Bitcoin devs fix wallet bug behind 'mutated' transaction attacks

Summary: An update to the Bitcoin client has introduced invoicing, privacy-enhancing features, and a fix for a transaction bug behind disruptions at several exchanges.

Bitcoin developers have released an update for the cryptocurrency's main wallet, bringing fixes for a bug recently used in a denial of service attack on Bitcoin users.

The fix comes in version 0.9.0 of Bitcoin Core, the new name for the reference implementation wallet or full Bitcoin client. Users can install it or a number of other wallets that are based on it, including the hosted wallet from the recently shuttered exchange MtGox.

As a new milestone release, the update brings a host of new features and, according to its release notes, fixes for "transaction malleability-related" issues that have plagued a number of exchanges.

Bitcoin developers had been aware that a bug in the Bitcoin client could allow users to send mutated versions of the identifiers used in transactions between wallets.

The bug hadn't caused any major problems until February, when someone decided to exploit it en masse, causing several exchanges including MtGox and Bitstamp to suspend withdrawals. MtGox blamed the bug and other security issues for its woes when it filed for bankruptcy protection last month.

For Bitstamp, the attacks disrupted balance checking and caused its Bitcoin wallets to produce inconsistent results. The impact on Bitcoin wallet users hit by the attack was that their Bitcoin could be suspended in an unconfirmed transaction, as opposed to the users having their funds stolen. Nonetheless, the attacks caused problems for users of the cryptocurrency.

According to the release notes, the fixes for transaction malleability include:

  • -nospendzeroconfchange command-line option, to avoid spending zero-confirmation change
  • IsStandard() transaction rules tightened to prevent relaying and mining of mutated transactions
  • Additional information in listtransactions/gettransaction output to report wallet transactions that conflict with each other because they spend the same outputs.
  • Bug fixes to the getbalance/listaccounts RPC commands, which would report incorrect balances for double-spent (or mutated) transactions.
  • -zapwallettxes to rebuild the wallet's transaction information
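The conflict reporting and balance fixes in that list both rest on one idea: two transactions that spend the same outputs are the same payment, whatever their identifiers say. The following is an added example, not Bitcoin Core's code; the record layout, the simplified `txid` hashing (a stand-in for Bitcoin's real wire format), and all function names and sample values are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample: one payment seen twice with different signature bytes,
# plus an unrelated payment. Inputs are (previous tx hash, output index, signature).
ORIGINAL = {"inputs": [("aa" * 32, 0, "sig-encoding-1")], "outputs": [("addr-merchant", 50_000)]}
MUTATED = {"inputs": [("aa" * 32, 0, "sig-encoding-2")], "outputs": [("addr-merchant", 50_000)]}
UNRELATED = {"inputs": [("bb" * 32, 1, "sig-encoding-3")], "outputs": [("addr-other", 20_000)]}
WALLET = [ORIGINAL, MUTATED, UNRELATED]

def txid(tx):
    """Toy identifier: double SHA-256 over every field, signature included."""
    parts = [f"{h}:{n}:{sig}" for h, n, sig in tx["inputs"]]
    parts += [f"{addr}={amt}" for addr, amt in tx["outputs"]]
    raw = "|".join(parts).encode()
    return hashlib.sha256(hashlib.sha256(raw).digest()).hexdigest()

def find_conflicts(txs):
    """Map each txid to the other txids that spend at least one same output."""
    spenders = defaultdict(set)
    for tx in txs:
        for prev_hash, index, _sig in tx["inputs"]:
            spenders[(prev_hash, index)].add(txid(tx))
    conflicts = defaultdict(set)
    for ids in spenders.values():
        for i in ids:
            conflicts[i] |= ids - {i}
    # Drop transactions that conflict with nothing.
    return {k: v for k, v in conflicts.items() if v}

def pending_debit(txs):
    """Sum outgoing amounts, counting each group of conflicting spends once."""
    seen, total = set(), 0
    for tx in txs:
        outpoints = {(h, n) for h, n, _ in tx["inputs"]}
        if outpoints & seen:
            continue  # same coins already counted under a different txid
        seen |= outpoints
        total += sum(amt for _, amt in tx["outputs"])
    return total
```

A wallet that keys its records on `txid` alone would treat `ORIGINAL` and `MUTATED` as two payments; grouping by the outputs spent shows they are one.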

Besides fixes, version 0.9.0 introduces a number of additional features, including payment requests, or Bitcoin invoices, which include a refund address for payments to merchants accepting the currency, as well as cryptographically signed payment requests to ensure payments go to the intended recipient.

The name Bitcoin Core also comes as part of the update in an effort by The Bitcoin Foundation to draw a line between the Bitcoin network and the software.

"The name 'Core' highlights the purpose of the software to run the core infrastructure of the Bitcoin network. It also describes the near-future direction of the project to encompass the core functionality instead of trying to be everything for everyone. Over the next releases, non-core functionality (such as the wallet) will be split off to different projects to allow independent collaboration and release cycles," Bitcoin Core dev team member Wladimir van der Laan said.

The update also changes the receive payment tab for improved invoicing, and introduces a privacy-enhancing feature called "coin control", which allows the user to select which coins are used together.

"Exercising manual control over coin selection allows for a degree of privacy by controlling which coins are used together, and thus what a third party looking at the block chain will see," van der Laan said.


Topics: Security, Banking, E-Commerce

About

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelor's degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, s...
