Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Sunday July 05 2015, @06:20AM   Printer-friendly
from the double-double-toil-and-trouble;-fire-burn-and-caldron-bubble dept.

Summary

Your bitcoins are safe if you received them in transactions confirmed before 2015-07-04 15:00 UTC.

However, there has been a problem with a planned upgrade. For bitcoins received later than the time above, confirmation scores are significantly less reliable then they usually are for users of certain software:

  • Lightweight (SPV) wallet users should wait an additional 30 confirmations more than you would normally wait.
  • Bitcoin Core 0.9.4 or earlier users should wait an additional 30 confirmations more than you would normally wait or upgrade to Bitcoin Core 0.10.2.
  • Web wallet users should wait an additional 30 confirmations more than you would normally wait, unless you know for sure that your wallet is secured by Bitcoin Core 0.9.5 or later.
  • Bitcoin Core 0.9.5 or later users are unaffected. (Note: upgrade to 0.10.2 is recommended due to denial-of-service vulnerabilities unrelated to this alert.)

[More after the break.]

The incident status page describes the cause of the problem:

For several months, an increasing amount of mining hash rate has been signaling its intent to begin enforcing BIP66 strict DER signatures. As part of the BIP66 rules, once 950 of the last 1,000 blocks were version 3 (v3) blocks, all upgraded miners would reject version 2 (v2) blocks.

Early morning UTC on 4 July 2015, the 950/1000 (95%) threshold was reached. Shortly thereafter, a small miner (part of the non-upgraded 5%) mined an invalid block--as was an expected occurrence. Unfortunately, it turned out that roughly half the network hash rate was mining without fully validating blocks (called SPV mining), and built new blocks on top of that invalid block.

It further describes the impact of this on Bitcoin users:

All software that assumes blocks are valid (because invalid blocks cost miners money) is at risk of showing transactions as confirmed when they really aren't. This particularly affects lightweight (SPV) wallets and software such as old versions of Bitcoin Core which have been downgraded to SPV-level security by the new BIP66 consensus rules

There has already been lost revenue as a result of this incident, with the status page stating "several large miners have lost over $50,000 dollars worth of mining income so far." The status page will be updated as this situation unfolds. There is currently a big red warning message at the top of their status page that prominently states: "many wallets currently vulnerable to double-spending of confirmed transactions."

[Update: corrected links to 0.10.2 - Ed.]


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Informative) by martyb on Sunday July 05 2015, @10:28AM

    by martyb (76) Subscriber Badge on Sunday July 05 2015, @10:28AM (#205247) Journal

    Thanks for pointing that out; I've updated the story and you should see the correction appear shortly.

    I'm curious how that could have happened, though. I went to the linked status page, highlighted the text you see here, did a 'view source', copied their source HTML, and pasted it into the story here! It seemed to be the fastest way to get the text AND the links brought over to the story.

    Aha! Their page used an absolute link address, but omitted the domain name from the url. That *is* a valid construct (we use it often here on this site) but I'd not thought of it when I copied things over. Mea culpa -- I'll keep my eyes peeled for this kind of issue in the future.

    Details. Their page links were of the form:

    <b>Bitcoin Core 0.9.4 or earlier users</b> should wait an
      additional 30 confirmations more than you would normally
      wait or upgrade to <a href="/en/download">Bitcoin Core 0.10.2</a>.

    and for the link to work here, it needed to be changed to:

    <b>Bitcoin Core 0.9.4 or earlier users</b> should wait an
      additional 30 confirmations more than you would normally
      wait or upgrade to <a href="https://bitcoin.org/en/download">Bitcoin Core 0.10.2</a>.

    Thanks again for kindly pointing out the mistake.

    --
    Wit is intellect, dancing.
    Starting Score:    1  point
    Moderation   +1  
       Informative=1, Total=1
    Extra 'Informative' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   3