BITCOIN TRANSACTION MALLEABILITY THEORY IN PRACTICE
Daniel Chechik, Rami Kogan
Security Researchers
Agenda
• What is Bitcoin
• Bitcoin Transactions
• Transaction Malleability Vulnerability
• What Happened in MT.Gox
• Live Demo
WHAT IS BITCOIN?
What is Bitcoin?
• Bitcoin is a payment system introduced as open-source software in 2009 by a developer known as Satoshi Nakamoto
• P2P network – Trust is a result of data transparency
• Decentralization – No institution is controlling your money/coins.
• Anonymous Virtual currency.
What is a Block?
• A container of Transactions
• Can’t be changed or removed
• Reference to the previous block
Block Chain
• The network data history
[Diagram: a chain of three blocks, each holding Transactions and a PreviousBlockHash]
What is a Block?
• All the peers share the Block-Chain
• Transparency
What is a Block?
• Structure
Field | Description | Size
Magic No | Value always 0xD9B4BEF9 | 4 bytes
Blocksize | Number of bytes following up to end of block | 4 bytes
Blockheader | Consists of 6 items | 80 bytes
Transaction counter | Positive integer VI = VarInt | 1 - 9 bytes
Transactions | The (non empty) list of transactions | <Transaction counter>-many transactions
Block Header Structure
Field | Purpose | Updated when... | Size (Bytes)
Version | Block version number | You upgrade the software and it specifies a new version | 4
hashPrevBlock | 256-bit hash of the previous | A new block comes in | 32
hashMerkleRoot | 256-bit hash based on all of the transactions in the block | A transaction is accepted | 32
Time | Current timestamp as seconds since 1970-01-01T00:00 UTC | Every few seconds | 4
Bits | Current target in compact format | The difficulty is adjusted | 4
Nonce | 32-bit number (starts at 0) | A hash is tried | 4
What Is Mining?
[Diagram labels: Memory; Pending, Pending, Pending; Transaction, Transaction, Transaction, …; $]
LET’S SIMULATE MINING RIGHT NOW!
0x02000
Additional Mining Goals
• Keep a steady network
• Record all coin data
Bitcoin – what we’ve learned so far …
• Block – container of transactions
• Block chain - record of all coin data from the beginning
• Block “Solving” – a process used to keep the network steady and to generate blocks.
TRANSACTIONS
Transactions
[Diagram: Alice sends 100 BTC to Bob’s Wallet (the amount is labelled 100 MYC in the step-by-step builds). Steps, in order:]
• Broadcasted to network
• Collected by miners
• Confirmed (Block Solved)
Transactions
Transactions are built from two main components
• Inputs: Source of coins (Ref to Txout in block chain)
• Outputs: Redeemer’s Bitcoin address, Amount
Transactions
• Prove you have the coins (by including a reference)
• Include the Bitcoin wallet address of the recipient
• Sign the transaction
TRANSACTION MALLEABILITY
P2P Lottery
[Diagram: a lottery message with the fields MessageID (sha256); From: Lottery; Prize: You won a Car!; To: “Rami”; Length …; Signature (DER). A second label reads “Life supply of Vegemite”.]
P2P Lottery
ID | CAR SUPPLIED
f5d8ee... | ✓
5e67s… | ✓
Standard Transaction
[Diagram: transaction layout, identified by TxId (sha256*2)]
• Input: Source of Coins; ScriptSig (Signature, Public Key)
• Output: Redeemer + Amount of Coins; Amount of Coins; ScriptPubKey (Redeemer’s address)
Standard Transaction (builds on the Length field in front of the Signature in ScriptSig)
• Length: 1 byte
• Length: 2 byte, preceded by the pushdata2 opcode (1 byte)
• Length as 1 byte: 0x30
• pushdata2 opcode: 0x4D
• pushdata2 followed by the length: 0x4D 0x00 …, then 0x4D 0x3000
• Little Endian: 0x3000 → 0x0030
• 0x0030 == 0x30 ✔
Standard Vs Mutated
TxId = c6cfe6e4f129a34671d10c1bbe158eff05197d388727e331951b0ec2637c194e
Mutated TxId = dc34efd49ed738bf4500db367292164166989cb15773026e9e185b78292bbc89
Transaction Malleability
• Two different transactions
• Same amount of coins
• Same destination and source
• RACE! The mutated transaction wins and gets into a block
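The re-encoding shown in the Standard Transaction slides (a 1-byte length 0x30 replaced by pushdata2 0x4D 0x3000), seen from the checking side: this added Python example, which is not part of the original slides, parses the pushes in a ScriptSig, flags any push that uses a longer opcode than its data needs, and normalizes it back. SIG, PUB and the serialization inside txid() are constructed placeholders, not a real signature, key or transaction format.

```python
import hashlib
import struct

LEN_FIELD = {0x4C: "<B", 0x4D: "<H", 0x4E: "<I"}  # OP_PUSHDATA1/2/4 length formats

def parse_pushes(script):
    """Split a push-only script into (opcode, data); ValueError if malformed."""
    pushes, i = [], 0
    while i < len(script):
        op, i = script[i], i + 1
        if op <= 0x4B:                        # the opcode itself is the length
            n = op
        elif op in LEN_FIELD:                 # little-endian length field follows
            try:
                n = struct.unpack_from(LEN_FIELD[op], script, i)[0]
            except struct.error:
                raise ValueError("truncated length field")
            i += struct.calcsize(LEN_FIELD[op])
        else:
            raise ValueError("non-push opcode 0x%02x" % op)
        if i + n > len(script):
            raise ValueError("push runs past end of script")
        pushes.append((op, script[i:i + n]))
        i += n
    return pushes

def encode_push(data):
    """Shortest push for len(data); OP_1..OP_16 number forms are out of scope."""
    n = len(data)
    if n <= 0x4B:
        return bytes([n]) + data
    op = 0x4C if n <= 0xFF else 0x4D if n <= 0xFFFF else 0x4E
    return bytes([op]) + struct.pack(LEN_FIELD[op], n) + data

def non_minimal_pushes(script):
    """Indexes of pushes encoded with a longer opcode than the data needs."""
    return [k for k, (op, d) in enumerate(parse_pushes(script))
            if encode_push(d)[0] != op]

def normalize(script):
    return b"".join(encode_push(d) for _, d in parse_pushes(script))

def txid(script_sig):
    """Double SHA-256 over a constructed stand-in serialization, not a real tx."""
    raw = b"<inputs>" + script_sig + b"<outputs>"
    return hashlib.sha256(hashlib.sha256(raw).digest()).digest()[::-1].hex()

SIG, PUB = b"\x30" + b"\x11" * 0x2F, b"\x02" + b"\x22" * 32   # constructed, not real
STANDARD = bytes([0x30]) + SIG + bytes([33]) + PUB
MUTATED = bytes([0x4D, 0x30, 0x00]) + SIG + bytes([33]) + PUB   # pushdata2 form
```

Both encodings carry the same signature and public key, so only the identifier differs; comparing normalize(script) instead of the raw bytes removes that difference.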
Rejected Transactions
• Invalid transaction data
• Already spent out-point
• Identical transactions
• Invalid signature
WHAT HAPPENED IN MT.GOX?
MT.Gox Announcement
[Diagram sequence. Participants: Mt.Gox, P2P Bitcoin network, Attacker, Attacker’s Wallet. Builds, in order:]
• Mt.Gox → P2P Bitcoin: 30BTC -> Attacker’s Wallet, TxId B330….…5088
• Attacker sees transaction B330….…5088 (fields shown: ScriptSig, ScriptPubkey, 0x19, 0x30 …, 30BTC …)
• Attacker builds a Mutated Transaction with a Valid Signature (0x30 …): 30BTC -> Attacker’s Wallet, TxId C3a8…….03f8
• Both are on the P2P Bitcoin network: C3a8…….03f8 and B330….…5088, each 30BTC -> Attacker’s Wallet
• Unconfirmed Tx: 30BTC -> Attacker’s Wallet, B330….…5088
• Mt.Gox: Transaction (B330….…5088) Failed?!?
• Generate Another Transaction!
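A reconciliation check for the situation in the slides above, where the payer sees its own TxId stay unconfirmed and generates another transaction: this added Python example, which is not part of the original slides, matches a sent withdrawal against confirmed transactions by the coins spent and the outputs paid instead of by TxId alone. The Tx record, the status names and all sample values are hypothetical and constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:                      # hypothetical record, not a wire format
    txid: str
    inputs: frozenset          # outpoints spent: {(previous txid, output index)}
    outputs: tuple             # ((address, amount in satoshi), ...)

def withdrawal_status(sent, confirmed):
    """Classify a broadcast withdrawal against transactions already in blocks."""
    for tx in confirmed:
        if tx.txid == sent.txid:
            return ("confirmed", tx.txid)
    for tx in confirmed:
        if tx.inputs & sent.inputs:                      # the same coins were spent
            if tx.inputs == sent.inputs and tx.outputs == sent.outputs:
                return ("confirmed-mutated", tx.txid)    # same payment, new TxId
            return ("conflict", tx.txid)                 # coins went elsewhere
    return ("pending", None)

def may_pay_again(sent, confirmed):
    """A second payment from other coins is safe only when the first can never
    confirm, which requires its inputs to be spent by a different payment."""
    return withdrawal_status(sent, confirmed)[0] == "conflict"

# Constructed sample values (not the TxIds from the slides).
COIN = ("f0" * 32, 1)
PAYOUT = (("customer-address", 30 * 10**8),)
ORIGINAL = Tx("aa" * 32, frozenset({COIN}), PAYOUT)
MUTATED_TX = Tx("bb" * 32, frozenset({COIN}), PAYOUT)
OTHER = Tx("cc" * 32, frozenset({COIN}), (("another-address", 30 * 10**8),))
```

A lookup by TxId alone reports ORIGINAL as missing once MUTATED_TX is in a block, while withdrawal_status() reports the payment as already made.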
DEMO
BLOCKCHAIN OPINION
[Chart: PUSHDATA Mutated Transaction. Series: Malleable Transaction. Y-axis: 0 to 6000. X-axis: Dec-12 to Aug-14.]
[Chart: PUSHDATA Mutated Transaction. Series: Malleable Transaction. Data labels: 0, 0, 79, 1900, 3569, 2, 2, 11, 0, 22.]
Mt.Gox announcement
Who was The Target?!
• Bitcoins betting
• Trading websites
• Testing
• Wrong usage of the attack
MALLEABILITY FIX
Transaction Malleability Fix
Daniel Chechik (@danielchechik)
Rami Kogan
Ben Hayak (@benhayak)
Thank You!
BTC: 12qPtFhw9UPL8HvfSsSjvqxeFXp4hRiWym
References
• Github - https://github.com/sipa/bitcoin/commit/87fe71e1fc810ee120a10063fdd26c3245686d54
• Spiderlabs - http://www.spiderlabs.com
• Bitcoin official document - https://bitcoin.org/bitcoin.pdf
• Bitcoin Wiki - https://en.bitcoin.it/wiki
• Bitcoin Transaction Malleability Wiki - https://en.bitcoin.it/wiki/Transaction_Malleability
• Ken Shirriff - http://www.righto.com/2014/02/bitcoin-transaction-malleability.html