On Mon, Feb 10, 2014 at 11:47 AM, Oliver Egginger <bitc...@olivere.de> wrote: > As I understand this attack someone renames the transaction ID before > being confirmed in the blockchain. Not easy but if he is fast enough it > should be possible. With a bit of luck for the attacker the new > transaction is added to the block chain and the original transaction is > discarded as double-spend. Right? > > Up to this point the attacker has nothing gained. But next the attacker > stressed the Gox support and refers to the original transaction ID. Gox > was then probably fooled in such cases and has refunded already paid > Bitcoins to the attackers (virtual) Gox-wallet.
At this point the attack should fail. Before crediting the funds back Gox should form a new transaction moving at least one of the coins the prior transaction was spending and wait for that transaction to confirm. Without performing this step— even if there were no malleability at all you'd have the risk that someone would go resurrect the old transaction and get a miner to mine it. Then it goes through. With performing it, even if they missed the mutated transaction in the chain their cancellation transaction could not confirm (because its a double spend). > So far everything is clear. But what I do not understand: Why apparently > had so many customers of Gox payment defaults or severely delayed > payments? Back in September a lot of people were having stuck transactions and when I looked it was because Mtgox was spending immature coins: newly generated coins which cannot be spent for 100 blocks since their creation. (A rule since Bitcoin's started) Then later it was noticed that they were producing transactions with invalid DER encodings (excessively padded signatures). The Bitcoin network used to accept these transactions, but in order to more towards eliminating malleability Bitcoin 0.8 and later will not relay and mine them. Then after people started using mutation to fix those excessively padded transactions and/or someone was exploiting Gox's behavior— it seems that Gox's wallet may have been in a state where it thought a lot of coins weren't spent that were and was reusing them in new transansactions... this one is harder to tell externally— I saw it appeared to be producing a LOT of double spends with different destinations, but I'm guessing as to the exact cause. ------------------------------------------------------------------------------ Android apps run on BlackBerry 10 Introducing the new BlackBerry 10.2.1 Runtime for Android apps. Now with support for Jelly Bean, Bluetooth, Mapview and more. Get your Android app in front of a whole new audience. Start now. http://pubads.g.doubleclick.net/gampad/clk?id=124407151&iu=/4140/ostg.clktrk _______________________________________________ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
