
BitStamp Exchange Activity Trackable due to Multisig Wallet Implementation


A recently discovered issue in the client-side SDK of Bitcoin software provider BitGo allows anyone to track all incoming and outgoing transactions of the Bitcoin exchange BitStamp, which builds its transactions with that SDK. The issue was found by Bitcoin security firm BlockTrail over the weekend.

BlockTrail CTO Ruben De Vries first encountered the issue while analysing the blockchain “for our own internal purposes.” He noticed a set of transactions in which one output always sat in the same position, which let him follow the spending wallet from one transaction to the next. De Vries identified that output as the change output: the output that returns whatever remains of the inputs, after the payment and the miner fee, to an address controlled by the sender.

“If one is able to correlate trends in deposits and withdrawals to the price movement (for example, maybe a high velocity of BTC deposits might indicate upcoming sell pressure, uncovering big sellers, etc), then so long as this data was not in common knowledge, it could be greatly valuable to traders. But just like looking for a good domain name, you often enough find that someone smart was there before you – and so I am left wondering not if such information is already being used by traders with informational advantages, but rather to what extent,” wrote BlockTrail CEO Boaz Becher in a company blog post.

The Change Bug

According to Becher, the company was able to get an “interesting picture” of BitStamp’s activity, including deposits, withdrawals and volume, by exploiting this issue. BlockTrail submitted a proposed fix for BitGo’s client-side SDK over the weekend, but as of Tuesday morning BitGo had not yet merged it.

According to a comment posted online by BitGo CTO Ben Davenport, the Bitcoin API provider has been aware of this issue for a while and has not changed it yet because they “don’t consider it a huge deal.”

“I wouldn’t call this a bug, per se, but it’s a known issue that we plan to fix,” Davenport said. “The BitGo API is agnostic where the change output(s) are placed – this is just an issue with the client-side SDK.

“The primary reason we haven’t changed it sooner is that BitGoD (which Bitstamp uses), currently relies on the change output being last to determine which output of a transaction is change when listing transactions,” he continued. “This was needed due to missing functionality in our back-end transaction indexer which has been remedied in the last few weeks.”

The other reason this issue is not a bigger deal is that the exchange’s change address is already easy to identify. BitGo wallets are multi-signature pay-to-script-hash (P2SH) wallets, and P2SH addresses on the Bitcoin network start with a “3.” Since adoption of multi-sig is still low, an output to a “3” address in a transaction that spends from a known exchange address is already a strong hint that it is the exchange’s change, whichever position it occupies.
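The two heuristics described above (the SDK appends the change output last; the change goes back to a P2SH address starting with “3”) are enough to grow a seed address into the exchange’s whole hot wallet and then classify deposits and withdrawals. The following script is an added example illustrating that, not BlockTrail’s tool or BitGo’s SDK. It uses a simplified transaction model (`txid`, `inputs` as spent addresses, `outputs` as an ordered list of address/satoshi pairs) and constructed placeholder addresses such as `3Hot1` and `1CustA`; none of the data is real chain data.

```python
"""Tracing an exchange wallet from a predictable change output.

Added example (not BlockTrail's or BitGo's code).  A tx is modelled as
{'txid', 'inputs': [address, ...], 'outputs': [(address, satoshi), ...]}
with outputs in on-chain order.  Addresses and amounts are constructed
placeholders, not real blockchain data.
"""
import random

BTC = 100_000_000  # satoshi per bitcoin


def is_p2sh(address: str) -> bool:
    """Mainnet pay-to-script-hash addresses (multisig wallets) start with '3'."""
    return address.startswith("3")


def identify_change(tx: dict) -> int:
    """Index of the output most likely to be the spender's change.

    Only meaningful for a tx the wallet itself spends.  Rule 1 (the article's
    'known issue'): the SDK appends change last.  Rule 2: a multisig wallet's
    change returns to a P2SH address, so when exactly one output is P2SH that
    output is the change no matter where the builder placed it.
    """
    p2sh = [i for i, (addr, _) in enumerate(tx["outputs"]) if is_p2sh(addr)]
    if len(p2sh) == 1:
        return p2sh[0]
    return len(tx["outputs"]) - 1


def trace_wallet(txs: list, seed: set) -> set:
    """Grow a set of wallet addresses from a seed until no tx adds more.

    Every input of a tx that spends a known address is also the wallet's
    (one owner signs all inputs), and the identified change output of such
    a tx returns to the wallet.  Transactions the wallet does not spend are
    ignored, so a customer's own change is never absorbed.
    """
    wallet = set(seed)
    grew = True
    while grew:
        grew = False
        for tx in txs:
            if not any(a in wallet for a in tx["inputs"]):
                continue
            found = set(tx["inputs"])
            found.add(tx["outputs"][identify_change(tx)][0])
            if not found <= wallet:
                wallet |= found
                grew = True
    return wallet


def activity(txs: list, wallet: set) -> list:
    """Classify each tx as a deposit or withdrawal, sized in satoshi."""
    report = []
    for tx in txs:
        spends = any(a in wallet for a in tx["inputs"])
        to_wallet = sum(v for a, v in tx["outputs"] if a in wallet)
        to_others = sum(v for a, v in tx["outputs"] if a not in wallet)
        if spends and to_others:
            report.append((tx["txid"], "withdrawal", to_others))
        elif not spends and to_wallet:
            report.append((tx["txid"], "deposit", to_wallet))
    return report


def randomize_change_position(outputs: list, rng=random) -> list:
    """Mitigation for rule 1 only: a builder that does not append change last."""
    shuffled = list(outputs)
    rng.shuffle(shuffled)
    return shuffled


# Constructed sample chain: 3Hot* stand for the exchange's multisig addresses,
# 1Cust*/1Other for single-key addresses of customers and unrelated users.
SAMPLE_TXS = [
    {"txid": "t1", "inputs": ["3Hot1"],
     "outputs": [("1CustA", 2 * BTC), ("3Hot2", 5 * BTC)]},
    {"txid": "t2", "inputs": ["3Hot2", "3Hot3"],
     "outputs": [("1CustB", 1 * BTC), ("3Hot4", 3 * BTC)]},
    {"txid": "t3", "inputs": ["1CustC"],
     "outputs": [("3Hot4", BTC // 2), ("1CustC", BTC // 10)]},
    {"txid": "t4", "inputs": ["1Other"],
     "outputs": [("1Other", 1 * BTC), ("3Other", 2 * BTC)]},
]


def demo() -> dict:
    """Seed with one known exchange address and summarise what leaks."""
    wallet = trace_wallet(SAMPLE_TXS, {"3Hot1"})
    report = activity(SAMPLE_TXS, wallet)
    volume = {"withdrawal": 0, "deposit": 0}
    for _, kind, amount in report:
        volume[kind] += amount
    return {"wallet": wallet, "report": report, "volume": volume}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` on the constructed chain recovers all four `3Hot*` addresses from the single seed and yields the deposit/withdrawal volume Becher describes. Note that `randomize_change_position` only defeats the position rule: as long as the payment goes to a non-P2SH address and the change to a “3” address, `identify_change` still singles out the change, which is the article’s point that the SDK ordering is not the only leak.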

BitGo Security

This is the second bug found in BitGo’s software in the past week. Over the weekend, a Reddit user going by the name rstn claimed to have lost 85 bitcoin when transferring 116 bitcoin with BitGo’s Legacy Wallet Recovery Tool. According to the user, the faulty tool set the transaction’s miner fee to 85 bitcoin instead of the usual fraction of a bitcoin. Bitcoin has no explicit fee field: the miner keeps whatever value of the inputs is not assigned to an output, so a wallet that mis-sizes or omits an output hands the difference to the miner.

BitGo acted quickly, contacted AntPool, the mining pool that mined the transaction, and had the bitcoin returned to the user in full. BitGo has since fixed the bug and, as part of its ongoing bug bounty program, rewarded the user with 25 extra bitcoin for reporting it.

The security of BitGo’s API remains intact, and its clients are insured by the A-rated XL Group for $250,000 of losses in the case of a hack or theft.

Photo by Marko Ahtisaari / CC BY 2.0
