How to Lose Your Bitcoins with Bitcoin Core Client

The answer is: just accept to receive a regular payment with bitcoin core client v0.9.2.1.
All your bitcoins may be lost! 

Here are the facts.

Today we have done  the following experience.

  1. I had my client synchronized and running on my laptop, then suddenly it hanged and I had to reboot it. Just few minutes before the experience.
  2. I have pressed the “Request payment button” which generates fresh addresses each time on the PC.
  3. Then I sent 0.01 BTC from my mobile phone wallet to the client.
  4. Then the client hanged several times during the day… with twice error messages like the hash of the block did not verify correctly (line 1738 in man.cpp).
  5. Then eventually at the end of the day after several reboots it went back to normal.

HOWEVER here is the catch.
Money were never received. Moreover the software has no recollection that it has generated a new receiving address this morning. Probably the reader will not believe us. Quite happily we have done it on camera and with a witness, and I have the full video!

detective-searching-investigates-searches-footprints-crime-scene-40878956

There is clearly a serious problem with bitcoin core client and money can be lost. Every single user should feel concerned about it.

Here are some further technical remarks:

  1. We used core client v0.9.2.1-g354c0f3-beta under Windows.
    Done on a PC running a F-SECURE antivirus fully active and up to date.
  2. This version runs OpenSSL 1.0.1h 5 June 2014 and is officially claimed immune to the famous Heartbleed exploit.
  3. However it might be vulnerable to bash exploits, yes, and also under Windows as explained here.
  4. At this moment we do not know if this problem was fixed in later releases.

This incident is currently under investigation. There are exactly two possibilities:

  1. Either the client has mismanaged the key management, and the money can be recovered later but the software is just too stupid to realize that it has requested this payment itself, and that it can compute the corresponding keys to see and spend this money.
  2. Or a hacker has been able to Bitcoin Core client in order to make it display HIS bitcoin address.

In other words, it is either lost or stolen. If your bitcoins are lost or stolen in the similar way, let us know.
We will know soon because in case 2. the money will be spent by the criminal sooner or later. We will see when this happens on the blockchain and will keep this blog post updated.

P.S. We dispose of other data of actual past criminal activity with much larger amounts involved. We are willing to share them with other researchers. Please also note that there will be a talk at UCL about tracing bitcoin activity on the blockhain this Thursday 16/10 at 5PM at MPEB room 1.02.

Leave a Reply

Your email address will not be published.