People are currently keen on speculating in Bitcoin, but rarely pay attention to the security of Bitcoin technology itself. You may not know that the Bitcoin wallet you are using carries a huge risk, so I decided to write this article as a warning; otherwise you may lose several, dozens, or even more bitcoins in the future.

Bitcoin is based on UTXOs (unspent transaction outputs). Suppose you are Alice, and you have a Bitcoin wallet that contains a Bitcoin address, which holds a UTXO with a balance of 10 BTC. Now you want to transfer 10 BTC to Bob (ignoring the transaction fee). The resulting transaction is very simple: your UTXO is the input and Bob's address is the output, as shown below:

Now the situation becomes a little more complicated. You only need to transfer 5 BTC to Bob, so the transaction has 1 input, which still refers to your UTXO, and 2 outputs: one of 5 BTC to Bob's address and one of 5 BTC to your own address.

Now comes the question: should the 5 BTC sent back to yourself go to the original address or to a newly created address? Bitcoin has a standard policy for this, called the change address. Let's look at why Bitcoin has such a policy. Before the change address policy, the transfer model was like this: all remaining BTC are transferred back to the sending address. Because Bitcoin's blockchain is publicly queryable, it is easy to track A's payment behavior and wealth this way, and there is no privacy at all.

Therefore, Bitcoin introduced the change address policy (not mandatory), and the new model works as follows: a new address is created to receive the change of each transfer. In fact, C in the above figure is another address of user A.

The outputs of a transaction are ordered (indexed). Always putting the target address first (index 0) discloses transaction behavior. To further enhance privacy, a shuffleOutputs function is added on top of this, which randomizes the order of the outputs in the transaction. After several such transfers, you will not be able to track A's transaction behavior.

This is a perfect solution and has been widely used. However, it introduces a huge risk to wallet security, which is the main point of this article. The standard steps by which most of us use a Bitcoin wallet are as follows (leaving aside online wallets and exchanges, which have other security issues):
We think this is safe because we have backed up the wallet. Even if the computer is scrapped or the phone is lost, the backup can still be used to restore it. Yes, that's right! But only if you never transfer anything out! Once you transfer out, your wallet may generate a new address for you, and this new address may not be included in your backup!

Imagine you have 100 BTC in your wallet, and you have transferred out 50 BTC in total through multiple transfers. Suddenly one day you lose your phone (your wallet is on your phone). You quickly buy a new phone, install a new wallet, and restore it from the backup, only to find that the balance in your wallet has become 0. This is because you did not back up the address holding your remaining 50 BTC, which is a new address generated during the transfer process!

The following is a transfer made by the author using a mobile wallet. The address in the red box is a newly generated address and is not in the author's last backup.

We say "may" here because different wallets now adopt different modes. The current modes fall roughly into the following categories:
How to solve it?

If you don't care about privacy (most people don't care about the disclosure of transaction behavior, because the address itself is anonymous; they are more concerned about the security of their coins), you can use a single-address wallet. The same is true for online wallets. The author changed the Bitcoin payment platform (bitbill.com) he operated back to the single-address mode (slightly expanded). The author used bitcoinj and made the following changes in its core code:

```java
// Fragment patched into bitcoinj's core code; selection, req and log are
// defined by the surrounding method.
log.info("selection.gathered length:" + selection.gathered.size());
for (TransactionOutput output : selection.gathered) {
    // added by Tom @2017/2/9 for change address issue.
    if (req.changeAddress == null) {
        try {
            // Reuse the address of a gathered input as the change address.
            req.changeAddress = output.getAddressFromP2PKHScript(org.bitcoinj.params.MainNetParams.get());
        } catch (Exception ex) {
            // in case not P2PKH: leave changeAddress unset and try the next output
        }
        log.info("Tom's fix for req.changeAddress:" + req.changeAddress);
    } else {
        log.info("req.changeAddress is not empty:" + req.changeAddress);
    }
}
```

For users of Bitcoin wallets, it depends on the wallet type (non-HD wallets in particular, and most wallets today are non-HD). Generally, more backups are required. Remember, either you don't transfer money, or you may need to back up immediately after the transfer!
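The 100 BTC scenario above, replayed under three change policies, as an added simulation that is not the article's or bitcoinj's code. `Wallet`, `derive`, `restore_balance` and `scenario` are hypothetical names, an address is an opaque string standing in for a key pair, and the HD derivation is a simplified HMAC stand-in for BIP32.

```python
import hashlib, hmac, secrets

def derive(seed, i):
    # Assumption: simplified stand-in for BIP32, address = HMAC(seed, index)
    return hmac.new(seed, str(i).encode(), hashlib.sha256).hexdigest()[:16]

class Wallet:
    def __init__(self, policy):
        self.policy = policy             # "fresh", "single" or "hd"
        self.seed = secrets.token_bytes(32)
        self.keys = []                   # addresses whose private keys we hold
        self.chain = {}                  # address -> BTC, stand-in for the public UTXO set

    def new_address(self):
        if self.policy == "hd":
            addr = derive(self.seed, len(self.keys))
        else:
            addr = secrets.token_hex(8)  # non-HD: independent random key
        self.keys.append(addr)
        return addr

    def receive(self, amount):
        self.chain[self.new_address()] = amount

    def backup(self):
        # Non-HD backup is a snapshot of the keys; HD backup is only the seed.
        return self.seed if self.policy == "hd" else list(self.keys)

    def pay(self, amount):
        src = next(a for a in self.keys if self.chain.get(a, 0) >= amount)
        change = self.chain.pop(src) - amount   # the input UTXO is spent whole
        if change:
            dest = src if self.policy == "single" else self.new_address()
            self.chain[dest] = change           # change output back to ourselves

def restore_balance(chain, backup, policy, gap_limit=20):
    # Balance a fresh install sees after restoring from the backup alone.
    keys = [derive(backup, i) for i in range(gap_limit)] if policy == "hd" else backup
    return sum(chain.get(a, 0) for a in keys)

def scenario(policy):
    w = Wallet(policy)
    w.receive(100)
    saved = w.backup()                   # backup taken before any spending
    w.pay(20); w.pay(30)                 # 50 BTC sent out over two transfers
    true_balance = sum(w.chain.get(a, 0) for a in w.keys)
    return true_balance, restore_balance(w.chain, saved, policy)

if __name__ == "__main__":
    for p in ("fresh", "single", "hd"):
        print(p, scenario(p))
```

With fresh random change addresses the stale backup restores to 0 although 50 BTC remain on chain; the single-address mode and the seed-based wallet both restore the full 50.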