Bitcoin developers are working on a fix for an issue that's behind suspended withdrawals at two of the biggest exchanges, but are promising that Bitcoin wallets and funds are safe as long as users don't accept unconfirmed Bitcoin.
According to the Bitcoin Foundation, attackers are using "transaction malleability" — apparently a known issue among Bitcoin developers — to undermine the process used to confirm transactions. The attack amounts to a denial of service rather than an attempt to steal funds, according to the foundation.
"Somebody (or several somebodies) is taking advantage of the transaction malleability issue and relaying mutated versions of transactions," Bitcoin Foundation chief scientist Gavin Andresen wrote on the organisation's blog.
The update from the Bitcoin Foundation followed confusion among Bitcoin traders as two of the largest exchanges, Mt Gox and Bitstamp, suspended withdrawals over the issue, which has affected their respective versions of Bitcoin wallets.
In the case of Bitstamp, the DoS has disrupted the ability to check Bitcoin balances and therefore withdrawals have been suspended.
As noted in the Bitcoin wiki entry for 'transaction malleability', it's possible for an attacker on the network to mess with the identifier — or hash — of a transaction, which is used by wallets to confirm a transaction between them. Once confirmed, the hashes form part of the Bitcoin 'blockchain' ledger of historical transactions.
An altered hash doesn't affect the underlying value or the destination of the funds, but until the transaction is confirmed, the funds involved are not safe to accept, as the hashes depend on those of previous transactions and can still be changed up to the point they are confirmed.
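The point above, that a changed identifier leaves the value and destination untouched, can be seen in a small reconciliation sketch. This is an added example, not code from the Bitcoin reference implementation or any exchange: the `Tx` model, its `repr`-based serialization, the `payment_key` helper and all sample values are simplifying assumptions constructed here.

```python
import hashlib
from dataclasses import dataclass, replace

def dsha256(data: bytes) -> str:
    """Double SHA-256, the hash Bitcoin uses for transaction identifiers."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()

@dataclass(frozen=True)
class Tx:
    # Simplified model (assumption): real transactions use a binary format.
    inputs: tuple    # (previous txid, output index) pairs being spent
    outputs: tuple   # (address, amount in satoshi) pairs
    sig_data: bytes  # signature data, constructed placeholder bytes here

    def txid(self) -> str:
        # The identifier covers the whole serialized transaction.
        return dsha256(repr((self.inputs, self.outputs, self.sig_data)).encode())

    def payment_key(self) -> str:
        # Hypothetical helper: covers only which coins move and where they go.
        return dsha256(repr((self.inputs, self.outputs)).encode())

def reconcile(pending: dict, confirmed: list) -> dict:
    """Map each pending withdrawal id to a status, tolerating changed txids."""
    seen_txids = {tx.txid() for tx in confirmed}
    seen_payments = {tx.payment_key() for tx in confirmed}
    status = {}
    for withdrawal_id, tx in pending.items():
        if tx.txid() in seen_txids:
            status[withdrawal_id] = "confirmed"
        elif tx.payment_key() in seen_payments:
            # Same coins, same destination, different identifier.
            status[withdrawal_id] = "confirmed-mutated"
        else:
            status[withdrawal_id] = "unconfirmed"
    return status

# Constructed sample data: one withdrawal confirms under a different txid.
SENT = Tx((("aa" * 32, 0),), (("addr-customer", 50_000),), b"encoding-A")
MUTATED = replace(SENT, sig_data=b"encoding-B")
OTHER = Tx((("bb" * 32, 1),), (("addr-other", 10_000),), b"encoding-C")
PENDING = {"w1": SENT, "w2": OTHER}

if __name__ == "__main__":
    print(reconcile(PENDING, [MUTATED]))
```

A tracker that looked up `w1` by identifier alone would keep listing it as unconfirmed even though the payment is in the ledger.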
In any case, a fix for the problem is on the way, but may take time to come through.
"We (core dev team, developers at the exchanges, and even big mining pools) are creating workarounds and fixes right now," Andresen said.
"Users of the reference implementation who are bitten by this bug may see their bitcoins 'tied up' in unconfirmed transactions; we need to update the software to fix that bug, so when they upgrade those coins are returned to the wallet and are available to spend again. Only users who make multiple transactions in a short period of time will be affected."