Coinkite, a bitcoin platform that transacts more than 400,000 BTC per month, has reported a bitcoin malleability attack that requires users to be careful about zero-confirmation receipts, since there are two versions of a transaction (low S and high S). Coinkite is requiring one confirmation for deposits before it uses them in a new transaction.
Transactions have been modified and rebroadcast with new transaction numbers, indicating a malleability attack. The attacks have occurred over the last 24 to 48 hours. Almost all transactions on the network have suffered the attacks.
Customer Funds Not At Risk
The company noted in a blog post that the attacks do not put Coinkite’s customer funds at risk. The modification being made to the transactions is a simple numeric tweak to one number (S) in the ECDSA (Elliptic Curve Digital Signature Algorithm) signature, the blog notes. “It’s documented as part of BIP62 and is called the ‘low S’ requirement.” Coinkite always uses the lower S value, but the attackers have been replacing it with the higher S value.
The attackers change the transactions without any knowledge of the private keys involved.