money – Zero Day BlockChain Timezone Exploit


The method described has absolutely nothing to do with Bitcoin or blockchain exploits. It appears to be exploiting a badly designed payment system, which allows a user to unilaterally cancel a payment by altering the timezone.

This leads the payment processor to think too much time has elapsed (many payment processors impose a time limit by which a deposit must be made to avoid price fluctuations and other issues). Per normal procedure for an expired invoice, any payment is refunded to the user.

The site mentioned in the link appears to credit the user regardless of whether an invoice is expired or not. This is entirely the fault of a poor system design/integration between the payment processor and the integrating website, and exploits absolutely nothing in the Bitcoin protocol, node software, or wallet implementations.

It’s basically the equivalent of you selling me something for $100 on the condition that I pay you within 10 minutes, and cancelling our transaction because I showed you the time on my phone (which I can change as I want to) which indicates more than 10 minutes has passed. Then, you refund me $100 if I pay you (since you think the transaction is cancelled), but your accountant considers it complete and ships out the goods anyways.
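The two flaws described in the answer above, sketched as an added example (not code from the post, the payment processor, or the site involved). It assumes the processor decides expiry from a time reported by the payer's device; all names and timestamps are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)  # payment window, as in the $100 analogy

@dataclass
class Invoice:
    created_at: datetime   # server UTC time when the invoice was issued
    status: str = "open"   # open -> paid | refunded
    credited: bool = False

def expired_trusting_client(inv, client_now):
    # Flawed (assumed mechanism): expiry judged from a payer-supplied time.
    return client_now - inv.created_at > WINDOW

def expired_server_side(inv, server_now):
    # Hardened: only the processor's own UTC clock is consulted.
    return server_now - inv.created_at > WINDOW

def settle(inv, expired):
    # Processor: exactly one terminal outcome per invoice.
    if inv.status != "open":
        return inv.status
    inv.status = "refunded" if expired else "paid"
    return inv.status

def merchant_credit_flawed(inv):
    # Flawed integration: credits on any payment, ignoring invoice status.
    inv.credited = True
    return inv.credited

def merchant_credit_checked(inv):
    # Hardened integration: credit only when the invoice settled as paid.
    inv.credited = inv.status == "paid"
    return inv.credited

def demo():
    created = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed
    server_now = created + timedelta(minutes=3)    # real elapsed time
    client_now = server_now + timedelta(hours=5)   # payer's clock, shifted
    flawed = Invoice(created)
    settle(flawed, expired_trusting_client(flawed, client_now))
    merchant_credit_flawed(flawed)
    fixed = Invoice(created)
    settle(fixed, expired_server_side(fixed, server_now))
    merchant_credit_checked(fixed)
    return (flawed.status, flawed.credited), (fixed.status, fixed.credited)

if __name__ == "__main__":
    print(demo())
```

In the flawed path the invoice ends up both refunded and credited, which is the accountant-ships-the-goods outcome from the analogy; in the hardened path the refund and the credit are mutually exclusive.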