A deep dive into the latest BCH onerous fork incident – The Coinbase Weblog

By Mark Nesbitt, Peter Kacherginsky, and Don Yu

On Might 15th, Coinbase detected a depth-2 chain reorganization on the Bitcoin Money blockchain. The reorg focused BCH funds that had been erroneously despatched to BTC segwit addresses, which had been beforehand unspendable however turned recoverable as a part of the Might 15 BCH improve. Based mostly on publicly obtainable knowledge, the reorg was brought on by a hashpower wrestle between two miners, the end result of which was $1.39M (3655 BCH) being despatched to the initially meant recipients and $82okay (216 BCH) being despatched to unknown addresses.

I. Double Spends on BCH

Twice a 12 months, the Bitcoin Money (BCH) community onerous forks as a part of scheduled protocol upgrades. The latest improve occurred on Wednesday, Might 15 at 5:00am PT (12pm GMT) and included the next two main changes:

  • Enable Schnorr signatures. Schnorr signatures are a cryptographic signature system that permits scaling options which are a part of the BCH roadmap.
  • Allow Segwit recovery. Segwit is an tackle format that's legitimate on the BTC community and invalid on the BCH community. BCH cash are sometimes despatched to segwit addresses, which, previous to this improve, resulted in these cash being unspendable. This improve modified the standing of those cash from being unspendable to, in sure instances, being claimable by BCH miners. Half II gives extra info on this.

Timeline of Occasions

The BCH improve occurred at 5:00am PT, which induced miners to supply blocks underneath the brand new consensus guidelines starting with block 582680 as the primary block underneath the post-upgrade ruleset. Between 5:20am and 9:05am PT, a vulnerability in the principle BCH implementation, Bitcoin ABC, was exploited that induced miners to supply empty blocks, leading to a backlog of transactions within the BCH mempool. Throughout this time, the non-upgraded BCH chain was prolonged with a brand new block 582680.

Shortly after a patch for the ABC vulnerability was applied, two blocks 582698 and 582699 had been mined by two separate miners recognized by “unknown” and “Prohashing” strings within the respective blocks’ coinbase transactions. The “unknown” miner mined Block 582698 which included transactions that spent BCH from greater than 1000 segwit addresses.

At 9:10 am PT, Coinbase noticed a 2-block chain reorganization, the place blocks at peak 582698 and 582699 had been orphaned by an extended chain with blocks at heights 582698 by 582701, mined by BTC.high and BTC.com. Block 582701 contained a single double spend transaction of a transaction contained in orphaned block 582699. The double spending transaction seems to be a replay from the BSV community, didn't spend from a segwit tackle, and doesn't look like associated to the opposite double spends noticed.

At 10:05 am PT, block 582705 was mined by BTC.high. This block contained 1278 transactions (1451 inputs, 1278 outputs, 3655 BCH) that double spent many of the inputs to 28 segwit-spending transactions (1387 inputs, 28 outputs, 3792 BCH) contained in orphaned block 582698. Nonetheless, 56 of the orphaned transactions’ inputs weren't included within the double spending transactions, and 120 of the inputs within the double spending transactions weren't within the orphaned transactions’ inputs. As we are going to present additional down, all of those double spends had been despatched to their equal legitimate BCH addresses.

At 12:53pm PT, block 582715 was mined by one other unknown miner. This block contained 13 transactions (620 inputs, 13 outputs, 216 BCH) that double spent inputs to 25 of the earlier 28 segwit-spending transactions (1237 inputs, 25 outputs, 3442 BCH) contained in orphaned block 582698. 1181 of the orphaned transactions’ inputs weren't included within the double spending transactions, as lots of them had been spent in block 582705, and 564 of the inputs within the double spending transactions weren't within the authentic orphaned transactions’ inputs. That is an instance of a transaction whose sixth input was double spent by the 30th enter of a transaction included in block 582715. These double spends had been despatched to 13 BCH addresses, that are supplied in Appendix A. Based mostly on blockchain evaluation, we imagine all addresses have already moved their funds to Bitfinex and HitBtc exchanges.

Double spend evaluation

The entire variety of transactions that had been double spent was 29, for a complete of 3796 BCH. The double spending transactions had been cut up into three teams:

  • 1 in block 582701 (Four BCH), which doesn't look like associated to the opposite double spends.
  • 1278 in block 582705 (3655 BCH), which spent BCH at segwit addresses to the legitimate equal BCH addresses.
  • 13 in block 582715 (216 BCH) that spent BCH at segwit addresses to BCH addresses doubtless managed by the “unknown” miner. These transactions included inputs that weren't included by BTC.high in block 582705.

Our examination concluded that the segwit inputs that had been double spent in block 582705 had been despatched to their initially meant recipients. Because of this the miner of block 582705, BTC.high, was capable of derive the “legitimate BCH equal” to the invalid segwit addresses, and reasonably than sending the funds to an unrelated tackle as was completed by the “unknown” miner of the orphaned block 582698 and primary chain block 5827015, BTC.high determined as an alternative to ship these funds to the initially meant recipients.

Based mostly on these information, it seems that there was a hashpower wrestle to assert the BCH cash that had been despatched to segwit addresses. On account of the truth that the ABC 0-day prevented BCH miners from together with any transactions in blocks for a number of hours after the improve activated, this wrestle occurred on the earliest potential second. Block 582698 contained spends of BCH at segwit addresses to addresses related to the “unknown” miner. The reorg eliminated these spends from the principle chain, and later changed them with spends to the legitimate BCH equal of the segwit addresses in block 582705. Block 582715 was then mined by the “unknown” miner that “collected the leftovers,” sending a smaller variety of BCH nonetheless remaining at segwit addresses to an unknown tackle. Based mostly on the coinbase knowledge within the blocks, we imagine that the miner of primary chain block 582715 was the identical actor because the miner of orphaned block 582698.

Pattern Double Spend Transaction

Beneath is a pattern transaction from the “unknown” miner of block 582698 which contained quite a few transactions that spent BCH cash from segwit addresses. Previous to the improve, these cash had been inaccessible.

Picture 1: Pattern orphaned segwit transaction

Within the transaction ebc4… above, the “unknown” miner spends 46 inputs to a single tackle 1My1… What is exclusive concerning the inputs to this transaction is that they're all segwit addresses, reminiscent of 35hL… highlighted above.

Beneath is a transaction that appeared in block 582705 that double spent the pattern proven above. Discover the identical 35hL… segwit tackle is an enter to this transaction, which is what makes the next transaction a double spend.

Picture 2: Double spend transaction e872… in Block 582705

As a substitute of aggregating segwit inputs just like the “Unknown” miner, BTC.high has double spent the identical inputs to particular person addresses. These particular person addresses are in actual fact the legitimate BCH equivalents to the invalid segwit addresses. For instance, the entire funds from the segwit tackle 35hL… had been transferred to its legitimate BCH equal tackle 1EVW…

As a way to perceive how this was completed, we have to dive in to the mechanics of segwit addresses.

II. Spending BCH from segwit addresses

As a part of the Might 15th improve, the BCH community made an exception to the clear stack rule to permit restoration of BCH at segwit addresses. The modification of the clear stack rule permits for the spending of cash at segwit addresses by anybody so long as the next two situations are met:

  1. The hash of the general public key or the unlocking script related to a segwit tackle are recognized. This info shouldn't be revealed when sending funds to a segwit tackle, however they're revealed within the strategy of sending funds from a segwit tackle. Thus, if a specific segwit tackle that has BCH on it additionally has acquired and later despatched BTC on the Bitcoin chain, then sufficient info can be revealed to spend funds within the BCH community as effectively.
  2. A miner should comply with mine the transaction. It is because the BCH transactions required to spend from a segwit tackle are “nonstandard transactions,” which implies they're legitimate transactions however is not going to propagate throughout the community, as a result of community nodes refuse to relay nonstandard transactions.

Recovering P2WPKH Segwit funds.

As we've got beforehand talked about, in an effort to spend funds unintentionally despatched to a P2WPKH (Pay-to-Witness-Public-Key-Hash) segwit tackle on the BCH community, a miner should know the hash of that tackle’s public key. The general public key hash could also be obtained instantly from the proprietor of the tackle or, if the identical segwit tackle has spent funds on the BTC blockchain, extracted from the transaction that spent the funds on the BTC blockchain.

For instance, within the following transaction, BCH is shipped to the segwit tackle 35hL… (Notice that “pq4lq2sfvkyh3a9wvmkeqd8f2n5v8t07qg2hd6erum” is only a illustration of the identical tackle within the “Cashaddress” format.)

Picture 3: Sending funds to a segwit tackle on the BCH community

A switch was later made to the exact same segwit tackle on the BTC community. This BTC was later spent from the segwit tackle, which revealed its public key hash.

Picture 4: Spending a pattern segwit tackle on the BTC community

The underside transaction is when the BTC is deposited to the segwit tackle on the BTC community. The highest transaction spends this BTC, one block later. The highest transaction accommodates the general public key hash to this segwit tackle as proven in its uncooked type beneath:

{“txid”:”3ffbf713629fcf66ae6e7155c1f931ad3e6108e47d557c247831c1b7f617a266″,”hash”:”469395c9292e04f0b476b77d420d882ecf7bb67be01c0314b503802e26705d32″,”model”:1,”dimension”:249,”vsize”:167,”weight”:666,”locktime”:0,”vin”:[{“txid”:”4065337e9f82c4a57aef23011185676077a7e6a96d606c27b01b28cc68b1886c”,”vout”:1,”scriptSig”:{“asm”:”001493fdaf42a7b8e82fede6fe0f6184536a11193cce”,”hex”:”16001493fdaf42a7b8e82fede6fe0f6184536a11193cce”},”txinwitness”:[“304502210097a74f034d5adb4ceec0b8617fa24ee9faf95736f188cdee22b60e824025ac8402205de42bef12a4752024368a08a83547effc6de60b78111faa9a1c8f4f89adf4d501”,”02f68ea65bb67b8552a9cc11a47c251943e64c4dad4963ae006e638de6921b54ff”],”sequence”:4294967295}],”vout”:[{“value”:0.01542272,”n”:0,”scriptPubKey”:{“asm”:”OP_DUP OP_HASH160 4aed1e7a21ee87a69be93dbeda198d65752ff73a OP_EQUALVERIFY OP_CHECKSIG”,”hex”:”76a9144aed1e7a21ee87a69be93dbeda198d65752ff73a88ac”,”reqSigs”:1,”type”:”pubkeyhash”,”addresses”:[“17qB4WvfbnNP4AVzkpGV1hsXHUpdu41FGU”]}},{“worth”:0.00049692,”n”:1,”scriptPubKey”:{“asm”:”0 532b4f8533e6a0d51ee537ec48319228b374f4cb”,”hex”:”0014532b4f8533e6a0d51ee537ec48319228b374f4cb”,”reqSigs”:1,”kind”:”witness_v0_keyhash”,”addresses”:[“bc1q2v45lpfnu6sd28h9xlkysvvj9zehfaxtkn2t65”]}}]}

As soon as the Might 15 improve modified the clear stack rule, BCH miners can use the hash of the general public key above to spend the funds on the segwit tackle. For instance, the transaction beneath spends these funds:

Picture 5: Spending a segwit tackle on the BCH community

Wanting on the uncooked knowledge, you will discover the exact same HASH160 of the general public key from the transaction on the BTC community above was additionally used on the BCH community:

{“txid”:”e872243f11d82ee348b2ae736dccd6b432f719e88c778b5513489f890c19a56d”,”hash”:”e872243f11d82ee348b2ae736dccd6b432f719e88c778b5513489f890c19a56d”,”model”:1,”dimension”:108,”locktime”:0,”vin”:[{“txid”:”unhealthy87c9a6feae56e07cbaf1d064611e43a0fab40fcef94a424d18713756be2f4″,”vout”:0,”scriptSig”:{“asm”:”001493fdaf42a7b8e82fede6fe0f6184536a11193cce”,”hex”:”16001493fdaf42a7b8e82fede6fe0f6184536a11193cce”},”sequence”:4294967295}],”vout”:[{“value”:0.50752982,”n”:0,”scriptPubKey”:{“asm”:”OP_DUP OP_HASH160 93fdaf42a7b8e82fede6fe0f6184536a11193cce OP_EQUALVERIFY OP_CHECKSIG”,”hex”:”76a91493fdaf42a7b8e82fede6fe0f6184536a11193cce88ac”,”reqSigs”:1,”type”:”pubkeyhash”,”addresses”:[“bitcoincash:qzflmt6z57uwstldumlq7cvy2d4pzxfueckq7xg080”]}}]}

Thus, as soon as the BCH clear stack rule was modified, the spending of funds from this tackle on the BTC community allowed any BCH miner to spend any BCH that is likely to be on the tackle. Within the case of the transactions in blocks 582698 and 582699, this BCH was spent to unknown addresses. Nonetheless, within the case of the transactions in block 582705 that double spent these transactions, the BCH was spent to particular addresses.

What makes segwit transactions mined by BTC.high particular is that their vacation spot addresses reminiscent of bitcoincash:qzfl… and its legacy equal 1EVWEWrvrjcpHXPtEvY3D4JfWLrzRVtMQc within the instance above are literally managed by the identical personal key as the unique segwit tackle. It's fairly easy to derive this tackle as soon as the general public key hash for the segwit tackle is understood, which was a requirement to spend these cash within the first place. Producing this tackle makes use of the traditional BTC/BCH tackle derivation algorithm, simply skipping the HASH160 step, since we have already got the output of that step from the general public key hash:

$ echo ‘93fdaf42a7b8e82fede6fe0f6184536a11193cce’ | bx address-encode


By sending funds to the tackle managed by the identical personal key because the segwit tackle, the miner is successfully making beforehand unrecoverable funds accessible to the initially meant recipient.

Recovering P2WSH Segwit Funds

The instance above solely works for sends to segwit addresses that had been of kind P2WPKH, however there's a second kind of segwit tackle — P2WSH (Pay-to-Witness-Script-Hash). Beneath is a pattern transaction to recuperate funds mined by BTC.high illustrating such an tackle:

Picture 6: Recovering funds from a P2WSH segwit tackle

Discover that funds within the segwit tackle 3G8Z… had been despatched to the P2SH tackle 35VG… as an alternative of a P2PKH tackle which begin with a “1”. The 3G8Z… tackle is definitely a multi-signature P2SH script as outlined in BIP-141 which makes issues a bit extra difficult for restoration.

Similar to with P2WPKH the unlocking scriptSig will be obtained from a corresponding transaction on the BTC community:

{“txid”:”085685b104a6ee79d90546a27873d52fdf9cd252aa714d4f533a780bfe31dd88″,”hash”:”300564866319ba006cfecea46b354c649c5f91fe778f5857091977efd11824c0″,”model”:1,”dimension”:408,”vsize”:216,”weight”:864,”locktime”:0,”vin”:[{“txid”:”acc8ef9eca068e36062b050321fd8e4adf13bcad49718eb4f992e29c6426a512″,”vout”:1,”scriptSig”:{“asm”:”0020883a730777b7119f563b84221abd5c742665f659d4c835advert771fb0bfb21064be”,”hex”:”220020883a730777b7119f563b84221abd5c742665f659d4c835advert771fb0bfb21064be”},”txinwitness”:[“”,”3045022100af15f05927517cfaa4978ab7d3ef1036664df44f47f6f1efeb0ae16bd358137902205fe531c37fab614d0e2cd802d8f481fcfb968901aed1e0d4c5771be4579626a501″,”3045022100e229eabf5e2779453aff54544e657858eece5fcf528dedbb0bbfe413df7b37e00220694de848b5b7ca58f31483baff4a7f890d64256b10ebc5f38c2c8f6348f0be6401″,”5221026965ff50ba461b7bc54ae88c5dd45f334db242d0bf63a5bd5a6158835784b8f82102f864ea0765243a045bf572b6f62bb2ccd0c736ffcda21442ecc252eb32c388262103e3f2e6c762fd7aeafcd390b492accf5cd1108cf1eff1b8f78f76a56442e8684e53ae”],”sequence”:4294967295}],”vout”:[{“value”:0.01848363,”n”:0,”scriptPubKey”:{“asm”:”OP_HASH160 c55c269abd40a8d21519d44b030c7d14e1ecd544 OP_EQUAL”,”hex”:”a914c55c269abd40a8d21519d44b030c7d14e1ecd54487″,”reqSigs”:1,”type”:”scripthash”,”addresses”:[“3KgZS5q7KRh2eM1NKXhe3nVGAYgE7Bz3ic”]}},{“worth”:0.0262,”n”:1,”scriptPubKey”:{“asm”:”OP_DUP OP_HASH160 89e5e15821fe9c9ec96b078c0e1ed72db3743589 OP_EQUALVERIFY OP_CHECKSIG”,”hex”:”76a91489e5e15821fe9c9ec96b078c0e1ed72db374358988ac”,”reqSigs”:1,”kind”:”pubkeyhash”,”addresses”:[“1Da8xeA4Zr6tgnDAeDE52Q87qwRFT7RiCD”]}}]}

Taking the hash160 of the scriptSig confirms the unique segwit tackle and may now be used to recuperate the transaction:

$ echo ‘0020883a730777b7119f563b84221abd5c742665f659d4c835advert771fb0bfb21064be’ | bx bitcoin160 | bx address-encode -v 5


Nonetheless, in an effort to ship these funds to the non-segwit equal on the BCH community we've got to have a look at the unlock script within the segwit part of the BTC transaction. Discover the final txinwitness entry above, it defines a multi-signature script and will be decoded as follows:

$ echo ‘5221026965ff50ba461b7bc54ae88c5dd45f334db242d0bf63a5bd5a6158835784b8f82102f864ea0765243a045bf572b6f62bb2ccd0c736ffcda21442ecc252eb32c388262103e3f2e6c762fd7aeafcd390b492accf5cd1108cf1eff1b8f78f76a56442e8684e53ae’ | bx script-decode

2 [026965ff50ba461b7bc54ae88c5dd45f334db242d0bf63a5bd5a6158835784b8f8] [02f864ea0765243a045bf572b6f62bb2ccd0c736ffcda21442ecc252eb32c38826] [03e3f2e6c762fd7aeafcd390b492accf5cd1108cf1eff1b8f78f76a56442e8684e] Three checkmultisig

As a way to replicate the identical conduct on the BCH community, we have to generate an equal P2SH tackle primarily based on the complete checkmultisig script above:

$ echo ‘5221026965ff50ba461b7bc54ae88c5dd45f334db242d0bf63a5bd5a6158835784b8f82102f864ea0765243a045bf572b6f62bb2ccd0c736ffcda21442ecc252eb32c388262103e3f2e6c762fd7aeafcd390b492accf5cd1108cf1eff1b8f78f76a56442e8684e53ae’ | bx bitcoin160 | bx address-encode -v 5


This corresponds to the identical tackle used within the restoration transaction by BTC.high and will be unlocked by the identical meant recipients on the BCH community.


Coinbase’s investigation is ongoing. The scope of this evaluation is proscribed to transactions that had been double spent, nevertheless, it's potential that there have been transactions spending BCH at segwit addresses that weren't double spent, and thus wouldn't have been included on this evaluation. You will need to attain a full understanding of the whole quantity of BCH despatched to segwit addresses, how a lot of that BCH continues to be at segwit addresses, how a lot has been despatched to the legitimate BCH equivalents of these segwit addresses, and the way a lot has been despatched to unrelated BCH addresses.

The Segwit restoration mechanisms described above work by gleaning uncovered public key or unlock script knowledge recorded on the BTC blockchain. Since this info is publicly obtainable, it created a race situation the place the unknown miner tried to spend the segwit cash earlier than the BTC.high mining pool had an opportunity to execute the segwit restoration course of.

We discover it exceptional that BTC.high derived the technical answer to recuperate BCH funds mistakenly misplaced by customers, selecting to ship the cash to their meant recipients reasonably than claiming the funds for themselves.

Appendix A

BCH addresses with recovered segwit funds mined in block 582715














This web site might comprise hyperlinks to third-party web sites or different content material for info functions solely (“Third-Social gathering Websites”). The Third-Social gathering Websites are usually not underneath the management of Coinbase, Inc., and its associates (“Coinbase”), and Coinbase shouldn't be liable for the content material of any Third-Social gathering Web site, together with with out limitation any hyperlink contained in a Third-Social gathering Web site, or any modifications or updates to a Third-Social gathering Web site. Coinbase shouldn't be liable for webcasting or every other type of transmission acquired from any Third-Social gathering Web site. Coinbase is offering these hyperlinks to you solely as a comfort, and the inclusion of any hyperlink doesn't indicate endorsement, approval or advice by Coinbase of the location or any affiliation with its operators.

Until in any other case famous, all photos supplied herein are by Coinbase.

Download WordPress Themes Free
Download Premium WordPress Themes Free
Download WordPress Themes
Download Premium WordPress Themes Free
download udemy paid course for free

Comentarios cerrados.

  • bitcoinBitcoin
    $ 8,540.00 1.5%
  • ethereumEthereum
    $ 268.09 2.42%
  • rippleXRP
    $ 0.433372 0.37%
  • bitcoin-cashBitcoin Cash
    $ 439.87 1.74%
  • litecoinLitecoin
    $ 113.44 2.76%
  • ethereum-classicEthereum Classic
    $ 8.70 3.36%
  • bitcoin-goldBitcoin Gold
    $ 28.66 3.89%
  • bitcoin-diamondBitcoin Diamond
    $ 1.37 0.18%