Bitcoin SV multisig mechanism gets hacked, user loses nearly $100,000
- A BSV user reports that he has lost nearly $100,000 due to a multisig script bug.
- BSV/USD shows little reaction to the news, continues moving inside the $150-$180 range.
The hackers exploited Bitcoin SV network vulnerability to steal the assets of a user. The Chinese media outlets report that at least one user lost 600 BSV, $97,000, due to the hack attack.
How the assets were stolen
The cryptocurrency user, aka aaron67, wrote in his blog post that the multisig solution implemented by Electrum SV contained a critical mistake that cost him 600 BSV.
The incident happened at around 2.00 am on November 6, when the user withdrew 6 UTXO (Unspent Transaction Output) with multisig, worth 100 BSV each. Later on the same day, he attempted another withdrawal of an extra 6 UTXO and an hour later, the hacker used the exploit to transfer all the money to the address 1LcKTzSzpMAwH4bzymGSkbhY2EBpmT7n5J.
BSV transactions
The co-founder of Blockstream, Gregory Maxwell, explained that Bitcoin SV developers ripped out the existing multisig mechanism P2SH and had to progress their own scheme. Thus, they came up with the idea of Electrum SV, also known as accumulator multisig.
This script looks similar to a P2PKH (Pay to Pubkey Hash) algorithm that adds up the number of passes and compares them to a threshold. In fact, the script used the 'less than or equal' parameter instead of 'greater than or equal' number of signatures in a multisig.
The result is that these scripts had no security at all and could just be spent by a scriptsig that pushes a couple of zeros. Because the only sane usage is when you provide exactly the threshold number of signatures (why would you waste fees providing too many signatures?!?) they presumably only ever tested the 'orequals' path and didn't notice that it didn't work with too many signatures as intended but did work with too few signatures (such as none at all).
A famous cryptographer, Adam Back, believes that this bug affects only BSV as the standard P2SH multisig was removed and replaced by a buggy home-brew solution after the fork.
So... Due to less than or equal number of signatures (rather than intended greater than or equal) anyone can set it to 0 valid signatures and take any of the coins in the home-brew BSV multi-sig format. Oops. Needed adversarial testing.
— Adam Back (@adam3us) November 8, 2020
BSV is locked in a range
Meanwhile, at the time of writing, Bitcoin SV is changing hands at $164. The coin with the current market capitalization of $3 billion has gained nearly 2% on a day-to-day basis amid the recovery from the recent low of $146 hit on November 4. The coin has been locked in a range of $150-$180 since the beginning of September.
IntoTheBlock's data on In/Out of the Money Around Price (IOMAP) shows that there is strong resistance between the current price and $169 as nearly 100,000 addresses are holding 764 million coins there. This formidable supply wall can trigger a sharp downside correction if prices rebound strongly enough.
Once it is out of the way, the next big cluster of addresses around $181, which roughly coincides with the upper border of the recent consolidation channel, will come into focus.
 Analytics and Charts-637405136516078178.png)
BSV's IOMAP data
On the other hand, the way to the south is less cluttered with the supply areas. Nearly 135,000 addresses holding over 500,000 coins create local support on approach to $160. If it gives way, the sell-off may gain traction. The IOMAP cohorts show that the next significant supply level sits around $155 and coincides with the lower barrier of the consolidation channel.
BSV/USD daily chart
On the daily chart, the above-mentioned resistance of $181 is reinforced by EMA100 and the Bollinger Bands upper line. Meanwhile, the lower line of the BB confirms the support zone in the approach to $155 level.
Author
Tanya Abrosimova
Independent Analyst
