1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
|
Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194]
helo=mx.sourceforge.net)
by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
(envelope-from <gmaxwell@gmail.com>) id 1WCxeE-0004Rh-Vs
for bitcoin-development@lists.sourceforge.net;
Mon, 10 Feb 2014 20:40:11 +0000
Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of gmail.com
designates 209.85.217.172 as permitted sender)
client-ip=209.85.217.172; envelope-from=gmaxwell@gmail.com;
helo=mail-lb0-f172.google.com;
Received: from mail-lb0-f172.google.com ([209.85.217.172])
by sog-mx-4.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.76) id 1WCxeE-0002gP-2q
for bitcoin-development@lists.sourceforge.net;
Mon, 10 Feb 2014 20:40:10 +0000
Received: by mail-lb0-f172.google.com with SMTP id c11so5270447lbj.31
for <bitcoin-development@lists.sourceforge.net>;
Mon, 10 Feb 2014 12:40:03 -0800 (PST)
MIME-Version: 1.0
X-Received: by 10.112.173.6 with SMTP id bg6mr22189424lbc.17.1392064803464;
Mon, 10 Feb 2014 12:40:03 -0800 (PST)
Received: by 10.112.198.34 with HTTP; Mon, 10 Feb 2014 12:40:03 -0800 (PST)
In-Reply-To: <52F92CE3.7080105@olivere.de>
References: <CAPg+sBi-phaw3hDgguk-LYrPsKX4M5snTJBv_NsQML1M=XgZEw@mail.gmail.com>
<52F92CE3.7080105@olivere.de>
Date: Mon, 10 Feb 2014 12:40:03 -0800
Message-ID: <CAAS2fgRksY-KeD27unAWrNkt3BPjGHMFRis_kyrAfZN-zpyoag@mail.gmail.com>
From: Gregory Maxwell <gmaxwell@gmail.com>
To: Oliver Egginger <bitcoin@olivere.de>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -1.6 (-)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
See http://spamassassin.org/tag/ for more details.
-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
sender-domain
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
(gmaxwell[at]gmail.com)
-0.0 SPF_PASS SPF: sender matches SPF record
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
author's domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature,
not necessarily valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Headers-End: 1WCxeE-0002gP-2q
Cc: Bitcoin Development <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] Malleability and MtGox's announcement
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Mon, 10 Feb 2014 20:40:11 -0000
On Mon, Feb 10, 2014 at 11:47 AM, Oliver Egginger <bitcoin@olivere.de> wrot=
e:
> As I understand this attack someone renames the transaction ID before
> being confirmed in the blockchain. Not easy but if he is fast enough it
> should be possible. With a bit of luck for the attacker the new
> transaction is added to the block chain and the original transaction is
> discarded as double-spend. Right?
>
> Up to this point the attacker has nothing gained. But next the attacker
> stressed the Gox support and refers to the original transaction ID. Gox
> was then probably fooled in such cases and has refunded already paid
> Bitcoins to the attackers (virtual) Gox-wallet.
At this point the attack should fail. Before crediting the funds back Gox
should form a new transaction moving at least one of the coins the prior
transaction was spending and wait for that transaction to confirm.
Without performing this step=E2=80=94 even if there were no malleability at=
all
you'd have the risk that someone would go resurrect the old transaction
and get a miner to mine it. Then it goes through.
With performing it, even if they missed the mutated transaction in the chai=
n
their cancellation transaction could not confirm (because its a double spen=
d).
> So far everything is clear. But what I do not understand: Why apparently
> had so many customers of Gox payment defaults or severely delayed
> payments?
Back in September a lot of people were having stuck transactions and
when I looked it was because Mtgox was spending immature coins: newly
generated coins which cannot be spent for 100 blocks since their creation.
(A rule since Bitcoin's started)
Then later it was noticed that they were producing transactions with invali=
d
DER encodings (excessively padded signatures). The Bitcoin network used
to accept these transactions, but in order to more towards eliminating
malleability
Bitcoin 0.8 and later will not relay and mine them.
Then after people started using mutation to fix those excessively padded
transactions and/or someone was exploiting Gox's behavior=E2=80=94 it seems=
that
Gox's wallet may have been in a state where it thought a lot of coins weren=
't
spent that were and was reusing them in new transansactions... this one
is harder to tell externally=E2=80=94 I saw it appeared to be producing a L=
OT of
double spends with different destinations, but I'm guessing as to the exact
cause.
|