BITCOIN TRANSACTION MALLEABILITY THEORY IN PRACTICE Daniel Chechik, Rami Kogan Security Researchers
Agenda • What is Bitcoin • Bitcoin Transactions • Transaction Malleability Vulnerability • What Happened in MT.Gox • Live Demo
WHAT IS BITCOIN?
What is Bitcoin? • Bitcoin is a payment system introduced as open-source software in 2009 by a developer known as Satoshi Nakamoto • P2P network – Trust is a result of data transparency • Decentralization – No institution is controlling your money/coins. • Anonymous Virtual currency.
What is a Block? • A container of Transactions • Can’t be changed or removed • Reference to the previous block
Block Chain • The network data history [Diagram: a chain of three Blocks, each holding Transactions and a PreviousBlockHash pointing to the block before it]
What is a Block? • All the peers share the Block-Chain • Transparency
What is a Block? • Structure
Field | Description | Size
Magic No | Value always 0xD9B4BEF9 | 4 bytes
Blocksize | Number of bytes following up to end of block | 4 bytes
Blockheader | Consists of 6 items | 80 bytes
Transaction counter | Positive integer VI = VarInt | 1 - 9 bytes
Transactions | The (non empty) list of transactions | <Transaction counter>-many transactions
Block Header Structure
Field | Purpose | Updated when... | Size (Bytes)
Version | Block version number | You upgrade the software and it specifies a new version | 4
hashPrevBlock | 256-bit hash of the previous block | A new block comes in | 32
hashMerkleRoot | 256-bit hash based on all of the transactions in the block | A transaction is accepted | 32
Time | Current timestamp as seconds since 1970-01-01T00:00 UTC | Every few seconds | 4
Bits | Current target in compact format | The difficulty is adjusted | 4
Nonce | 32-bit number (starts at 0) | A hash is tried | 4
WHAT IS MINING?
What is Mining? [Diagram: Pending Transactions held in Memory]
LET’S SIMULATE MINING RIGHT NOW!
0x02000
Additional Mining Goals • Keep a steady network • Record all coin data
Bitcoin – what we’ve learned so far … • Block – container of transactions • Block chain - record of all coin data from the beginning • Block “Solving” – a process used to keep the network steady and to generate blocks.
TRANSACTIONS
Transactions • Alice -> Bob: 100 BTC • Broadcasted to network • Collected by miners • Confirmed (Block Solved)
Transactions • Alice -> Bob (Bob’s Wallet): 100 MYC • Broadcasted to network • Collected by miners • Confirmed (Block Solved)
Transactions • Transactions are built from two main components • Inputs: Source of coins (Ref to Txout in block chain) • Outputs: Redeemer’s Bitcoin address, Amount
Transactions • Prove you have the coins (by including a reference) • Include the Bitcoin wallet address of the recipient • Sign the transaction
TRANSACTION MALLEABILITY
P2P Lottery • Message: MessageID (sha256) • … Length, Signature (DER) • From: Lottery • Prize: You won a Car! Life supply of Vegemite • … Length, To: “Rami”
P2P Lottery • Message: MessageID (sha256) • … Length, Signature (DER) • From: Lottery • Prize: You won a Car! • … Length, To: “Rami” • Ledger columns: ID | CAR SUPPLIED • f5d8ee... 5e67 ✓ • s… ✓
Standard Transaction • TxId (sha256*2) • Input: Source of Coins, ScriptSig (Signature, Public Key) • Output (Redeemer + Amount of Coins): Amount of Coins, ScriptPubKey (Redeemer’s address)
Standard Transaction • The Signature in ScriptSig is preceded by a Length of 1 byte: 0x30
Standard Transaction • The Length can also be written in 2 bytes, preceded by the opcode (1 byte) pushdata2: 0x4D 0x00 0x30
Standard Transaction • pushdata2: 0x4D 0x3000 • Little Endian: 0x3000 is read as 0x0030, and 0x0030 == 0x30
Standard Transaction • With pushdata2 0x4D 0x3000 before the Signature, the transaction is still valid ✔
Standard Vs Mutated • TxId = c6cfe6e4f129a34671d10c1bbe158eff05197d388727e331951b0ec2637c194e • Mutated TxId = dc34efd49ed738bf4500db367292164166989cb15773026e9e185b78292bbc89
Transaction Malleability • Two different transactions • Same amount of coins • Same destination and source • Mutated wins and gets in a Block RACE!
Rejected Transactions • Invalid transaction data • Already spent out-point • Identical transactions • Invalid signature
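Added example (not part of the original slides): a Python check that flags the non-minimal pushdata2 form of a ScriptSig push and shows that re-encoding it in the shortest form restores the original TxId. The function names, the dummy transaction fields and the placeholder SIG/PUB bytes are constructed for illustration, and only length-prefixed pushes are handled.

```python
import hashlib

WIDTH = {0x4c: 1, 0x4d: 2, 0x4e: 4}  # OP_PUSHDATA1/2/4 -> size of the length field

def push(data: bytes) -> bytes:
    """Shortest length-prefixed push of data (small-integer opcodes not covered)."""
    n = len(data)
    if n <= 0x4b:
        return bytes([n]) + data                      # the opcode itself is the length
    op, w = (0x4c, 1) if n <= 0xff else (0x4d, 2) if n <= 0xffff else (0x4e, 4)
    return bytes([op]) + n.to_bytes(w, "little") + data

def parse(script: bytes):
    """Return [(data, is_minimal)] for a scriptSig that contains only data pushes."""
    out, i = [], 0
    while i < len(script):
        start, op = i, script[i]
        if op > 0x4e:
            raise ValueError(f"non-push opcode 0x{op:02x}")
        w = WIDTH.get(op, 0)
        n = int.from_bytes(script[i + 1:i + 1 + w], "little") if w else op  # 30 00 -> 0x0030
        i += 1 + w
        if i + n > len(script):
            raise ValueError("truncated push")
        data = script[i:i + n]
        i += n
        out.append((data, script[start:i] == push(data)))
    return out

def normalize(script: bytes) -> bytes:
    """Re-encode every push in its shortest form."""
    return b"".join(push(d) for d, _ in parse(script))

def txid(script_sig: bytes) -> str:
    """Double-SHA256 id of a one-input, one-output transaction built from dummy fields."""
    if len(script_sig) >= 0xfd:
        raise ValueError("example handles single-byte script lengths only")
    spk = b"\x76\xa9\x14" + bytes(20) + b"\x88\xac"   # 0x19-byte ScriptPubKey, dummy hash
    tx = ((1).to_bytes(4, "little") + b"\x01" + bytes(36)
          + bytes([len(script_sig)]) + script_sig + b"\xff" * 4 + b"\x01"
          + (30 * 10**8).to_bytes(8, "little") + bytes([len(spk)]) + spk + bytes(4))
    return hashlib.sha256(hashlib.sha256(tx).digest()).digest()[::-1].hex()

# Constructed placeholders, not real key material
SIG = b"\x30" + bytes(0x2f)                           # 0x30 bytes, as on the slides
PUB = b"\x02" + bytes(32)
STANDARD = push(SIG) + push(PUB)                      # 0x30 <sig> ...
MUTATED = b"\x4d\x30\x00" + SIG + push(PUB)           # 0x4D 0x3000 <sig> ...
```

A sender that matches a pending payment on `txid(normalize(script_sig))`, or on the inputs and outputs rather than the raw TxId, sees both encodings as the same payment. This covers push encoding only, not other sources of malleability.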
WHAT HAPPENED IN MT.GOX?
MT.Gox Announcement
[Diagram sequence: Mt.Gox, Attacker and Attacker’s Wallet on the P2P Bitcoin network]
• Mt.Gox transaction B330 … 5088: 30BTC -> Attacker’s Wallet (ScriptSig … 0x30, ScriptPubkey … 0x19, 30BTC)
• Mutated Transaction C3a8 … 03f8: ScriptSig … 0x30, ScriptPubkey … 0x19, 30BTC, Valid Signature
• Both B330 … 5088 and C3a8 … 03f8 are on the P2P network as 30BTC -> Attacker’s Wallet
• At Mt.Gox, B330 … 5088 stays an Unconfirmed Transaction
• Failed?!? Generate Another Transaction!
DEMO
BLOCKCHAIN OPINION
PUSHDATA Mutated Transaction [Chart: Malleable Transaction count per month, Dec-12 to Aug-14, vertical axis 0 to 6000; data labels 3569, 1900, 79, 11, 22, 0, 2, 0; marker: Mt.Gox announcement]