"Transaction malleability," which worried Mt. Gox and Bitstamp, strikes again.
Not only are Bitcoin trading sites like Bitstamp and Mt. Gox susceptible to the recent acceleration of the "transaction malleability" problem, but apparently the Silk Road—or at least its newest incarnation—is too.
Is this the end for Bitcoin as we know it?
Remember that wave of fraudulent attacks sweeping the Bitcoin exchanges? It’s still going on, and this time the attackers pilfered an estimated $2.6 million worth of bitcoins from Silk Road 2, the second incarnation of the venerable online drugs-and-hitmen marketplace.
In an “I am sweating as I write this” message to the platform’s denizens, Silk Road admin Defcon conceded that everyone’s cash was gone. “I should have taken MtGox and Bitstamp’s lead and disabled withdrawals as soon as the malleability issue was reported,” he sweated. So much for escrow.
On Thursday "Defcon," one of the anonymous administrators of the Silk Road, declared ominously: "We have been hacked." (The message was later reposted in full to reddit.)
According to rough estimates by Nicholas Weaver, a computer security researcher at the International Computer Science Institute in Berkeley, California, the exploit has resulted in the site losing approximately 4,400 bitcoins, presently worth around $2.6 million, that were taken from Silk Road’s escrow account.
Weaver told Ars that he came up with that figure by writing a script that looked at all the Bitcoin wallet addresses and transaction IDs (TXIDs) that Defcon published, and added up the total value.
As Defcon wrote:
Nobody is in danger, no information has been leaked, and server access was never obtained by the attacker.
Our initial investigations indicate that a vendor exploited a recently discovered vulnerability in the Bitcoin protocol known as "transaction malleability" to repeatedly withdraw coins from our system until it was completely empty.
Despite our hardening and pen-testing procedures, this attack vector was outside of penetration testing scope due to being rooted in the Bitcoin protocol itself.
A feature and a bug?
While this vulnerability has been known since 2011, it has only recently become a notable threat to Bitcoin exchanges and sites like Silk Road that have large shared pools of transactions.
"I think that it’s not a vulnerability in Bitcoin, it’s an interaction between a mal feature in Bitcoin and how people have implemented withdrawal systems in Bitcoin," Nicholas Weaver told Ars.
"They have a model where when you do a withdrawal it monitors the blockchain and if it doesn’t go through after a certain time it tries again. Rather than looking for the contents of the transaction it looks for the transaction ID. What the person does is they see the transaction posted and modify it slightly so the ID is different, and they broadcast that widely. They’re not fake transactions. It’s broadcasting a version of the same transactions but with a different transaction ID number. Otherwise they are identical."
"It’s the accounting system that effectively has a bug in it. Part of the reason that the transaction ID is not protected by the signature is so I could say pay 100 bitcoins to this address, and other people can add in. That’s the reason why transaction IDs are not cryptographically protected. It is a feature, not necessarily a bug. I have no idea [why it’s accelerated now], apart from attacker imagination," Weaver added. "A week ago nobody thought, 'The accounting IDs may be busted, I should try changing transaction IDs and seeing if it works.' [The way to fix this is] to have automated accounting systems look to transactions, not the transaction ID, then you can prevent this problem."