Archive for January, 2013

The Bitcoin transaction fetch memory exhaustion attack (TFMEA)

Overview Suppose most Bitcoin clients are installed in Windows operating systems. Suppose most people that use Windows does not compile the source code, but download the 32 bit executable from Sourceforge, which is a 32-bit application. This assumptions seems probable in practice. To process a transaction the Satoshi client loads all referred transactions inputs into […]

Leave a comment

Fixed Bitcoin vulnerability explanation: Why the signature cache is a DoS protection

I read a transcript of  #bitcoin-dev ( where jgarzik and, Sipa debated whether the signature cache was a performance optimization or a DoS protection and why. The sig cache is both of them. But the sig cache was included before performance was a problem because of the DoS protection requirement. The following attack against versions […]

Leave a comment

Global Pool Mining Proposal and a fast light tx verification system

Pooled mining is a mining approach where multiple generating clients contribute to the generation of a block, and then split the block reward according the contributed processing power. Pooled mining effectively reduces the granularity of the block generation reward, spreading it out more smoothly over time. A share is awarded by the mining pool to […]

Leave a comment

About my new Bitcoin vulnerability: get your peer public addresses

I really thought this had been fixed, because I commented the problem of using IsFromMe / IsMine to the developers in the github forums (, but no. Not fixed, so I’d better alert people before they can be tracked… The attack requires you to connect to the victim’s node and be disconnected from the victim’s […]

Leave a comment

CVE-2012-3789 disclosure

Given that update ratio from 0.6.2 to 0.6.3+ has probably passed the 80% (*) barrier for a long time, I decided to publish the full CVE-2012-3789 vulnerability report, since that is my obligation with the community. I encourage those who are working in the Satoshi client to peer review the report. Also I suggest […]

, , , ,

Leave a comment