why have you not been made a mod ?

Because being a mod has nothing to do with understanding or explaining how bitcoin works.

Being a mod requires understanding the Terms of Service of this forum and accurately determining whether a post should be left alone, modified, removed, or moved to another forum.

I have made no effort to prove that I am capable of such things.  Would you prefer that I spend all my time deleting and moving threads, or are my skills and talents better spent actually responding to the posts in the forum?
full member
Activity: 196
Merit: 100
You sir are a champion.
Thank you so much. Your explanations and summary, well, summarized it perfectly for me.

Why have you not been made a mod ?

sr. member
Activity: 258
Merit: 250
Thanks for your answer.

So, after having understood all of the above I believe the general misconception of Bitcoin is a misunderstanding of the logic of security. Bitcoin itself is safe and since its origin has never been compromised in any way because, as you say, the intelligence of the thief is a factor but it's always based on a scam like tricking you into sending Bitcoins somehow .. which can happen with everything, not only Bitcoin.

System-wise, I'm not an administrator of any sort but ... well... I have worked with various systems, usually Citrix stuff.... I'm still surprised about this. Every kebab shop with a certain turnover most likely has better security than Mt.Gox but yes, I'm sure there are still a lot of awfully bad ones around. Anyway, thanks for your time, appreciated.


legendary
Activity: 3514
Merit: 4895
Just a question if you don't mind. If I understand everything right this means that "stealing Bitcoins" like in the case of Mt.Gox and smaller exchanges only occurs due to stupidity of the people handling the transactions? If somehow the exchanges would force the client first to prove he didn't receive the transaction, this could never happen?

MtGox hasn't told us yet exactly what happened.  There are a lot of guesses, assumptions, and rumors, but there is no concrete evidence yet.

"stealing" bitcoins can happen in a variety of ways. Generally it either involves convincing someone with access to the bitcoins to send them to you, or gaining unauthorized access to the private keys from someone's wallet.

I suppose, depending on how you look at it, this can be due to "stupidity" of the people handling the bitcoins, or it can be due to the "intelligence" of the thief.

So technically there is no way to "hack" any Bitcoins?

There is not currently any known way to take control of anyone's bitcoins without either accessing the private keys from their wallet, or convincing them to send the bitcoins to you.

If for example, following the explanation, a court would agree on this then exchanges losing Bitcoins should be held responsible for losses like banks which go bankrupt due to idiotic investments.

I am not a lawyer, and I am not going to try to predict what sort of decisions a court might make about a technology that they barely even understand.

Still unbelievable for me to understand how it's possible to not notice anything wrong when Bitcoins are missing ... already after 24h with today's technology it should be possible. If I can set an alarm on my phone then I guess even the worst kind of system today should be able to have some sort of automatic auditing and alert if something doesn't match up.

"worst kind of system"?   I've seen some pretty bad systems in my life.  Perhaps you need a bit more real world experience before you try to guess just how bad the "worst kind of system" can be.
sr. member
Activity: 258
Merit: 250
Just a question if you don't mind. If I understand everything right this means that "stealing Bitcoins" like in the case of Mt.Gox and smaller exchanges only occurs due to stupidity of the people handling the transactions? If somehow the exchanges would force the client first to prove he didn't receive the transaction, this could never happen?

So technically there is no way to "hack" any Bitcoins?

If for example, following the explanation, a court would agree on this then exchanges losing Bitcoins should be held responsible for losses like banks which go bankrupt due to idiotic investments.

Still unbelievable for me to understand how it's possible to not notice anything wrong when Bitcoins are missing ... already after 24h with today's technology it should be possible. If I can set an alarm on my phone then I guess even the worst kind of system today should be able to have some sort of automatic auditing and alert if something doesn't match up.
legendary
Activity: 3514
Merit: 4895
So I am trying to get my head around the issue. Correct me at each point where I am wrong.

Ok, I'll try.

From what I understand, if a tx is sent, someone can change a portion of the txid before it confirms

True.

- the signature maybe?

Possibly, but more often it is non-signature portions of the ScriptSig

I thought the txid just becomes invalid

Well, I suppose you could say the original txID is "invalid", really it's just different.  I guess it's going to depend on what we mean by "invalid".

however I read people can use it to withdraw and say it never worked, when really it did and get the bitcoins back.

Only if the entity you are withdrawing from is unaware of transaction malleability, relies on the transaction ID to determine if a transaction exists, and has horrible accounting protocols. (Or if they are aware of malleability and are just incompetent).

Can someone summarize it simply please ?

Imagine you send transactions to customers, and are unaware of transaction malleability. Each time you send a transaction, you write down on a sheet of paper the amount that the transaction was supposed to send, the address it was supposed to go to, and the transactionID that you generated before you broadcast it. Then you give the customer a piece of paper with the same information on it.

Now, a couple of days later, one of your customers comes to you and says, "I never received the bitcoins that I requested, here's my receipt."  You take a look at the transactionID on the receipt, and you match it up to the list that you keep.  You see that all the information on the customer's receipt matches all the information on your list, so you decide that the customer is presenting you with a transaction that you expect to have sent.  Next you search for that transactionID on the blockchain.  You don't find it at all.  You also find that the transactionID doesn't exist in the memory pool of any peers either.  You assume that something must have gone wrong with the transaction, and that your customer never received their bitcoins.  In the interest of maintaining good customer relations, you send a new transaction transferring the same amount of bitcoins to the customer.

What you didn't realize was that the customer actually did receive the earlier transaction, but the transactionID changed.  Since you didn't know this, you didn't think to look for any alternate transactionIDs that sent the same amount of bitcoins at the same time using the same inputs.  Now your second transaction confirms.  Your customer just got paid by you twice for the same bitcoins in their "account" on your system.

Your customer, realizing that he just discovered a way to steal money from you without you knowing, quickly learns how to create malleated transactions.  He signs up for multiple false IDs on your system and tells some of his friends about it.  They all repeat this process on an occasional basis.  You continue to send more and more bitcoins out of your system without noticing the drastic reduction in bitcoins on hand.

Eventually one day someone points out this transaction malleability issue to you and you decide to audit your accounts to see how short you are.

This is one example of how someone can take advantage of transaction malleability.

There are a few other ways, but the basic concept is the same (relying exclusively on original transactionID to determine if a transaction exists in the bitcoin network).

Also if the exchanges had to change their software to deal with this, does that not mean all merchants and clients need to as well ?

That really depends on how often you send bitcoins, and what process you use to track those bitcoins.  Some exchanges used their own custom code to track withdrawals.  That custom code may not have been aware of this issue and may have needed to be updated to look at spent inputs (or some other unmodifiable portion of the transaction).  If you are just using one of the well known wallets, and always wait for at least 1 confirmation before sending any bitcoins anywhere then you shouldn't have a problem.
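The scenario in the post above, as an added example that is not code from the original thread: a legacy transaction is serialized and its txid computed as the double-SHA256 of that serialization; a third party then malleates the scriptSig by re-encoding the signature push with OP_PUSHDATA1 instead of a direct push, which changes the txid without touching the signature or changing what the script does (the "non-signature portion of the ScriptSig" case). The signature, public key, and spent outpoint are constructed placeholder bytes, since the txid arithmetic does not need real ECDSA. The two `seen_by_*` functions contrast the fragile reconciliation (search by the txid recorded at broadcast) with the robust one the post recommends (search by spent inputs).

```python
import hashlib
import struct

OP_PUSHDATA1 = 0x4C


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def varint(n: int) -> bytes:
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def read_varint(raw: bytes, pos: int):
    b = raw[pos]
    if b < 0xFD:
        return b, pos + 1
    if b == 0xFD:
        return struct.unpack_from("<H", raw, pos + 1)[0], pos + 3
    if b == 0xFE:
        return struct.unpack_from("<I", raw, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", raw, pos + 1)[0], pos + 9


def push(data: bytes, use_pushdata1: bool = False) -> bytes:
    """Script push of `data`. For <=75 bytes the canonical form is a direct push
    (opcode == length). OP_PUSHDATA1 pushes the identical bytes, so the script
    executes the same, but the serialized scriptSig (and so the txid) differs."""
    n = len(data)
    if use_pushdata1 or n > 75:
        return bytes([OP_PUSHDATA1, n]) + data
    return bytes([n]) + data


def serialize_tx(version, inputs, outputs, locktime) -> bytes:
    """Legacy (pre-segwit) transaction serialization."""
    raw = struct.pack("<I", version) + varint(len(inputs))
    for prev_txid, prev_n, script_sig, sequence in inputs:
        raw += bytes.fromhex(prev_txid)[::-1]   # txids are displayed byte-reversed
        raw += struct.pack("<I", prev_n)
        raw += varint(len(script_sig)) + script_sig
        raw += struct.pack("<I", sequence)
    raw += varint(len(outputs))
    for value_sat, script_pubkey in outputs:
        raw += struct.pack("<q", value_sat)
        raw += varint(len(script_pubkey)) + script_pubkey
    raw += struct.pack("<I", locktime)
    return raw


def txid(raw: bytes) -> str:
    """txid = double-SHA256 over the whole serialization, scriptSig included."""
    return sha256d(raw)[::-1].hex()


def spent_outpoints(raw: bytes) -> set:
    """Parse the inputs' (prev_txid, index) pairs out of a serialized tx. These are
    covered by the signature (SIGHASH_ALL), so a third party cannot change them
    without invalidating the signature; they survive malleation."""
    pos = 4                                   # skip version
    n_in, pos = read_varint(raw, pos)
    outs = set()
    for _ in range(n_in):
        prev = raw[pos:pos + 32][::-1].hex(); pos += 32
        idx = struct.unpack_from("<I", raw, pos)[0]; pos += 4
        slen, pos = read_varint(raw, pos)
        pos += slen + 4                       # skip scriptSig and sequence
        outs.add((prev, idx))
    return outs


# Constructed placeholder data: not a real signature, key, or outpoint.
FAKE_SIG = bytes([0x30, 0x44]) + bytes(68) + bytes([0x01])   # 71 bytes, DER-shaped, SIGHASH_ALL
FAKE_PUBKEY = b"\x02" + bytes(32)                             # 33-byte compressed-key shape
PREV_TXID = "aa" * 32
PREV_N = 0
PAY_TO = bytes.fromhex("76a914") + bytes(20) + bytes.fromhex("88ac")  # P2PKH scriptPubKey


def build_tx(malleate: bool = False) -> bytes:
    """The exchange's withdrawal tx; malleate=True re-encodes only the signature push."""
    script_sig = push(FAKE_SIG, use_pushdata1=malleate) + push(FAKE_PUBKEY)
    return serialize_tx(1, [(PREV_TXID, PREV_N, script_sig, 0xFFFFFFFF)],
                        [(100_000, PAY_TO)], 0)


def seen_by_txid(recorded_txid: str, observed: list) -> bool:
    """The fragile check from the post: look for the txid recorded at broadcast time."""
    return any(txid(raw) == recorded_txid for raw in observed)


def seen_by_inputs(recorded_outpoints: set, observed: list) -> bool:
    """The robust check: has anything that spends our inputs appeared?"""
    return any(bool(spent_outpoints(raw) & recorded_outpoints) for raw in observed)


def demo() -> dict:
    original = build_tx()
    malleated = build_tx(malleate=True)
    observed = [malleated]            # only the malleated copy propagated and confirmed
    return {
        "txids_differ": txid(original) != txid(malleated),
        "found_by_txid": seen_by_txid(txid(original), observed),
        "found_by_inputs": seen_by_inputs(spent_outpoints(original), observed),
    }


if __name__ == "__main__":
    print(demo())   # {'txids_differ': True, 'found_by_txid': False, 'found_by_inputs': True}
```

The txid-based check concludes the withdrawal never happened, which is exactly the state in which the post's exchange re-sends the coins; the outpoint-based check finds the malleated copy because the inputs it spends are the ones the ledger recorded. This particular push-encoding vector has since been closed by Bitcoin Core's minimal-push standardness rule (policy since 0.10), and segwit transactions exclude the witness from the txid altogether, but the reconciliation rule stands for any custodial ledger: key withdrawals on the spent outpoints (or wait for the confirmation the post mentions), never on a txid computed before broadcast.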
full member
Activity: 196
Merit: 100
So I am trying to get my head around the issue. Correct me at each point where I am wrong.

From what I understand, if a tx is sent, someone can change a portion of the txid before it confirms - the signature maybe? - and if they are successful in doing that and their txid is confirmed first, ummmm err I'm totally confused at that part. I thought the txid just becomes invalid; however I read people can use it to withdraw and say it never worked, when really it did and get the bitcoins back.

Can someone summarize it simply please ?

Also if the exchanges had to change their software to deal with this, does that not mean all merchants and clients need to as well ?

Thank you.