He mentions the timing of the MtGox announcement being odd. What happened at MtGox was somewhat different. MtGox was submitting transactions that were being rejected due to being malformed according to the latest Bitcoin client software. What some users discovered is that they could correct the malformation issues in the MtGox transactions causing them to go through, but they could also change the hash transaction id, so that meant that not only could they make the transfer go through, but they could do so while making MtGox's software believe that it in fact had not gone through since MtGox was using the transaction id hash to verify a transaction.
When a transaction was rejected by the Bitcoin network that MtGox sent, the MtGox software would detect the rejection and immediately re-credit your account for the attempted transfer amount. MtGox also had an api that allowed you to see the exact contents of the transactions that they sent to the Bitcoin network. This meant that what someone could do is just grab the rejected transaction, fix the malformed portion, modify the transaction id hash and resend the transaction, causing it to go through, but MtGox was unaware of the successful transfer and would re-credit the account. The user could then rinse and repeat over and over.
The interesting twist of this is that it means MtGox knows which user accounts were used to steal coins from them since the malformed transaction could be modified to change the transaction id hash, but the receiving bitcoin address could not be modified without invalidating the transaction.
Probably not much; it depends on whether it's a hacked account or not, and then if they do in fact know the identity of the hacker it becomes a legal thing. They can't do anything to revert the theft. It would be an interesting court battle over bitcoins.
transactions, which move bitcoins from one address to another, must be signed by the sending address.
however, not all parts of a transaction are signed. modifying those parts allows one to create a valid transaction with the same bitcoin transferring effect, but with a different overall hash.
the hash of the entire transaction is used as a transaction id.
so a modified transaction would have a different id.
some bitcoin management software (a wallet) loses track of transfers, because those transfers don't occur under the transaction-id it expected.
the implication is that some bitcoin services could get confused about who they've successfully sent bitcoins to.
an attacker could socially engineer a "robbery" by transmitting a mutation of an official withdrawal transaction, then appealing to the helpdesk of that service that their withdrawal never went through. it did go through - just under a different transaction id.
checking transaction hashes for acceptance into the blockchain was a stupid idea to begin with. clearly the data in a transaction is malleable without affecting the signature. given that mtgox already were using non-canonical transactions, they should have been aware of this.
a transaction only becomes immutable once it has been included in the blockchain. after this point, searching for a tx by hash is ok.
calling this a bug of the bitcoin protocol is akin to saying that array decay in C is a bug in the language spec. it is known, and has been talked about for a long time. in both cases.
More seriously, if the software was set up to retransmit bitcoin after a "failed" transfer, then that service could be exploited automatically. Mostly, this wasn't a social attack. The seriousness was that many services were set up to retransmit automatically, and did lose a lot of money automatically.
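The failure mode described in these comments (a wallet or service keying on a pre-confirmation txid, then auto-retransmitting when that id never appears) can be avoided by settling withdrawals on what the signature actually commits to. The following is an added illustration, not code from the thread or from any exchange; the prev outpoint, destination script and signature bytes are constructed placeholders, and the serialization is the legacy (pre-SegWit) layout:

```python
import hashlib
import struct

# Constructed sample values, not real chain data.
PREV = bytes.fromhex("11" * 32)                        # outpoint the withdrawal spends
DEST = bytes.fromhex("76a914" + "22" * 20 + "88ac")    # P2PKH-style destination script
SIG = b"\x47" + bytes(71) + b"\x21" + bytes(33)        # placeholder signature + pubkey pushes


def varint(n):
    return bytes([n]) if n < 0xFD else b"\xfd" + struct.pack("<H", n)


def serialize(inputs, outputs):
    """Legacy serialization. inputs: (prev_txid, index, script_sig); outputs: (value, script_pubkey)."""
    s = struct.pack("<I", 1) + varint(len(inputs))
    for prev, idx, script_sig in inputs:
        s += prev[::-1] + struct.pack("<I", idx) + varint(len(script_sig)) + script_sig + b"\xff" * 4
    s += varint(len(outputs))
    for value, spk in outputs:
        s += struct.pack("<q", value) + varint(len(spk)) + spk
    return s + struct.pack("<I", 0)


def txid(inputs, outputs):
    """Transaction id = double SHA-256 over the whole serialization, scriptSig included."""
    h = hashlib.sha256(hashlib.sha256(serialize(inputs, outputs)).digest()).digest()
    return h[::-1].hex()


def fingerprint(inputs, outputs):
    """What the signature commits to: outpoints spent and outputs created; scriptSig excluded."""
    return (tuple((p, i) for p, i, _ in inputs), tuple(outputs))


def settle(pending, confirmed):
    """Decide a withdrawal's fate from confirmed txs without trusting the pre-broadcast txid.
    Re-crediting a customer is only safe on 'unconfirmed' AND once the outpoint is known unspent."""
    pid, fp = txid(*pending), fingerprint(*pending)
    for c in confirmed:
        if txid(*c) == pid:
            return "confirmed"
        if fingerprint(*c) == fp:
            return "confirmed-under-other-id"
    return "unconfirmed"


# The withdrawal as broadcast, and the same transfer as mined with a different scriptSig encoding.
WITHDRAWAL = ([(PREV, 0, SIG)], [(50_000_000, DEST)])
AS_MINED = ([(PREV, 0, b"\x61" + SIG)], [(50_000_000, DEST)])

if __name__ == "__main__":
    print(txid(*WITHDRAWAL) != txid(*AS_MINED), settle(WITHDRAWAL, [AS_MINED]))
```

The two serializations hash to different ids but share the same fingerprint, so a service comparing outpoints and outputs (rather than the id it remembered) sees that the coins already left and does not re-credit.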
scriptSig (the second part of the script) contains the signature - it can't sign itself, but you can add other opcodes to it and that allows malleability.
Yes, the modified Bitcoin transaction performs exactly the same transfer between the same addresses. There is no double-spend as far as the Bitcoin system is concerned since only one of the transactions will get confirmed by miners.
Linguistic arguments are kind of pointless, but it's still an attack even if they are just trying to disrupt the system and not steal anything. e.g. a denial-of-service attack.
Bitcoin the protocol? Bitcoin the idea? Bitcoin the network? Bitcoin the whole ecosystem?
I would argue it was an attack on Bitcoin the ecosystem, due to an _oddity_ of Bitcoin the protocol. Bitcoin the idea is still fully alive. The attack worked from within Bitcoin, the network.
There's an attack on credit cards because Target had a breach!
See, I can say ridiculous things too. Someone using bitcoins didn't follow protocol and as such was scammed out of money. This isn't a bitcoins-protocol issue, this is a people issue.
Note that the other exchanges are up now, very quickly after everyone stopped to check themselves.
This causes another problem. Even if you have a lot of coins from a former transaction, when you spend a little, the remaining coins (change) have to be blocked for 1 hour (6 blocks) until the transaction is "confirmed".
The standard client just assumes that the transaction is legit and you can use the remaining coins immediately. But to use these coins the program has to know the ID of the transaction.
But due to the malleability, it's possible that the ID that is generated in your client is not the same ID that is finally added to the blockchain. If you use the original ID and it is changed, then the next transactions will be invalid. So you must wait to see the final ID and use it to create the next transactions.
Well pointing out that large implementations thought they had a transaction ID, and that the transaction ID can just change later -- that's some decent technical-level "FUD".
This is not an attack. If anything, it serves to make the bitcoin ecosystem stronger. A course of anti-bionics if you like, forcing the network to build up safeguards against the lack of understanding of this characteristic of the protocol.