Bitcoin API provider Blocktrail has discovered a bug in BitGo’s security platform that causes Bitstamp's transaction data to be identifiable on the blockchain. The bug reveals information that traders could potentially abuse if they have access to it.
The heart of the problem is that BitGo does not randomly generate the order of change addresses in the output section of transactions, but instead generates the change address as the last output of each transaction. By identifying certain addresses as change addresses — specifically, addresses belonging to Bitstamp — it is possible to identify more Bitstamp addresses, as they are used in the same transactions. The addresses can then be linked to each other, creating a cluster that makes it easy to analyze how many bitcoins are transferred into and out of Bitstamp's accounts.
Blocktrail CTO Ruben de Vries discovered the bug and subsequently wrote a fix for the problem, which he submitted to BitGo's GitHub repository on Saturday. However, BitGo has not yet accepted the fix.
After the submission, Blocktrail CEO Boaz Bechar published a blog post about the issue on Blocktrail's blog. Describing the core of the problem, Bechar wrote:
“If one is able to correlate trends in deposits and withdraws to the price movement (for example, maybe a high velocity of BTC deposits might indicate upcoming sell pressure, uncovering big sellers, etc.), then so long as this data was not in common knowledge, it could be greatly valuable to traders. But just like looking for a good domain name, you often enough find that someone smart was there before you — and so I am left wondering not if such information is already being used by traders with informational advantages, but rather to what extent.”
Although the publication of the issue might of course result in even more traders using the information to their own benefit, Bechar said he believes this is probably for the best for now. Bechar explained to CoinTelegraph:
“Having stumbled upon this issue and seeing its implications run in the wild should serve as a good reminder for us all that not all transactions are created equal. And since some people — possibly including traders — already know of this information, we assessed that it would be better to openly publish the information so that everyone can use it, hence creating a more even playing field for all until the bug is fixed.”
Bitstamp started to use BitGo's security platform after their exchange was hacked in January of this year.
CoinTelegraph reached out to BitGo and Bitstamp, but received no response by the time of publication.
May 7 update
In accordance with BitGo, Bitstamp provided us with the following statement:
"The blockchain is inherently a public forum. The ability for traders to view transactional data is not new. That said, we are working closely with BitGo and will be randomizing the change address process in the coming week."