a thoughtful web.
Good ideas and conversation. No ads, no tracking.   Login or Take a Tour!
comment by wasoxygen
wasoxygen  ·  2397 days ago  ·  link  ·    ·  parent  ·  post: Pubski: May 24, 2017

    On Sep 3, 2017, at 15:02, qrguy wrote:

    Is this your posting?

    https://hubski܂com/pub/382326

    Your image gave enough away to steal your private key. I did that and took the remaining 0.0002424 BTC out of your account (+ 0.00005 BTC transaction fee). It was mostly just as a personal challenge but I will give it back if that bothers you. Just let me know.

    QR GUY

For the record, I figured US$20 would be a fair reward for anyone enterprising enough to salvage that QR code. I gave it a trial scan to confirm that it wouldn't be easy.

Now I've gone back and forth on whether QR guy is pranking me. First of all my transaction was eventually confirmed and I believe I still control the 0.00859833 BTC. The "remaining" 0.0002924 BTC was, I think, the transaction fee, and should have gone to a miner.

Yet I see a transaction today from that address, lending credibility to QR Guy's story.

Anyone have an insight? QR Guy, are you there? [How] did you manage to recover the private key?





qrguy  ·  2394 days ago  ·  link  ·    ·  

Your original transaction sent 0.00859833 BTC to your new address, paid 0.00025 BTC in miner fees, and sent the remaining 0.0002924 BTC in "change" back to the original paper wallet.

Of that remaining 0.0002924 BTC, I sent 0.0002424 BTC to myself, and paid the last 0.00005 in miner fees. The paper wallet now has nothing left. I probably could have used a lower fee, if I had been willing to wait longer. The transaction backlog isn't as bad as when you tried it.

I also stole your 0.0002924 in Bitcoin Cash from the same address.

I recovered the private key by filling in the blanks in your picture. The private key was on your receipt twice -- once as a barcode and once as text. You covered up part of each, but not the same parts -- QR codes actually start laying out the data from the bottom right. So I could reconstruct that corner using the beginning of the text.

This was how far I got before my phone could scan it (with a bit of difficulty):

Even if I hadn't been able to fill that much in, the combination of you showing most of the QR code, plus its built in redundancy, means that it would likely have been feasible to brute force the remaining bits of the key.

wasoxygen  ·  2394 days ago  ·  link  ·  

Thanks for the clarification, and nice work!

I see now that the fee is listed separately from the input and outputs which have addresses. I assumed that the fees would be assigned to a bitcoin address, but the documentation is not quite clear, merely saying that "all transaction fees are collected by that user creating the block, who is free to assign those fees to himself."

So the only thing I don't understand is why I didn't transfer the entire amount of the ATM address, less the transaction fee, to my new address, instead leaving some leftover change. Rounding error? Sloppy copy/paste? I remember I wasn't too sure what I was doing and used the Blockchain.com app for Android.