A massive DDoS attack targeting bitcoin exchanges means Mt. Gox only kinda called wolf

By Michael Carney , written on February 12, 2014

From The News Desk

The global bitcoin network is being put to the test thanks to a “massive and concerted [distributed denial of service] attack” targeting multiple exchanges, according to chief security officer Andreas Antonopoulos.

According to a statement released by the Bitcoin Foundation:

Somebody (or several somebodies) is taking advantage of the transaction malleability issue and relaying mutated versions of transactions. This is exposing bugs in both the reference implementation and some exchange’s software.

Put another way, attackers are flooding the bitcoin network with mutated copies of legitimate transactions. Transaction malleability means that a third party who sees an unconfirmed transaction can alter the encoding of its signature data without invalidating it and rebroadcast the result; the altered version spends the same coins to the same recipients but carries a different transaction hash (txid). An exchange whose software tracks a withdrawal by the txid it originally broadcast sees that hash never confirm and, unless it also checks which coins were actually spent, cannot tell that the payment already went through under a different hash. That reconciliation failure, not the network itself, is what is overwhelming some exchanges.

Transaction malleability is the same issue Mt. Gox raised earlier this week, when the former top exchange halted BTC withdrawals indefinitely, citing difficulties reconciling mutated transactions under its customized bitcoin client. At the time, the bitcoin core development team called the issue “an unfortunate interaction between Mt. Gox’s implementation of their highly customized wallet software, their customer support procedures, and their unpreparedness for transaction malleability.”

In a subsequent statement following the network-wide DDoS attack, Jeff Garzik admitted on behalf of the Bitcoin Foundation: “This is exposing bugs in both the reference implementation and some exchange’s software. We (core dev team, developers at the exchanges, and even big mining pools) are creating workarounds and fixes right now.” The statement adds that the group will likely release an update to address two edge cases highlighted by this attack.

Bitcoin’s core blockchain consensus mechanism continues to work and payments are being processed normally, according to the Foundation. Both Antonopoulos and Garzik state explicitly that the current attack is not resulting in stolen coins and that no funds are at risk. Rather, the DDoS is delaying the exchanges’ ability to confirm that withdrawals have gone through.

“I would expect to see withdrawals flowing again within 24 to 72 hours, and in the meantime, any withdrawals that were cancelled will reappear in customer account balances,” Antonopoulos says.

The ongoing attack has led Bitstamp, the world’s largest bitcoin exchange by volume, to temporarily halt bitcoin withdrawals, and the number-two exchange BTC-e to warn of possible transaction delays via Twitter.

Coincidental timing aside – can you say conspiracy? – the impacts of this transaction malleability attack would seem to vindicate Mt. Gox’s claims that the issue is pressing enough to demand a rush fix. But it may not be that simple.

While other exchanges have temporarily halted withdrawals to avoid re-sending payments whose original transaction had merely been mutated, the consensus is that Mt. Gox made no such effort at confirmation in recent weeks or months, and likely re-processed withdrawal requests that had in fact already been paid before finally realizing what was going on.

As Antonopoulos and Garzik explained in a series of tweets today, not all exchanges are vulnerable. Only exchanges that rely on the hash of an unconfirmed transaction, what Antonopoulos calls a “known-unreliable identifier,” to confirm that a withdrawal went through are falling victim to this attack; until a transaction is in a block, any relay on the path can change that hash. It means that Mt. Gox was right to call out the issue, but that the blame is shared, and the ultimate fix may require changes in both the core bitcoin client and Mt. Gox’s custom implementation.
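To make the “known-unreliable identifier” from this passage, and the mechanism described earlier, concrete, here is an added example in Python that is not code from this article, from Mt. Gox or from Bitcoin Core. It serializes a one-input, one-output transaction in the legacy bitcoin wire format, re-encodes the scriptSig pushes with OP_PUSHDATA1 (the script executes identically, so the result is consensus-valid, although nodes now reject non-minimal pushes as non-standard by policy), and shows the txid changing while the spent coins and the outputs stay the same. The signature bytes, public key, previous txid and destination script are constructed placeholders, and the two ledger classes are hypothetical illustrations of reconciling by txid versus by the coins a withdrawal spends.

```python
import hashlib
from dataclasses import dataclass


def sha256d(data: bytes) -> bytes:
    """Bitcoin's double SHA-256, used for txids."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def varint(n: int) -> bytes:
    """Bitcoin CompactSize encoding for lengths and counts."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    if n <= 0xFFFFFFFF:
        return b"\xfe" + n.to_bytes(4, "little")
    return b"\xff" + n.to_bytes(8, "little")


@dataclass(frozen=True)
class TxIn:
    prev_txid: str        # display-order (big-endian) hex of the output being spent
    prev_vout: int
    script_sig: bytes
    sequence: int = 0xFFFFFFFF


@dataclass(frozen=True)
class TxOut:
    value_sat: int
    script_pubkey: bytes


@dataclass(frozen=True)
class Tx:
    vin: tuple
    vout: tuple
    version: int = 1
    locktime: int = 0

    def serialize(self) -> bytes:
        """Legacy (pre-SegWit) transaction wire format."""
        out = self.version.to_bytes(4, "little") + varint(len(self.vin))
        for i in self.vin:
            out += bytes.fromhex(i.prev_txid)[::-1]          # internal byte order
            out += i.prev_vout.to_bytes(4, "little")
            out += varint(len(i.script_sig)) + i.script_sig  # scriptSig is hashed...
            out += i.sequence.to_bytes(4, "little")
        out += varint(len(self.vout))
        for o in self.vout:
            out += o.value_sat.to_bytes(8, "little")
            out += varint(len(o.script_pubkey)) + o.script_pubkey
        out += self.locktime.to_bytes(4, "little")
        return out

    def txid(self) -> str:
        # ...so any re-encoding of the scriptSig yields a different txid.
        return sha256d(self.serialize())[::-1].hex()

    def outpoints(self) -> frozenset:
        """The coins this transaction spends; malleation cannot change these."""
        return frozenset((i.prev_txid, i.prev_vout) for i in self.vin)


def push_direct(data: bytes) -> bytes:
    """Minimal push: a single length opcode (0x01..0x4b) then the data."""
    assert 1 <= len(data) <= 75
    return bytes([len(data)]) + data


def push_pushdata1(data: bytes) -> bytes:
    """OP_PUSHDATA1 (0x4c) + one length byte: same stack result, different bytes."""
    assert len(data) <= 255
    return b"\x4c" + bytes([len(data)]) + data


# Constructed placeholders (not a real signature or key): DER-shaped 71-byte
# signature with SIGHASH_ALL appended, a 33-byte compressed pubkey, a fake
# previous txid and a P2PKH destination script.
SIG = bytes.fromhex("30440220" + "11" * 32 + "0220" + "22" * 32 + "01")
PUBKEY = b"\x02" + b"\x33" * 32
PREV_TXID = "ab" * 32
DEST_SPK = bytes.fromhex("76a914" + "cd" * 20 + "88ac")


def build_withdrawal(push) -> Tx:
    """The same 1.5 BTC withdrawal, with the scriptSig encoded by `push`."""
    script_sig = push(SIG) + push(PUBKEY)
    return Tx(vin=(TxIn(PREV_TXID, 0, script_sig),),
              vout=(TxOut(150_000_000, DEST_SPK),))


ORIGINAL = build_withdrawal(push_direct)     # what the exchange broadcast
MUTATED = build_withdrawal(push_pushdata1)   # what a relay rebroadcast and what got mined


class TxidLedger:
    """Hypothetical: tracks withdrawals by the txid of the unconfirmed broadcast."""
    def __init__(self):
        self.pending = {}

    def record(self, tx: Tx):
        self.pending[tx.txid()] = tx

    def on_confirmed(self, tx: Tx) -> bool:
        """True if this confirmation settles a pending withdrawal."""
        return self.pending.pop(tx.txid(), None) is not None


class OutpointLedger:
    """Hypothetical: tracks withdrawals by the coins spent and the payment made."""
    def __init__(self):
        self.pending = {}

    def record(self, tx: Tx):
        self.pending[tx.outpoints()] = tx

    def on_confirmed(self, tx: Tx) -> bool:
        expected = self.pending.get(tx.outpoints())
        if expected is None or expected.vout != tx.vout:
            return False          # our coins spent to someone else: not our payment
        del self.pending[tx.outpoints()]
        return True


def demo() -> tuple:
    """Returns (settled_by_txid, settled_by_outpoint) when the mutated version confirms."""
    by_txid, by_outpoint = TxidLedger(), OutpointLedger()
    by_txid.record(ORIGINAL)
    by_outpoint.record(ORIGINAL)
    return by_txid.on_confirmed(MUTATED), by_outpoint.on_confirmed(MUTATED)


if __name__ == "__main__":
    print("original txid:", ORIGINAL.txid())
    print("mutated  txid:", MUTATED.txid())
    print("settled (by txid, by outpoint):", demo())
```

The txid-keyed ledger still lists the withdrawal as pending after the mutated copy is mined, so an automated “retry failed withdrawals” job would pay the customer a second time from different coins; the outpoint-keyed ledger recognises the confirmed transaction as the same payment because it spends the same coins to the same outputs.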

Garzik summed up the position, tweeting, “I consider it an education bug, at a minimum, when a bunch of people make the same mistake.”

Unsurprisingly, the global price of bitcoin has taken a hit in the wake of this latest attack, but perhaps not as much as many would expect. The Coindesk Bitcoin Price Index peaked at $710.04 in early trading Tuesday, before falling as low as $635.36 by 10:00pm GMT. The Index has been bouncing between $650 and $675 since, suggesting that there is support at that level and panic selling has been contained. The Index is still down overall from last week’s high of $840 preceding the Mt. Gox revelations, and down from the November high of more than $1,240.

It’s easy to write off events like today’s as growing pains in bitcoin’s continued maturation, and to a certain extent that’s what they are. But the bitcoin community’s ambitions for the future of this crypto-currency are sufficiently grand that the emergence of systemic vulnerabilities should have people substantially concerned. Real or imagined, the transaction malleability problem is sending the wrong message to would-be bitcoin adopters.

Antonopoulos does not seem fazed, however, telling Coindesk in an interview today:

I expect things will go back to normal and the honey badger of money can continue showing its resilience. The death of bitcoin has been prematurely announced so many times already that the obvious conclusion is that bitcoin is far more resilient than its critics would like to think. I am confident that in a few days, those who predicted the death of bitcoin will once again be proven wrong.

[Image via zcopely, Flickr]