MtGox's "Transaction Malleability" Claim Dismissed By Researchers

Martin S. (98249) writes "The Register reports on a paper at the arXiv (abstract below) by Christian Decker and Roger Wattenhofer analyzing a year's worth of Bitcoin activity to reach the conclusion that MtGox's claims of losing their bitcoins because of the transaction malleability bug are untrue. The Abstract claims: 'In Bitcoin, transaction malleability describes the fact that the signatures that prove the ownership of bitcoins being transferred in a transaction do not provide any integrity guarantee for the signatures themselves. ... In this work we use traces of the Bitcoin network for over a year preceding the filing to show that, while the problem is real, there was no widespread use of malleability attacks before the closure of MtGox.'" Quoting El Reg: "By extracting transaction keys from the transaction set, the researchers say, they were able to identify more than 35,000 transaction conflicts and more than 29,000 “confirmed attacks” covering more than 300,000 Bitcoins." And less than 6000 were actually successful.
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward

    How can this guy not be abducted by mafia yet?

  • The scam unravels (Score:5, Insightful)

    by NotDrWho ( 3543773 ) on Wednesday April 09, 2014 @09:18AM (#46704407)

    The MtGox guys better get on a plane and head for their secret island.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Unfortunately for them, they aren't allowed to (legally) leave the country.

    • by gstoddart ( 321705 ) on Wednesday April 09, 2014 @09:35AM (#46704575) Homepage

      I wonder how this plays into the bitcoins they mysteriously found in another wallet later that they said they'd give the refunds from.

      Either this was a scam all along, or these guys really dropped the ball.

      And if the researchers are saying their explanation doesn't hold water, it's increasingly hard to believe them.

      • Re: (Score:2, Insightful)

        by jythie ( 914043 )
        Actually, I think the research lines up rather nicely with them dropping the ball too. It could be an example of them having no clue what they are doing or having their own understanding of how things work. So 'incompetence' is still firmly in the running.
        • "Never attribute to malice that which can be explained by incompetence." -- Hanlon's Razor

          • Yes. This.

            Most likely, they screwed up and lost their private keys. ie: Plain old incompetence.

            The code that was leaked to pastebin made it look like they were storing these in something like instances on Amazon EC2. If it turned out they were storing it on ephemeral storage rather than EBS, I don't know if I'd laugh or cry. But it would be an explanation if it were true. Again though, that would come back to incompetence.

          • I find stupidity and malice frequently come hand in hand, sometimes in the same individual.

    • by 1s44c ( 552956 )

      Not guys. Guy. Just one man and everyone else was kept in the dark.

  • by Anonymous Coward

    A bank run by drug dealers and drug addicts won't keep your money safe, period.

    • by Anonymous Coward

      That's all banks. The only substantive difference is FDIC insuring your drug money.

    • by Collective 0-0009 ( 1294662 ) on Wednesday April 09, 2014 @11:08AM (#46705411)
      I'd trust a pot head over a money-grubbing corporate overlord. I have personally worked with the type of psychos that run a lot of companies. They are completely immoral. They often cannot even see their lack of integrity as they have rationalized their decisions long ago. They surround themselves with those that won't rock the boat; "yes men/women". And it's so easy to fall into when you are on top... nobody cares that the emperor has no clothes as long as they get the bonus and raise.

      Remember that commercial where they gave some poor dude 100k and asked him to watch it. Pot smokers don't steal it. Asshole libertarian, free market loving, usually conservative pricks steal*.

      So you keep the c-levels of ING, Chase, etc. I'll take The Dude any day.

      * = I am sorta libertarian, like the free market, and agree with some moderate conservatives. But it seems the psychos all LOVE these things and use them as the basis for their rationalizations.
    • by JustNiz ( 692889 )

      That probably applies to just about every bank.

    • A bank run by drug dealers and drug addicts won't keep your money safe, period.

      I know bankers are black, but are the drug lords green or white islandwalkers? Couldn't this disaster just be a big misunderstanding, like manna burn?

  • Flawed assumption (Score:1, Interesting)

    by 0dugo0 ( 735093 )

    They wrongly assume that they were able to capture all MtGox transaction attempts. Many were posted on their API that were never broadcasted over the network because they were broken / invalid. That didn't stop people from fixing and / or malleating (sp?) them.

    • by PRMan ( 959735 )

      The blockchain is PUBLIC. The vulnerability they mentioned is legitimate. They found 6000 successful attempts on the blockchain of double-spending a change transaction (all bitcoin transactions have an initial transaction and a change transaction, unless the amount matches perfectly).

      These weren't related to known Mt. Gox addresses. How is this hard to understand that these guys know what they are talking about? Many of us in the bitcoin community could see this the very next day, as soon as we looked.

  • I mean, if you lost 64,564 bitcoins from a known and easy to research flaw....

    then I'm VERY sure that you had a LOT of other security flaws unpatched on your servers.

    I know that even on my home servers I try and do "enough" diligence to ensure all known flaws are patched.. And on work related boxes, we ALL verify constantly all known vectors are closed...
    The fact that they found 10% of the "lost" coins with publicly available information and widely known bugs, lets me know that there are SURE to be a LOT more hidden flaws bleeding bitcoins like crazy...

      (and I'm sure some employees stole some coins to buy private islands)

    • Re: (Score:2, Insightful)

      by Aaden42 ( 198257 )

      then I’m VERY sure that you had a LOT of other security flaws unpatched on your servers.

      Transaction malleability is a lot different than having an unpatched OpenSSL on your server or something. Security bugs in unpatched software are a thing that are well-understood by sysadmins and security researchers. Weaknesses in the cryptography underlying Bitcoin are truly understood by perhaps a handful of people on the Earth at this time. It would be nice to presume that an organization positioning itself

      • by PRMan ( 959735 )
        This was a KNOWN and PUBLISHED flaw since 2011, along with clear instructions about how to avoid it. Any casual first-time programmer of bitcoin would have seen this when learning how to program bitcoin (it's on the Wiki: https://en.bitcoin.it/wiki/Tra... [bitcoin.it]). Mt. Gox, having been around since 2010, could have not noticed I suppose, except that Gavin Andresen (the lead bitcoin developer) is on record as having warned them about this flaw multiple times. And it was brought up in a Bitcoin Foundation meeting
        • by mbkennel ( 97636 )

          Wouldn't that be more suggestive evidence of a scam? The bug/flaw was clearly and forcefully presented to MtGox, which intentionally didn't patch it because it would be useful cover for insider theft.
      • by ras ( 84108 )

        Security bugs in unpatched software are a thing that are well-understood by sysadmins and security researchers.

        Really? The bitcoin is valued at several billions of dollars. The reward for breaking Keccak was academic creds. The reward for breaking bitcoin is notoriety for life, and being set for life as well. Besides, you do know that nothing in Bitcoin is encrypted, right? There is one signature and a lot of hashing. There isn't even a nonce.

        Additionally, this isn’t an unpatched security flaw where upgrading to Bitcoin 1.1 would have fixed the issue. It’s a weakness inherent to the Bitcoin protocol which may or may not be able to be repaired without invalidating all existing BTC transactions.

        Said like a person who is eager to prove he doesn't know much about the subject he is commenting on. It wasn't the upgrade to bitcoin 1.1 that fixed the issue, it was th

  • Comment removed based on user account deletion
    • by TheCarp ( 96830 )

      You are assuming that an inside job necessarily implicates the owner directly, and not some other technical employee, who may have even signed on to the company with the intention to rob them blind.

      I do agree that it sounds like an inside job, however it looks like an inside job by someone smart enough to be sneaky about it; not someone just reaching into the cookie jar.

      Then again, it could be a little of column A, a little of column B, maybe the attack stole some, and someone else saw that and took the r

      • Not necessarily assuming the guy at the top. Regardless of who plans and executes the scam, a bankruptcy is going to suddenly result in massive focus on everything going on, every system and transaction and so on. Outsiders who you're unfamiliar with (so can't use your usual bag of tricks to pull the wool over the eyes of) will be brought in, and will investigate what you were doing. Even regular management will suddenly find themselves having to justify their own actions and investigate things they never l

        • by TheCarp ( 96830 )

          > To be honest, if I were a fraudster, the very last place I'd start is a business that is likely to go
          > bankrupt even if it trades honestly

          But that would assume the fraudster understands these particular dynamics and/or agrees it is likely to go bankrupt even if trading honestly. Frankly, I am not sure I agree with that assessment. Had they operated properly and not fucked up so royally (assuming it wasn't intentional) I don't see why they were likely to go bankrupt.

          It is also entirely possible they

      • by PRMan ( 959735 )
        Some of the "missing" bitcoins were found in accounts that Karpeles forgot that he had previously told people he had control over. If he weren't the guilty party, wouldn't he have mentioned this upfront? Looks ultra-shady.
    • by cusco ( 717999 )

      or were Mt. Gox's alleged scam conspirators unusually stupid?

      Considering that most of the company's depositors were unusually stupid I don't think that's much of a stretch.

    • by JustNiz ( 692889 )

      >> If your business goes bankrupt, then it becomes extremely difficult to launder your supposedly stolen assets.

      Well see that's the thing about a bitcoin wallet with a few million in... It's VERY easy to hide then when the shit has died down, later recover it and untraceably sell the bitcoins.

      The only thing the cops would have to go on would be after the suspect starts selling them, by watching any bank account they have access to and how it suddenly got a bunch of dollars credited to it. I'm sure ther

    • by PRMan ( 959735 )
      Karpeles IS unusually stupid (OK, let's say arrogant and naive). He claimed to have lost 2,000,000 bitcoins until people looked at the PUBLIC blockchain and found that he had previously had access to accounts where some of the "missing" bitcoins were still sitting. Then, all of a sudden, when the Japanese court threatened him with arrest, he was suddenly able to "find" and produce them.
  • Dear slashdot, (Score:5, Interesting)

    by Orgasmatron ( 8103 ) on Wednesday April 09, 2014 @10:17AM (#46704951)
    This paper has already been widely dismissed by the bitcoin community. Not that we necessarily think that Mtgox was actually hit by a malleability attack. Just that this paper is nonsense.

    The very short version is that what these "researchers" were looking at isn't actually how the alleged bug would have worked.
    • Re:Dear slashdot, (Score:5, Interesting)

      by kasperd ( 592156 ) on Wednesday April 09, 2014 @10:53AM (#46705295) Homepage Journal

      Just that this paper is nonsense.

      Care to answer a few questions then?

      • How did the transactions found by these researchers happen, if not by a malleability attack?
      • If a malleability attack would not result in transactions looking like what was found by these researchers, then what would it look like?
      • What is the explanation for the spike found just after the announcement, if that was not due to copy-cats attempting malleability attacks?
      • The signature is two values (r,s). These values are stored and transmitted as binary strings. They have a maximum length, but not a minimum. So, if your calculated r is less than 2^248, the most significant byte is all zeros, ditto 2^240 and the next byte.

        The spec says to minimize the encoding, but openssl accepts the padded form. The bitcoin software started refusing to relay transactions with improperly padded transactions, even though they are still valid, if they make it into a block.

        So, as the
        • by kasperd ( 592156 )

          The bitcoin software started refusing to relay transactions with improperly padded transactions, even though they are still valid, if they make it into a block.

          Are there any plans to stop accepting them in blocks?

          The claimed attack is that people took these transactions, fixed them, and broadcast them.

          I guess we can agree, that the article is not covering this attack, but rather a very different attack.

          but they don't work very often, since it involves accepting a transaction over the p2p network, changing i

          • No, there is no intention to tighten the blockchain rules at this time. This would cause a hard fork, and breaking compatibility with old versions is not considered lightly.

            Mtgox's software is unique. The reference client, for example, can not be fooled by changing transaction IDs. The frequency of success at actually winning the race to get the modified version into a block only matters if you've written your own software that is totally reliant on transaction IDs.

            There are two values, each with a 1 in

            • by kasperd ( 592156 )

              No, there is no intention to tighten the blockchain rules at this time. This would cause a hard fork, and breaking compatibility with old versions is not considered lightly.

              And it should not be taken lightly. But as I understand it, such forks have been done in the past, and another one will be needed due to transaction volume approaching a hard limit imposed by the current rules. The particular tightening of the rules about signatures could piggyback on another update, which would cause a fork. Is there an

    • by PRMan ( 959735 )
      Um, no. Transaction malleability is easy to find on any miner's log. I am sure these guys are correct.
      • I didn't say that mutated transactions didn't exist, or that the researchers haven't actually seen any.

        They certainly do exist, and I have no reason to doubt that the researchers have found some in the wild.

        I'm saying that if such an attack had been responsible for Mtgox's woes (which I and, I think, most others find extremely unlikely), they would not be visible using the methodology discussed in this paper.

    • by ras ( 84108 )

      The very short version is that what these "researchers" were looking at isn't actually how the alleged bug would have worked.

      That is far too short to be useful.

      Mtgox's malleability problem was caused, ironically, by the protocol fixing one source of it. When that happened the network started rejecting mtgox's transactions, in fact they weren't even relayed.

      The paper says there were no malleability attacks of the scale mtgox claims because they didn't see the required number of malleable transactions. This would have been reasonable if the attacker also depended on seeing the malleable transactions relayed by the network. But the
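
Added example, not part of the original discussion and not code from any Bitcoin implementation: the encoding issue the comments above describe, where the same (r, s) signature is accepted in both minimal and zero-padded form so the bytes hashed into a transaction ID can differ, together with a strict minimal-encoding check that rejects the padded form. `R`, `S` and `PAYLOAD` are constructed values, and `toy_txid` is a simplified stand-in for hashing a full serialized transaction.

```python
import hashlib

def der_int(value: int, pad: int = 0) -> bytes:
    # DER INTEGER for a positive value; pad > 0 prepends surplus zero bytes.
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:               # one leading zero is mandatory here (keeps it positive)
        body = b"\x00" + body
    body = b"\x00" * pad + body
    return b"\x02" + bytes([len(body)]) + body

def der_sig(r: int, s: int, pad_r: int = 0) -> bytes:
    body = der_int(r, pad_r) + der_int(s)
    return b"\x30" + bytes([len(body)]) + body

def parse_int(buf: bytes, pos: int, strict: bool):
    if pos + 2 > len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER")
    length = buf[pos + 1]
    raw = buf[pos + 2 : pos + 2 + length]
    if length == 0 or len(raw) != length:
        raise ValueError("bad INTEGER length")
    if strict and raw[0] & 0x80:
        raise ValueError("negative INTEGER")
    if strict and length > 1 and raw[0] == 0 and not raw[1] & 0x80:
        raise ValueError("non-minimal INTEGER: surplus zero padding")
    return int.from_bytes(raw, "big"), pos + 2 + length

def parse_sig(sig: bytes, strict: bool = True):
    # Returns (r, s). strict=False models a lenient parser that tolerates padding.
    if len(sig) < 2 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("bad SEQUENCE header")
    r, pos = parse_int(sig, 2, strict)
    s, pos = parse_int(sig, pos, strict)
    if pos != len(sig):
        raise ValueError("trailing bytes")
    return r, s

def toy_txid(payload: bytes, sig: bytes) -> str:
    # Simplified stand-in: double SHA-256 over payload plus signature bytes.
    return hashlib.sha256(hashlib.sha256(payload + sig).digest()).hexdigest()

# Constructed sample values (not real keys, signatures or transactions).
R = int("3f" * 31, 16)               # below 2^248, so it fits in 31 bytes
S = int("5a" * 32, 16)
PAYLOAD = b"constructed-transaction-body"
MINIMAL = der_sig(R, S)
PADDED = der_sig(R, S, pad_r=1)      # same (r, s), one surplus zero byte on r

if __name__ == "__main__":
    print("lenient parse equal:", parse_sig(PADDED, strict=False) == parse_sig(MINIMAL))
    print("ids differ:", toy_txid(PAYLOAD, MINIMAL) != toy_txid(PAYLOAD, PADDED))
```

Software that tracks a payment by transaction ID alone treats the two encodings as different transactions, which is why the strict check belongs at the point where signatures are accepted.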
