
Suggestion: add an endpoint on the piñata that proves it has the private key. You can do this using Bitcoin's sign message method.



And then I just make it sign a message sending all the btc to my address, then broadcast that publicly.

Very bad idea to sign everything that comes your way, kind of like `eval` on text input.


Bitcoin has a separate schema for signing textual messages with a special magic prefix ('\x18Bitcoin Signed Message:\n'), which would prevent such an attack.

Edit: here's a JavaScript implementation I wrote that does that, if anyone is interested in details: https://github.com/cryptocoinjs/coinmsg/blob/d2cb985dd9994f1...
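The domain separation the comment above relies on, as an added Python illustration (not code from this thread or from the linked coinmsg project): the signmessage scheme hashes `magic || CompactSize(len) || message` with double SHA-256, so every digest a message-signing endpoint produces sits in a preimage space that starts with the magic prefix, while a transaction preimage starts with a 4-byte version field. The prefix, CompactSize encoding and double SHA-256 are standard public Bitcoin behaviour; `SAMPLE_TX` is a constructed, non-spendable transaction skeleton used only to show how a transaction-shaped byte string begins.

```python
import hashlib

# Magic prefix from Bitcoin's signmessage scheme: 0x18 is the CompactSize
# length (24 bytes) of "Bitcoin Signed Message:\n".
MESSAGE_MAGIC = b"\x18Bitcoin Signed Message:\n"


def compact_size(n: int) -> bytes:
    """Bitcoin CompactSize (varint) encoding of a length."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    if n <= 0xFFFF_FFFF:
        return b"\xfe" + n.to_bytes(4, "little")
    return b"\xff" + n.to_bytes(8, "little")


def double_sha256(data: bytes) -> bytes:
    """SHA-256 applied twice, as Bitcoin does for both tx and message hashing."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def signed_message_preimage(message: bytes) -> bytes:
    """The bytes signmessage actually hashes: magic || CompactSize(len) || message."""
    return MESSAGE_MAGIC + compact_size(len(message)) + message


def signed_message_hash(message: bytes) -> bytes:
    """The 32-byte digest that an ECDSA signature from signmessage covers."""
    return double_sha256(signed_message_preimage(message))


def is_message_domain(preimage: bytes) -> bool:
    """True if a signature preimage belongs to the signed-message domain.

    A verifier that only accepts preimages starting with the magic prefix
    can never be handed a raw transaction preimage by mistake, because a
    transaction begins with its little-endian version number, not 0x18 'B'.
    """
    return preimage.startswith(MESSAGE_MAGIC)


# Constructed sample (not a real spend): version 1, zero inputs, zero
# outputs, locktime 0. It only shows how a transaction-shaped string begins.
SAMPLE_TX = bytes.fromhex("01000000" "00" "00" "00000000")


def demo() -> dict:
    """Feed a transaction to the message scheme and show it stays in the message domain."""
    tx_as_message = signed_message_preimage(SAMPLE_TX)
    return {
        # What the endpoint would sign is prefixed, so it is a message digest...
        "message_domain": is_message_domain(tx_as_message),
        # ...while the raw transaction bytes are not in that domain...
        "tx_domain": is_message_domain(SAMPLE_TX),
        # ...and the two digests are unrelated, so the signature cannot be
        # replayed as a transaction signature.
        "digests_differ": signed_message_hash(SAMPLE_TX) != double_sha256(SAMPLE_TX),
    }


if __name__ == "__main__":
    print(signed_message_hash(b"hello").hex())
    print(demo())
```

An endpoint that only ever hashes through `signed_message_preimage` before signing can produce signatures solely in the message domain; the risk the thread discusses arises when a signer is willing to sign an arbitrary caller-supplied 32-byte digest instead.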


> Very bad idea to sign everything that comes your way, kind of like `eval` on text input.

Nowhere did he suggest this.


Others said it in the replies. And any implementation that tries to check the message opens up another avenue of attack.


That wouldn't help, would it? Any owner of the Bitcoin secret can sign this message and then include it in the piñata...

For online signing we'd first need to implement the Bitcoin protocol...

Or am I getting something wrong?


Yup, you'd need to implement the Bitcoin protocol and load the private key and sign all the messages the echo endpoint receives.


And even then, you couldn't prove the piñata wasn't only proxying the replies from some other server.


The code is open source, so you could


Technically, you can't know if the code running in the piñata is the same as the one published on Github.



