{"id":27421,"date":"2015-05-05T21:09:11","date_gmt":"2015-05-05T21:09:11","guid":{"rendered":"http:\/\/ci027cfe7b00082697"},"modified":"2015-05-05T21:09:11","modified_gmt":"2015-05-05T21:09:11","slug":"bitstamp-exchange-activity-trackable-due-multisig-wallet-implementation-1430860151","status":"publish","type":"post","link":"https:\/\/bitcoinmagazine.com\/culture\/bitstamp-exchange-activity-trackable-due-multisig-wallet-implementation-1430860151","title":{"rendered":"BitStamp Exchange Activity Trackable due to Multisig Wallet Implementation"},"content":{"rendered":"<div id=\"bsf_rt_marker\"><\/div><figure><img decoding=\"async\" src=\"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/11\/bitstamp-exchange-activity-trackable-due-to-multisig-wallet-implementation.jpg\" title=\"\"><\/figure>\n<p>A recently discovered issue with the client-side SDK of Bitcoin software provider BitGo allows anyone to track all incoming and outgoing transactions taking place on the Bitcoin exchange BitStamp. It was discovered by Bitcoin security firm BlockTrail over the weekend.<\/p>\n<p>BlockTrail CTO Ruben De Vries first encountered the <a href=\"https:\/\/github.com\/BitGo\/BitGoJS\/blob\/51dbd68b41136ed2ffd7e0517469f41863681dc3\/src\/transactionBuilder.js#L191\" target=\"_blank\" rel=\"noopener\">issue<\/a> while conducting analysis on the blockchain, \u201cfor our own internal purposes.\u201d He found a group of addresses had the same output, allowing them to be tracked. 
De Vries identified it as the <a href=\"http:\/\/blocktrail.com\/#!\/BTC\/tx\/7b7774d7d2bf9ec2e46f9d2bc83bf76b55eed9ccf8e999292fc134d35bdc46d2\" target=\"_blank\" rel=\"noopener\">change address<\/a>, that is, the address to which any bitcoin left over from a transaction is sent.<\/p>\n<p>\u201cIf one is able to correlate trends in deposits and withdraws to the price movement (for example, maybe a high velocity of BTC deposits might indicate upcoming sell pressure, uncovering big sellers, etc), then so long as this data was not in common knowledge, it could be greatly valuable to traders. But just like looking for a good domain name, you often enough find that someone smart was there before you \u2013 and so I am left wondering not if such information is already being used by traders with informational advantages, but rather to what extent,\u201d wrote BlockTrail CEO Boaz Becher in a company <a href=\"https:\/\/blog.btc.com\/?gi=e00ebe00070e\" target=\"_blank\" rel=\"noopener\">blog post<\/a>.<\/p>\n<p><strong>The Change Bug<\/strong><\/p>\n<p>According to Becher, the company was able to get an \u201cinteresting picture\u201d of BitStamp\u2019s activity, including deposits, withdrawals and volume, by exploiting this issue. The company <a href=\"https:\/\/github.com\/BitGo\/BitGoJS\/pull\/12\/commits\" target=\"_blank\" rel=\"noopener\">submitted a proposed fix<\/a> to BitGo\u2019s API implementation over the weekend, but the fix still had not been implemented by BitGo as of Tuesday morning.<\/p>\n<p>According to a <a href=\"https:\/\/news.ycombinator.com\/item?id=948150620Ben20Davenport\" target=\"_blank\" rel=\"noopener\">comment posted online<\/a> by BitGo CTO Ben Davenport, the Bitcoin API provider has been aware of this issue for a while and has not changed it yet because they \u201cdon\u2019t consider it a huge deal.\u201d<\/p>\n<p>\u201cI wouldn\u2019t call this a bug, per se, but it\u2019s a known issue that we plan to fix,\u201d Davenport said. 
\u201cThe BitGo API is agnostic where the change output(s) are placed \u2013 this is just an issue with the client-side SDK.<\/p>\n<p>\u201cThe primary reason we haven\u2019t changed it sooner is that BitGoD (which Bitstamp uses) currently relies on the change output being last to determine which output of a transaction is change when listing transactions,\u201d he continued. \u201cThis was needed due to missing functionality in our back-end transaction indexer which has been remedied in the last few weeks.\u201d<\/p>\n<p>The other reason this issue is not a bigger deal is that it is already easy to identify the exchange\u2019s change address. BitGo makes the exchange\u2019s wallets multi-sig and makes the output end with a \u201c3.\u201d Since adoption of multi-sig is still low, it is already fairly easy to identify the exchange\u2019s addresses.<\/p>\n<p><strong>BitGo Security<\/strong><\/p>\n<p>This is the second bug found in BitGo\u2019s API in the past week. Over the weekend, a Reddit user going by the username <a href=\"http:\/\/www.reddit.com\/user\/rstn\" target=\"_blank\" rel=\"noopener\">rstn<\/a> claimed to have lost 85 bitcoin when transferring 116 bitcoin with BitGo\u2019s Legacy Wallet Recovery Tool. According to the user, the erroneous tool set the transaction\u2019s miner fee to 85 bitcoin instead of the usual fraction of a bitcoin.<\/p>\n<p>BitGo acted quickly and contacted <a href=\"https:\/\/www.antpool.com\/home.htm\" target=\"_blank\" rel=\"noopener\">AntPool<\/a>, the mining pool that processed the transaction, and had the bitcoin returned to the user in full. 
As part of the company\u2019s ongoing bug bounty program, BitGo has since fixed the bug and rewarded the user with 25 extra bitcoin for bringing it to their attention.<\/p>\n<p>The security of BitGo\u2019s API remains intact, and its clients are insured by the A-rated XL Group for $250,000 of losses in the case of a hack or theft.<\/p>\n<p><em><a href=\"https:\/\/www.flickr.com\/photos\/moia\/14266642578\/\" target=\"_blank\" rel=\"noopener\">Photo<\/a> by Marko Ahtisaari \/ CC BY 2.0<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A recently discovered issue with the client-side SDK of Bitcoin software provider BitGo allows anyone to track all incoming and outgoing transactions taking place on the Bitcoin exchange BitStamp. It was discovered by Bitcoin security firm BlockTrail over the weekend. BlockTrail CTO Ruben De Vries first encountered the issue while conducting analysis on the blockchain, [&hellip;]<\/p>\n","protected":false},"author":3612,"featured_media":27420,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[1429,882,572,3002,356,163],"class_list":{"0":"post-27421","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-culture","8":"tag-api","9":"tag-bitgo","10":"tag-bitstamp","11":"tag-blockchain-analysis","12":"tag-multisig","13":"tag-wallets"},"author_data":{"id":3612,"name":"Jeffrey 
Maxim","nicename":"jeffrey-maxim","avatar_url":"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/12\/bitcoin-schmitcoin-promo-image-2-96x96.png"},"featured_image_url":"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/11\/bitstamp-exchange-activity-trackable-due-to-multisig-wallet-implementation.jpg","_links":{"self":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts\/27421","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/users\/3612"}],"replies":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/comments?post=27421"}],"version-history":[{"count":0,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts\/27421\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/media\/27420"}],"wp:attachment":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/media?parent=27421"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/categories?post=27421"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/tags?post=27421"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}