Transaction ID malleability attack spreads to Bitcoin-wide DDoS attempt

It all started with such humble beginnings: MtGox blamed the Bitcoin protocol for woes caused by its own poorly implemented code. Then someone decided to use what had been harassing MtGox across the whole network, and exchanges throughout the Bitcoin industry started checking their own code.

The attack takes advantage of a characteristic of the Bitcoin protocol that allows transaction IDs to change after a transaction happens but before it is forever enshrined in the Blockchain. Due to this malleability, it has been suggested for over a year that clients not use transaction IDs to verify that bitcoins have changed hands. However, the problem appears to be industry-wide: some codebases that run bitcoin wallets might be susceptible.
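To illustrate why a wallet that tracks payments by transaction ID gets confused, here is an added example (not code from any exchange or from Bitcoin Core) that reconciles pending withdrawals against a block two ways. It assumes a simplified toy serialization rather than the Bitcoin wire format; the names `payment_key`, `make_tx` and `unconfirmed` and all sample data are constructed for illustration.

```python
import hashlib

def sha256d(data: bytes) -> str:
    """Double SHA-256, the hash Bitcoin applies to a serialized transaction."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()

def _spend(tx: dict) -> list:
    """Outpoints consumed and outputs created: what the payment actually does."""
    return ([f"{i['prev_txid']}:{i['vout']}" for i in tx["inputs"]]
            + [f"{o['address']}:{o['satoshis']}" for o in tx["outputs"]])

def txid(tx: dict) -> str:
    """Toy txid (assumed serialization): covers the signature script bytes too."""
    sigs = [i["script_sig"].hex() for i in tx["inputs"]]
    return sha256d("|".join(_spend(tx) + sigs).encode())

def payment_key(tx: dict) -> str:
    """Hypothetical stable key: ignores signature script bytes entirely."""
    return sha256d("|".join(_spend(tx)).encode())

def make_tx(prev_txid, vout, script_sig, address, satoshis) -> dict:
    return {"inputs": [{"prev_txid": prev_txid, "vout": vout,
                        "script_sig": bytes.fromhex(script_sig)}],
            "outputs": [{"address": address, "satoshis": satoshis}]}

# Constructed sample data: two withdrawals the exchange broadcast.
PENDING = [
    {"withdrawal_id": "W-1001", "tx": make_tx("aa" * 32, 0, "01", "customer-1", 50_000_000)},
    {"withdrawal_id": "W-1002", "tx": make_tx("bb" * 32, 1, "01", "customer-2", 20_000_000)},
]
# Constructed block: W-1001's spend was mined with different signature script
# bytes (placeholder values), W-1002 was not mined, one transaction is unrelated.
BLOCK = [
    make_tx("aa" * 32, 0, "02", "customer-1", 50_000_000),
    make_tx("cc" * 32, 0, "01", "someone-else", 10_000_000),
]

def unconfirmed(pending: list, block_txs: list, key_fn) -> list:
    """Withdrawal IDs whose transaction is not found in the block under key_fn."""
    seen = {key_fn(tx) for tx in block_txs}
    return [w["withdrawal_id"] for w in pending if key_fn(w["tx"]) not in seen]

if __name__ == "__main__":
    print("still pending by txid:       ", unconfirmed(PENDING, BLOCK, txid))
    print("still pending by payment key:", unconfirmed(PENDING, BLOCK, payment_key))
```

Matching on the transaction ID leaves W-1001 looking unpaid even though its coins moved, which is the balance inconsistency that would tempt a naive system to pay again; matching on the inputs spent and outputs created reports only W-1002 as outstanding.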

Some enterprising hacker has decided to flood the Bitcoin network with a massive number of trick transactions that do exactly this in an attempt to fog and confuse poorly written clients.

Tx malleability is now used in active broad-based attack against bitcoin network. Funds NOT at risk, but Denial-of-Service in progress

— AndreasMAntonopoulos (@aantonop) February 11, 2014

Needless to say, industry experts such as CSO of Andreas Antonopoulos and Core dev Greg Maxwell have come out to say that this “transaction ID malleability attack” does not affect people’s bitcoin wallets or funds; but by flooding the network with this sort of transaction, an attacker is causing some distress. It will slow down transactions, expand the Blockchain size, and consume additional, unnecessary bandwidth—it’s no killer for the Bitcoin protocol, but it’s certainly not healthy either.

Bitcoin community- and industry-wide reaction underway

Speaking to Coindesk, Antonopoulos cited the DDoS attempt as problematic but fixable:

“So as transactions are being created, malformed/parallel transactions are also being created so as to create a fog of confusion over the entire network, which then affects almost every single implementation out there,” he said.

We can expect some exchanges to suspend withdrawals while they double-check their own code and work with Bitcoin Core developers to provide a lasting solution to the problem. Since the attack doesn’t affect properly sequenced and verified transactions, it will have little lasting effect on bitcoin users, but the presence of such an attack certainly means that better standards are needed for exchanges to adhere to.

“It’s important to note no funds have been lost. Withdrawals have been halted to prevent funds from being lost or to prevent the balances from going out of sync,” he emphasized.

Bitstamp suspends BTC withdrawals for update

Following suit with MtGox, Bitstamp is suspending BTC transactions temporarily to make sure its own code is up to par.

Bitstamp’s exchange software is extremely cautious concerning Bitcoin transactions. Currently it has suspended processing Bitcoin withdrawals due to inconsistent results reported by our bitcoind wallet, caused by a denial-of-service attack using transaction malleability to temporarily disrupt balance checking. As such, Bitcoin withdrawal processing will be suspended temporarily until a software fix is issued.

Antonopoulos appears confident that withdrawal freezes from major exchanges will be resolved in “24 to 72 hours.”