A recently discovered issue with the client-side SDK of Bitcoin software provider BitGo allows anyone to track all incoming and outgoing transactions taking place on the Bitcoin exchange BitStamp. It was discovered by Bitcoin security firm BlockTrail over the weekend.
BlockTrail CTO Ruben De Vries first encountered the issue while conducting analysis on the blockchain, “for our own internal purposes.” He found a group of addresses had the same output, allowing them to be tracked. De Vries identified it as the change address, that is, the address created to send any remaining bitcoin left over from a transaction.
“If one is able to correlate trends in deposits and withdraws to the price movement (for example, maybe a high velocity of BTC deposits might indicate upcoming sell pressure, uncovering big sellers, etc), then so long as this data was not in common knowledge, it could be greatly valuable to traders. But just like looking for a good domain name, you often enough find that someone smart was there before you – and so I am left wondering not if such information is already being used by traders with informational advantages, but rather to what extent,” wrote BlockTrail CEO Boaz Becher in a company blog post.
The Change Bug
According to Becher, the company was able to get an “interesting picture” of BitStamp’s activity, including deposits, withdrawals and volume, by exploiting this issue. The company submitted a proposed fix to BitGo’s API implementation over the weekend, but BitGo still had not implemented it as of Tuesday morning.
According to a comment posted online by BitGo CTO Ben Davenport, the Bitcoin API provider has been aware of this issue for a while and has not changed it yet because they “don’t consider it a huge deal.”
“I wouldn’t call this a bug, per se, but it’s a known issue that we plan to fix,” Davenport said. “The BitGo API is agnostic where the change output(s) are placed – this is just an issue with the client-side SDK.
“The primary reason we haven’t changed it sooner is that BitGoD (which Bitstamp uses), currently relies on the change output being last to determine which output of a transaction is change when listing transactions,” he continued. “This was needed due to missing functionality in our back-end transaction indexer which has been remedied in the last few weeks.”
The other reason this issue is not a bigger deal is that it is already easy to identify the exchange’s change address. BitGo makes the exchange’s wallets multi-sig and makes the output end with a “3.” Since adoption of multi-sig is still low, it is already fairly easy to identify the exchange’s addresses.
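The positional leak described above can be measured and removed on the wallet side. The following is an added example, not code from the article or from BitGo's SDK: it audits a wallet's own transactions for a change output that always sits last, then shuffles outputs with a CSPRNG. The output objects, the isChange flag and the function names are assumptions made for illustration.

```javascript
// Added example, not BitGo SDK code. An output is modelled as a constructed
// plain object { address, value, isChange }; isChange is known only to the wallet owner.
const { randomInt } = require('crypto');

// Self-audit: of the wallet's own transactions that have a change output and
// at least one other output, what fraction put the change in the last slot?
// A value near 1.0 means output position alone reveals which output is change.
function changeLastRatio(txs) {
  let eligible = 0;
  let changeLast = 0;
  for (const tx of txs) {
    const idx = tx.outputs.findIndex((o) => o.isChange);
    if (idx === -1 || tx.outputs.length < 2) continue;
    eligible += 1;
    if (idx === tx.outputs.length - 1) changeLast += 1;
  }
  return eligible === 0 ? 0 : changeLast / eligible;
}

// Mitigation: Fisher-Yates shuffle of the outputs before signing, driven by a
// CSPRNG so the change slot is not predictable. randInt(min, max) returns an
// integer in [min, max); it is injectable so the shuffle can be tested.
function shuffleOutputs(outputs, randInt = randomInt) {
  const out = outputs.slice();
  for (let i = out.length - 1; i > 0; i -= 1) {
    const j = randInt(0, i + 1);
    [out[i], out[j]] = [out[j], out[i]];
  }
  return out;
}

// Constructed sample: two-output payments built the legacy way (change appended last).
function sampleLegacyTxs(n = 400) {
  return Array.from({ length: n }, (_, k) => ({
    outputs: [
      { address: `payee-${k}`, value: 1000 + k, isChange: false },
      { address: `change-${k}`, value: 50, isChange: true },
    ],
  }));
}

const legacy = sampleLegacyTxs();
const fixed = legacy.map((tx) => ({ outputs: shuffleOutputs(tx.outputs) }));
console.log('change-last ratio, legacy:', changeLastRatio(legacy));
console.log('change-last ratio, shuffled:', changeLastRatio(fixed).toFixed(2));
```

Shuffling removes only the positional signal: any component that assumed change is last, as the article says BitGoD did, needs another way to recognise it, and the multi-sig address format mentioned above still marks the wallet's addresses.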
This is the second bug found in BitGo’s API in the past week. Over the weekend, a Reddit user going by the username rstn claimed to have lost 85 bitcoin when transferring 116 bitcoin with BitGo’s Legacy Wallet Recovery Tool. According to the user, the erroneous tool made the transaction’s miner fee 85 bitcoin instead of the usual fractions of a bitcoin.
BitGo acted quickly and contacted AntPool, the mining pool that processed the transaction, and had the bitcoin returned to the user in full. As part of the company’s ongoing bug bounty program, BitGo has since fixed the bug and rewarded the user 25 extra bitcoin for bringing it to their attention.
The security of BitGo’s API remains intact, and its clients are insured by the A-rated XL Group for $250,000 of losses in the case of a hack or theft.