macbook-air
Sr. Member, Activity: 324, Merit: 250

A successful DOUBLE SPEND US$10000 against OKPAY this morning.
March 12, 2013, 06:22:02 PM #1

All times UTC+08:00:



08:08  Well before I knew what would later happen, I deposited $10000 worth of Bitcoins to BTC-e over OKPAY's Bitcoin payment. I paid OKPAY address 12z2n8YCJw1BEsJhhQPLCTuLqwH341nKnE 211.9093 BTC and 0.0005 BTC as transaction fee.

09:30  The transaction was included in version 0.8's fork, block 225446

10:08  Deposit completed, $9800 credited to my BTC-e account

12:53  After some study, I recognized that the transaction, though included in version 0.8's fork, was never confirmed by the pre-0.8 fork, so I decided to make two double spend transactions on two of the vins of the OKPAY transaction, and broadcast them with the raw transaction API, with a 0.001 BTC transaction fee included in each transaction.

13:01  The double spend transaction was included in pre-0.8 fork block 225446



You should know what happens next...



I bet merchants would think twice before they decide to accept Bitcoins after the incident.

F2Pool: Mining pool for Bitcoin, Litecoin, Zcash and Ethereum

bg002h
Donator, Legendary, Activity: 1441, Merit: 1010
I outlived my lifetime membership:)

Re: A successful DOUBLE SPEND US$10000 against OKPAY this morning.
March 12, 2013, 06:38:59 PM #3

Quote from: macbook-air on March 12, 2013, 06:22:02 PM

All times UTC+08:00:



08:08  Well before I knew what would later happen, I deposited $10000 worth of Bitcoins to BTC-e over OKPAY's Bitcoin payment. I paid OKPAY address 12z2n8YCJw1BEsJhhQPLCTuLqwH341nKnE 211.9093 BTC and 0.0005 BTC as transaction fee.

09:30  The transaction was included in version 0.8's fork, block 225446

10:08  Deposit completed, $9800 credited to my BTC-e account

12:53  After some study, I recognized that the transaction, though included in version 0.8's fork, was never confirmed by the pre-0.8 fork, so I decided to make two double spend transactions on two of the vins of the OKPAY transaction, and broadcast them with the raw transaction API, with a 0.001 BTC transaction fee included in each transaction.

13:01  The double spend transaction was included in pre-0.8 fork block 225446



You should know what happens next...



I bet merchants would think twice before they decide to accept Bitcoins after the incident.



Good thing someone honest was the cause of the double spend...

1GCDzqmX2Cf513E8NeThNHxiYEivU1Chhe Hardforks aren't that hard. It's getting others to use them that's hard.

casascius
Mike Caldwell, VIP, Legendary, Activity: 1386, Merit: 1062
The Casascius 1oz 10BTC Silver Round (w/ Gold B)

Re: A successful DOUBLE SPEND US$10000 against OKPAY this morning.
March 12, 2013, 07:13:20 PM #11

A serious solution is simply for several major stakeholders to publish signed endorsements and/or kills to blocks. Users can subscribe to them, and if a supermajority agrees to kill a block, the merchant at the very least can be configured to stop and go into safe mode.



I have thought of this long ago, now others might take the idea seriously. It was aggressively rejected in the past under the pretense it was too "centralized". I believe we need it to raise the bar on the risk of a 51% attack.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable. I never believe them. If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins. I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion. Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice. Don't keep coins online. Use paper or hardware wallets instead.
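
The signed endorse/kill scheme proposed in the post above, sketched from the merchant's side as an added example (not code from this thread or from any Bitcoin client). The stakeholder names, demo keys, notice format and 75% threshold are assumptions, and HMAC stands in for the public-key signatures a real deployment would use so that the sketch runs on the standard library alone.

```python
import hashlib
import hmac

# Constructed demo keys. HMAC is a stand-in so the example runs on the
# standard library; the proposal implies public-key signatures.
STAKEHOLDER_KEYS = {
    "pool-a": b"demo-key-a",
    "pool-b": b"demo-key-b",
    "exchange-c": b"demo-key-c",
    "dev-d": b"demo-key-d",
}
SUPERMAJORITY = 0.75  # assumed threshold; the post does not give a number


def sign_notice(signer, verdict, block_hash, key):
    """Compute the tag a stakeholder attaches to a notice about one block."""
    msg = f"{signer}|{verdict}|{block_hash}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def valid_notice(notice):
    """Accept only known signers, known verdicts and a matching tag."""
    key = STAKEHOLDER_KEYS.get(notice["signer"])
    if key is None or notice["verdict"] not in ("endorse", "kill"):
        return False
    expected = sign_notice(notice["signer"], notice["verdict"], notice["block"], key)
    return hmac.compare_digest(expected, notice["sig"])


def merchant_mode(notices, block_hash):
    """Return 'safe' when a supermajority of all stakeholders kills block_hash."""
    latest = {}  # one vote per signer; a later valid notice replaces an earlier one
    for n in notices:
        if n["block"] == block_hash and valid_notice(n):
            latest[n["signer"]] = n["verdict"]
    kills = sum(1 for v in latest.values() if v == "kill")
    return "safe" if kills / len(STAKEHOLDER_KEYS) >= SUPERMAJORITY else "normal"


def make_notice(signer, verdict, block_hash, key=None):
    """Build a constructed sample notice (a key override simulates a forgery)."""
    key = key or STAKEHOLDER_KEYS.get(signer, b"unknown")
    return {"signer": signer, "verdict": verdict, "block": block_hash,
            "sig": sign_notice(signer, verdict, block_hash, key)}
```

The denominator is the full subscribed stakeholder set rather than the votes received, so silence from most stakeholders never trips safe mode on the word of one or two signers.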