[Paper translation] Bitcoin Transaction Malleability and MtGox

Abstract

In Bitcoin, transaction malleability describes the fact that the signatures that prove the ownership of bitcoins being transferred in a transaction do not provide any integrity guarantee for the signatures themselves. This allows an attacker to mount a malleability attack in which it intercepts, modifies, and rebroadcasts a transaction, causing the transaction issuer to believe that the original transaction was not confirmed. In February 2014 MtGox, once the largest Bitcoin exchange, closed and filed for bankruptcy claiming that attackers used malleability attacks to drain its accounts. In this work we use traces of the Bitcoin network for over a year preceding the filing to show that, while the problem is real, there was no widespread use of malleability attacks before the closure of MtGox.

1 Introduction

In recent years Bitcoin [11] has gone from a little experiment by tech enthusiasts to a global phenomenon. The cryptocurrency is seeing a rapid increase in adoption as well as in value. Bitcoin is inching closer to the stated goal of creating a truly decentralized global currency that facilitates international trade.

A major part of the success that Bitcoin is having today has to be attributed to the emergence of Bitcoin exchanges. A Bitcoin exchange is a platform that facilitates buying and selling bitcoins for fiat money like US dollars. This enables a larger public to come in contact with bitcoins, increasing their value as a means to pay for goods and services. Exchanges also provide the ground truth for the value of bitcoins by publishing their trade book and allowing market dynamics to find a price for the traded bitcoins. Finally, much of the media attention focuses on the rapid gain in value that these services have enabled.

However, centralized exchanges are also potential points of failure, in a system that is otherwise completely decentralized. Several high value thefts from these services have made the headlines, never failing to predict the impending doom of Bitcoin as a whole. Additionally, a small and mostly sentiment driven market, combined with a quick and easy way to buy and sell bitcoins, facilitates flash crashes and rapid rallies for no apparent reason.

The first, and for a long time largest, Bitcoin exchange was MtGox. Founded in 2010 it was a first stop for many early adopters. With the creation of other exchanges its monopoly slowly faded, but in February 2014 it still accounted for close to 70% of all bitcoins ever traded. In February 2014 MtGox had to file for bankruptcy and suspend operations following the loss of over 500 million USD worth of bitcoins owned by its customers.

As the principal cause for the loss, MtGox cited a problem in the Bitcoin protocol: transaction malleability. A user could request a withdrawal from MtGox to a Bitcoin address. The exchange would then create a corresponding transaction and publish it to the Bitcoin network. Due to the way MtGox tracked confirmation of these transactions it could be tricked, exploiting transaction malleability, into believing the transaction to have failed even though it was later confirmed by the network. MtGox would then credit the amount back to the user's account. Effectively the user would have doubled the withdrawn bitcoins, once from the withdrawal and once on its account on MtGox.

In this work we investigate two fundamental questions: Is transaction malleability being exploited? And is the claim that it has been used to bring down MtGox plausible?

2 Transaction Malleability

The Bitcoin network is a distributed network of computer nodes controlled by a multitude of owners. They collectively implement a replicated ledger that tracks the address balances of all users. Each user may create an arbitrary number of addresses that can be used to send and receive bitcoins. An address is derived from an ECDSA key pair that is later used to prove ownership of the bitcoins associated with that address.

The only operations allowed to modify address balances are transactions. A transaction is a signed data structure that on the one hand claims some bitcoins associated with a sending address and on the other hand reassigns them to receiving addresses. Transactions are identified by the SHA256 hash of their serialized representation. A transaction consists of one or more inputs and an ordered list of one or more outputs. An input is used to specify which bitcoins will be transferred, while an output specifies the address that should be credited with the bitcoins being transferred. Formally, an output is a tuple comprising the value that is to be transferred and a claiming condition, expressed in a simple scripting language. An input includes the hash of a previous transaction, an index, and a claiming script. The hash and index form a reference that uniquely identifies the output to be claimed, and the claiming script proves that the user creating the transaction is indeed the owner of the bitcoins being claimed.

2.1 Bitcoin Scripts

The scripting language is a purposefully non-Turing-complete, stack-based language that uses single byte opcodes. The use of the scripting language to set up both the claiming conditions and the claiming scripts allows the creation of complex scenarios for the transfer of bitcoins. For example, it is possible to create multi-signature addresses that require m-of-n signatures to spend the associated bitcoins for arbitration purposes. However, the vast majority of transactions use standard scripts that set up a claiming condition requiring the claiming script to provide a public key matching the address and a valid signature of the current transaction matching the public key. For this reason the standard claiming script is generally referred to as scriptSig (a script encoding a signature), whereas the standard claiming condition is referred to as scriptPubKey (a script requiring a public key and a signature). Figure 1 shows the structure of the standard claiming condition (scriptPubKey) as well as the standard claiming script (scriptSig).

Of particular interest in this work are the OP_PUSHDATA operations, which specify a number of following bytes to be pushed as a string on the stack. Depending on the length of the string, one of several possible encodings may be used. The simplest is a single byte with value between 0x00 and 0x4b, also called OP_0, which simply encodes the length of the string in the opcode itself. Additionally, three other operations allow pushing data on the stack, namely OP_PUSHDATA1, OP_PUSHDATA2 and OP_PUSHDATA4, each followed by 1, 2 or 4 bytes, respectively, encoding as a little endian number the count of bytes to be read and pushed on the stack.

In order to verify the validity of a transaction t1 claiming an output of a previous transaction t0, the scriptSig of t1 and the scriptPubKey specified in t0 are executed back to back, without clearing the stack in between. The scriptSig of t1 pushes the signature and the public key on the stack. The scriptPubKey of t0 then duplicates the public key (OP_DUP) and replaces the first copy with its RIPEMD160 hash (OP_HASH160); this 20-byte derivative of the public key is also encoded in the address. The address from the scriptPubKey is then pushed on the stack and the two top elements are then tested for equality (OP_EQUALVERIFY). If the hash of the public key and the expected hash match, the script continues, otherwise execution is aborted. Finally, the two elements remaining on the stack, i.e., the signature and the public key, are used to verify that the signature signs t1 (OP_CHECKSIG).

Notice that, although the scriptSigs are attached to the inputs of the transaction, they are not yet known at the time the signature is created. In fact, a signature cannot sign any data structure containing itself, as this would create a circular dependency. For this reason all the claiming scripts are set to a script consisting only of a single OP_0 that pushes an empty string on the stack. The user signing the transaction then iterates through the inputs, temporarily replaces the scriptSig field with the corresponding scriptPubKey¹ from the referenced output, and creates a signature for the resulting serialized transaction. The signatures are then collected and inserted at their respective positions before broadcasting the transaction to the network.

The fact that the integrity of the scriptSig cannot be verified by the signature is the source of transaction malleability: the claiming script may be encoded in several different ways that do not directly invalidate the signature itself. A simple example replaces the OP_0 that pushes the public key on the stack with OP_PUSHDATA2 followed by the original length. The claiming script is changed from 0x4841 to 0x4D48004D4100. The encoded signature is valid in both cases, but the hash identifying the transaction is different.
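The following Python is an added illustration, not code from the paper: it decodes the push opcodes of a scriptSig, checks each push for minimal encoding, and re-encodes every push with OP_PUSHDATA2 to reproduce the change from 0x4841 to 0x4D48004D4100 described above. The signature and public key bytes are constructed placeholders with the standard lengths.

```python
"""Decode the push operations of a Bitcoin scriptSig, check whether each
push uses the minimal encoding, and re-encode every push with OP_PUSHDATA2,
the modification that turns the headers 0x48 / 0x41 into 0x4D4800 / 0x4D4100.
The signature and public key bytes below are constructed placeholders."""

OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x4C, 0x4D, 0x4E
HEADER_LEN = {OP_PUSHDATA1: 2, OP_PUSHDATA2: 3, OP_PUSHDATA4: 5}


def parse_pushes(script: bytes) -> list:
    """Return [(header_bytes, pushed_data), ...] for a push-only script.
    A standard scriptSig contains nothing but pushes; any other opcode
    or a truncated push raises ValueError."""
    pushes, i = [], 0
    while i < len(script):
        op = script[i]
        if op <= 0x4B:                      # OP_0 or direct push: opcode is the length
            hlen, n = 1, op
        elif op in HEADER_LEN:              # OP_PUSHDATAn: little-endian length follows
            hlen = HEADER_LEN[op]
            if i + hlen > len(script):
                raise ValueError(f"truncated push header at offset {i}")
            n = int.from_bytes(script[i + 1:i + hlen], "little")
        else:
            raise ValueError(f"non-push opcode 0x{op:02x} at offset {i}")
        header = script[i:i + hlen]
        data = script[i + hlen:i + hlen + n]
        if len(data) != n:
            raise ValueError(f"push at offset {i} runs past end of script")
        pushes.append((header, data))
        i += hlen + n
    return pushes


def minimal_push(data: bytes) -> bytes:
    """Shortest push of `data`. The small-number opcodes OP_1..OP_16 are
    ignored here; they never apply to signatures or public keys."""
    n = len(data)
    if n <= 0x4B:
        return bytes([n]) + data
    if n <= 0xFF:
        return bytes([OP_PUSHDATA1, n]) + data
    if n <= 0xFFFF:
        return bytes([OP_PUSHDATA2]) + n.to_bytes(2, "little") + data
    return bytes([OP_PUSHDATA4]) + n.to_bytes(4, "little") + data


def stack_after(script: bytes) -> list:
    """Stack contents after running a push-only script: the data items only."""
    return [data for _, data in parse_pushes(script)]


def is_minimal(script: bytes) -> bool:
    """True when every push already uses its shortest encoding. A node that
    refuses to relay scriptSigs failing this check removes the push-encoding
    malleability vector (rule 5 in the list of Wuille's BIP below)."""
    return all(hdr + data == minimal_push(data) for hdr, data in parse_pushes(script))


def canonicalize(script: bytes) -> bytes:
    """Re-serialize the script with every push minimally encoded."""
    return b"".join(minimal_push(data) for data in stack_after(script))


def reencode_pushdata2(script: bytes) -> bytes:
    """Rewrite every push as OP_PUSHDATA2: same stack, different bytes."""
    return b"".join(bytes([OP_PUSHDATA2]) + len(d).to_bytes(2, "little") + d
                    for d in stack_after(script))


# Constructed placeholders with the standard lengths: a 72-byte DER signature
# (pushed with 0x48) and a 65-byte uncompressed public key (pushed with 0x41).
SIG = bytes([0x30]) + bytes(71)
PUB = bytes([0x04]) + bytes(64)
ORIGINAL = b"\x48" + SIG + b"\x41" + PUB
MODIFIED = reencode_pushdata2(ORIGINAL)

if __name__ == "__main__":
    print("same stack:", stack_after(ORIGINAL) == stack_after(MODIFIED))
    print("original minimal:", is_minimal(ORIGINAL), "modified minimal:", is_minimal(MODIFIED))
    print("modified push headers:", MODIFIED[:3].hex(), MODIFIED[75:78].hex())
```

Both scripts leave the same signature and key on the stack, so OP_CHECKSIG succeeds for both, while the four extra header bytes change the serialized transaction and therefore its hash.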

Besides these changes in the way pushes are encoded, there are numerous sources of malleability in the claiming script. A Bitcoin Improvement Proposal (BIP) by Wuille [13] identifies the following possible ways to modify the signature and therefore exploit malleability:

  1. ECDSA signature malleability: signatures describe points on an elliptic curve. Starting from a signature it is trivial to mathematically derive a second set of parameters encoding the same point on the elliptic curve;

  2. Non-DER encoded ECDSA signatures: the cryptographic library used by the Bitcoin Core client, OpenSSL, accepts a multitude of formats besides the standardized DER (Distinguished Encoding Rules) encoding;

  3. Extra data pushes: a scriptPubKey may push additional data at the beginning of the script. These are not consumed by the corresponding claiming condition and are left on the stack after script termination;

  4. The signature and public key may result from a more complex script that does not directly push them on the stack, but calculates them on the fly, e.g., concatenating two halves of a public key that have been pushed individually;

  5. Non-minimal encoding of push operations: as mentioned before there are several options to specify identical pushes of data on the stack;

  6. Zero-padded number pushes: excessive padding of strings that are interpreted as numbers;

  7. Data ignored by scripts: if data pushed on the stack is ignored by the scriptPubKey, e.g., if the scriptPubKey contains an OP_DROP, the corresponding push in the scriptSig is ignored;

  8. Sighash flags can be used to ignore certain parts of a script when signing;

  9. Any user with access to the private key may generate an arbitrary number of valid signatures as the ECDSA signing process uses a random number generator to create signatures;

2.2 Malleability attacks

One of the problems that Bitcoin sets out to solve is the problem of double spending. If an output is claimed by two or more transactions, these transactions are said to conflict, since only one of them may be valid. A double spending attack is the intentional creation of two conflicting transactions that attempt to spend the same funds in order to defraud a third party.

Research so far has concentrated on a classical version of the double spending attack. An attacker would create two transactions: (1) a transaction that transfers some of its funds once to a vendor accepting bitcoins and (2) a transaction that transfers those same funds back to itself. The goal would then be to convince the vendor that it received the funds, triggering a transfer of goods or services from the vendor to the attacker, and ensuring that the transaction returning the funds to the attacker is later confirmed. This would defraud the vendor as the transfer to the vendor would not be confirmed, yet the attacker received the goods or services.

A malleability attack, while a variant of the double spending attack, is different from the above. The attacker is no longer the party issuing the transaction; instead, it is the receiving party. The attacker would cause the victim to create a transaction that transfers some funds to an address controlled by the attacker. The attacker then waits for the transaction to be broadcast in the network. Once the attacker has received a copy of the transaction, the transaction is modified using one of the above ways to alter the signature without invalidating it. The modification results in a different transaction identification hash. The modified transaction is then also broadcast in the network. Either of the two transactions may later be confirmed.

A malleability attack is said to be successful if the modified version of the transaction is later confirmed. The mechanics of how transactions are confirmed are complex and are out of scope for this work. For our purposes it suffices to say that the probability of a malleability attack being successful depends on the distribution of nodes in the Bitcoin network first seeing either of the transactions (cf. [4, 5, 6]). So far the attack has not caused any damage to the victim. To be exploitable, the victim also has to rely solely on the transaction identity hash to track and verify its account balance. Should a malleability attack be successful, the victim will only see that the transaction it issued has not been confirmed, and will credit the amount back to the attacker or attempt to send another transaction at a later time. The attacker would have effectively doubled the bitcoins the victim sent it.

It is worth noting that the reference client (Bitcoin Core) is not susceptible to this attack as it tracks the unspent transaction output set by applying all confirmed transactions to it, rather than inferring only from transactions it issued.

3 MtGox Incident Timeline

In this section we briefly describe the timeline of the incident that eventually led to the filing for bankruptcy of MtGox. The timeline is reconstructed from a series of press releases by MtGox as well as the official filings and legal documents following the closure.

Following several months of problems with users' Bitcoin withdrawals, MtGox announced [10] on February 7 that it would suspend bitcoin withdrawals altogether. The main problem with withdrawals was that the associated Bitcoin transactions would not be confirmed. After this press release it was still possible to trade bitcoins on MtGox, but it was not possible to withdraw any bitcoins from the exchange. Notably, [10] does not mention transaction malleability.

In order to trade on MtGox, users had transferred bitcoins and US dollars to accounts owned by MtGox. Each user would have a virtual account that is credited with the transferred amounts at MtGox. The withdrawal stop therefore denied users access to their own bitcoins. While fiat currency was still withdrawable, such a withdrawal involved a long process that would sometimes fail altogether.

The first press release was followed by a second press release [9] on February 10, 2014. This press release claims that the cause of the non-confirming withdrawal transactions has been identified and names transaction malleability as the sole cause:

“Addressing Transaction Malleability: MtGox has detected unusual activity on its Bitcoin wallets and performed investigations during the past weeks. This confirmed the presence of transactions which need to be examined more closely.

Non-technical Explanation: A bug in the bitcoin software makes it possible for someone to use the Bitcoin network to alter transaction details to make it seem like a sending of bitcoins to a bitcoin wallet did not occur when in fact it did occur. Since the transaction appears as if it has not proceeded correctly, the bitcoins may be resent. MtGox is working with the Bitcoin core development team and others to mitigate this issue.”

Allegedly a user of MtGox would request a withdrawal and listen for the resulting transaction. The transaction would then be intercepted and replaced by a modified version that would then race with the original transaction to be confirmed. Should the original transaction be confirmed, the user would receive its balance only once, but not lose any bitcoins by doing so. Should the modified transaction be confirmed, then the user would receive the bitcoins twice: once via the modified withdrawal transaction and a second time when MtGox realized that the original withdrawal transaction would not confirm and credited the user's account. Implicitly, in this press release MtGox admits to using a custom client that tracks transaction validity only via its hash, and hence is vulnerable to the transaction malleability attack.

Two more press releases followed on February 17 and February 20, both claiming that the withdrawals would resume shortly and that a solution had been found that would eliminate the vulnerability to malleability attacks. On February 23 the website of MtGox returned only a blank page, without any further explanation, resulting in a trading halt and the complete disappearance of MtGox. Finally on February 28 MtGox announced during a press conference that it would be filing for bankruptcy in Japan and in the USA [7, 8].

4 Measurements

Due to the nature of double spending attacks, they may only be detected while participating in the network. As soon as one of the two conflicting transactions is considered to be confirmed, the nodes will drop all other conflicting transactions, losing all information about the double spending attack. Malleability attacks, being a subset of double spending attacks, suffer from the same limitation.

We created specialized nodes that would trace and dump all transactions and blocks from the Bitcoin network. These include all double spending attacks that have been forwarded to any of the peers our nodes connected to. Our collection of transactions started in January 2013. As such we are unable to reproduce any attacks before January 2013. The following observations therefore do not consider attacks that may have happened before our collection started.

Our nodes were instructed to keep connection pools of 1,000 connections open to peers in the Bitcoin network. On average we connected to 992 peers, which at the time of writing is approximately 20% of the reachable nodes. According to Bamert et al. [4] the probability of detecting a double spending attack quickly converges to 1 as the number of sampled peers increases. We therefore feel justified in assuming that the transactions collected during the measurements faithfully reflect the double spending attacks in the network during the same period.

Given the set of all transactions, the first task is to extract all potential double spend attacks. In general, double spending attacks can be identified by associating a transaction with each output that it claims. Should there be more than one transaction associated with the same output, the transactions conflict. The malleability attack, being a specialized case of the double spend attack, could also be identified by this generic procedure; however, we opted for a simpler process. Removing the signature scripts from a transaction leaves exactly the signed part of the transaction, so all malleated versions of a transaction produce the same unique key. The unique key is then used to group transactions together into conflict sets.

During the measurement period a total of 35,202 conflict sets were identified, each constituting evidence of a malleability attack. Out of these conflict sets 29,139 contained a transaction that would later be confirmed by a block. The remaining 6,063 transactions were either invalid because they claimed non-existing outputs or had incorrect signatures, or they were part of a further double spending.

The conflict set value is defined as the number of bitcoins transferred by any one transaction in the conflict set. The outputs of the transactions in a conflict set are identical, since any change to them would require a new signature. In particular the value of outputs may not be changed. Each transaction in a conflict set therefore transfers an identical amount of bitcoins. Summing the value of all conflict sets results in a total of 302,700 bitcoins that were involved in malleability attacks.

As mentioned in Footnote 1, there are a multitude of ways to use the malleability in the signature encoding to mount a malleability attack. The most prominent type of modification was replacing the single byte OP_0 with OP_PUSHDATA2, which then encodes the length of the data to push on the stack with 2 bytes. The resulting signature script would be 4 bytes longer, because two strings are usually pushed on the stack, but would still encode the same DER encoded signature and the same public key, hence still be valid. A total of 28,595 out of the 29,139 confirmed attacks had this type of modification. For the remaining 544 conflict sets we were unable to identify the original transactions. All transactions in these conflict sets had genuine signatures with the correct opcodes and did not encode the same signature. We therefore believe these transactions to be the result of users signing raw transactions multiple times, e.g., for development purposes.

In order for a malleability attack to be exploitable two conditions have to be fulfilled: (a) the modified transaction has to be later confirmed and (b) the system issuing the transaction must rely solely on the transaction’s original hash to track its confirmation. The first condition can be easily reconstructed from the network trace and the Bitcoin blockchain since only one of the transactions will be included in the blockchain. The second condition is not detectable in our traces since it depends on the implementation of the issuing system. In particular, it is not possible to determine whether two payments with the same value to the same address were intended as two separate payments or whether an automated system issued the second one believing the first to be invalid.

We call a malleability attack successful if it resulted in the modified transaction being confirmed in a block later, i.e., when condition (a) holds. From the data derived from the attack classification we can measure the rate of successful malleability attacks. Out of the 28,595 malleability attacks that used an OP_PUSHDATA2 instead of the default OP_0 only 5,670 were successful, i.e., 19.46% of modified transactions were later confirmed. Considering the value in malleable transactions the success rate is comparable, at 21.36%. This reduces the total profit of the successful attacks from 302,700 to 64,564. The strong bias towards the original transaction is explained by the fact that the probability of being confirmed depends on the distribution of the transaction in the network [4]. During a malleability attack the attacker listens for an incoming transaction that matches its address, modifies it and redistributes it. In the meantime, however, the original transaction has been further forwarded in the network, and the modified transaction is not forwarded by nodes that have seen the original transaction. The attacker must connect to a large sample of nodes in the network for two reasons: (a) to intercept the original transaction as soon as possible and (b) to compensate for the head start that the original transaction has compared to the modified transaction.
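As an added example (not the authors' measurement code), the following Python applies the conflict-set procedure of this section to constructed sample transactions: it serializes each transaction with the scriptSigs removed to obtain the grouping key, then counts how many conflict sets had a copy other than the first-seen one confirmed. Treating the first-seen copy as the issuer's original, and all transaction data and timestamps, are assumptions of the example.

```python
"""Group observed transactions into conflict sets by their signed part (the
serialization with every scriptSig removed) and measure how often a copy
other than the first-seen original was the one confirmed. All transactions
and timestamps below are constructed sample data."""
import hashlib
from collections import defaultdict

def sha256d(b: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def varint(n: int) -> bytes:
    """Bitcoin's variable-length integer used for list and script lengths."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    if n <= 0xFFFFFFFF:
        return b"\xfe" + n.to_bytes(4, "little")
    return b"\xff" + n.to_bytes(8, "little")

def serialize(tx: dict, strip_sigs: bool = False) -> bytes:
    """Wire-format serialization: version, inputs, outputs, locktime.
    With strip_sigs=True every scriptSig is replaced by the empty script,
    which is the part of the transaction the signatures actually cover."""
    out = tx["version"].to_bytes(4, "little") + varint(len(tx["inputs"]))
    for prev_txid, index, script_sig in tx["inputs"]:
        script = b"" if strip_sigs else script_sig
        out += (prev_txid[::-1] + index.to_bytes(4, "little")
                + varint(len(script)) + script + b"\xff\xff\xff\xff")
    out += varint(len(tx["outputs"]))
    for value, script_pubkey in tx["outputs"]:
        out += value.to_bytes(8, "little") + varint(len(script_pubkey)) + script_pubkey
    return out + tx["locktime"].to_bytes(4, "little")

def txid(tx: dict) -> str:
    """Transaction hash as displayed: double SHA256, byte-reversed."""
    return sha256d(serialize(tx))[::-1].hex()

def signed_key(tx: dict) -> str:
    """Conflict-set key: identical for every malleated copy of one transaction."""
    return sha256d(serialize(tx, strip_sigs=True)).hex()

def value(tx: dict) -> int:
    return sum(v for v, _ in tx["outputs"])

def conflict_sets(observed: list) -> dict:
    """observed: [(first_seen_time, tx), ...] in arrival order. Returns only
    keys with two or more distinct txids, members ordered by first-seen time."""
    groups = defaultdict(dict)
    for seen, tx in observed:
        groups[signed_key(tx)].setdefault(txid(tx), (seen, tx))
    return {k: sorted(m.values(), key=lambda p: p[0])
            for k, m in groups.items() if len(m) > 1}

def measure(observed: list, confirmed: set) -> dict:
    """Count conflict sets, their value, and how many were 'successful', i.e.
    a copy other than the first-seen one was confirmed. Treating the first-seen
    copy as the issuer's original is an assumption of this example."""
    stats = {"sets": 0, "value": 0, "confirmed": 0, "successful": 0, "successful_value": 0}
    for members in conflict_sets(observed).values():
        original = members[0][1]
        stats["sets"] += 1
        stats["value"] += value(original)          # identical for every member
        winners = [tx for _, tx in members if txid(tx) in confirmed]
        if not winners:
            continue                               # neither copy confirmed (yet)
        stats["confirmed"] += 1
        if txid(winners[0]) != txid(original):
            stats["successful"] += 1
            stats["successful_value"] += value(original)
    return stats

def sample_tx(prev_byte: int, sats: int, pushdata2: bool) -> dict:
    """Constructed 1-in-1-out transaction; pushdata2=True gives the malleated
    scriptSig encoding (OP_PUSHDATA2 instead of a direct push)."""
    sig, pub = bytes([0x30]) + bytes(71), bytes([0x04]) + bytes(64)
    script_sig = (b"\x4d\x48\x00" + sig + b"\x4d\x41\x00" + pub if pushdata2
                  else b"\x48" + sig + b"\x41" + pub)
    return {"version": 1, "locktime": 0,
            "inputs": [(bytes([prev_byte]) * 32, 0, script_sig)],
            "outputs": [(sats, b"\x76\xa9\x14" + bytes(20) + b"\x88\xac")]}

# Three conflict sets plus one lone transaction; first-seen times are constructed.
OBSERVED = [
    (100, sample_tx(1, 50_000_000, False)), (101, sample_tx(1, 50_000_000, True)),
    (200, sample_tx(2, 10_000_000, False)), (203, sample_tx(2, 10_000_000, True)),
    (300, sample_tx(3, 2_000_000, False)), (304, sample_tx(3, 2_000_000, True)),
    (400, sample_tx(4, 7_000_000, False)),
]
# Set 1: the original was confirmed; set 2: the modified copy won; set 3: neither.
CONFIRMED = {txid(OBSERVED[0][1]), txid(OBSERVED[3][1])}
```

Running `measure(OBSERVED, CONFIRMED)` on the sample reports three conflict sets of which one was successful, the same classification the paper applies to its 28,595 OP_PUSHDATA2 conflict sets.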

4.1 The MtGox Incident

We now return to the specific case of the MtGox incident of February 2014, which eventually led to the closure and the bankruptcy filing later that same month. In the press release of February 10, the transaction malleability bug was explicitly named as the root cause of the loss. The loss is later detailed as amounting to over 850,000 bitcoins, of which 750,000 bitcoins were customer owned bitcoins that were managed by MtGox. At the time of the first press release bitcoins were trading at 827 US Dollars per bitcoin,² resulting in a total value of lost bitcoins of 620 million US Dollars.

Assuming transaction malleability has indeed been used to defraud MtGox, then we should be able to verify the claim by finding the transactions used for the attack in our dataset. The above mentioned total amount of 302,700 bitcoins involved in malleability attacks already disproves the existence of such a large-scale attack. However, it could well be that malleability attacks contributed considerably to the declared losses.

Reconstructing the timeline of the attacks from the announcements made by MtGox we identify 3 time periods:

• Period 1 (January 2013 — February 7, 2014): over a year of measurements until the closure of withdrawals from MtGox;

• Period 2 (February 8 — February 9, 2014): withdrawals are stopped but no details about the attack known to the public;

• Period 3 (February 10 — February 28): time following the press release blaming transaction malleability as the root cause of the missing bitcoins until MtGox filed for bankruptcy.

Malleability attacks in periods 2 and 3 could not have contributed to the losses declared by MtGox, since they happened after withdrawals had been stopped. Figure 2 visualizes both the number of bitcoins involved in malleability attacks and the number of attacks during period 1. During this period a total of 421 conflict sets were identified, for a total value of 1,811.58 bitcoins involved in these attacks. In combination with the above-mentioned success rate of malleability attacks, we conclude that overall malleability attacks did not have any substantial influence on the loss of bitcoins incurred by MtGox.

During period 2, we gathered 1,062 conflict sets, totalling 5,470 bitcoins. A noticeable increase in attacks occurred at 17:00 UTC on February 9, from 0.15 attacks per hour to 132 attacks per hour. While we do not have any information about the time at which the second press release was published, the measured increase in attacks at 17:00 UTC and the date on the press release hint at a time between 0:00 and 2:00 JST. The sudden increase suggests that, immediately following the press release, other attackers started imitating the attack, attempting to exploit the same weakness that had allegedly been used against MtGox.

After the second press release, in period 3, there is a sudden spike in activity. Between February 10 and 11 we identified 25,752 individual attacks totalling 286,076 bitcoins, two orders of magnitude more than all attacks from period 1 combined. A second, smaller wave of attacks starts after February 15, with a total of 9,193 bitcoins. The attacks have since calmed, returning to levels comparable to those observed in period 1, before the press releases. Figure 3 summarizes the situation by plotting the cumulative value and number of malleability attacks in February 2014, i.e., from the end of period 1 to period 3.

The strong correlation between the press releases and the ensuing attacks attempting to exploit the same weakness is a strong indicator that the attacks were indeed triggered by the press releases.

Assuming MtGox had disabled withdrawals as stated in the first press release, these attacks cannot have been aimed at MtGox. The attacks were therefore either attempts to investigate transaction malleability, or they were aimed at other businesses by imitators of the publicized attack seeking personal gain. The sheer amount of bitcoins involved in malleability attacks suggests that the latter motive was prevalent.

It remains questionable whether other services were informed by MtGox in time to brace for the sudden increase in malleability attacks. Should this not be the case, then the press release may have harmed other businesses by triggering imitators to attack them.

5 Related Work

Transaction malleability has been known since at least 2010, when it was first documented. It has, however, received very little attention so far, as it was categorized as a low-priority issue.

Andrychowicz et al. [1, 2] mention transaction malleability as a potential problem in contracts and two-party computations based on Bitcoin transactions. These schemes can be used, for example, to implement a fair coin toss [3], auctions, or decentralized voting. Their method to eliminate transaction malleability in their protocols resembles our construction of conflict sets, i.e., eliminating the malleable parts of the transaction in the hash calculation. However, they limit their observations to advanced schemes for encoding contracts and two-party computations.
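The conflict-set construction referred to above, hashing a transaction with its malleable scriptSigs removed so that an original and a malleated copy land in the same set, as an added Python illustration; this is not the paper's code, it uses a canonical JSON serialization as a stand-in for Bitcoin's wire format, and the sample transactions are constructed.

```python
import hashlib
import json
from collections import defaultdict

def _double_sha256(data: bytes) -> str:
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()

def txid(tx: dict) -> str:
    """Ordinary transaction id: a hash over the whole transaction, scriptSigs included,
    so a re-encoded signature yields a new id although it spends the same coins."""
    return _double_sha256(json.dumps(tx, sort_keys=True, separators=(",", ":")).encode())

def normalized_txid(tx: dict) -> str:
    """Id with every input's scriptSig dropped before hashing: outpoints, sequence
    numbers, outputs and locktime are the parts a signature actually commits to."""
    stripped = {
        "version": tx["version"], "locktime": tx["locktime"], "outputs": tx["outputs"],
        "inputs": [{k: i[k] for k in ("prev_txid", "prev_index", "sequence")}
                   for i in tx["inputs"]],
    }
    return _double_sha256(json.dumps(stripped, sort_keys=True, separators=(",", ":")).encode())

def conflict_sets(observed: list) -> dict:
    """Group observed transactions by normalized id and keep only groups that hold
    more than one distinct txid, i.e. an original plus at least one malleated copy."""
    groups = defaultdict(dict)
    for tx in observed:
        groups[normalized_txid(tx)][txid(tx)] = tx
    return {nid: txs for nid, txs in groups.items() if len(txs) > 1}

def conflicted_value(sets: dict) -> int:
    """Satoshis at stake: all members of a set pay the same outputs, so count one."""
    return sum(sum(o["value"] for o in next(iter(txs.values()))["outputs"])
               for txs in sets.values())

# Constructed sample, not real network data: TX_B is TX_A re-broadcast by a third
# party with a differently encoded scriptSig; TX_C is an unrelated spend.
TX_A = {"version": 1, "locktime": 0,
        "inputs": [{"prev_txid": "aa" * 32, "prev_index": 0, "sequence": 0xFFFFFFFF,
                    "script_sig": "<sig> <pubkey>"}],
        "outputs": [{"value": 150_000_000, "script_pubkey": "<pay-to-merchant>"}]}
TX_B = json.loads(json.dumps(TX_A))
TX_B["inputs"][0]["script_sig"] = "<sig, re-encoded> <pubkey>"
TX_C = json.loads(json.dumps(TX_A))
TX_C["inputs"][0]["prev_txid"] = "bb" * 32

if __name__ == "__main__":
    sets = conflict_sets([TX_A, TX_B, TX_C])
    print(len(sets), "conflict set(s),", conflicted_value(sets) / 1e8, "BTC at stake")
```

A wallet or exchange that keys its bookkeeping on the normalized id recognizes the malleated copy as a confirmation of its own payment instead of concluding that the original failed.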

A related class of double-spending attacks, which we shall refer to as classical double-spending, has received far more attention. In this class of attacks the transaction issuer creates two transactions to defraud the receiving party. Karame et al. [6] first studied the problem arising from fast transactions, i.e., accepting non-confirmed transactions. Rosenfeld [12] showed that the success probability of a double-spending attack can be further increased if coupled with computational resources. Bamert et al. [4] later improved the security of accepting fast payments by observing how transactions are propagated in the network.

To the best of our knowledge this paper is the first publication describing transaction malleability and the resulting malleability attack in detail.

6 Conclusion

The transaction malleability problem is real and should be considered when implementing Bitcoin clients. However, while MtGox claimed to have lost 850,000 bitcoins due to malleability attacks, we merely observed a total of 302,000 bitcoins ever being involved in malleability attacks. Of these, only 1,811 bitcoins were in attacks before MtGox stopped users from withdrawing bitcoins. Moreover, 78.64% of these attacks were ineffective. As such, barely 386 bitcoins could have been stolen using malleability attacks, from MtGox or from other businesses. Even if all of these attacks were targeted against MtGox, MtGox needs to explain the whereabouts of 849,600 bitcoins.

References

[1] Marcin Andrychowicz, Stefan Dziembowski, Daniel Malinowski, and Łukasz Mazurek. Fair two-party computations via the bitcoin deposits. Technical report, Cryptology ePrint Archive, 2013.
[2] Marcin Andrychowicz, Stefan Dziembowski, Daniel Malinowski, and Łukasz Mazurek. How to deal with malleability of bitcoin transactions. arXiv preprint arXiv:1312.3230, 2013.
[3] Adam Back and Iddo Bentov. Note on fair coin toss via bitcoin. arXiv preprint arXiv:1402.3698, 2014.
[4] Tobias Bamert, Christian Decker, Lennart Elsen, Samuel Welten, and Roger Wattenhofer. Have a snack, pay with bitcoin. In IEEE International Conference on Peer-to-Peer Computing (P2P), Trento, Italy, 2013.
[5] Christian Decker and Roger Wattenhofer. Information propagation in the bitcoin network. In IEEE International Conference on Peer-to-Peer Computing (P2P), Trento, Italy, September 2013.
[6] G.O. Karame, E. Androulaki, and S. Capkun. Two Bitcoins at the Price of One? Double-Spending Attacks on Fast Payments in Bitcoin. In Proc. of Conference on Computer and Communication Security, 2012.
[7] MtGox. Announcement regarding an application for commencement of a procedure of civil rehabilitation. https://www.mtgox.com/img/pdf/20140228-announcement_eng.pdf. [Online; accessed March 19th].
[8] MtGox. Announcement regarding the applicability of US bankruptcy code chapter 15. https://www.mtgox.com/img/pdf/20140314-announcement_chapter15.pdf. [Online; accessed March 19th].
[9] MtGox. MtGox press release about transaction malleability. https://www.mtgox.com/press_release_20140210.html, 2014. [Online; accessed February 10th, 2014].
[10] MtGox. MtGox press release announcing the stop of withdrawals. https://www.mtgox.com/press_release_20140210.html, 2014. [Online; accessed February 10th, 2014].
[11] Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system. https://bitcoin.org/bitcoin.pdf. [Online; accessed March 26, 2014].
[12] Meni Rosenfeld. Analysis of hashrate-based double spending. https://bitcoil.co.il/Doublespend.pdf, 2012. [Online; accessed February 17th, 2014].
[13] Pieter Wuille. BIP 0062: Dealing with Malleability. https://github.com/bitcoin/bips, 2014. [Online; accessed March 10th, 2014].

Paper information
2014-03-26 Bitcoin Transaction Malleability and MtGox, P13 R13, #security, malleability attack, MtGox
Download link: https://arxiv.org/abs/1403.6676v1

Posted @ 2021-05-10 21:34 by 蜉蝣一夕