* [Bitcoin-development] 2BTC reward for making probabalistic double-spending via conflicting transactions easy @ 2013-05-15 11:38 Peter Todd 2013-05-15 12:19 ` Peter Todd ` (2 more replies) 0 siblings, 3 replies; 5+ messages in thread From: Peter Todd @ 2013-05-15 11:38 UTC (permalink / raw) To: Bitcoin-Dev [-- Attachment #1: Type: text/plain, Size: 1696 bytes --] Now that I have the replace-by-fee reward, I might as well spread the wealth a bit. So for all this discussion about replace-by-fee and the supposed security of zero-conf transactions, no-one seems to think much about how in practice very few vendors have a setup to detect if conflicting transactions were broadcast on the network simultaneously - after all if that is the case which transaction gets mined is up to chance, so much of the time you'll get away with a double spend. We don't yet have a mechanism to propagate double-spend warnings, and funny enough, in the case of a single txin transaction the double-spend warning is also enough information to allow miners to implement replace-by-fee. So I'm offering 2BTC for anyone who comes up with a nice and easy to use command line tool that lets you automagically create one version of the transaction sending the coins to the desired recipient, and another version sending all the coins back to you, both with the same transaction inputs. In addition to creating the two versions, you need to find a way to broadcast them both simultaneously to different nodes on the network. One clever approach might be to use blockchain.info's raw transaction POST API, and your local Bitcoin node. If you happen to be at the conference, a cool demo would be to demonstrate the attack against my Android wallet. I'll buy Bitcoins off of you at Mt. Gox rates + %10, and you can see if you can rip me off. Yes, you can keep the loot. :) This should be videotaped so we can put an educational video on youtube after. -- 'peter'[:-1]@petertodd.org 00000000000000bafd0a55f013e058cc2a672ee0c66b9265a02390d80e4748f5 [-- Attachment #2: Digital signature --] [-- Type: application/pgp-signature, Size: 490 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Bitcoin-development] 2BTC reward for making probabalistic double-spending via conflicting transactions easy 2013-05-15 11:38 [Bitcoin-development] 2BTC reward for making probabalistic double-spending via conflicting transactions easy Peter Todd @ 2013-05-15 12:19 ` Peter Todd 2013-05-15 13:31 ` Alan Reiner 2013-05-15 12:41 ` Melvin Carvalho 2013-05-15 13:00 ` [Bitcoin-development] double-spend deletes (or converts to fees) (Re: reward for making probabalistic double-spending via conflicting transactions easy) Adam Back 2 siblings, 1 reply; 5+ messages in thread From: Peter Todd @ 2013-05-15 12:19 UTC (permalink / raw) To: Bitcoin-Dev [-- Attachment #1: Type: text/plain, Size: 990 bytes --] On Wed, May 15, 2013 at 07:38:27AM -0400, Peter Todd wrote: > So I'm offering 2BTC for anyone who comes up with a nice and easy to use > command line tool that lets you automagically create one version of the > transaction sending the coins to the desired recipient, and another > version sending all the coins back to you, both with the same > transaction inputs. In addition to creating the two versions, you need > to find a way to broadcast them both simultaneously to different nodes > on the network. One clever approach might be to use blockchain.info's > raw transaction POST API, and your local Bitcoin node. Oh, and while we're at it, a good starting point for your work would be Gavin's spendfrom utility in the contrib/spendfrom directory in the Bitcoin-QT respository. Also please do keep in mind that it's much better for the community if an attack is demonstrated first, followed by releasing the code some time later. -- 'peter'[:-1]@petertodd.org [-- Attachment #2: Digital signature --] [-- Type: application/pgp-signature, Size: 490 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Bitcoin-development] 2BTC reward for making probabalistic double-spending via conflicting transactions easy 2013-05-15 12:19 ` Peter Todd @ 2013-05-15 13:31 ` Alan Reiner 0 siblings, 0 replies; 5+ messages in thread From: Alan Reiner @ 2013-05-15 13:31 UTC (permalink / raw) To: bitcoin-development [-- Attachment #1: Type: text/plain, Size: 4240 bytes --] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 You can do this right now, with Armory. If you switch Armory to Expert usermode, you can combine coin-control with unsigned transactions to do exactly this. It's because Armory doesn't "lock" coins used in previous unsigned transactions, until they're actually broadcast and confirmed to be "out in the wild". This was done for simplicity to avoid people getting arbitrarily-locked coins, even though it means you end up accidentally double-spending if you try to create two different unsigned transactions from the same wallet without sign&broadcasting the first one. So here's what you do: (1) Switch to "Expert" usermode in Armory (2) Open any wallet (you don't need a watch-only wallet, full wallet is fine) (3) In the "Send Bitcoins" window, click coin-control (4) Create a transaction using one sufficiently large input (5) Click "Create Unsigned Transaction" and save it (6) Repeat 3-5 with the same coin, but sending to yourself, specify a larger fee (7) Go into "Offline Transactions" and "Sign and Broadcast Transactions" (8) Load tx1, sign & broadcast (9) Load tx2, sign & broadcast This only works if your Bitcoin-Qt/bitcoind client has the replace-by-fee patch, since Armory uses Bitcoin-Qt/bitcoind as a gateway to the network. Otherwise, the second tx will be DOA. But you don't have to mess with Armory other than switching it to Expert mode to get to the coin-control feature. - -Alan P.S. -- If you try this, Armory is likely to not show the second tx as having ever happened (Bitcoin-Qt will send it back to us and we ignore it because we already have a tx). But if your Bitcoin node has the modification, it /will/ reach the network On 05/15/2013 08:19 AM, Peter Todd wrote: > On Wed, May 15, 2013 at 07:38:27AM -0400, Peter Todd wrote: >> So I'm offering 2BTC for anyone who comes up with a nice and easy to use >> command line tool that lets you automagically create one version of the >> transaction sending the coins to the desired recipient, and another >> version sending all the coins back to you, both with the same >> transaction inputs. In addition to creating the two versions, you need >> to find a way to broadcast them both simultaneously to different nodes >> on the network. One clever approach might be to use blockchain.info's >> raw transaction POST API, and your local Bitcoin node. > > Oh, and while we're at it, a good starting point for your work would be > Gavin's spendfrom utility in the contrib/spendfrom directory in the > Bitcoin-QT respository. > > Also please do keep in mind that it's much better for the community if > an attack is demonstrated first, followed by releasing the code some > time later. > > > > ------------------------------------------------------------------------------ > AlienVault Unified Security Management (USM) platform delivers complete > security visibility with the essential security capabilities. Easily and > efficiently configure, manage, and operate all of your security controls > from a single console and one unified framework. Download a free trial. > http://p.sf.net/sfu/alienvault_d2d > > > _______________________________________________ > Bitcoin-development mailing list > Bitcoin-development@lists•sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bitcoin-development -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJRk441AAoJEBHe6b77WWmFZNQP/02t6cQkhih/CcA1oSCM72np KMRW0Z+piHShORxLyhMX3cIpi3ICJ2lJ/Pm6GfDn74oSHq8wipIFoV88xhy810bL MnJtbPH900v8PHh/ji2nWMig9NibeUa1zV9/tp31rYjUT3mmMoC4yQlyxKII8GWK iignkAHV/UL5kQGmhmr1RKN127cthSMeIzAYWXfIWVObPNm85pvizVZdgqzSK73h vwdfeFOelNbVn8ZCNT19OsxWfAKZSaBMywAX95wQBs0BtY2ZgDRmeXa6MdQKpXGW KP3O2zjjJC2CKc4+L6elMfsoL1doEsk35w/GuI4HZK4MLAI8BChi6ZPnAYjdRvir eHeszyxkKDCEaJ9JPLA/AszqkYHIB+56wTtrpVb1duyTwuqgVT5dcpMPIH8bDqjq k3I8C9zCSeQ6JgyvOd8grKJchRtq0SOWYt2bB3ytePzwOs+W+6mRenb/WtMt2dQg ntDTEIG7pCsWHenipeTBzvJNqeSsAAoIXnkGY20iDxCB+uFkTzisoCQqpOIglArm vD+Cl2nv3OKU3NTVTUt2VinoFskezI7xvsxHD8xs2V/hrlpPbPRAo+l7ER6aTazj wrONfmllHSE2XCM7wb/bX3gBNmsM3zUIgSBmNSH/SQeTy8PvwvlkZ/RRYmtVSmHL rUTp7x4U63JiIDO1jj+T =JiPo -----END PGP SIGNATURE----- [-- Attachment #2: Type: text/html, Size: 5815 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Bitcoin-development] 2BTC reward for making probabalistic double-spending via conflicting transactions easy 2013-05-15 11:38 [Bitcoin-development] 2BTC reward for making probabalistic double-spending via conflicting transactions easy Peter Todd 2013-05-15 12:19 ` Peter Todd @ 2013-05-15 12:41 ` Melvin Carvalho 2013-05-15 13:00 ` [Bitcoin-development] double-spend deletes (or converts to fees) (Re: reward for making probabalistic double-spending via conflicting transactions easy) Adam Back 2 siblings, 0 replies; 5+ messages in thread From: Melvin Carvalho @ 2013-05-15 12:41 UTC (permalink / raw) To: Peter Todd; +Cc: Bitcoin-Dev [-- Attachment #1: Type: text/plain, Size: 2727 bytes --] On 15 May 2013 13:38, Peter Todd <pete@petertodd•org> wrote: > Now that I have the replace-by-fee reward, I might as well spread the > wealth a bit. > > > So for all this discussion about replace-by-fee and the supposed > security of zero-conf transactions, no-one seems to think much about how > in practice very few vendors have a setup to detect if conflicting > transactions were broadcast on the network simultaneously - after all if > that is the case which transaction gets mined is up to chance, so much > of the time you'll get away with a double spend. We don't yet have a > mechanism to propagate double-spend warnings, and funny enough, in the > case of a single txin transaction the double-spend warning is also > enough information to allow miners to implement replace-by-fee. > > > So I'm offering 2BTC for anyone who comes up with a nice and easy to use > command line tool that lets you automagically create one version of the > transaction sending the coins to the desired recipient, and another > version sending all the coins back to you, both with the same > transaction inputs. In addition to creating the two versions, you need > to find a way to broadcast them both simultaneously to different nodes > on the network. One clever approach might be to use blockchain.info's > raw transaction POST API, and your local Bitcoin node. > > If you happen to be at the conference, a cool demo would be to > demonstrate the attack against my Android wallet. I'll buy Bitcoins off > of you at Mt. Gox rates + %10, and you can see if you can rip me off. > Yes, you can keep the loot. :) This should be videotaped so we can put > an educational video on youtube after. > Isnt it potentially inviting trouble by encouraging people to insert double spends into the block chain? Sure, zero conf isnt 100% safe, we all know that. But neither is the postal service. Doesnt mean we should be going around promoting the creation of tools to go into people's maiilboxes and open their letters! > > -- > 'peter'[:-1]@petertodd.org > 00000000000000bafd0a55f013e058cc2a672ee0c66b9265a02390d80e4748f5 > > > ------------------------------------------------------------------------------ > AlienVault Unified Security Management (USM) platform delivers complete > security visibility with the essential security capabilities. Easily and > efficiently configure, manage, and operate all of your security controls > from a single console and one unified framework. Download a free trial. > http://p.sf.net/sfu/alienvault_d2d > _______________________________________________ > Bitcoin-development mailing list > Bitcoin-development@lists•sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bitcoin-development > > [-- Attachment #2: Type: text/html, Size: 3755 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bitcoin-development] double-spend deletes (or converts to fees) (Re: reward for making probabalistic double-spending via conflicting transactions easy) 2013-05-15 11:38 [Bitcoin-development] 2BTC reward for making probabalistic double-spending via conflicting transactions easy Peter Todd 2013-05-15 12:19 ` Peter Todd 2013-05-15 12:41 ` Melvin Carvalho @ 2013-05-15 13:00 ` Adam Back 2 siblings, 0 replies; 5+ messages in thread From: Adam Back @ 2013-05-15 13:00 UTC (permalink / raw) To: Peter Todd; +Cc: Bitcoin-Dev On Wed, May 15, 2013 at 07:38:27AM -0400, Peter Todd wrote: >no-one seems to think much about how in practice very few vendors have a >setup to detect if conflicting transactions were broadcast on the network >simultaneously - after all if that is the case which transaction gets mined >is up to chance, so much of the time you'll get away with a double spend. >We don't yet have a mechanism to propagate double-spend warnings, and funny >enough, in the case of a single txin transaction the double-spend warning >is also enough information to allow miners to implement replace-by-fee. About double-spends it might be better if the double-spend results in no-one keeping the money ie it gets deleted by definition (except for the fees, or the whole payment gets converted into a 0BTC output so 100% fees). Ideally you'd want a way for known double spends to be circulated at priority in the p2p network, even routed directly to earlier recipients if known. However have to watch out for even the fees being double spent in other transactions. Maybe the fees could be demanded to be self-created (no trusted green-coin issuer) 6-confirmation spend-to-miner green-coins. (Note double spends are not-binary. An attacker can spend a 25BTC coin via 50x 1BTC transactions. Which 25 are valid? Currently it is the first 25 from the network perspective of the miner that succeeds on the current block. (And that view overrides, even if other miners had differing views, unless the block later becomes an orphan). Its surely easy for a double spender to accumulate fast connections to known powerful miners to get the spends that benefit him to them first.) In that way (with double-spend deletes) the would be double-spender can not gain within the bitcoin protocol by double spending. He can gain outside of the protocol eg by persuading merchants to give him non-revocable resellable non-physical goods (or physical but anonymous goods). But that is harder work, and people selling goods with no recourse will be defensive about confirmations. ps I still dont think replace-by-fee is a good idea, at least the way it was implemented with changeable outputs, but I think that discussion seemed closed, so I wont rehash it. Adam ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2013-05-15 13:31 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2013-05-15 11:38 [Bitcoin-development] 2BTC reward for making probabalistic double-spending via conflicting transactions easy Peter Todd 2013-05-15 12:19 ` Peter Todd 2013-05-15 13:31 ` Alan Reiner 2013-05-15 12:41 ` Melvin Carvalho 2013-05-15 13:00 ` [Bitcoin-development] double-spend deletes (or converts to fees) (Re: reward for making probabalistic double-spending via conflicting transactions easy) Adam Back
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox