= Magic the Gathering Online eXchance • July 2010 – MtGox was transformed to a bitcoin exchance site. (31/10/2008 Satoshi's paper) • By 2013 MtGox was handling 70% of all Bitcoin transactions. • February 2014 – closed and filed for bankruptcy claiming attackers used malleability attacks to drain its accounts https://en.bitcoin.it/wiki/History
i.e. ~ $700,000,000 were lost. • But... • This research have shown that barely 386 bitcoins could have been stolen (prior to its bankruptcy) using malleability attacks from MtGox
• UPnP is used to dynamically open ports • Peer discovery – DNS seeds (Demo) • Process is susceptible to MitM attacks therefore client shouldn't rely on DNS seeds exclusively • The nodes on the network exchange transactions, blocks, and addresses of other peers with each other
Collision resistance; hard to find m1!=m2 such that h(m1)=h(m2) • Appear random & hide info. (1st / 2nd pre-image resistance) • Hence, if two strings have the same digest, one can be very confident that they are identical • Usage: storing password in DB, Linux PRNG, Bitcoin, etc.
key. • Everything encrypted with the public key can only be decrypted using the private key. • Everything 'encrypted' with the private key can only be decrypted using the public key. • RSA → N=p*q, ECC/ECDSA → n*P=Q • Bitcoin uses the secp256k1 curve: • In ECC keys are much smaller: 224 → 2048 (https://www.nsa.gov/business/programs/elliptic_curve.shtml) y2=x3+7
told Ars. "Goodman showed up at his house, scared his elderly mother, obtained his e-mail address by deception, and misquoted or invented quotes from both him and his brothers. They published his health, financial, and employment history recklessly. They need to account for what they did." Bitcoin community raised about $23,000 to help Dorian
a transaction is signed, unlike most systems where the public key is made public. • provides security against unanticipated problems which might allow reconstruction of private keys from public key data at some later point. • Example: Paper - Mining your Ps and Qs – Heninger et al. https://factorable.net/weakkeys12.extended.pdf • * d ≡ e−1 (mod φ(n)), φ(n) = φ(p)φ(q) = (p − 1)(q − 1)
of a passphrase • e.g. Private key = SHA256("The Times 03/Jan/2009 Chancellor on brink of second bailout for banks") • Demo time, Cool eh? NOT!! (Another demo)
of a passphrase • e.g. Private key = SHA256("The Times 03/Jan/2009 Chancellor on brink of second bailout for banks") • Demo time, Cool eh? NOT!! (Another demo) • The first rule of Security is: You do not trust user input. • The second rule of Security is: You DO NOT trust user input. *Rainbow-table *Space-time t.o *Bots *A5.1-kraken
= 10-8BTC • Moves bitcoins between one or more inputs and outputs (each tx has at least one i/o) • Each output then waits as an Unspent Transaction Output (UTXO) until a later input spends it • Each input used must be entirely spent in a transaction.
knows Bob's bitcoin address • She creates a standard P2PKH transaction output containing instructions which allow anyone to spend that output if they can prove they control the private key corresponding to Bob’s hashed public key. These instructions are called scriptPubKey. • Alice broadcasts the transaction and it is added to the block chain. The network categorizes it as an Unspent Transaction Output (UTXO), and Bob's wallet software displays it as a spendable balance.
an input which references the transaction Alice created by its hash – txid, and the specific output she used by its index number (output index). • He must then create a signature script— called scriptSig – which contains his own public key and a signature of the transaction with its private key. • Bob's input scriptSig must satisfy the conditions of Alice's scriptPubKey .
that comes from nature or nurture, I cannot say. Part of being optimistic is keeping one’s head pointed toward the sun, one’s feet moving forward. There were many dark moments when my faith in humanity was sorely tested, but I would not and could not give myself up to despair. That way lays defeat and death." "I learned that courage was not the absence of fear, but the triumph over it. The brave man is not he who does not feel afraid, but he who conquers that fear." "Difficulties break some men but make others. No axe is sharp enough to cut the soul of a sinner who keeps on trying, one armed with the hope that he will rise even in the end." "It always seems impossible until it’s done." "When a man has done what he considers to be his duty to his people and his country, he can rest in peace." "Real leaders must be ready to sacrifice all for the freedom of their "Everyone can rise above their circumstances and achieve success if they are dedicated to and passionate about what they do." "Education is the most powerful weapon which you can use to change the world." "For to be free is not merely to cast off one’s chains, but to live in a way that respects and enhances the freedom of others." "There is no passion to be found playing small – in settling for a life that is less than the one you are capable of living." “There is nothing like returning to a place that remains unchanged to find the ways in which you yourself have altered.” -Nelson Mandela
Prayers from miners • Tribute to cryptographer Len Sassaman • by Dan Kaminsky and Travis Goodspeed(Demo) • Prayers from miners (Demo) • The original bitcoin paper, Wikileaks data Firmware private keys Oh shit," he mumbled. "I just broke the Internet."
that a valid transaction has the following scriptSig: A copy of the transaction with the following scriptSig What do the transactions share? transaction_malleability_OP_PUSHDATA2
say that a valid transaction has the following scriptSig: A copy of the transaction with the following scriptSig What do the transactions share? Same SIGNATURE! [bcz as we've seen the scriptSig isn't signed]
that a valid transaction has the following scriptSig: A copy of the transaction with the following scriptSig What do the transactions share? Same SIGNATURE! [bcz as we've seen the scriptSig isn't signed] What don't the transactions share? transaction_malleability_OP_PUSHDATA2
that a valid transaction has the following scriptSig: A copy of the transaction with the following scriptSig What do the transactions share? Same SIGNATURE! [bcz as we've seen the scriptSig isn't signed] What don't the transactions share? Different txid ! transaction_malleability_OP_PUSHDATA2
that a valid transaction has the following scriptSig: A copy of the transaction with the following scriptSig: What do the transactions share? Same SIGNATURE! [bcz as we've seen the scriptSig isn't signed] What don't the transactions share? Different txid ! [bcz we change data in the transaction] transaction_malleability_OP_PUSHDATA2
A tx that transfers some of its funds to Payee#1 {say Amazon} • A tx that transfers the same funds back to himself • Goal: convince Payee#1 that it received the funds, triggering a transfer of goods from Payee#1 to the Attacker. • Bitcoin 'solves' it with its confirmation system [6 confirmations = pretty good security] https://en.bitcoin.it/wiki/Weaknesses - haven't read; no time Sends a laptop
send him funds • Attacker waits for tx1 to be broadcast in the network • Attacker received tx1, broadcasts tx2=f(tx1) – tx1 with modified scriptSig • Either tx1 or tx2 may be confirmed, if tx2 is confirmed mal. Atk. is successful • If the Payer's client rely solely on the txid to track and verify its balance, it will see tx1 as unconf., and send tx3 tx2=f(tx1) tx1 tx3 Payer thinks that the funds Didnt reach payee bcz the tx1_id was unconfirmed (he thinks it was unconfirmed)
not susceptible to this attack – it tracks the UTXO and verifies it tx2=f(tx1) tx1 tx3 Payer thinks that the funds Didnt reach payee bcz the tx1_id was unconfirmed
of Bitcoin Withdrawals February 7 2014 February 8 2014 February 9 2014 February 28 2014 February 10 2013 2nd Press Release Blamed tx malleability For unconf. tx ??th Press Release Filing for bankruptcy in Japan and USA February 23 2014 Collection of Transaction Begins Collection of Transaction Stops Mtgox.com returned blank page; trading halt Period1: Over a year of measurements until the closure of withdrawals from MtGox Period2: Withdrawals are stopped but no details about the attack known to public Period3: time following the press release blaming tx malleability as the root cause of missing bitcoins until MtGox filed for bankruptcy
or more transactions, these transactions are said to conflict • As soon of one of the two conflicting transactions(d.spend, m.atk) is considered to be confirmed the nodes will drop all other conflicting transactions. • They created specialized nodes that would trace and dump all transactions from the Bitcoin network (mainnet) • Each node was connected to 992 on average (recall Balmert et al.) [w.p. ~1 the node see every tx on the net]
the txs, [?and hash it?] will result in a unique key • The unique key group txs together into conflict sets • During the measurement period a total of 35,002 conflict sets were identified. • Out of these conflict setts 29,139 contained a transaction that would later be confirmed by a block. Remaining 6,603 were invalid bcz they claimed non-existent output, had an incorrect signature ...
values of one of the tx in the conflict set (each tx in the conflict is identical minus the scriptSig ). • Summing the value of all the conflict sets result in a total of 302,700 BTC that were involved in malleability attacks • There exists other tx mal. Atks other than OP_PUSHDATA2 [in the signature of the e.g. Inherent ECDSA signature malleability – more at BIP-0062] • 28,595 out of the 29,139 confirmed attacks had the OP_PUSHDATA2 modification • For the remaining 544 they were unable to identify the original transaction. All of them had original opcodes. ???? ...
values of one of the tx in the conflict set (each tx in the conflict is identical minus the scriptSig ). • Summing the value of all the conflict sets result in a total of 302,700 BTC that were involved in malleability attacks • There exists other tx mal. Atks other than OP_PUSHDATA2 [in the signature of the e.g. Inherent ECDSA signature malleability – more at BIP-0062] • 28,595 out of the 29,139 confirmed attacks had the OP_PUSHDATA2 modification • For the remaining 544 they were unable to identify the original transaction. All of them had original opcodes. ???? ... “DEMO”
• 1. the modified tx has to be confirmed • 2. the system issuing the tx must rely solely on the txid to track its confirmation • • 1. can be easily reconstructed from the blockchain • 2. “can't”. “It is not possible to determine if two payments with the same value to the same address were intended as two separate payments or an automated system issued the second one believing the first to be invalid.” ?? • Out of the 28,595 tx mal. Atk.s only 5,670 were sucessful. i.e. 19.46%. ...
5,670 were sucessful. i.e. 19.46%. • [ Val{28,595}/Val{5,760} ]*100 = 21.36% • This reducess the total profit of the successful attacks from 302,700 to 64,564 • Strong bias towards the original tx. Why ? ...
over 850,000 BTC out of which 750,000 BTC are customer-owned. • At the time of the first press release bitcoins were trading at $827 i.e. ~ $700,000,000 were lost. • But... As we've seen the total conflict set value of our dataset is 302,700 BTC. {lie?} • More than that
of Bitcoin Withdrawals February 7 2014 February 8 2014 February 9 2014 February 28 2014 February 10 2013 2nd Press Release Blamed tx malleability For unconf. tx ??th Press Release Filing for bankruptcy in Japan and USA February 23 2014 Collection of Transaction Begins Collection of Transaction Stops Mtgox.com returned blank page; trading halt Period1: Over a year of measurements until the closure of withdrawals from MtGox Period2: Withdrawals are stopped but no details about the attack known to public Period3: time following the press release blaming tx malleability as the root cause of missing bitcoins until MtGox filed for bankruptcy Malleability attacks in period 2 and 3 could not Contribute to the losses declared by MtGox since They happened after withdrawals have been stopped
conflict sets were identified for a total value of 1,811.53 BTC • In combination with the ~20% success rate we conclude that malleability attacks did not have any substantial influence in the loss of bitcoins incurred by MtGox. (around 380 BTC could have been stolen from MtGox or from other businesses)
totalling 5,470 BTC • A noticeable increase of attacks at 17:00 UTC on February 9, from 0.15 attacks per hour to 132 attacks per hour • The sudden increase suggests that immediately following the second press release other attackers started imitating the attack. • During period 3 – After the second press release between Feb. 10 and 11 they identified 25,752 individual attacks totalling 286,076 BTC.
[Maybe the courts handling the bankruptcy ?] • A speculation: it was an inside job/hackers at MtGox {using bots named by the community Willy and Markus}. • More information: http://willyreport.wordpress.com/
the courts handling the bankruptcy ?] • A speculation: it was an inside job/hackers at MtGox {using bots named by the community Willy and Markus}. • More information: http://willyreport.wordpress.com/ PLEASE FIND A WAY TO HARNESS BITCOIN “PROOF-OF-WORK” TO SOLVE SOME OF HUMANITIES PROBLEMS. E.G: EBOLA.
http://www.nadjakahan.com If you're interested in the “Attacking the Linux PRNG on Android” talk We're presenting it again at DC9723 on 18/11 At Checkpoint offices
sagi
recruitengineers
makky_tyuyan
trycycle
yajihum
dayjournal
nakasho
kawaguti
paraworld
coconala_engineer
bkuhlmann
saramune
doradora09
akosma
csswizardry
matthewcrist
gr2m
kevinliebholz
samlambert
paigeccino
addyosmani
lemiorhan
ufuk
tmm1
maggiecrowley
![Bitcoin Transaction Malleability & MtGox [C.Decker, R.Wattenhofer] Sagi Kedmi Advanced](https://files.speakerdeck.com/presentations/5cece34f245e47888e1a1560510d20ee/slide_0.jpg){kind=link}
![P2PKH_transaction Demo [Transaction on testnet3]](https://files.speakerdeck.com/presentations/5cece34f245e47888e1a1560510d20ee/slide_29.jpg){kind=link}
![blockchain_treasures • XSS Payload! (Demo) [*SQLinjection] https://blockchain.info/tx/59bd7b2cff5d a929581fc9fef31a2fba14508f1477e366befb1 eb42a8810a000 •](https://files.speakerdeck.com/presentations/5cece34f245e47888e1a1560510d20ee/slide_32.jpg){kind=link}
