Blockchain’s Statement to Mt. Gox “Transaction Malleability” Issues

 

Earlier this month, the popular bitcoin exchange Mt. Gox battled pressing issues, specifically delays in bitcoin withdrawals, which were eventually put on a temporary halt due to “transaction malleability.”

 

“A bug in the bitcoin software makes it possible for someone to use the Bitcoin network to alter transaction details to make it seem like a sending of bitcoins to a bitcoin wallet did not occur when in fact it did occur. Since the transaction appears as if it has not proceeded correctly, the bitcoins may be resent. MtGox is working with the Bitcoin core development team and others to mitigate this issue.” – mt.gox

 

Blockchain issued a statement in response to the issue described above. It is reproduced below.

 


Dear Blockchain Users:

Posted on February 10, 2014

Recent problems at the Mt.Gox bitcoin exchange appear to be the result of an implementation flaw related to a known bitcoin technical issue. The issue is that of “Transaction Malleability”, a problem in certain implementations that allows an attacker to modify a transaction in such a way as to make the same transaction appear under a different transaction ID (Tx Hash), without changing any of the internal information (sender, recipient, value etc). This issue first became known in 2011 and it does not affect correctly implemented bitcoin clients, such as the reference client (bitcoind/bitcoin-qt).

The well-known and documented issue of “Transaction Malleability” makes it dangerous for bitcoin wallets and bitcoin exchanges to rely on the transaction hash as an authoritative proof, or “receipt” for a transaction. Instead, best practices dictate that implementations of bitcoin verify transactions by checking whether their inputs have been spent by any transactions included in a mined block, rather than relying on the presence (or absence) of the transaction hash in the blockchain.

Blockchain.info’s implementation follows best practices in this respect and does not rely on the transaction hash as verification of spent funds. Instead, if multiple conflicting versions of a transaction against spent inputs are seen on the network, both transactions are highlighted whenever they appear as a “double-spend”, until one of the transactions is confirmed, making the second disappear.

In Blockchain’s wallet implementation, each user of our service controls their own private keys and we don’t maintain internal “account balances” making it impossible to corrupt our internal accounting system in the same way that has affected Mt.Gox. Blockchain wallet users are unaffected by this known implementation issue.

Bitcoin users should not rely on the presence or absence of a transaction hash (aka ID) as confirmation of payment. Before re-sending a transaction that appears unsuccessful, they should check the wallet balance to ensure that the transaction was not submitted under a different ID. The definitive proof of success or failure of a transaction is the address balance (unspent outputs) as calculated after several confirmations. In other words, trust your balance as confirmed by the blockchain consensus, not the transaction ID.

Contrary to many news headlines that describe Transaction Malleability as a “bug” affecting bitcoin and other crypto-currencies, it is not. It is an example of the need to implement transaction verification in the industry-standard way rather than with implementation shortcuts that rely on known-unsafe methodologies. Again, Blockchain.info wallet users are unaffected.

Andreas M. Antonopoulos
Chief Security Officer
Blockchain
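The check the statement describes, as an added example (not Blockchain.info's or Mt. Gox's code): a withdrawal is matched against confirmed transactions by the outputs it spends rather than by its transaction ID. The `Tx` model, the hashing layout, the function names and the sample values are simplified assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

# Simplified model (assumption): real Bitcoin serialization has more fields,
# but the txid is likewise a double SHA-256 over bytes that include each
# input's signature script.
@dataclass(frozen=True)
class TxIn:
    prev_txid: str      # transaction that created the coin being spent
    prev_index: int     # output index within that transaction
    script_sig: bytes   # signature data; included in the txid hash

@dataclass(frozen=True)
class Tx:
    inputs: tuple
    outputs: tuple      # (address, amount_satoshi) pairs

    def txid(self) -> str:
        h = hashlib.sha256()
        for i in self.inputs:
            h.update(f"{i.prev_txid}:{i.prev_index}:".encode() + i.script_sig)
        for addr, amount in self.outputs:
            h.update(f"{addr}:{amount}".encode())
        return hashlib.sha256(h.digest()).hexdigest()

    def outpoints(self) -> frozenset:
        return frozenset((i.prev_txid, i.prev_index) for i in self.inputs)

def naive_status(sent: Tx, confirmed: list) -> str:
    """The unsafe shortcut: look only for the txid that was broadcast."""
    return "confirmed" if any(t.txid() == sent.txid() for t in confirmed) else "unconfirmed"

def withdrawal_status(sent: Tx, confirmed: list) -> str:
    """Classify a withdrawal by the coins it spends, not by its txid."""
    for tx in confirmed:
        if tx.txid() == sent.txid():
            return "confirmed"
        if tx.outpoints() & sent.outpoints():
            # Inputs are already spent in a block, so never blindly re-send.
            return ("confirmed-under-different-id"
                    if tx.outputs == sent.outputs else "inputs-spent-elsewhere")
    return "unconfirmed"

# Constructed sample data: same inputs and outputs, different script_sig bytes.
COIN = ("a" * 64, 0)
OUT = (("customer-address", 150_000_000),)
SENT = Tx((TxIn(*COIN, b"sig-encoding-1"),), OUT)
MINED = Tx((TxIn(*COIN, b"sig-encoding-2"),), OUT)
```

With the sample data, `naive_status` reports the withdrawal as unconfirmed and would invite a re-send, while `withdrawal_status` recognises the same payment under its new ID.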
