Note: The quotes in this article are from the public Bitcoin IRC channel.
The Bitcoin Core Developers have been working around the clock to implement fixes for a new version of the Bitcoin software that will address those aspects of the protocol that had made the recent Distributed Denial of Service (DDoS) attack possible. It must be stressed at the outset that the vulnerabilities being targeted by Tuesday’s DDoS were not inherent to the Bitcoin protocol software itself but, instead, are vulnerabilities resulting from flawed wallet implementations developed by the affected exchanges. The Bitcoin developers are seeking ways to enhance the Bitcoin software, thereby adding resilience to the protocol to help the exchanges function whilst fixing their in-house software.
CCN has been in communication with the core developers to track their progress in dealing with security issues resulting from what can only be described as a deceptive public announcement made by Mt.Gox on Monday 10 February. In their statement, Mt.Gox had alleged that “flaws” in the Bitcoin protocol were to blame for months of transaction failures at the exchange. According to public discussions between developers on GitHub and private conversations with CryptoCoinsNews, the developers explained that they had, within hours following the statement, provided code for the normalized transaction hash implementation requested by Mt.Gox – with no response from the exchange until today – and then only after being publicly called out.
“We’ve been changing things to address the denial of service attacks.” – Greg Maxwell (core developer)
Much of the developers’ subsequent effort had been focused on dealing with fixes related to Tuesday’s DDoS attack. Several members of the team have been available, around the clock, to answer questions from exchanges and mining pools whilst discussing possible DDoS fixes and improvements to help businesses deal with the issue of transaction malleability and its implications for transaction checking. The sessions have been constructive and up-beat, and patches to the imminent 0.8.x version upgrade are being finalized.
“The Transaction Malleability problem is ‘solved’ by getting your transaction confirmed.” – J Garzik (core developer)
Both the core developers, as well as the Bitcoin Foundation, have stressed that the well-known Transaction Malleability (TM) issue does not present a security vulnerability unless paired with an improper wallet implementation. Ironically, it was the Mt.Gox announcement discussing the particular vulnerabilities of faulty exchange wallets that opened the flood gates of a massive and sustained DDoS attack based on the very same information that Mt.Gox had revealed. A few hours into the attack it became clear that both Bitstamp and BTC-e had not taken TM issues into consideration when designing their wallet transaction verification methods and, like Mt.Gox before them, they had to halt Bitcoin withdrawals indefinitely.
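To make concrete why TM is a wallet-bookkeeping problem rather than a protocol one, here is an added illustration (not code from the article, from Bitcoin Core, or from any exchange). It uses a simplified, made-up transaction encoding rather than Bitcoin's real wire format, and models the "normalized transaction hash" mentioned above as a hash of the transaction with its signature scripts blanked out; the sample transactions and the altered-signature copy are constructed for the demo. It contrasts a naive check that only recognizes the exact txid it stored with a check that matches on the normalized hash and on the spent inputs, which is what lets the coins be accounted for once the transaction confirms.

```python
import hashlib
from dataclasses import dataclass, replace
from typing import Iterable, Tuple


@dataclass(frozen=True)
class TxIn:
    prev_txid: str      # hex id of the output being spent
    prev_index: int
    script_sig: bytes   # signature data; the part a third party can re-encode


@dataclass(frozen=True)
class TxOut:
    value: int          # satoshis
    script_pubkey: bytes


@dataclass(frozen=True)
class Tx:
    inputs: Tuple[TxIn, ...]
    outputs: Tuple[TxOut, ...]


def _serialize(tx: Tx, with_script_sigs: bool) -> bytes:
    # Simplified fixed-width encoding for illustration only; not Bitcoin's wire format.
    parts = []
    for i in tx.inputs:
        parts.append(bytes.fromhex(i.prev_txid))
        parts.append(i.prev_index.to_bytes(4, "little"))
        script = i.script_sig if with_script_sigs else b""
        parts.append(len(script).to_bytes(4, "little") + script)
    for o in tx.outputs:
        parts.append(o.value.to_bytes(8, "little"))
        parts.append(len(o.script_pubkey).to_bytes(4, "little") + o.script_pubkey)
    return b"".join(parts)


def sha256d(data: bytes) -> str:
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


def txid(tx: Tx) -> str:
    # The ordinary id covers the signature scripts, so it changes if they are re-encoded.
    return sha256d(_serialize(tx, with_script_sigs=True))


def normalized_txid(tx: Tx) -> str:
    # Hash with signature scripts blanked: stable even when the signatures are malleated.
    return sha256d(_serialize(tx, with_script_sigs=False))


def naive_withdrawal_confirmed(remembered_txid: str, confirmed: Iterable[Tx]) -> bool:
    """Flawed bookkeeping: the withdrawal counts as sent only if the exact txid we
    stored shows up confirmed. A malleated copy confirms under a different id, so this
    reports False even though the coins really were spent (and a resend double-pays)."""
    return any(txid(t) == remembered_txid for t in confirmed)


def robust_withdrawal_status(sent: Tx, confirmed: Iterable[Tx]) -> str:
    """Match confirmed transactions by normalized hash, and otherwise check whether the
    outpoints we spent were consumed by some other transaction before resending."""
    want_nid = normalized_txid(sent)
    want_outpoints = {(i.prev_txid, i.prev_index) for i in sent.inputs}
    for t in confirmed:
        if normalized_txid(t) == want_nid:
            return "confirmed"               # same inputs, outputs, amounts; only signatures differ
        if want_outpoints & {(i.prev_txid, i.prev_index) for i in t.inputs}:
            return "inputs_spent_elsewhere"  # our coins moved in a different tx: investigate
    return "unconfirmed"                     # keep waiting or rebroadcast the same transaction


def sample_transactions() -> Tuple[Tx, Tx]:
    """Constructed sample: a withdrawal and a copy whose signature bytes were altered."""
    original = Tx(
        inputs=(TxIn("aa" * 32, 0, script_sig=b"\x30\x44sig-bytes"),),
        outputs=(TxOut(100_000, b"\x76\xa9customer"), TxOut(5_000, b"\x76\xa9change")),
    )
    # Stand-in for a relay node re-encoding the signature: script_sig differs while
    # inputs, outputs and amounts are identical.
    malleated = replace(
        original,
        inputs=(replace(original.inputs[0], script_sig=b"\x30\x45sig-bytes-alt"),),
    )
    return original, malleated


if __name__ == "__main__":
    orig, mall = sample_transactions()
    print("txid changed:          ", txid(orig) != txid(mall))
    print("normalized id stable:  ", normalized_txid(orig) == normalized_txid(mall))
    print("naive check says sent: ", naive_withdrawal_confirmed(txid(orig), [mall]))
    print("robust check says:     ", robust_withdrawal_status(orig, [mall]))
```

The point of the three-way status is the one Garzik makes above: once a transaction confirms, its normalized hash and spent inputs identify it regardless of which signature encoding made it into the block, so an exchange that reconciles on those, and never reissues a withdrawal while its inputs are still unspent or spent elsewhere, is not exposed to TM at all.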
Now that the developers have had the opportunity to harden the Bitcoin software against the recent bout of DDoS, as well as to hold bilateral talks with stake-holders, we will see this particular saga drawing to a close. Any remaining confusion about TM should be cleared up, the specific vulnerabilities in exchange software that were being targeted by the DDoS attack patched, and we can expect normal resumption of exchange BTC transactions and upgraded Bitcoin code allowing the protocol to step to higher ground.
Last modified (UTC): February 13, 2014 18:39