Where have all the Bitcoins gone?

Filed Under: Cryptography, Featured, Law & order

In the past, when we've covered anything that sounded even remotely like "Bitcoin trouble," we've ended up with well-meaning Bitcoin fans on our case.

That's because many of, though not all, the Bitcoin troubles we have written about have really been troubles at the interface between Bitcoins and traditional currency.

That interface is made up of the exchanges that let you trade regular money into and out of Bitcoinage.

Examples include:

June 2011. Stolen passwords were used for fraudulent trades at Mt Gox, dumping the price from $15 to $0.01 (one US cent) in about an hour.

May 2012. An exchange called Bitcoinica allegedly had $225,000 stolen, followed by another $90,000 later the same year.

September 2012. $250,000 was stolen from boutique exchange Bitfloor after an encryption lapse during a server upgrade.

March 2013. A 25% value drop was precipitated by incompatibility between successive Bitcoin software versions, causing legitimate transactions to be rejected.

May 2013. Online gaming company ESEA illegally snuck Bitcoin mining code into its software - ironically in its anti-cheating module.

August 2013. A flaw in the Java pseudorandom number generator allegedly led to Bitcoin thefts from improperly-secured digital wallets on the Android platform.

November 2013. Small exchanges in Australia, China and Denmark "vanished along with the money" after claiming they'd heen hacked.

As we remarked in November last year:

[M]any Bitcoiners seem to be big on risk, entrusting their precious Bitcoin assets to a wide range of online wallet services, where they are firmly in the sights of cybercrooks...

Remember, you don't have to keep your Bitcoins online with someone else: you can store your Bitcoins yourself, encrypted and offline.

There was life before cloud storage, and there will be life after it.

How prescient those words seem now!

It's been tricky enough for old-school retailers to keep things shipshape recently, with massive in-store breaches at companies like Target and Neiman Marcus.

These breaches occurred, at least in part, because most if not all of the companies' cash registers fell under the remote control of malware-wielding cybercrooks.

Now add an unregulated currency like Bitcoin into the mix - one that has no physical form and doesn't officially exist, yet has been deemed to be worth more than $1000 per "coin" at times in the past year - and things get trickier still.

As an anonymous correspondent wryly, if somewhat imprecisely, put it in an email I received recently, "...Because something uses funky cryptography and has become a techie daahling doesn't mean that the ecosystem it spawns is imbued with the same Magic CryptoDust..."

We've had a blast of reminders of the truth of this throwaway remark lately, from the small, medium and extremely large parts of the Bitcoin world:

• Curiously-named Poloniex lost $50,000 due to a coding error (known as a race condition) in its Bitcoin withdrawal database.

If seems that you posted lots of withdrawals at the same time, and each one on its own would not have put you into the red, then the system would queue them all up and process the lot.

Only when the dust settled would Poloniex realise it had paid out your last few dollars over and over again.

• Flexcoin closed down earlier this week after hackers processed a fraudulent transfer of $600,000.

Reports suggest that's everything that Flexcoin had on deposit, gone in one go.

• Mt Gox, once the biggest Bitcoin exchange, closed up, filed for bankruptcy and declared that it was missing Bitcoins worth some $500,000,000.

You read that correctly: about half-a-billion dollars.

To be fair to Bitcoin fans, many of these problems have had little to do with the Bitcoin cryptographic infrastructure.

Bitcoin's design didn't cause Poloniex's race condition, nor Bitfloor's security lapse, nor Flexcoin's suddenly-vanishing $600,000 of online currency.

Nevertheless, Bitcoin's cryptography isn't perfect.

Transactions, which have a one-off ID, are cryptographically hashed to mark them uniquely, but this hash is improperly computed.

Hash collisions, where two different IDs end up hashing the same, can't be manufactured, but what you might call "anti-collisions" can.

The same ID can end up with two different hashes - one transaction being real, and the other being fake.

The Bitcoin community, in a rather splendid euphemism, calls this transaction malleability, but you can call it a cryptographic flaw.

Crooked transactors can use a deliberately created duplicate-yet-different transaction to trick naive exchanges into thinking that something has gone wrong, and demand a refund. (Smart exchanges use additional checks to help repudiate bogus transaction repudiations.)

And "anti-collisions" can be used to create Denial-of-Service (DoS) delays by peppering exchanges with bogus transactions that eat up time to cross-check and reject.

With all of this going on, will Bitcoin survive?

Recent trading values suggest it will, though you can expect traditional financial regulators and anti-money-laundering investigators to have some very keen questions right now.

Such as, "Where is that $500,000,000 Bitcoin stash from Mt Gox?"

, , , , , , ,

You might like

28 Responses to Where have all the Bitcoins gone?

  1. I agree with most of the article, but question this one part.

    "Crooked transactors can use an apparently duplicate-yet-different transaction to trick naive exchanges into thinking that something has gone wrong, and demand a refund."

    If I send you a cryptographically secure email, and then send it again, the message will be the same, but the email headers could be different because of timestamp, routing and such. As long as the fields protected by the hash are clearly described, which they are, it is a wallet or exchange bug or poor decision.

    A history of the bugs and fixes in bitcoin are much more subtle, like conflicts between the X.690 standard and the Elliptic Curve Digital Signature Algorithm (ECDSA) around negative s and k values which I am sure would bore the crap out of your audience.

    And the one big bug is that secure transaction confirmation with bitcoin takes too long, so companies come up with shortcuts and lose. There is a reason banks put a hold on checks.

    • Paul Ducklin · 578 days ago

      I think that sentence is OK.

      I'll argue that the fields protected by the hash could be more clearly defined in this case...my understanding is that the "anti-collisions" are really a result of liberal (incorrect?) parsing by OpenSSL, but show up in the Bitcoin reference implementation and thus should be considered to be a cryptographic flaw.

      I did say "a naive exchange" and point out that this problem can be circumvented by maintaining transaction data that will let you repudiate false repudiation claims.

      And I did suggest that Bitcoin will survive :-) Even though it depends (at least for now) upon companies to offer exchange services, and at least some of those companies, as you say, seem to have come up with shortcuts and lost, which affects the entire ecosystem. Regardless of the Magic CryptoDust in Bitcoin itself.

      • Foxpup · 577 days ago

        The liberal parsing by OpenSSL is not, strictly speaking, incorrect. It simply allows signatures in multiple formats, where only one is expected. The signature itself, and the data to be signed, cannot be altered, but by representing semantically identical data in a different format, the hash can be changed. It's not true to say that the altered hash is "fake" or "crooked", as both versions of the transaction are completely valid (though only one can be confirmed on the blockchain). This is not a flaw in the underlying cryptography, but an unintended (but foreseeable and indeed well-known) property of its application.

        Mt. Gox's handling of the issue was exacerbated by the fact that they used a non-canonical signature format for their transactions, and the latest version of Bitcoin automatically "corrects" such transactions, ironically to help prevent exactly this issue (if the signature is converted to the canonical format before calculating the hash, transaction malleability is averted in simple cases). But Gox didn't recognise the corrected transactions as its own, with disastrous results. Gox also failed to notice before it was too late that these "failed" transactions were causing it to lose bitcoins as though they had succeeded, but that's somewhat harder to explain.

        • Paul Ducklin · 577 days ago

          In the article, I used the word "crooked" explicitly to describe someone who deliberately exploits this flaw, er, malleability, ahhh, unintended property, to generate fake evidence that their original transaction went wrong.

          I see your point that it is not strictly a flaw in the underlying crypto algorithm (in contrast to the hole in WEP, for instance, caused by the inherent non-randomness of the cipher itself). Perhaps "imperfection" might be a better choice or word :-)

  2. Anonymous · 578 days ago

    Bitcoins have nothing backing them except for the faith of the people who hold and want them. If everyone loses faith in them, their value will go to zero. Recent events haven't done much to help that. While I can say I wish I had bought a lot of bitcoins in 2012, I'm not buying any now.

    • Anonymous · 578 days ago

      Soooo, have you also stopped using the US Dollar? That's got the same amount of 'backing'.

      • Paul Ducklin · 578 days ago

        Well, I have never lived in the US, so I have never actually started using the US dollar, making it tricky for me to stop doing so :-)

        Importantly, the US dollar has completely different backing - in a legal and regulatory sense - inasmuch as there is no hard upper limit on the quantity of US currency in circulation, there is only one organisation authorised to "mine" it, and that there is a central record of what banknotes have been "mined" so far.

      • Anonymous · 577 days ago

        Riiiight... aside from Paul's points, the US Federal Reserve is also sitting on a huge pile of gold bullion (~4500 metric tons currently, according to Wikipedia) to backup their currency. Also, a huge and time-tested regulatory and legal system to prosecute larceny, counterfeiting etc. I forget, does Bitcoin have any of that?

        • Daveratters · 577 days ago

          It also has a huge army/navy/airforce to back it up. Plus manufacturing, administration and even a bunch of no-good politicians (just like everywhere else!)

        • The US dollar is not backed by gold and hasn't been since the 1960s.

        • Hearth · 577 days ago

          For that matter, gold has no intrinsic value beyond what people place on it. Oh, yes, it has value in the "market" but that is completely arbitrary. The entire concept of money is just a representation of an arbitrary value. The fact that representation is stored as encrypted bits (which is what your bank does as well) or printed on paper makes no difference.

          • Andy · 577 days ago

            Not like gold is used in manufacturing or anything like that.

      • Kutyahazi Balamber · 577 days ago

        The US dollar is backed by the insanely large military capability of the USA. Some 11 nuclear powered aircraft carriers, over 100 nuclear submarines, hundreds of stealth fighter jets and bombers, thousands of Abrams battle tanks and such helicopters that killed UBL. Those who doubt the value of US dollar, are soon visited by Uncle Sam, riding with Colt in hand. There is also a place called Fort Knox. That is what backs the value of USD, UKP, CAD, New Shekel, etc. All in all, much more impressive then the Bitcoin posse, who can, at best, throw cypherpunk sci-fi books at the skeptics...

      • Mike Rogers · 575 days ago

        The US government and Federal Reserve can do a lot to damage and crater the value of the Dollar, but it won't go to zero unless the printing becomes infinite.

        It is not the gold in the vault (very little there), not the military force (being destroyed by poor policy), but the vastness of the underlying economy, in which people around the world are willing to invest, especially if the government cuts back on taxes or regulations.

        In other words, the country of America (USA) has an economy with real value denominated in dollars, while the country of 'BitCoina' has nothing but faith holding it up.

        Let's say I've got an old fashioned factory with some metalworking machinery, a stock of raw material, office furniture, IT gear, maybe some company trucks, and the land it stands on. If demand for my finished product vanishes, some value remains to be recovered in liquidation.

        Now lets say I have a whizbang software company in a rented building, with leased furniture and computers, and the fanciest social media system since faceplant or tweeter. My stock price is held aloft by the slim (but growing) advertising revenue, and the faith that my user base will soon outpace those other fuddy-duddies.
        Then one day, I have a major security incident, the users flee in droves, the advertisers have no reason to stay, and the business runs out of cash as the stock price is cratering. There's nothing to liquidate, nothing for another investor to buy out, and nothing stopping those stock certificates from becoming toilet paper.

        Bitcoin most closely resembles the latter scenario, because, regardless of its inherent non-inflationary nature, it has no underlying value except for its desirability as a medium of exchange - cause doubt in its reliability, and the users will flee in droves, the miners will take their computing power elsewhere, and the blockchain will lose first its speed and then its integrity.

        In other words, and I believe the malleability issue can be first worked around (extra checks) and then cured, BitCoin may be a great payments system, but it is not a commodity, not a business investment. Might as well be exchanging virtual tulip bouquets!

  3. Andy · 578 days ago

    So who has been the most threatened by bitcoin's growth? Who stands to lose the most from wider adoption of bitcoin? Who stands to gain the most from a bitcoin collapse? You know, a year ago, most of us would have blasted anyone who claimed the NSA was recording all telephone calls and collecting GPS data from mobile phones. Then one day everything changed. Of course, my thoughts peg the bitcoin attacks on nationstates that don't want to lose the monopoly they have on fiat currency and control.

    • Anonymous · 578 days ago

      If I stored £500 cash in an old shed at the bottom of my garden, and somebody broke in and stole it, would you be more likely attribute that to shady government forces out to undermine the principle of cash, or to a common thief who saw an opportunity to nick a load of money?

      Likewise,if an online wallet/exchange is poorly built, it's relatively easy to do the equivalent of climbing over the garden wall and making off with the loot. It doesn't require the resources of a nation state or any motive beyond wanting the money.

      • Paul Ducklin · 577 days ago

        Now store £500,000 in your shed (with that money, you could probably afford a new one), and make it so that people can break in from the other side of the world. Oh, also advertise that your shed (new shed!) contains said money.

      • Andy · 577 days ago

        So where did the missing bitcoins go? That's the question? What better way to kill bitcoin than you cause users to lose faith in its value and security. I don't think the gov't would be worried about you hording £500 worth of governement currency. But bitcoin is something that bypasses the gov't control and regulations. You can transfer it with little to no record, subject to no regulations, and beyond the prying eyes of the gov't backed banking system. The Russians saw it as a clear threat, as do the Chinese, and the U.S.

        • Anonymous · 577 days ago

          Where did the bitcoins go? They were probably nicked, simple as that. Somebody saw a whopping great pile of money in an inadequately secured online shed, broke in, swiped the loot and scarpered.

          It doesn't diminish the inherent security of the bitcoin system: it just highlights the folly of leaving your money in a rickety and possibly combustible shed, belonging to somebody you don't know, whose security you can't accurately assess.

          • Paul Ducklin · 577 days ago

            As infamous 1930s US bank robber Willie Sutton is supposed to have said (though apparently never did) when asked why he robbed banks, "Because that's where the money is."

  4. Ka · 578 days ago

    almost as unreliable as physical banks :/

  5. PhiCrappaDon · 577 days ago

    It's natural deflation in bitcoin.. my btc are getting more valuable! This had to be done by design.

  6. A hash is not a unique identifier or a primary key and should not be used as one. The fact that an "attacker" can rush a functionally identical transaction into the network that has a different hash would only be a real issue if the network let both transactions through. It does not.

    If you build a system that *automatically* resends a new transaction just because the hash it's expecting doesn't show up in the blockchain, *without* attempting to void the first transaction by respending the original inputs AND then can automatically access "cold" storage and drain that after the main wallet is drained, *without* alarm bells ringing or anyone noticing thousands of dollars going missing every day for years, then I don't think you can stand up and point to a minor transaction quirk as the cause of your problems.

    It's like someone who's speeding, drunk and with no seat belt on blaming the car manufacturer when the airbags don't deploy.

    • Paul Ducklin · 577 days ago

      That's an unfortunate analogy - the airbags should deploy as a side-effect of any crash, independently of the sobriety or the seat-beltedness of the driver. The crash might be entirely the driver's fault, but the failure of the airbags would still be a failure.

      I'm not arguing that the existence of the "anti-collision" flaw exonerates exchanges that get caught out by it.

      But I am arguing that calling it "a minor transaction quirk" is disingenuous - and unnecessary. It's a bit like saying that a vertical cliff "isn't actually steep" because anyone who's careful shouldn't and wouldn't fall over the edge.

  7. Mike Rose · 577 days ago

    Apart from the obvious anti-bitcoin bias you seem to exhibit (I didn't even know this could be a bias!), I more or less agree with the objective comments you make.

    I do have issue with this part however: "The Bitcoin community, in a rather splendid euphemism, calls this transaction malleability, but you can call it a cryptographic flaw."

    Firstly, malleability is not a euphemism, it's actually a very well known cryptographic property/concept of dating back to at least the 1980s.

    Secondly, it appears you're blaming this on the bitcoin specification. A more accurate term for this would be 'accounting failure' or 'implementation flaw' on the part of MtGox. MtGox made an implicit assumption in their implementation that transaction IDs were constants, whereas there is no basis upon which to make that assumption. The specification certainly makes no mention of using transaction IDs in the blockchain as verification of bitcoin transfers.

    Borrowing from two previous imperfect analogies, calling this a flaw of the specification is like saying that my car is flawed because it can be driven off a cliff. When you get behind the wheel of a car, you're expected to understand enough about the dangers of driving to reduce the risk to an acceptable level. If you ignore the huge cliff warning signs and/or are not familiar with the area and you drive off the cliff, well you have no one to blame but yourself. When it's a truck full of $500bn of other people's cash going over the edge however, it seems people are jumping out of the woodwork to blame the truck manufacturer.

    The rules for implementers are clear: don't roll your own unless you know what you're doing. Don't make assumptions, particularly if you don't understand the limitations of the specification. A simple way to avoid this would be to use the reference implementation, which unfortunately MtGox thought they we're above.

    • Paul Ducklin · 577 days ago

      I think you are stretching things to say I show "an anti-bitcoin bias" at all, let alone that it is "obvious." (The article deals almost entirely with the ecosystem that has sprung up around Bitcoin, and the extent to which it has acquired trust - to the tune of millions of dollars' worth of investments - that it probably didn't deserve.)

      As for "the limits of the specification" - my understanding is that the transaction hash is *supposed* to be unique but that, even in the reference implementation, it turned out you could exploit a vulnerability in a commonly-used crypto library to create the, errr, malleability.

  8. nielsentech · 577 days ago

    Comparing Bitcoins to dollars is funny. Try printing your own US dollars and see where it gets you! It's possible to "mine" bitcoins which is really making something out of nothing. That's been my problem with the system right from the start. If it had been funded by investors from the start then it would be more credible. But the greed of having computers print (mine) you free money is something many could not resist.

    I think it's state of the art in Ponzi schemes. You don't even have to find money to get it started, you invent a way for it to be self-funding. Later, when real money shows up to invest, you grab as much of that as possible and then move to someplace that can't extradite you.

    I've been waiting for people to counter my posts with some proof that bitcoin is not just another kind of Ponzi scheme, but I think that is like waiting for the "inventor" to show him or herself. Why should they? Like trying to trace a virus author, they can reap the benefits and not risk any blame.

    At least when the Tulip market** crashed, you could still have an attractive garden. When Bitcoin crashes, you will just have a lot of pissed-off people hunting down all those who made money from it.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog