Refund Attacks on Bitcoin's Payment Protocol
Total Page:16
File Type:pdf, Size:1020Kb
This is a repository copy of Refund Attacks on Bitcoin’s Payment Protocol. White Rose Research Online URL for this paper: https://eprints.whiterose.ac.uk/144143/ Version: Submitted Version Conference or Workshop Item: McCorry, Patrick, Shahandashti, Siamak F. orcid.org/0000-0002-5284-6847 and Hao, Feng (2017) Refund Attacks on Bitcoin’s Payment Protocol. In: Financial Cryptography and Data Security, 22-26 Feb 2016. https://doi.org/10.1007/978-3-662-54970-4_34 Reuse Items deposited in White Rose Research Online are protected by copyright, with all rights reserved unless indicated otherwise. They may be downloaded and/or printed for private study, or other acts as permitted by national copyright laws. The publisher or other rights holders may allow further reproduction and re-use of the full text version. This is indicated by the licence information on the White Rose Research Online record for the item. Takedown If you consider content in White Rose Research Online to be in breach of UK law, please notify us by emailing [email protected] including the URL of the record and the reason for the withdrawal request. [email protected] https://eprints.whiterose.ac.uk/ Refund attacks on Bitcoin’s Payment Protocol Patrick McCorry, Siamak F. Shahandashti, Feng Hao School of Computing Science, Newcastle University UK (patrick.mccorry, siamak.shahandashti, feng.hao)@ncl.ac.uk Abstract. BIP70 is a community-accepted Payment Protocol standard that governs how merchants and customers perform payments in Bitcoin. This standard is supported by most major wallets and the two dominant Payment Processors: Coinbase and BitPay, who collectively provide the infrastructure for accepting Bitcoin as a form of payment to more than 100,000 merchants. In this paper, we present new attacks on the Payment Protocol, which affect all BIP70 merchants. The Silkroad Trader attack highlights an authentication vulnerability in the Payment Protocol while the Marketplace Trader attack exploits the refund policies of existing Payment Processors. Both attacks have been experimentally verified on real-life merchants using a modified Bitcoin wallet. The attacks have been acknowledged by both Coinbase and Bitpay with temporary mitigation measures put in place. However, to fully address the identified issues will require revising the BIP70 standard. We present a concrete proposal to revise BIP70 by providing the merchant with publicly verifiable evidence to prevent both attacks. 1 Introduction Bitcoin [20], the world’s first successful crypto-currency, is increasingly becom- ing a popular method of payment for e-commerce due to low transaction fees and the ease of use supplied by third party Payment Processors. BitPay and Coinbase are currently the two dominant Payment Processors that handle Bit- coin payments for more than 100,000 merchants. Their customers include Dell, Microsoft, Overstock, Shopify, Paypal and CeX. This demonstrates that large organisations are placing trust in Bitcoin as a viable form of payment. In fact, Overstock claimed to have made $3 million worth of Bitcoin sales in 2014 [12]. These Payment Processors are attractive due to their ability to convert bitcoins into fiat currency instantly which removes the risk involved in Bitcoin’s price volatility on behalf of the merchant. Both Payment Processors and all merchants are recommended to follow the community accepted BIP70: Payment Protocol standard that was proposed by Andresen and Hearn [5] to be used with Bitcoin. The motivation for this proto- col is to reduce the complexity of Bitcoin payments as customers are no longer required to handle Bitcoin addresses1. Instead, the customer can verify the mer- chant’s identity using a human-readable name before authorising a payment. 1 A form of identity (26–35 alphanumeric characters) that is related to a public-private key pair and is used to send/receive bitcoins. At the time of a payment authorisation, the customer’s wallet will also send a refund Bitcoin address to the merchant that should be used in the event of a future refund. The Payment Protocol provides two pieces of evidence that can be used in case of a dispute with an arbitrator. The customer has evidence that they were requested to authorise a payment if they keep a copy of the signed Payment Re- quest message. This can be considered evidence as the customer could not have produced the signature without the co-operation of the merchant. The second piece of evidence for both the customer and the merchant is the payment trans- action as the payment is signed by the customer and time-stamped on Bitcoin’s Blockchain, that is stored by most users of the network. In this paper, we ar- gue that a third piece of evidence is required to authenticate the refund address sent from the customer as the protocol recommends the customer’s payment and refund addresses not be the same. This flexibility leads to the following attacks: – The Silkroad Trader attack relies on a vulnerability in the Payment Protocol as the customer can authenticate that messages originate from the merchant, but not vice-versa. This allows a customer to route payments to an illicit trader via a merchant and then plausibly deny their own involvement. – The Marketplace Trader attack focuses on the current refund policies of Coinbase and BitPay who both accept the refund address over e-mail [26][9]. This allows a rogue trader to use the reputation of a trusted merchant to entice customers to fall victim to a phishing-style attack. Without the knowledge of our attacks, Schildbach asked the Bitcoin-Development mailing list why the refund address in the Payment Protocol was currently un- protected [24] and one of the original authors responded: We talked about signing it with one of the keys that’s signing the Bit- coin transaction as well. But it seems like a bit overkill. Usually it’ll be submitted over HTTPS or a (secured!) Bluetooth channel though so tampering with it should not be possible. - Mike Hearn [13] As seen above, a solution may involve the customer endorsing a refund ad- dress using one of the public keys that authorised the transaction. However, the author stated this solution was an overkill as the refund address is currently pro- tected in an HTTPS communication channel. We demonstrate that the HTTPS communication channel cannot protect the refund address as it only provides one-way authentication, the customer can authenticate messages originated from the merchant, but not vice-versa. At first glance, the ‘overkill’ solution suggested by Hearn could provide the evidence required for the merchant. Unfortunately, this solution opens the door to another attack which allows a malicious co-signer the sole authority to endorse the refund address used by the merchant and thus steal the bitcoins of other co-signers. We will discuss this in detail in Section 5. Contributions. Our contributions in this paper are summarised below: – We present new attacks on Bitcoin’s Payment Protocol and the current prac- tice of both the Payment Processors, Transac9on)A) Transac9on)0) In.ut Output In.ut Output In.ut Output Transac9on)A1s)iden95caon)hash,)) Scri.t :0itcoin)addressA,)) Transac9on)A1s)output inde8,)) Number of)bitcoins Scri.t :signature)+ .ublic)keyA) Fig. 1. Information stored in the inputs and outputs of Bitcoin transactions – We present real-world experiments that demonstrate how merchants today are vulnerable to both attacks using a modified Bitcoin wallet. – We propose a solution that removes the incentive to perform both attacks as the merchant is provided with publicly verifiable evidence whose origin can be verified by an arbitrator. 2 Background We discuss background information about Bitcoin before presenting the commu- nity accepted Payment Protocol standard. 2.1 Bitcoin We discuss three concepts that are needed to understand Bitcoin’s Payment Protocol. These include Bitcoin addresses that act as a form of identification, Transactions that are used to send/receive bitcoins and the Blockchain that stores all transactions on the network. A Bitcoin address is a form of identification in the Bitcoin community that is used to receive bitcoins and authorise payments. An address can be described as the hash of an EC (Elliptic Curve) public key and the accompanying private key is used to produce ECDSA (Elliptic Curve Digital Signature Algorithm) signatures to authorise payments. A Transaction consists of one or more inputs and one or more outputs as seen in Figure 1. Briefly, an input specifies the source of bitcoins being spent (the previous transaction’s identification hash and an index to one of its output) and is accompanied with signature(s) and public key(s) of the sender to authorise the payment. An output specifies the new owner’s Bitcoin address and the number of bitcoins being sent. Strictly, these inputs and outputs are controlled using a Forth-like scripting language to dictate the conditions required to claim the bitcoins. The dominant script today is the ‘pay-to-pubkey-hash’ which requires a single signature from a Bitcoin address to authorise the payment. On the other hand, the ‘pay-to-script-hash’ approach enables a variety of transaction types and was introduced as a soft-fork in BIP16 [4]. In practice, this ‘pay-to- script-hash’ script is widely used2 to enable escrow services and multi-signature authorisation (k of n keys required to claim bitcoins). The Blockchain is responsible for storing the entire network’s transaction history with a relatively secure time-stamp [20]. This ledger is an append-only data structure and is stored by most users of the network. To append new transactions to this ledger requires a computationally difficult proof of work puzzle to be solved. ‘Miners’ are responsible for computing this proof of work and are rewarded in bitcoins for appending a new ‘block’ of transactions to the ledger.