edgecase
Author: StJohn Piano
Published: 2021-02-06
Datafeed Article 203
This article has been digitally signed by Edgecase Datafeed.
265 words - 127 lines - 4 pages




Background:

Bitcoin is an alien battlefield. [0]




Threat assessment:

An unknown entity at blockchain.com records transactions sent to their transaction publishing tool, and checks to see if transactions sent from the same address are signed with the same random entropy value. If they are, the private key can then be extracted. Any bitcoin accessible from the private key is immediately transferred to the entity's own addresses. The entity may be located in either the frontend client (e.g. poisoned javascript dependency) or the backend system (e.g. rogue employee).

Link to transaction publishing tool:
www.blockchain.com/btc/pushtx




More detail:


Friend:

I just heard that [NameDeleted] lost some bitcoin.



StJohn Piano:

yes, he did

he skimped on rolling dice.

sent 2 transactions that were signed using the same entropy value (never do this)

Apparently the first one was incorrectly formatted, and rejected by the broadcast tool, and he then constructed the second one right away, without generating new entropy.

he would have gotten away with it

but it looks like someone, somehow, was able to intercept both transactions, and extract the private key because of the same-entropy-value-reuse.



Friend:

Oh my



StJohn Piano:

could have been an attacker at any level of the codebase in blockchain.com



Friend:

Has he got the rest protected



StJohn Piano:

could even have been an employee

yes



Friend:

He's said he's gonna write up



StJohn Piano:

ah, good for him

painful lesson

but this battlefield is very unforgiving

bears some resemblance to the Old Testament God.

Lots of judgement, smiting, pain. Not big on forgiveness.











[start of footnotes]


[0]
I got this phrasing from Jameson Lopp.

[return to main text]

[end of footnotes]