MtGox's "Transaction Malleability" Claim Dismissed By Researchers
Martin S. (98249) writes "The Register reports on a paper at the arXiv (abstract below) by Christian Decker and Roger Wattenhofer analyzing a year's worth of Bitcoin activity to reach the conclusion that MtGox's claims of losing their bitcoins because of the transaction malleability bug are untrue. The Abstract claims: 'In Bitcoin, transaction malleability describes the fact that the signatures that prove the ownership of bitcoins being transferred in a transaction do not provide any integrity guarantee for the signatures themselves. ... In this work we use traces of the Bitcoin network for over a year preceding the filing to show that, while the problem is real, there was no widespread use of malleability attacks before the closure of MtGox.'"
Quoting El Reg: "By extracting transaction keys from the transaction set, the researchers say, they were able to identify more than 35,000 transaction conflicts and more than 29,000 “confirmed attacks” covering more than 300,000 Bitcoins." And less than 6000 were actually successful.
Re: (Score:3, Insightful)
This is all to be expected isn't it? It seems like when there is opportunity to scam people out of money, someone will set up an operation to exploit it. Every natural disaster results in hundreds of fake charities being set up to collect donations. And digital currency saw all manner of opportunists attempting to participate at every level from bitcoin mining viruses to setting up exchanges with disappearing money "bugs."
Anyone who didn't expect it was born yesterday under a rock.
Re: (Score:2)
It also gives Bitcoin a lot of reputation back. If you can actually trace what happens, then the resilience of the whole system is much higher than it appeared to be otherwise.
Re: (Score:3, Informative)
I don't know what prompted the Red Cross comment, but it is easy enough to check through Charity Navigator. The Red Cross spends 4% on administration and 5.1% on fund raising; the rest goes to programs.
The fake is a lie. (Score:1)
How can this guy not be abducted by mafia yet?
Re: (Score:2)
Obviously, the guy was a criminal, not an idiot. You *always* pay for protection.
The scam unravels (Score:5, Insightful)
The MtGox guys better get on a plane and head for their secret island.
Re: (Score:2, Informative)
Unfortunately for them, they aren't allowed to (legally) leave the country.
Re:The scam unravels (Score:5, Insightful)
I wonder how this plays into these bitcoins they mysteriously found in another wallet later that they said they'd give the refunds from.
Either this was a scam all along, or these guys really dropped the ball.
And if the researchers are saying their explanation doesn't hold water, it's increasingly hard to believe them.
Re: (Score:2)
"Never attribute to malice that which can be explained by incompetence." -- Hanlon's Razor
Re: (Score:2)
Yes. This.
Most likely, they screwed up and lost their private keys. ie: Plain old incompetence.
The code that was leaked to pastebin made it look like they were storing these in something like instances on Amazon EC2. If it turned out they were storing it on ephemeral storage rather than EBS, I don't know if I'd laugh or cry. But it would be an explanation if it were true. Again though, that would come back to incompetence.
Re: (Score:1)
I find stupidity and malice frequently come hand in hand, sometimes in the same individual.
Re: (Score:2)
Not guys. Guy. Just one man and everyone else was kept in the dark.
Money and marijuana don't mix (Score:2, Funny)
A bank run by drug dealers and drug addicts won't keep your money safe, period.
Re: (Score:1)
That's all banks. The only substantive difference is FDIC insuring your drug money.
Re: (Score:1)
You got that [rollingstone.com] right [rollingstone.com]
Re: (Score:1)
You act like that isn't a huge difference. It is.
Re:Money and marijuana don't mix (Score:5, Insightful)
Remember that commercial where they gave some poor dude 100k and asked him to watch it. Pot smokers don't steal it. Asshole libertarian, free market loving, usually conservative pricks steal*.
So you keep the c-levels of ING, Chase, etc. I'll take The Dude any day.
* = I am sorta libertarian, like the free market, and agree with some moderate conservatives. But it seems the psychos all LOVE these things and use them as the basis for their rationalizations.
Re: (Score:2)
That probably applies to just about every bank.
Re: (Score:2)
> A bank run by drug dealers and drug addicts won't keep your money safe, period.
I know bankers are black, but are the drug lords green or white islandwalkers? Couldn't this disaster just be a big misunderstanding, like manna burn?
Flawed assumption (Score:1, Interesting)
They wrongly assume that they were able to capture all MtGox transaction attempts. Many were posted on their API that were never broadcasted over the network because they were broken / invalid. That didn't stop people from fixing and / or malleating (sp?) them.
Re: (Score:1)
You don't seem to understand the purpose of Bitcoin, or what a Ponzi scheme is. Ponzi schemes have nothing to do with exchanging money for virtual items, and Bitcoin itself has nothing to do with investment (although some people might use it for speculative reasons). The cause of all these recent Bitcoin problems is shady characters running the exchanges. But that is a problem with all currency, virtual or not.
Re: (Score:3)
No argument that BTC is less widely accepted than most other currencies, but don’t conflate w
Re: (Score:2)
Fiat currency has no value other than to 1) Pay your taxes, and 2) Conduct business with others who mutually agree that said currency has an effective value.
None of that is unique to fiat currency. Gold just isn't that useful. Currency backed by something useful is sufficiently rare that it's clearly not important.
Currency is a useful medium of exchange. Intrinsic value isn't important, only current value (thus the name). Bitcoin is still pretty iffy in its ability to buy anything anywhere, but that's the only hurdle it needs to jump. It prospered in a black market, sure, but as a "legit" currency it has yet to establish itself.
Re: (Score:2)
> None of that is unique to fiat currency. Gold just isn't that useful.
Gold may not be incredibly useful, but it is (a) rare and (b) unreactive and (c) pretty and malleable. So it definitely has intrinsic properties that make it valuable. Probably scarcity above all though.
Re: (Score:2)
Gold's value as an industrial metal is quite small. The features you mention make it a good choice for specie-based currency. Having value in that it's well suited for use as currency is not intrinsic value, it's value-as-currency.
Re: (Score:1)
> You don't seem to understand the purpose of Bitcoin, or what a Ponzi scheme is. Ponzi schemes have nothing to do with exchanging money for virtual items, and Bitcoin itself has nothing to do with investment (although some people might use it for speculative reasons). The cause of all these recent Bitcoin problems is shady characters running the exchanges. But that is a problem with all currency, virtual or not.
You don't seem to understand why Bitcoins are a Ponzi scheme (and neither does the GP who brought it up.)
Bitcoin mining is designed to decrease over time [bitcoin.it] until all 21 million coins have been mined. This means that the folks who got in early (i.e. the inventors) make out like bandits and the late arrivals are left holding the bag. The best part is that they have all sorts of true believers out there running interference for them in tech forums like /. It's like printing (real) money. Oh, wait...
Re: (Score:2)
I'm not sure you understand what a Ponzi scheme actually is. Bitcoin isn't one. MtGox, however, appears to have been simply a case of embezzlement.
As for the rest of your rant, yes, you can buy groceries with Bitcoin. http://online.wsj.com/news/art... [wsj.com]
Re: (Score:2)
The blockchain is PUBLIC. The vulnerability they mentioned is legitimate. They found 6000 successful attempts on the blockchain of double-spending a change transaction (all bitcoin transactions have an initial transaction and a change transaction, unless the amount matches perfectly).
These weren't related to known Mt. Gox addresses. How is this hard to understand that these guys know what they are talking about? Many of us in the bitcoin community could see this the very next day, as soon as we looked.
sounds like it really was sheer incompetence.... (Score:3)
I mean, if you lost 64,564 bitcoins from a known and easy to research flaw....
then I'm VERY sure that you had a LOT of other security flaws unpatched on your servers.
I know that even on my home servers I try and do "enough" diligence to ensure all known flaws are patched. And on work related boxes, we ALL verify constantly all known vectors are closed...
The fact that they found 10% of the "lost" coins with publicly available information and widely known bugs, lets me know that there are SURE to be a LOT more hidden flaws bleeding bitcoins like crazy...
(and I'm sure some employees stole some coins to buy private islands)
Re: (Score:2, Insightful)
Transaction malleability is a lot different than having an unpatched OpenSSL on your server or something. Security bugs in unpatched software are a thing that are well-understood by sysadmins and security researchers. Weaknesses in the cryptography underlying Bitcoin are truly understood by perhaps a handful of people on the Earth at this time. It would be nice to presume that an organization positioning itself
Re: (Score:2)
Wouldn't that be more suggestive evidence of a scam? The bug/flaw was clearly and forcefully presented to MtGox, which intentionally didn't patch it because it would be useful cover for insider theft.
Re: (Score:2)
> Security bugs in unpatched software are a thing that are well-understood by sysadmins and security researchers.
Really? The bitcoin is valued at several billions of dollars. The reward for breaking Keccak was academic creds. The reward for breaking bitcoin is notoriety for life, and being set for life as well. Besides, you do know that nothing in Bitcoin is encrypted, right? There is one signature and a lot of hashing. There isn't even a nonce.
> Additionally, this isn’t an unpatched security flaw where upgrading to Bitcoin 1.1 would have fixed the issue. It’s a weakness inherent to the Bitcoin protocol which may or may not be able to be repaired without invalidating all existing BTC transactions.
Said like a person who is eager to prove he doesn't know much about the subject he is commenting on. It wasn't the upgrade to bitcoin 1.1 that fixed the issue, it was th
Re: (Score:1)
Really? Is the Beta bashing still going on?
Re: (Score:2)
You are assuming that an inside job necessarily implicates the owner directly, and not some other technical employee, who may have even signed on to the company with the intention to rob them blind.
I do agree that it sounds like an inside job, however it looks like an inside job by someone smart enough to be sneaky about it; not someone just reaching into the cookie jar.
Then again, it could be a little of column A, a little of column B, maybe the attack stole some, and someone else saw that and took the r
Re: (Score:1)
Not necessarily assuming the guy at the top. Regardless of who plans and executes the scam, a bankruptcy is going to suddenly result in massive focus on everything going on, every system and transaction and so on. Outsiders who you're unfamiliar with (so can't use your usual bag of tricks to pull the wool over the eyes of) will be brought in, and will investigate what you were doing. Even regular management will suddenly find themselves having to justify their own actions and investigate things they never l
Re: (Score:2)
> To be honest, if I were a fraudster, the very last place I'd start is a business that is likely to go
> bankrupt even if it trades honestly
But that would assume the fraudster understands these particular dynamics and/or agrees it is likely to go bankrupt even if trading honestly. Frankly, I am not sure I agree with that assessment. Had they operated properly and not fucked up so royally (assuming it wasn't intentional) I don't see why they were likely to go bankrupt.
It is also entirely possible they
Re: (Score:2)
> or were Mt. Gox's alleged scam conspirators unusually stupid?
Considering that most of the company's depositors were unusually stupid I don't think that's much of a stretch.
Re: (Score:2)
The people that left their coins sitting on Mt. Gox's servers instead of getting them off immediately? Yes, those people are unusually stupid.
The people that are buying Lamborghinis ( http://articles.latimes.com/20... [latimes.com] ), apartments ( http://www.uproxx.com/webcultu... [uproxx.com] ) and even castles in Estonia ( http://thebitcoinnews.co.uk/20... [thebitcoinnews.co.uk] ) for mere pennies on the dollar don't seem very stupid.
Re: (Score:2)
>> If your business goes bankrupt, then it becomes extremely difficult to launder your supposedly stolen assets.
Well see that's the thing about a bitcoin wallet with a few million in... It's VERY easy to hide then when the shit has died down, later recover it and untraceably sell the bitcoins.
The only thing the cops would have to go on would be after the suspect starts selling them, by watching any bank account they have access to and how it suddenly got a bunch of dollars credited to it. I'm sure ther
Dear slashdot, (Score:5, Interesting)
The very short version is that what these "researchers" were looking at isn't actually how the alleged bug would have worked.
Re:Dear slashdot, (Score:5, Interesting)
Care to answer a few questions then?
Re: (Score:2)
The paper suggested they happened due to a malleability attack, I have no reason to think otherwise. It was not me who said that was nonsense.
The paper carefully explained difference in the looks of the involved transactions. By saying an attack would look like any other transaction, you are contradicting the paper, and you are providing less evidence to support your case than the p
Re: (Score:2)
The spec says to minimize the encoding, but openssl accepts the padded form. The bitcoin software started refusing to relay transactions with improperly padded transactions, even though they are still valid, if they make it into a block.
So, as the
Re: (Score:2)
Are there any plans to stop accepting them in blocks?
I guess we can agree, that the article is not covering this attack, but rather a very different attack.
Re: (Score:2)
No, there is no intention to tighten the blockchain rules at this time. This would cause a hard fork, and breaking compatibility with old versions is not considered lightly.
Mtgox's software is unique. The reference client, for example, can not be fooled by changing transaction IDs. The frequency of success at actually winning the race to get the modified version into a block only matters if you've written your own software that is totally reliant on transaction IDs.
There are two values, each with a 1 in
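An added example, not written by any commenter and not taken from the Bitcoin code base, illustrating the encoding point in the comments above: a lenient decoder reads the minimal and the padded DER encoding of a signature as the same (r, s), while a hash over the bytes differs, and a strict-DER check rejects the padded form. The function names, the R and S values and the toy serialization are constructed for illustration.

```python
import hashlib

def der_int(n: int, pad: int = 0) -> bytes:
    """DER INTEGER for positive n; pad > 0 prepends redundant zero bytes."""
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:                  # required 0x00 so the value stays positive
        body = b"\x00" + body
    body = b"\x00" * pad + body         # non-minimal ("padded") when pad > 0
    return b"\x02" + bytes([len(body)]) + body

def der_sig(r: int, s: int, pad_r: int = 0) -> bytes:
    seq = der_int(r, pad_r) + der_int(s)
    return b"\x30" + bytes([len(seq)]) + seq

def _int_bodies(sig: bytes) -> list:
    """Split SEQUENCE{INTEGER r, INTEGER s} into the two raw integer bodies."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("bad SEQUENCE header")
    bodies, pos = [], 2
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            raise ValueError("expected INTEGER")
        n = sig[pos + 1]
        body = sig[pos + 2 : pos + 2 + n]
        if n == 0 or len(body) != n:
            raise ValueError("bad INTEGER length")
        bodies.append(body)
        pos += 2 + n
    if pos != len(sig):
        raise ValueError("trailing bytes")
    return bodies

def lax_parse(sig: bytes) -> tuple:
    """Lenient decoder: leading zeros are ignored, so padding is accepted."""
    return tuple(int.from_bytes(b, "big") for b in _int_bodies(sig))

def is_strict_der(sig: bytes) -> bool:
    """True only for the minimal encoding of two positive integers."""
    try:
        bodies = _int_bodies(sig)
    except ValueError:
        return False
    return all(not b[0] & 0x80 and not (len(b) > 1 and b[0] == 0 and not b[1] & 0x80)
               for b in bodies)

def toy_txid(sig: bytes) -> str:
    """Double SHA-256 over a constructed stand-in for a serialized transaction."""
    tx = b"constructed-inputs|" + sig + b"|constructed-outputs"
    return hashlib.sha256(hashlib.sha256(tx).digest()).hexdigest()

# Constructed values, not a real signature.
R = int.from_bytes(bytes(range(1, 33)), "big")
S = int.from_bytes(bytes(range(33, 65)), "big")
CANONICAL, PADDED = der_sig(R, S), der_sig(R, S, pad_r=1)
```

Software that identifies a payment only by the hash of its bytes would treat CANONICAL and PADDED as two different transactions even though both carry the same signature values.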
Re: (Score:2)
And it should not be taken lightly. But as I understand it, such forks have been done in the past, and another one will be needed due to transaction volume approaching a hard limit imposed by the current rules. The particular tightening of the rules about signatures could piggyback on another update, which would cause a fork. Is there an
Re: (Score:2)
That's actually not off-topic at all. The description of off-chain transactions [bitcoin.it] mention that one way to do it is through the use of trusted third parties such as Mt. Gox! It does proceed to describe how a system could potentially be designed with auditing that can prove if fraud is happening, which would be an improvement, but it does not suggest any way to avoid such fraud.
Re: (Score:2)
I don't think so. Let's say somebody wants to perform a DoS attack spending as few bitcoins as possible. Just take a tiny amount of bitcoins and spend it all on transaction fees one satoshi at a time. With transactions spending one satoshi in fee and not actually transferring any bitcoins anywhere, miners would have incentive to include those transactions in the blocks. After all, if there is no limit on the block size, a miner may as w
Re: (Score:1)
Except the comment you are replying to said the opposite. It was denying the statement made by these researchers saying that the alleged theft did not happen. (I know that's a lot of negations, better count them before replying.)
Re: (Score:2)
In my opinion, this was most likely incompetence. Or, possibly Mtgox stole from their users (or Mark stole from his own company, which is the same, as far as I'm concerned).
It is extremely unlikely, in my view, that transaction malleability played much of a role.
A malleability exploit is something that people might be willing to accept as "could have happened to anyone", so I think it was tried as cover for incompetence of the more ordinary "not clever enough to safely hold other people's money" variety.
Re: (Score:2)
This would have been a useful comment if facts would have been about your opinion.
Re: (Score:2)
you are aware that the groups are not mutually exclusive, right?
Re: (Score:2)
I didn't say that mutated transactions didn't exist, or that the researchers haven't actually seen any.
They certainly do exist, and I have no reason to doubt that the researchers have found some in the wild.
I'm saying that if such an attack had been responsible for Mtgox's woes (which I and, I think, most others find extremely unlikely), they would not be visible using the methodology discussed in this paper.
Re: (Score:2)
> The very short version is that what these "researchers" were looking at isn't actually how the alleged bug would have worked.
That is far too short to be useful.
Mtgox's malleability problem was caused, ironically, by the protocol fixing one source of it. When that happened the network started rejecting mtgox's transactions, in fact they weren't even relayed.
The paper says there were no malleability attacks of the scale mtgox claims because they didn't see the required number of malleable transactions. This would have been reasonable if the attacker also depended on seeing the malleable transactions relayed by the network. But the