Transaction ID malleability attack spreads to Bitcoin-wide DDoS attempt

It all started with humble beginnings: MtGox blamed the Bitcoin protocol for woes that stemmed from its own poorly implemented code. Then someone decided to turn what had been harassing MtGox loose on the whole network, and exchanges across the Bitcoin industry started checking their own code.

The attack takes advantage of a characteristic of the Bitcoin protocol that allows a transaction's ID to change after the transaction has been broadcast but before it is permanently recorded in the blockchain. The ID is a hash of the whole serialized transaction, signature data included, and a third party can re-encode that signature data without invalidating the signature, so the same spend can circulate under more than one ID. Because of this malleability, clients have been advised for over a year not to rely on transaction IDs to verify that bitcoins have changed hands. It nonetheless appears to be an industry-wide problem: some of the codebases that run bitcoin wallets and exchange back ends may still be susceptible.

Some enterprising hacker has decided to flood the Bitcoin network with a massive number of such trick transactions in an attempt to confuse poorly written clients.

Tx malleability is now used in active broad-based attack against bitcoin network. Funds NOT at risk, but Denial-of-Service in progress

— AndreasMAntonopoulos (@aantonop) February 11, 2014

Needless to say, industry experts such as Andreas Antonopoulos and Bitcoin Core developer Greg Maxwell have come out to say that this "transaction ID malleability attack" does not put people's bitcoin wallets or funds at risk; but by flooding the network with these sorts of transactions an attacker is causing some distress. It slows down transactions and wastes relay bandwidth and node resources on duplicates that can never all be mined. It's no killer for the Bitcoin protocol, but it's certainly not healthy either.

Bitcoin community- and industry-wide reaction underway

Speaking to CoinDesk, Antonopoulos described the DDoS attempt as disruptive but fixable:

“So as transactions are being created, malformed/parallel transactions are also being created so as to create a fog of confusion over the entire network, which then affects almost every single implementation out there,” he said.

We can expect some exchanges to suspend withdrawals while they double-check their own code and work with Bitcoin Core developers on a lasting solution. Since the attack doesn't affect properly sequenced and verified transactions, it will have little lasting effect on bitcoin users, but the presence of such an attack certainly means that better standards are needed for exchanges to adhere to, starting with tracking a withdrawal by the inputs it spends and the outputs it creates rather than by its transaction ID.

“It’s important to note no funds have been lost. Withdrawals have been halted to prevent funds from being lost or to prevent the balances from going out of sync,” he emphasized.

Bitstamp suspends BTC withdrawals for update

Following MtGox's lead, Bitstamp is temporarily suspending BTC withdrawals to make sure its own code is up to par.

Bitstamp’s exchange software is extremely cautious concerning Bitcoin transactions. Currently it has suspended processing Bitcoin withdrawals due to inconsistent results reported by our bitcoind wallet, caused by a denial-of-service attack using transaction malleability to temporarily disrupt balance checking. As such, Bitcoin withdrawal processing will be suspended temporarily until a software fix is issued.

Antonopoulos appears confident that withdrawal freezes from major exchanges will be resolved in “24 to 72 hours.”
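The mechanism described earlier (a transaction's ID changing while the spend itself does not) and the "inconsistent results" Bitstamp reports from its wallet are the same thing seen from two sides. The following is an added example, not code from the article, from Bitstamp or from Bitcoin Core. It builds a constructed pre-SegWit transaction with placeholder signature and key bytes, re-encodes its scriptSig with OP_PUSHDATA1 instead of a direct push (an encoding nodes of that era accepted; later standardness rules and SegWit closed this class of mutation), and shows that the displayed txid changes while the inputs spent and outputs created are untouched. The `spend_id` helper, which hashes the transaction with its scriptSigs stripped, is an assumption of this example in the spirit of the later "normalized txid" proposals, and the `WithdrawalLedger` is a hypothetical stand-in for an exchange's reconciliation code.

```python
"""Transaction ID malleability: same spend, different txid (added example)."""
import hashlib
import struct


def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def varint(n: int) -> bytes:
    """Bitcoin CompactSize encoding."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def serialize_tx(version, inputs, outputs, locktime, strip_script_sigs=False):
    """Legacy (non-witness) serialization.
    inputs:  list of (prev_txid_hex, vout, script_sig, sequence)
    outputs: list of (value_satoshi, script_pubkey)"""
    raw = struct.pack("<i", version) + varint(len(inputs))
    for prev_txid, vout, script_sig, sequence in inputs:
        if strip_script_sigs:
            script_sig = b""
        raw += bytes.fromhex(prev_txid)[::-1]      # hashes are serialized little-endian
        raw += struct.pack("<I", vout)
        raw += varint(len(script_sig)) + script_sig
        raw += struct.pack("<I", sequence)
    raw += varint(len(outputs))
    for value, script_pubkey in outputs:
        raw += struct.pack("<q", value)
        raw += varint(len(script_pubkey)) + script_pubkey
    raw += struct.pack("<I", locktime)
    return raw


def txid(tx) -> str:
    """What wallets and explorers display: double-SHA256 of the whole serialization, reversed."""
    return dsha256(serialize_tx(*tx))[::-1].hex()


def spend_id(tx) -> str:
    """Assumed helper: hash of everything except the scriptSigs, so it is stable
    across signature re-encodings but still pins prevouts, amounts and outputs."""
    return dsha256(serialize_tx(*tx, strip_script_sigs=True))[::-1].hex()


# --- constructed sample transaction (placeholder bytes, not a real signature or key) ---
FAKE_SIG = b"\x30\x44\x02\x20" + b"\x11" * 32 + b"\x02\x20" + b"\x22" * 32 + b"\x01"  # 71 bytes
FAKE_PUBKEY = b"\x02" + b"\x33" * 32                                               # 33 bytes
PREV_TXID = "aa" * 32
P2PKH_OUT = b"\x76\xa9\x14" + b"\x44" * 20 + b"\x88\xac"                            # OP_DUP OP_HASH160 <20B> OP_EQUALVERIFY OP_CHECKSIG


def canonical_script_sig() -> bytes:
    # <sig> <pubkey> with minimal direct pushes (0x47 = push 71 bytes, 0x21 = push 33 bytes)
    return bytes([len(FAKE_SIG)]) + FAKE_SIG + bytes([len(FAKE_PUBKEY)]) + FAKE_PUBKEY


def malleated_script_sig() -> bytes:
    # Same data pushed via OP_PUSHDATA1 (0x4c): non-canonical but, for nodes of
    # that era, still valid. Script semantics are identical; only the bytes differ.
    return b"\x4c" + bytes([len(FAKE_SIG)]) + FAKE_SIG + bytes([len(FAKE_PUBKEY)]) + FAKE_PUBKEY


def build_tx(script_sig: bytes):
    return (1, [(PREV_TXID, 0, script_sig, 0xFFFFFFFF)], [(50_000_000, P2PKH_OUT)], 0)


class WithdrawalLedger:
    """Hypothetical reconciliation code: tracks broadcast withdrawals under a chosen key."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.state = {}

    def record_broadcast(self, tx):
        self.state[self.key_fn(tx)] = "pending"

    def on_confirmed(self, tx) -> bool:
        """False means the confirmed tx is not recognised: the point where txid-keyed
        code concludes the withdrawal never happened and balances go out of sync."""
        key = self.key_fn(tx)
        if key not in self.state:
            return False
        self.state[key] = "confirmed"
        return True


def demo() -> dict:
    original = build_tx(canonical_script_sig())
    malleated = build_tx(malleated_script_sig())   # the version a third party re-broadcast
    naive, robust = WithdrawalLedger(txid), WithdrawalLedger(spend_id)
    naive.record_broadcast(original)
    robust.record_broadcast(original)
    return {
        "txid_original": txid(original),
        "txid_malleated": txid(malleated),
        "spend_id_original": spend_id(original),
        "spend_id_malleated": spend_id(malleated),
        "naive_matched": naive.on_confirmed(malleated),
        "robust_matched": robust.on_confirmed(malleated),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and the two txids differ while the two spend IDs agree; the txid-keyed ledger fails to match the confirmed transaction to the withdrawal it recorded, which is the "inconsistent results" an exchange polling its wallet by txid would see. The robust ledger matches because what it tracks, the prevouts consumed and the outputs paid, is exactly what the attacker cannot change without invalidating the signature.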

About Kyt Dotson

Technology and civilization walk hand in hand and civilization is nothing without the skin of society, brushing up against itself, speaking strange nothings across dimly lit avenues and computer screens. If we're going to understand ourselves in this digital era, it will be through watching the adoption of technology by people to express themselves as people. I am an anthropologist and an author of science fiction and fantasy--and with my technology, I hope to open up new and exciting worlds that will not just enlighten the humanity of my friends and fans but also educate and enhance the expression of their own personhood. Find more of my work on Google+; send tips to @kytsune.