Malleability Attack a Nuisance but Bitcoin Not Broken, Pundits Say

by Leon Pick
  • The Bitcoin network was inconvenienced but faces no mortal danger, experts say, following the latest attacks.
Malleability Attack a Nuisance but Bitcoin Not Broken, Pundits Say
Photo: Baran Ivo
Join our Crypto Telegram channel

The Bitcoin network was inconvenienced but faces no mortal danger, experts say, following the latest attacks.

Unlike the so-called spam attacks or stress tests which were common over the summer, the recent "malleability attack" was relatively easy to carry out and cost its perpetrator(s) next to nothing.

The attack involves the and modification and rebroadcasting of legitimate pending Bitcoin transactions that have yet to be confirmed into the next block by the mining network. The mass attempt of respending the bitcoins, while obviously illegitimate to an observer, clogs the transaction queue. The network must decide which transactions are authentic and discard those that are bogus, thereby delaying the confirmation process.

Several Bitcoin businesses and wallet services warned users that confirmation times would be over an hour instead of the typical average of several minutes. Users were warned not to rely on "zero-confirmation" transactions during the period. At one point, as many as 80% of the pending transactions were bogus. While it is common for business owners to rely on zero-confirmation transactions during peaceful times, they were warned not to during the attacks.

Accepted vs Rejected

Multiple episodes of malleability attack yielded abnormally high proportions of rejected transactions. Chart source: statoshi.info

space

The malleability attack can be carried out with a script consisting of only "100 or so lines of code", at no cost, according to one claiming to have perpetrated the attacks, speaking to Motherboard.

In contrast, the summer stress tests cost thousands of dollars in transaction fees due to the excessively large data sizes. These transactions were legitimate and confirmed by the network; their sole purpose was to clog the transaction queue with artificially high priority transactions, which miners will process first because of the higher transaction fees. These attacks/tests were ostensibly carried out to demonstrate the unsustainability of Bitcoin under its current block size limitations.

"Breaking Bitcoin"

Someone claiming to have carried out the malleability attacks, working under the alias 'Alister Maclin', seemingly verified his claims when the network clogged and cleared at the prescribed times he predicted.

He said that he "broke Bitcoin", which can mean different things to different people. Some, taking exception to the claim and Medium's post, have passionately pointed out that no fraudulent transactions were processed and that the network returns to normal once the attacks subside. While it is confusing and concerning to view multiple conflicting transactions, especially to novice users, all those that are legitimate are eventually confirmed.

The attacks can definitely cause inconvenience, and can be perpetrated by anyone capable and in the right mood. Maclin indicated several grievances with the way Bitcoin is managed, and said that he may strike again.

The events also demonstrate the network's susceptibility to bad actors and capacity constraints, challenging the notion of its suitability for mainstream use as a worldwide currency or as a backbone for securities trading and fiat currency transfers. In addition to the malleability issue, Bitcoin's architecture is susceptible to block size limitations, and theoretically, 51% attacks and double spending.

Developers have been working on a BIP62 (Bitcoin improvement proposal #62) that would address the malleability issue, although "complexities" have been reported in the implementation.

The Bitcoin network was inconvenienced but faces no mortal danger, experts say, following the latest attacks.

Unlike the so-called spam attacks or stress tests which were common over the summer, the recent "malleability attack" was relatively easy to carry out and cost its perpetrator(s) next to nothing.

The attack involves the and modification and rebroadcasting of legitimate pending Bitcoin transactions that have yet to be confirmed into the next block by the mining network. The mass attempt of respending the bitcoins, while obviously illegitimate to an observer, clogs the transaction queue. The network must decide which transactions are authentic and discard those that are bogus, thereby delaying the confirmation process.

Several Bitcoin businesses and wallet services warned users that confirmation times would be over an hour instead of the typical average of several minutes. Users were warned not to rely on "zero-confirmation" transactions during the period. At one point, as many as 80% of the pending transactions were bogus. While it is common for business owners to rely on zero-confirmation transactions during peaceful times, they were warned not to during the attacks.

Accepted vs Rejected

Multiple episodes of malleability attack yielded abnormally high proportions of rejected transactions. Chart source: statoshi.info

space

The malleability attack can be carried out with a script consisting of only "100 or so lines of code", at no cost, according to one claiming to have perpetrated the attacks, speaking to Motherboard.

In contrast, the summer stress tests cost thousands of dollars in transaction fees due to the excessively large data sizes. These transactions were legitimate and confirmed by the network; their sole purpose was to clog the transaction queue with artificially high priority transactions, which miners will process first because of the higher transaction fees. These attacks/tests were ostensibly carried out to demonstrate the unsustainability of Bitcoin under its current block size limitations.

"Breaking Bitcoin"

Someone claiming to have carried out the malleability attacks, working under the alias 'Alister Maclin', seemingly verified his claims when the network clogged and cleared at the prescribed times he predicted.

He said that he "broke Bitcoin", which can mean different things to different people. Some, taking exception to the claim and Medium's post, have passionately pointed out that no fraudulent transactions were processed and that the network returns to normal once the attacks subside. While it is confusing and concerning to view multiple conflicting transactions, especially to novice users, all those that are legitimate are eventually confirmed.

The attacks can definitely cause inconvenience, and can be perpetrated by anyone capable and in the right mood. Maclin indicated several grievances with the way Bitcoin is managed, and said that he may strike again.

The events also demonstrate the network's susceptibility to bad actors and capacity constraints, challenging the notion of its suitability for mainstream use as a worldwide currency or as a backbone for securities trading and fiat currency transfers. In addition to the malleability issue, Bitcoin's architecture is susceptible to block size limitations, and theoretically, 51% attacks and double spending.

Developers have been working on a BIP62 (Bitcoin improvement proposal #62) that would address the malleability issue, although "complexities" have been reported in the implementation.

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}