[Bitcoin-development] 2BTC reward for making probabalistic double-spending via conflicting transactions easy

[Bitcoin-development] 2BTC reward for making probabalistic double-spending via conflicting transactions easy

[Peter Todd]

[-- Attachment #1: Type: text/plain, Size: 1696 bytes --]

Now that I have the replace-by-fee reward, I might as well spread the
wealth a bit.


So for all this discussion about replace-by-fee and the supposed
security of zero-conf transactions, no-one seems to think much about how
in practice very few vendors have a setup to detect if conflicting
transactions were broadcast on the network simultaneously - after all if
that is the case which transaction gets mined is up to chance, so much
of the time you'll get away with a double spend. We don't yet have a
mechanism to propagate double-spend warnings, and funny enough, in the
case of a single txin transaction the double-spend warning is also
enough information to allow miners to implement replace-by-fee.


So I'm offering 2BTC for anyone who comes up with a nice and easy to use
command line tool that lets you automagically create one version of the
transaction sending the coins to the desired recipient, and another
version sending all the coins back to you, both with the same
transaction inputs. In addition to creating the two versions, you need
to find a way to broadcast them both simultaneously to different nodes
on the network. One clever approach might be to use blockchain.info's
raw transaction POST API, and your local Bitcoin node.

If you happen to be at the conference, a cool demo would be to
demonstrate the attack against my Android wallet. I'll buy Bitcoins off
of you at Mt. Gox rates + %10, and you can see if you can rip me off.
Yes, you can keep the loot. :) This should be videotaped so we can put
an educational video on youtube after.

-- 
'peter'[:-1]@petertodd.org
00000000000000bafd0a55f013e058cc2a672ee0c66b9265a02390d80e4748f5

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 490 bytes --]

Re: [Bitcoin-development] 2BTC reward for making probabalistic double-spending via conflicting transactions easy

[Peter Todd]

[-- Attachment #1: Type: text/plain, Size: 990 bytes --]

On Wed, May 15, 2013 at 07:38:27AM -0400, Peter Todd wrote:
> So I'm offering 2BTC for anyone who comes up with a nice and easy to use
> command line tool that lets you automagically create one version of the
> transaction sending the coins to the desired recipient, and another
> version sending all the coins back to you, both with the same
> transaction inputs. In addition to creating the two versions, you need
> to find a way to broadcast them both simultaneously to different nodes
> on the network. One clever approach might be to use blockchain.info's
> raw transaction POST API, and your local Bitcoin node.

Oh, and while we're at it, a good starting point for your work would be
Gavin's spendfrom utility in the contrib/spendfrom directory in the
Bitcoin-QT respository.

Also please do keep in mind that it's much better for the community if
an attack is demonstrated first, followed by releasing the code some
time later.

-- 
'peter'[:-1]@petertodd.org


[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 490 bytes --]

Re: [Bitcoin-development] 2BTC reward for making probabalistic double-spending via conflicting transactions easy

[Alan Reiner]

[-- Attachment #1: Type: text/plain, Size: 4240 bytes --]


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You can do this right now, with Armory.   If you switch Armory to Expert
usermode, you can combine coin-control with unsigned transactions to do
exactly this.  It's because Armory doesn't "lock" coins used in previous
unsigned transactions, until they're actually broadcast and confirmed to
be "out in the wild".  This was done for simplicity to avoid people
getting arbitrarily-locked coins, even though it means you end up
accidentally double-spending if you try to create two different unsigned
transactions from the same wallet without sign&broadcasting the first one.

So here's what you do:
(1) Switch to "Expert" usermode in Armory
(2) Open any wallet (you don't need a watch-only wallet, full wallet is
fine)
(3) In the "Send Bitcoins" window, click coin-control
(4) Create a transaction using one sufficiently large input
(5) Click "Create Unsigned Transaction" and save it
(6) Repeat 3-5 with the same coin, but sending to yourself, specify a
larger fee
(7) Go into "Offline Transactions" and "Sign and Broadcast Transactions"
(8) Load tx1, sign & broadcast
(9) Load tx2, sign & broadcast

This only works if your Bitcoin-Qt/bitcoind client has the
replace-by-fee patch, since Armory uses Bitcoin-Qt/bitcoind as a gateway
to the network. Otherwise, the second tx will be DOA.  But you don't
have to mess with Armory other than switching it to Expert mode to get
to the coin-control feature.

- -Alan

P.S. -- If you try this, Armory is likely to not show the second tx as
having ever happened (Bitcoin-Qt will send it back to us and we ignore
it because we already have a tx).  But if your Bitcoin node has the
modification, it /will/ reach the network


On 05/15/2013 08:19 AM, Peter Todd wrote:
> On Wed, May 15, 2013 at 07:38:27AM -0400, Peter Todd wrote:
>> So I'm offering 2BTC for anyone who comes up with a nice and easy to use
>> command line tool that lets you automagically create one version of the
>> transaction sending the coins to the desired recipient, and another
>> version sending all the coins back to you, both with the same
>> transaction inputs. In addition to creating the two versions, you need
>> to find a way to broadcast them both simultaneously to different nodes
>> on the network. One clever approach might be to use blockchain.info's
>> raw transaction POST API, and your local Bitcoin node.
>
> Oh, and while we're at it, a good starting point for your work would be
> Gavin's spendfrom utility in the contrib/spendfrom directory in the
> Bitcoin-QT respository.
>
> Also please do keep in mind that it's much better for the community if
> an attack is demonstrated first, followed by releasing the code some
> time later.
>
>
>
>
------------------------------------------------------------------------------
> AlienVault Unified Security Management (USM) platform delivers complete
> security visibility with the essential security capabilities. Easily and
> efficiently configure, manage, and operate all of your security controls
> from a single console and one unified framework. Download a free trial.
> http://p.sf.net/sfu/alienvault_d2d
>
>
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJRk441AAoJEBHe6b77WWmFZNQP/02t6cQkhih/CcA1oSCM72np
KMRW0Z+piHShORxLyhMX3cIpi3ICJ2lJ/Pm6GfDn74oSHq8wipIFoV88xhy810bL
MnJtbPH900v8PHh/ji2nWMig9NibeUa1zV9/tp31rYjUT3mmMoC4yQlyxKII8GWK
iignkAHV/UL5kQGmhmr1RKN127cthSMeIzAYWXfIWVObPNm85pvizVZdgqzSK73h
vwdfeFOelNbVn8ZCNT19OsxWfAKZSaBMywAX95wQBs0BtY2ZgDRmeXa6MdQKpXGW
KP3O2zjjJC2CKc4+L6elMfsoL1doEsk35w/GuI4HZK4MLAI8BChi6ZPnAYjdRvir
eHeszyxkKDCEaJ9JPLA/AszqkYHIB+56wTtrpVb1duyTwuqgVT5dcpMPIH8bDqjq
k3I8C9zCSeQ6JgyvOd8grKJchRtq0SOWYt2bB3ytePzwOs+W+6mRenb/WtMt2dQg
ntDTEIG7pCsWHenipeTBzvJNqeSsAAoIXnkGY20iDxCB+uFkTzisoCQqpOIglArm
vD+Cl2nv3OKU3NTVTUt2VinoFskezI7xvsxHD8xs2V/hrlpPbPRAo+l7ER6aTazj
wrONfmllHSE2XCM7wb/bX3gBNmsM3zUIgSBmNSH/SQeTy8PvwvlkZ/RRYmtVSmHL
rUTp7x4U63JiIDO1jj+T
=JiPo
-----END PGP SIGNATURE-----


[-- Attachment #2: Type: text/html, Size: 5815 bytes --]

Re: [Bitcoin-development] 2BTC reward for making probabalistic double-spending via conflicting transactions easy

[Melvin Carvalho]

[-- Attachment #1: Type: text/plain, Size: 2727 bytes --]

On 15 May 2013 13:38, Peter Todd <pete@petertodd.org> wrote:

> Now that I have the replace-by-fee reward, I might as well spread the
> wealth a bit.
>
>
> So for all this discussion about replace-by-fee and the supposed
> security of zero-conf transactions, no-one seems to think much about how
> in practice very few vendors have a setup to detect if conflicting
> transactions were broadcast on the network simultaneously - after all if
> that is the case which transaction gets mined is up to chance, so much
> of the time you'll get away with a double spend. We don't yet have a
> mechanism to propagate double-spend warnings, and funny enough, in the
> case of a single txin transaction the double-spend warning is also
> enough information to allow miners to implement replace-by-fee.
>
>
> So I'm offering 2BTC for anyone who comes up with a nice and easy to use
> command line tool that lets you automagically create one version of the
> transaction sending the coins to the desired recipient, and another
> version sending all the coins back to you, both with the same
> transaction inputs. In addition to creating the two versions, you need
> to find a way to broadcast them both simultaneously to different nodes
> on the network. One clever approach might be to use blockchain.info's
> raw transaction POST API, and your local Bitcoin node.
>
> If you happen to be at the conference, a cool demo would be to
> demonstrate the attack against my Android wallet. I'll buy Bitcoins off
> of you at Mt. Gox rates + %10, and you can see if you can rip me off.
> Yes, you can keep the loot. :) This should be videotaped so we can put
> an educational video on youtube after.
>

Isnt it potentially inviting trouble by encouraging people to insert double
spends into the block chain?

Sure, zero conf isnt 100% safe, we all know that.

But neither is the postal service.  Doesnt mean we should be going around
promoting the creation of tools to go into people's maiilboxes and open
their letters!


>
> --
> 'peter'[:-1]@petertodd.org
> 00000000000000bafd0a55f013e058cc2a672ee0c66b9265a02390d80e4748f5
>
>
> ------------------------------------------------------------------------------
> AlienVault Unified Security Management (USM) platform delivers complete
> security visibility with the essential security capabilities. Easily and
> efficiently configure, manage, and operate all of your security controls
> from a single console and one unified framework. Download a free trial.
> http://p.sf.net/sfu/alienvault_d2d
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
>

[-- Attachment #2: Type: text/html, Size: 3755 bytes --]

[Bitcoin-development] double-spend deletes (or converts to fees) (Re: reward for making probabalistic double-spending via conflicting transactions easy)

[Adam Back]

On Wed, May 15, 2013 at 07:38:27AM -0400, Peter Todd wrote:
>no-one seems to think much about how in practice very few vendors have a
>setup to detect if conflicting transactions were broadcast on the network
>simultaneously - after all if that is the case which transaction gets mined
>is up to chance, so much of the time you'll get away with a double spend. 
>We don't yet have a mechanism to propagate double-spend warnings, and funny
>enough, in the case of a single txin transaction the double-spend warning
>is also enough information to allow miners to implement replace-by-fee.

About double-spends it might be better if the double-spend results in no-one
keeping the money ie it gets deleted by definition (except for the fees, or
the whole payment gets converted into a 0BTC output so 100% fees).  Ideally
you'd want a way for known double spends to be circulated at priority in the
p2p network, even routed directly to earlier recipients if known.  However
have to watch out for even the fees being double spent in other
transactions.  Maybe the fees could be demanded to be self-created (no
trusted green-coin issuer) 6-confirmation spend-to-miner green-coins.

(Note double spends are not-binary.  An attacker can spend a 25BTC coin via
50x 1BTC transactions.  Which 25 are valid?  Currently it is the first 25
from the network perspective of the miner that succeeds on the current
block.  (And that view overrides, even if other miners had differing views,
unless the block later becomes an orphan).  Its surely easy for a double
spender to accumulate fast connections to known powerful miners to get the
spends that benefit him to them first.)

In that way (with double-spend deletes) the would be double-spender can not
gain within the bitcoin protocol by double spending.  He can gain outside of
the protocol eg by persuading merchants to give him non-revocable resellable
non-physical goods (or physical but anonymous goods).  But that is harder
work, and people selling goods with no recourse will be defensive about
confirmations.

ps I still dont think replace-by-fee is a good idea, at least the way it was
implemented with changeable outputs, but I think that discussion seemed
closed, so I wont rehash it.

Adam