Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194] helo=mx.sourceforge.net) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1WCxeE-0004Rh-Vs for bitcoin-development@lists.sourceforge.net; Mon, 10 Feb 2014 20:40:11 +0000 Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of gmail.com designates 209.85.217.172 as permitted sender) client-ip=209.85.217.172; envelope-from=gmaxwell@gmail.com; helo=mail-lb0-f172.google.com; Received: from mail-lb0-f172.google.com ([209.85.217.172]) by sog-mx-4.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1WCxeE-0002gP-2q for bitcoin-development@lists.sourceforge.net; Mon, 10 Feb 2014 20:40:10 +0000 Received: by mail-lb0-f172.google.com with SMTP id c11so5270447lbj.31 for ; Mon, 10 Feb 2014 12:40:03 -0800 (PST) MIME-Version: 1.0 X-Received: by 10.112.173.6 with SMTP id bg6mr22189424lbc.17.1392064803464; Mon, 10 Feb 2014 12:40:03 -0800 (PST) Received: by 10.112.198.34 with HTTP; Mon, 10 Feb 2014 12:40:03 -0800 (PST) In-Reply-To: <52F92CE3.7080105@olivere.de> References: <52F92CE3.7080105@olivere.de> Date: Mon, 10 Feb 2014 12:40:03 -0800 Message-ID: From: Gregory Maxwell To: Oliver Egginger Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -1.6 (-) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (gmaxwell[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1WCxeE-0002gP-2q Cc: Bitcoin Development Subject: Re: [Bitcoin-development] Malleability and MtGox's announcement X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 Feb 2014 20:40:11 -0000 On Mon, Feb 10, 2014 at 11:47 AM, Oliver Egginger wrot= e: > As I understand this attack someone renames the transaction ID before > being confirmed in the blockchain. Not easy but if he is fast enough it > should be possible. With a bit of luck for the attacker the new > transaction is added to the block chain and the original transaction is > discarded as double-spend. Right? > > Up to this point the attacker has nothing gained. But next the attacker > stressed the Gox support and refers to the original transaction ID. Gox > was then probably fooled in such cases and has refunded already paid > Bitcoins to the attackers (virtual) Gox-wallet. At this point the attack should fail. Before crediting the funds back Gox should form a new transaction moving at least one of the coins the prior transaction was spending and wait for that transaction to confirm. Without performing this step=E2=80=94 even if there were no malleability at= all you'd have the risk that someone would go resurrect the old transaction and get a miner to mine it. Then it goes through. With performing it, even if they missed the mutated transaction in the chai= n their cancellation transaction could not confirm (because its a double spen= d). > So far everything is clear. But what I do not understand: Why apparently > had so many customers of Gox payment defaults or severely delayed > payments? Back in September a lot of people were having stuck transactions and when I looked it was because Mtgox was spending immature coins: newly generated coins which cannot be spent for 100 blocks since their creation. (A rule since Bitcoin's started) Then later it was noticed that they were producing transactions with invali= d DER encodings (excessively padded signatures). The Bitcoin network used to accept these transactions, but in order to more towards eliminating malleability Bitcoin 0.8 and later will not relay and mine them. Then after people started using mutation to fix those excessively padded transactions and/or someone was exploiting Gox's behavior=E2=80=94 it seems= that Gox's wallet may have been in a state where it thought a lot of coins weren= 't spent that were and was reusing them in new transansactions... this one is harder to tell externally=E2=80=94 I saw it appeared to be producing a L= OT of double spends with different destinations, but I'm guessing as to the exact cause.