Denial of Service at bitcoin exchanges – What happened there? (and why you shouldn't worry)

Over the past few hours many large bitcoin exchanges have frozen account withdrawals due to a bug that is present in many implementations of bitcoin software. First, some reassurance: it currently does not seem that anyone is in danger of losing money, and the freeze is no more than a precaution (update: as of 25/2/14 it seems Mt. Gox has lost millions of dollars to theft). We expect this freeze to last from a few hours to days.

Bits of Gold clients are not affected by this bug. We go to great lengths to ensure our clients' privacy and data security, and we follow the latest developments in the bitcoin protocol in order to guard against such cases.

We will try to explain succinctly the bug and how it could be exploited to attack an exchange. We'll also touch on how this bug will be fixed.

The transaction malleability bug was first reported in May 2011 on Bitcointalk by user Enochian. It is not a bug in the Bitcoin protocol but rather in a software library called OpenSSL, which most Bitcoin clients use. To understand this bug and its exploit, it is first important to understand in general terms how a typical Bitcoin transaction is built.

When Alice sends Bob a bitcoin, what is she actually doing? Alice is broadcasting to the Bitcoin network that she is passing to Bob ownership of a bitcoin that she received in the past, and signs this broadcast. Alice creates a transaction with the following data: id of the previous transaction (the one in which Alice received her bitcoin, for instance from Bits of Gold), Bob's bitcoin address, amount to transfer to Bob, and a signature on all of the above data which proves that she is indeed the owner of the money from the previous transaction.

The above transaction is broadcast to the network, and all the Bitcoin users, specifically the miners, validate that the transaction is indeed legal. A unique id is created for the transaction, which is a special sort of compression (hashing) of all said data.

Now, if Bob wants to spend the money he received, he must first give the id of the previous transaction, the one Alice created. This is where the transaction malleability bug comes in. One of the parameters needed for Alice's digital signature is a number called 's'. For instance, let's imagine Alice chose 42. If we were to change this number to 042 or 0042 or 00042, the transaction would still be valid because the numerical value is the same. On the other hand, when we compress the data in order to find the transaction id, we'd get a different id from the original. How could a hacker exploit this?

A hacker can listen to the Bitcoin network for a transaction from Alice to Bob, change the number 42 to 042 and re-send the new transaction. It is important to understand that Alice's money will still be sent to Bob; only the transaction id will differ. Now let's say that Alice is actually an exchange, MtAlice, and the hacker is Bob, who has requested to withdraw 100 bitcoins from his account. Once MtAlice sends him the money, he immediately broadcasts to the miners an identical transaction with a different id. Bob receives 100 bitcoins, but now it is possible that MtAlice's internal accounting software doesn't find the transaction id it expects to see on the blockchain, and so it leaves the 100 bitcoins in Bob's account balance. Now he can repeat this process and take more and more money from MtAlice.

The bug we explained is easy to fix. We simply check all parameters of the signature and make sure we delete any leading 0's (this is a bit of a simplification, sometimes there are leading 1's but the idea is the same). In addition, the internal accounting software should not be dependent on transaction ids. We should point out that it is not known that this bug has been exploited, and the withdrawal freeze is a precaution pending further auditing of the exchanges' control and accounting procedures. As we pointed out, Bits of Gold's systems are not affected by this bug and neither are our clients.
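The two fixes described above (rejecting padded signature numbers, and accounting that does not depend on transaction ids), as an added example that is not Bits of Gold's or any exchange's code. It uses a simplified toy transaction format rather than Bitcoin's real serialization; `payment_key`, `reconcile` and the sample field values are hypothetical and constructed for illustration.

```python
import hashlib

def der_int(value, extra_zeros=0):
    """DER INTEGER for a small positive value; extra_zeros adds the padding described above."""
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:                      # one 0x00 is required here to keep the value positive
        raw = b"\x00" + raw
    raw = b"\x00" * extra_zeros + raw
    return bytes([0x02, len(raw)]) + raw   # short-form length only (under 128 bytes)

def is_canonical_int(enc):
    """Accept exactly one encoding per number: no unnecessary leading zero bytes."""
    if len(enc) < 3 or enc[0] != 0x02 or enc[1] != len(enc) - 2:
        return False
    body = enc[2:]
    if body[0] & 0x80:                     # would decode as a negative number
        return False
    return not (len(body) > 1 and body[0] == 0 and not body[1] & 0x80)

def sha256d(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()

def txid(signed_fields, s_enc):
    """The id covers the signature bytes, so it depends on how 's' is written."""
    return sha256d(signed_fields + s_enc)

def payment_key(signed_fields):
    """Covers only what the sender signed: previous id, recipient, amount."""
    return sha256d(signed_fields)

def reconcile(pending, signed_fields, s_enc):
    """Mark a withdrawal as paid when its signed content confirms, whatever its txid."""
    note = "canonical" if is_canonical_int(s_enc) else "non-canonical signature encoding"
    paid = pending.pop(payment_key(signed_fields), None)
    return paid, note

# Constructed sample data, not a real transaction.
FIELDS = b"prev=EXAMPLE-PREV-ID;to=EXAMPLE-ADDRESS;amount=100"
ORIGINAL_S = der_int(42)                   # bytes 02 01 2a
PADDED_S = der_int(42, extra_zeros=1)      # bytes 02 02 00 2a, same number

if __name__ == "__main__":
    pending = {payment_key(FIELDS): "withdrawal #1 (constructed)"}
    print("same txid: ", txid(FIELDS, ORIGINAL_S) == txid(FIELDS, PADDED_S))
    print("strict check accepts padded 's':", is_canonical_int(PADDED_S))
    print("reconciled:", reconcile(pending, FIELDS, PADDED_S))
```

A node applying the strict check would refuse the padded form outright; the reconciliation step still settles the withdrawal if a re-encoded copy is the one that confirms.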

The most important lesson: we recommend that our clients hold their own bitcoins and not keep large amounts of bitcoin with an exchange over time. We will soon offer our clients solutions to keep bitcoin in their hands safely over time. We at Bits of Gold continue towards our vision to make bitcoin accessible to the Israeli community by allowing easy purchase, safeguarding and usage of bitcoin in Israel. You are always welcome to turn to us with any question or remark. We'll be happy to help!