BITCOIN TRANSACTION MALLEABILITY THEORY IN …...Additional Mining Goals Bitcoin – what we’ve...

BITCOIN TRANSACTION MALLEABILITY THEORY IN PRACTICE Daniel Chechik, Rami Kogan Security Researchers

• What is Bitcoin • Bitcoin Transactions • Transaction Malleability Vulnerability • What Happened in MT.Gox • Live Demo

Agenda

WHAT IS BITCOIN?

What is Bitcoin?

• Bitcoin is a payment system introduced as an open-source software in 2009 by a developer known as Satoshi Nakamoto • P2P network – Trust is a result of data transparency

• Decentralization – No institution is controlling your money/coins. • Anonymous Virtual currency.

What is a Block?

• A container of Transactions

• Can’t be changed or removed

• Reference to the previous block

z

Block Chain

• The network data history

• Block

• Transactions

PreviousBlockHash

• Block

• Transactions

PreviousBlockHash

• Block

• Transactions

PreviousBlockHash

What is a Block?

• All the peers share the Block-Chain

• Transparency

What is a Block?

• Structure

Field Description Size

Blocksize Number of bytes following up to end of block

4 bytes

Transaction counter Positive integer VI = VarInt 1 - 9 bytes

Blockheader Consists of 6 items 80 bytes

Transactions The (non empty) list of <Transaction counter>-many

transactions transactions

Magic No Value Always 0xD9B4BEF9 4 bytes

Block Header Structure

Field Purpose Updated when... Size (Bytes)

Version Block version number You upgrade the software and it specifies a new version

4

hashMerkleRoot 256-bit hash based on all of the transactions in the block

A transaction is accepted 32

Time Current timestamp as seconds since 1970-01- 01T00:00 UTC

Every few seconds 4

Bits Current target in compact format

The difficulty is adjusted

4

Nonce 32-bit number (starts at 0) A hash is tried 4

hashPrevBlock 256-bit hash of the previous A new block comes in 32

What Is Mining?

What is Mining?

Memory

Pending

Pending

Pending

Transaction

Transaction

Transaction

…

…

Transaction

What is Mining?

What is Mining?

$

What is Mining?

LET’S SIMULATE MINING RIGHT NOW!

0x02000

Keep a steady network

Record all coin data

Additional Mining Goals

Bitcoin – what we’ve learned so far …

• Block – container of transactions • Block chain - record of all coin data from the beginning • Block “Solving” – a process used to keep the network steady and to generate blocks.

TRANSACTIONS

Transactions

Alice Bob Broadcasted to network

Collected by miners

Confirmed

(Block Solved)

100 BTC

Alice Bob

Bob’s Wallet

100 MYC

Transactions

Broadcasted to network

Alice Bob

100 MYC

Transactions

Collected by miners

Broadcasted to network

Alice Bob

100 MYC

Transactions

Confirmed

(Block Solved) Collected by

miners

100 MYC Broadcasted to network

Alice Bob

Transactions

Transactions

Transactions are built from two main components

• Source of coins (Ref to Txout in block chain) Inputs

• Redeemer’s Bitcoin address

• Amount Outputs

Transactions

• Prove you have the coins (by including a reference) • Include the Bitcoin wallet address of the recipient • Sign the transaction

Transactions

TRANSACTION MALLEABILITY

P2P Lottery

MessageID (sha256)

From: Lottery Prize: You won a Car!

To: “Rami”

Length …

Sig

na

ture

(D

ER

)

Length …

Life supply of

Vegemite

P2P Lottery

MessageID (sha256)

From: Lottery Prize: You won a Car!

To: “Rami”

Length …

Sig

na

ture

(D

ER

)

… ID CAR SUPPLIED

f5d8ee... ✓

Length

5e67s… ✓

P2P Lottery

P2P Lottery

Standard Transaction

ScriptSig

Inp

ut

Signature

Public Key

Ou

tpu

t

Source of Coins

ScriptSig

TxId (sha256*2)

Amount of Coins

ScriptPubKey (Redeemer’s address)

Standard Transaction

ScriptSig

Inp

ut

Signature

Public Key

Ou

tpu

t

Source of Coins

Redeemer + Amount of Coins

1

byt

e

Length TxId (sha256*2)

Amount of Coins

ScriptPubKey (Redeemer’s address)

Standard Transaction

ScriptSig

Inp

ut

Signature

Public Key

Ou

tpu

t

Source of Coins

Redeemer + Amount of Coins

2

byt

e

Length TxId (sha256*2)

Amount of Coins

ScriptPubKey (Redeemer’s address)

Standard Transaction

ScriptSig

Inp

ut

Signature

Public Key

Ou

tpu

t

Source of Coins

Redeemer + Amount of Coins

2

byte pushdata2

opcode

(1 byte) TxId (sha256*2)

Amount of Coins

ScriptPubKey (Redeemer’s address)

Standard Transaction

ScriptSig

Inp

ut

Signature

Public Key

Ou

tpu

t

Source of Coins

Redeemer + Amount of Coins

0x3

0

Length TxId (sha256*2)

Amount of Coins

ScriptPubKey (Redeemers address)

Standard Transaction

ScriptSig

Inp

ut

Signature

Public Key

Ou

tpu

t

Source of Coins

Redeemer + Amount of Coins

0x3

0

pushdata2 TxId (sha256*2)

Amount of Coins

ScriptPubKey (Redeemers address)

0x4D

Standard Transaction

ScriptSig

Inp

ut

Signature

Public Key

Ou

tpu

t

Source of Coins

Redeemer + Amount of Coins

0x3

0

pushdata2 TxId (sha256*2)

Amount of Coins

ScriptPubKey (Redeemers address)

0x4D 0x00

Standard Transaction

ScriptSig

Inp

ut

Signature

Public Key

Ou

tpu

t

Source of Coins

Redeemer + Amount of Coins

pushdata2 TxId (sha256*2)

Amount of Coins

ScriptPubKey (Redeemers address)

0x4D 0x3000

Little Endian:

0x3000 0x0030

0x0030 ==

0x30

Standard Transaction

ScriptSig

Inp

ut

Signature

Public Key

Ou

tpu

t

Source of Coins

Redeemer + Amount of Coins

pushdata2 TxId (sha256*2)

Amount of Coins

ScriptPubKey (Redeemers address)

0x4D 0x3000

✔

Standard Vs Mutated

Mutated TxId = dc34efd49ed738bf4500db367292164166989cb1577302

6e9e185b78292bbc89

TxId = c6cfe6e4f129a34671d10c1bbe158eff05197d388

727e331951b0ec2637c194e

Transaction Malleability

• Two different transactions • Same amount of coins • Same destination and source

• Mutated wins and gets in a Block RACE!

Rejected Transactions

• Invalid transaction data

• Already spent out-point

• Identical transactions

• Invalid signature

WHAT HAPPENED IN MT.GOX?

MT.Gox Announcement

P2P Bitcoin

Mt.Gox

30BTC -> Attacker’s Wallet

B330….…5088

Attacker

Attacker’s Wallet

30BTC -> Attacker’s Wallet

B330….…5088

P2P Bitcoin

Mt.Gox

Attacker

Attacker’s Wallet

ScriptSig

ScriptPubkey

B330….…5088

0x19

0x30 …

30BTC …

30BTC -> Attacker’s Wallet

B330….…5088

P2P Bitcoin

Mt.Gox

Attacker

Attacker’s Wallet

ScriptSig

ScriptPubkey

B330….…5088

0x19

0x30 …

30BTC …

30BTC -> Attacker’s Wallet

B330….…5088

P2P Bitcoin

Mt.Gox

Attacker

Attacker’s Wallet

ScriptSig

ScriptPubkey

B330….…5088

0x19

0x30 …

30BT

C …

Mutated Transaction

Valid Signature

0x30 …

C3a8…….03f8

30BTC -> Attacker’s Wallet

B330….…5088

P2P Bitcoin

Mt.Gox

Attacker

Attacker’s Wallet

Mutated Transaction

Valid Signature

0x30 …

C3a8…….03f8

30BTC -> Attacker’s Wallet

C3a8…….03f8

30BTC -> Attacker’s Wallet

B330….…5088

P2P Bitcoin

Mt.Gox

Attacker

Attacker’s Wallet

W

30BTC -> Attacker’s Wallet

C3a8…….03f8

30BTC -> Attacker’s Wallet

B330….…5088

P2P Bitcoin

Mt.Gox

Attacker

Attacker’s Wallet

W

ScriptSig

ScriptPubkey

B330…….5088

0x19

0x30 …

30BTC …

Unconfirmed Tx

30BTC -> Attacker’s Wallet

B330….…5088

P2P Bitcoin

Mt.Gox

Attacker

Attacker’s Wallet

W Transaction (B330….…5088) Failed?!?

Unconfirmed

30BTC -> Attacker’s Wallet

C3a8…….03f8

30BTC -> Attacker’s Wallet

C3a8…….03f8

30BTC -> Attacker’s Wallet

B330….…5088

P2P Bitcoin

Mt.Gox

Attacker

Attacker’s Wallet

W Transaction (B330….…5088) Failed?!?

Generate Another Transaction!

Unconfirmed

30BTC -> Attacker’s Wallet

C3a8…….03f8

30BTC -> Attacker’s Wallet

B330….…5088

P2P Bitcoin

Mt.Gox

Attacker

Attacker’s Wallet

W Transaction (B330….…5088) Failed?!?

Unconfirmed

Generate Another Transaction!

30BTC -> Attacker’s Wallet

C3a8…….03f8

30BTC -> Attacker’s Wallet

B330….…5088

P2P Bitcoin

Mt.Gox

Attacker

Attacker’s Wallet

W Transaction (B330….…5088) Failed?!?

Unconfirmed

Generate Another Transaction!

DEMO

BLOCKCHAIN OPINION

PUSHDATA Mutated Transaction

0

1000

2000

3000

4000

5000

6000

De

c-1

2

Jan

-13

Fe

b-1

3

Ma

r-1

3

Ap

r-1

3

Ma

y-1

3

Jun

-13

Jul-1

3

Au

g-1

3

Se

p-1

3

Oct-

13

No

v-1

3

De

c-1

3

Jan

-14

Fe

b-1

4

Ma

r-1

4

Ap

r-1

4

Ma

y-1

4

Jun

-14

Jul-1

4

Au

g-1

4

Malleable

Transaction

PUSHDATA Mutated Transaction

0 0 79

1900

3569

2 2 11 0 22

Malleable

Transaction

Mt.Gox announcement

Who was The Target?!

• Bitcoins betting

• Trading websites

• Testing

• Wrong usage of the attack

MALLEABILITY FIX

Transaction Malleability Fix

Transaction Malleability Fix

Daniel Chechik – daniel.chechik@gmail.com (@danielchechik)

Rami Kogan – ramikogan@yahoo.com

Ben Hayak – ben.hayak@gmail.com (@benhayak)

Thank You!

BTC: 12qPtFhw9UPL8HvfSsSjvqxeFXp4hRiWym

References

Github - https://github.com/sipa/bitcoin/commit/87fe71e1fc810ee120a10063fdd26c3245686d54 Spiderlabs – http://www.spiderlabs.com Bitcoin official document - https://bitcoin.org/bitcoin.pdf Bitcoin Wiki - https://en.bitcoin.it/wiki Bitcoin Transaction Malleability Wiki - https://en.bitcoin.it/wiki/Transaction_Malleability Ken Shirriff - http://www.righto.com/2014/02/bitcoin-transaction-malleability.html