SLIDE 1
BITCOIN TRANSACTION MALLEABILITY THEORY IN PRACTICE
Daniel Chechik, Rami Kogan Security Researchers
- What is Bitcoin
- Bitcoin Transactions
- Transaction Malleability Vulnerability
- What Happened in MT.Gox
- Live Demo
Agenda
THEORY IN PRACTICE Daniel Chechik, Rami Kogan Security Researchers - - PowerPoint PPT Presentation
THEORY IN PRACTICE Daniel Chechik, Rami Kogan Security Researchers - - PowerPoint PPT Presentation
BITCOIN TRANSACTION MALLEABILITY THEORY IN PRACTICE Daniel Chechik, Rami Kogan Security Researchers Agenda What is Bitcoin Bitcoin Transactions Transaction Malleability Vulnerability What Happened in MT.Gox Live Demo WHAT IS
SLIDE 2
SLIDE 3
WHAT IS BITCOIN?
SLIDE 4
SLIDE 5
SLIDE 6
SLIDE 7
SLIDE 8
SLIDE 9
SLIDE 10
What is Bitcoin?
- Bitcoin is a payment system introduced as an open-source
software in 2009 by a developer known as Satoshi Nakamoto
- P2P network – Trust is a result of data transparency
- Decentralization – No institution is controlling your
money/coins.
- Anonymous Virtual currency.
SLIDE 11
What is a Block?
- A container of Transactions
- Can’t be changed or removed
- Reference to the previous block
SLIDE 12
Block Chain
- The network data history
- Block
- Transactions
PreviousBlockHash
- Block
- Transactions
PreviousBlockHash
- Block
- Transactions
PreviousBlockHash
SLIDE 13
What is a Block?
- All the peers share the Block-Chain
- Transparency
SLIDE 14
Wh What at is a a Bl Block ck?
- Structure
Field Description Size
Blocksize Number of bytes following up to end of block 4 bytes Transaction counter Positive integer VI = VarInt 1 - 9 bytes Blockheader Consists of 6 items 80 bytes Transactions The (non empty) list of <Transaction counter>-many transactions transactions Magic No Value Always 0xD9B4BEF9 4 bytes
SLIDE 15
Bl Block ck Hea eader der Str truct cture ure
Field Purpose Updated when... Size (Bytes) Version Block version number You upgrade the software and it specifies a new version 4 hashMerkleRoot 256-bit hash based on all of the transactions in the block A transaction is accepted 32 Time Current timestamp as seconds since 1970-01- 01T00:00 UTC Every few seconds 4 Bits Current target in compact format The difficulty is adjusted 4 Nonce e 32-bit number (starts at 0) A hash is tried 4 hashPre revB vBloc lock 256-bit hash of the previous A new block comes in 32
SLIDE 16
Wh What at Is Is Min inin ing?
SLIDE 17
What is Mining?
Memory
Pending Pending Pending
Transaction Transaction Transaction … … Transaction
SLIDE 18
What is Mining?
SLIDE 19
What is Mining?
$
SLIDE 20
What is Mining?
SLIDE 21
LET’S SIMULATE MINING RIGHT NOW!
SLIDE 22
0x02000
SLIDE 23
Keep a steady network Record all coin data
Additional Mining Goals
SLIDE 24
Bitcoin – what we’ve learned so far …
- Block – container of transactions
- Block chain - record of all coin data from the beginning
- Block “Solving” – a process used to keep the network
steady and to generate blocks.
SLIDE 25
TRANSACTIONS
SLIDE 26
Transactions
Alice Bob
Broadcasted to network Collected by miners Confirmed (Block Solved)
100 BTC
SLIDE 27
Alice Bob
Bob’s Wallet 100 MYC
Transactions
SLIDE 28
Broadcasted to network
Alice Bob
100 MYC
Transactions
SLIDE 29
Collected by miners Broadcasted to network
Alice Bob
100 MYC
Transactions
SLIDE 30
Confirmed (Block Solved) Collected by miners
100 MYC
Broadcasted to network
Alice Bob
Transactions
SLIDE 31
Transactions
SLIDE 32
Transactions are built from two main components
- Source of coins
(Ref to Txout in block chain)
Inputs
- Redeemer’s Bitcoin address
- Amount
Outputs
Transactions
SLIDE 33
- Prove you have the coins (by including a reference)
- Include the Bitcoin wallet address of the recipient
- Sign the transaction
Transactions
SLIDE 34
TRANSACTION MALLEABILITY
SLIDE 35
P2P Lottery
MessageID (sha256) From: Lottery Prize: You won a Car! To: “Rami” Length … Signature (DER) Length …
Life supply of
Vegemite
SLIDE 36
P2P Lottery
MessageID (sha256) From: Lottery Prize: You won a Car! To: “Rami” Length … Signature (DER) …
ID CAR SUPPLIED f5d8ee...
✓
Length
5e67s… ✓
SLIDE 37
P2P Lottery
SLIDE 38
P2P Lottery
SLIDE 39
Standard Transaction
ScriptSig Input
Signature Public Key
Output
Source of Coins
ScriptSig
TxId (sha256*2)
Amount of Coins
ScriptPubKey (Redeemer’s address)
SLIDE 40
Standard Transaction
ScriptSig Input
Signature Public Key
Output
Source of Coins
Redeemer + Amount of Coins
1 byt e
Length
TxId (sha256*2)
Amount of Coins
ScriptPubKey (Redeemer’s address)
SLIDE 41
Standard Transaction
ScriptSig Input
Signature Public Key
Output
Source of Coins
Redeemer + Amount of Coins
2 byt e
Length
TxId (sha256*2)
Amount of Coins
ScriptPubKey (Redeemer’s address)
SLIDE 42
Standard Transaction
ScriptSig Input
Signature Public Key
Output
Source of Coins
Redeemer + Amount of Coins
2 byte pushdata2
- pcode
(1 byte)
TxId (sha256*2)
Amount of Coins
ScriptPubKey (Redeemer’s address)
SLIDE 43
Standard Transaction
ScriptSig Input
Signature Public Key
Output
Source of Coins
Redeemer + Amount of Coins
0x3
Length
TxId (sha256*2)
Amount of Coins
ScriptPubKey (Redeemers address)
SLIDE 44
Standard Transaction
ScriptSig Input
Signature Public Key
Output
Source of Coins
Redeemer + Amount of Coins
0x3
pushdata2 TxId (sha256*2)
Amount of Coins
ScriptPubKey (Redeemers address)
0x4D
SLIDE 45
Standard Transaction
ScriptSig Input
Signature Public Key
Output
Source of Coins
Redeemer + Amount of Coins
0x3
pushdata2 TxId (sha256*2)
Amount of Coins
ScriptPubKey (Redeemers address)
0x4D 0x00
SLIDE 46
Standard Transaction
ScriptSig Input
Signature Public Key
Output
Source of Coins
Redeemer + Amount of Coins
pushdata2 TxId (sha256*2)
Amount of Coins
ScriptPubKey (Redeemers address)
0x4D 0x3000
Lit ittle e Endi dian: 0x3000 3000 0x0030 0030 0x003 0030 0 == == 0x30 30
SLIDE 47
Standard Transaction
ScriptSig Input
Signature Public Key
Output
Source of Coins
Redeemer + Amount of Coins
pushdata2 TxId (sha256*2)
Amount of Coins
ScriptPubKey (Redeemers address)
0x4D 0x3000
✔
SLIDE 48
Standard Vs Mutated
Mutated TxId = dc34efd49ed738bf4500db367292164166989cb1577302 6e9e185b78292bbc89 TxId = c6cfe6e4f129a34671d10c1bbe158eff05197d388 727e331951b0ec2637c194e
SLIDE 49
Transaction Malleability
- Two different transactions
- Same amount of coins
- Same destination and source
- Mutated wins and gets in a Block
RACE!
SLIDE 50
Rejected Transactions
- Invalid transaction data
- Already spent out-point
- Identical transactions
- Invalid signature
SLIDE 51
WHAT HAPPENED IN MT.GOX?
SLIDE 52
MT.Gox Announcement
SLIDE 53
P2P Bitcoin Mt.Gox
30BTC -> Attacker’s Wallet
B330….…5088
Attacker Attacker’s Wallet
SLIDE 54
30BTC -> Attacker’s Wallet
B330….…5088
P2P Bitcoin Mt.Gox Attacker Attacker’s Wallet
ScriptSig ScriptPubkey
B330….…5088
0x19 0x30 …
30BTC
…
SLIDE 55
30BTC -> Attacker’s Wallet
B330….…5088
P2P Bitcoin Mt.Gox Attacker Attacker’s Wallet
ScriptSig ScriptPubkey
B330….…5088
0x19 0x30 …
30BTC
…
SLIDE 56
30 30BTC -> > Attacker’s Wallet
B330 330….…5088 5088
P2P Bitcoin Mt.Gox Attacker Attacker’s Wallet
ScriptSig ScriptPubkey
B330 330….…5088 5088
0x19 0x30 …
30BT C
…
Mut utated ed Transa nsacti ction
- n
Valid Signature
0x30
…
C3a8…….03 03f8 8
SLIDE 57
30BTC -> Attacker’s Wallet
B330….…5088
P2P Bitcoin Mt.Gox Attacker Attacker’s Wallet
Mutated Transaction
Valid Signature
0x30
…
C3a8…….03f8
SLIDE 58
30BTC -> Attacker’s Wallet
C3a8…….03f8
30BTC -> Attacker’s Wallet
B330….…5088
P2P Bitcoin Mt.Gox Attacker Attacker’s Wallet W
SLIDE 59
30BTC -> Attacker’s Wallet
C3a8…….03f8
30BTC -> Attacker’s Wallet
B330….…5088
P2P Bitcoin Mt.Gox Attacker Attacker’s Wallet W
ScriptSig ScriptPubkey B330…….5088
0x19 0x30 …
30BTC
…
Unconfirmed Tx
SLIDE 60
30BTC -> Attacker’s Wallet
B330….…5088
P2P Bitcoin Mt.Gox Attacker Attacker’s Wallet W
Transaction (B330….…5088) Failed?!?
Unconfirmed
30BTC -> Attacker’s Wallet
C3a8…….03f8
SLIDE 61
30BTC -> Attacker’s Wallet
C3a8…….03f8
30BTC -> Attacker’s Wallet
B330….…5088
P2P Bitcoin Mt.Gox Attacker Attacker’s Wallet W
Transaction (B330….…5088) Failed?!?
Generate Another Transaction!
Unconfirmed
SLIDE 62
30BTC -> Attacker’s Wallet
C3a8…….03f8
30BTC -> Attacker’s Wallet
B330….…5088
P2P Bitcoin Mt.Gox Attacker Attacker’s Wallet W
Transaction (B330….…5088) Failed?!?
Unconfirmed
Generate Another Transaction!
SLIDE 63
30BTC -> Attacker’s Wallet
C3a8…….03f8
30BTC -> Attacker’s Wallet
B330….…5088
P2P Bitcoin Mt.Gox Attacker Attacker’s Wallet W
Transaction (B330….…5088) Failed?!?
Unconfirmed
Generate Another Transaction!
SLIDE 64
DEMO
SLIDE 65
BLOCKCHAIN OPINION
SLIDE 66
PUSHDATA Mutated Transaction
1000 2000 3000 4000 5000 6000 Dec-12 Jan-13 Feb-13 Mar-13 Apr-13 May-13 Jun-13 Jul-13 Aug-13 Sep-13 Oct-13 Nov-13 Dec-13 Jan-14 Feb-14 Mar-14 Apr-14 May-14 Jun-14 Jul-14 Aug-14 Malleable Transaction
SLIDE 67
PUSHDATA Mutated Transaction
79 79 1900 1900 3569 3569 2 2 11 11 22 22 Malleable Transaction
Mt.Go .Gox announ uncem cemen ent
SLIDE 68
Who was The Target?!
- Bitcoins betting
- Trading websites
- Testing
- Wrong usage of the attack
SLIDE 69
MALLEABILITY FIX
SLIDE 70
Transaction Malleability Fix
SLIDE 71
Transaction Malleability Fix
SLIDE 72
Daniel Chechik – daniel.chechik@gmail.com (@danielchechik) Rami Kogan – ramikogan@yahoo.com Ben Hayak – ben.hayak@gmail.com (@benhayak)
Thank You!
BTC: 12qPtFhw9UPL8HvfSsSjvqxeFXp4hRiWym
SLIDE 73
References
Github - https://github.com/sipa/bitcoin/commit/87fe71e1fc810ee120a10063fdd26c3245686d54 Spiderlabs – http://www.spiderlabs.com Bitcoin official document - https://bitcoin.org/bitcoin.pdf Bitcoin Wiki - https://en.bitcoin.it/wiki Bitcoin Transaction Malleability Wiki - https://en.bitcoin.it/wiki/Transaction_Malleability Ken Shirriff - http://www.righto.com/2014/02/bitcoin-transaction-malleability.html