Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Databases Bitcoin

Surrogate Database Key, Not Bitcoin Protocol Flaw, To Blame For Mt Gox Problems 81

An anonymous reader writes "Bitcoin values dropped sharply over the weekend after the largest trading exchange, MtGox, revealed that an investigation into unusual trading activity turned up a flaw in the underlying Bitcoin software that allowed an attacker to double withdrawal a transaction" Not so fast according to database experts: the real problem is that Mt Gox (and other exchanges) are using a surrogate transaction id rather than a natural key in their databases: "The flaw isn't so much in Bitcoin as it is in exchange-systems. Many exchanges use the tx-id to uniquely identify transactions, but as it turns out, an attacker can change the tx-id without changing the actual transaction, rebroadcast the changed transaction (effectively creating a double-spend) and if his altered transaction gets accepted into a block instead of the legit transaction, the attacker receives his coins and can complain with the exchange that he didn't. The exchange will then check their db, fetch the tx-id from it, look it up in the blockchain and not find it. So they could conclude that the transaction indeed failed and credit the account with the coins. ... A simple workaround is to not use the tx-id to identify transactions on the exchange side, but the (amount, address, timestamp) instead."
This discussion has been archived. No new comments can be posted.

Surrogate Database Key, Not Bitcoin Protocol Flaw, To Blame For Mt Gox Problems

Comments Filter:
  • by JcMorin ( 930466 ) on Monday February 10, 2014 @08:46PM (#46214055)
    Many pro bitcoin will hate me for saying that, but the transaction ID should not be change and once published it's value should be considered safe to check if a transaction is part of the blockchain or not. All the crap related to 3rd party modifying Sign script is pretty idiot compare the power for having a single ID to track a transaction. That said, this give no excuse for Mt Gox to not release the funds, the problem is not new, not even to them, and probably hide a much bigger financial problem.
  • by oscrivellodds ( 1124383 ) on Monday February 10, 2014 @08:48PM (#46214063)

    Bitcoin with other people's money and not mine!

  • by Anonymous Coward on Monday February 10, 2014 @09:10PM (#46214199)

    Funny how the currency is only as good as the institutions supporting it. (In this case the exchanges)

    Lets not kid around. Bitcoin was created with the intention of getting around existing laws and regulations regarding currency. The philosophy behind this idea suggests that these things are unnecessary and represent others stealing your money.

    Not saying the banks and money regulations are completely without flaws, but they do have some damn good reasons for being there.

  • Time to buy (Score:2, Insightful)

    by Billly Gates ( 198444 ) on Monday February 10, 2014 @09:11PM (#46214201) Journal

    When they go back up tomorrow I can make a weeks worth of money in 1 day :-)

  • The Dollar (Score:2, Insightful)

    by Anonymous Coward on Monday February 10, 2014 @10:14PM (#46214541)

    Then please don't read how the dollar works. You won't be able to sleep at night.

  • unbelievable (Score:3, Insightful)

    by slashmydots ( 2189826 ) on Monday February 10, 2014 @10:51PM (#46214683)
    I can't believe whoever wrote the original code didn't catch this. It seems pretty database 101 class to me. Even the non-programmers had to take that class at my college and it always taught that you don't base a primary key in a table (or use as a unique ID in code) a value which isn't necessarily unique or can change. It's almost the same thing as not using as the primary data table key a compound key of last name, first name, and middle initial. First of all, it can change. Secondly, it can be repeated. That's basics, people. This isn't too far from that.

Interchangeable parts won't.