Lazy API: Difference between revisions

From Bitcoin Wiki
Jump to navigation Jump to search
← Older edit
More reasons why this would be a bad idea.
removing explicit address mention
 
(29 intermediate revisions by 12 users not shown)
Line 1: Line 1:
For the incredibly lazy and/or incompetent web developer, I present the lazy man's bitcoin API (copied from [http://www.bitcoin.org/smf/index.php?topic=4324.msg77187#msg77187 a forum post]):
For the incredibly lazy and/or incompetent web developer, present is the lazy man's bitcoin API (copied from [https://bitcointalk.org/index.php?topic=4324.msg77187#msg77187 a forum post]):


'''Problem:'''
==Problem==


Lazy web designer (me) wants to use bitcoins without dealing with installing bitcoin on a server, installing a shopping cart interface, or using ugly merchant services with callbacks.
Lazy web designer wants to use bitcoins without dealing with installing bitcoin on a server, installing a shopping cart interface, or using ugly merchant services with callbacks.


'''Solution for sending bitcoins:'''
==Solution for receiving bitcoins==
 
Use the [https://mtgox.com/support/tradeAPI MtGox API]
 
'''Solution for receiving bitcoins:'''
# Input a list of bitcoin receiving addresses to your database
# Input a list of bitcoin receiving addresses to your database
# Give a bitcoin address to a potential customer
# Give a bitcoin address to a potential customer
# Have the customer tell you when they have sent the coins and have at least 1 confirmation (you can choose a number higher than 1 if you are worried about double-spending)
# Have the customer tell you when they have sent the coins and have at least 1 confirmation (you can choose a number higher than 1 if you are worried about double-spending)
# Check blockexplorer to see if they sent the right amount (i.e. http://blockexplorer.com/q/getreceivedbyaddress/19hMEAaRMbEhfSkeU4GT8mgSuyR4t4M6TH/1) - the /1 is the number of confirmations you require
# Check blockexplorer to see if they sent the right amount
# Give them what they paid for
# Give them what they paid for
# After a reasonable amount of time has passed, you can re-use the address for another customer
You could avoid having a list of addresses and reusing them if one of the wallet services someday lets you get a new address via API call, but this will work for now.


'''Bad idea:'''
==Risks==


* Selling bars of gold this way (owner of blockexplorer.com could rip you off)
===External Service===
* Selling anything as part of a serious business


'''Good(?) idea:'''
BlockExplorer is a service that is provided by a private party.  There is no guarantee that the information provided by BlockExplorer matches the blockchain.


Selling naked pictures of your grandma this way (owner of blockexplorer.com won't bother)
There have not been any reports that BlockExplorer has reported transaction data incorrectly.


'''Why this should not be used in a serious setup:'''
===Double Spending===


First of all 1 confirmation is too little. The block-chain can branch off and does often. This is what caused MyBitcoin.com to temporarily close as bitcoins were constantly leaking out.
A merchant is exposed to a [[double-spending]] attack when recognizing a payment before it has been [[confirmation|confirmed]] with a sufficient number of blocks.
Secondly you will become dependent of the proper functioning of MtGox and BlockExplorer. If either is compromised/corrupted/stops you will end up losing money and/or having to reprogram your system.


'''Shameless begging:'''
For an attacker to be successful with this double spend tactic a significant effort is required and thus the risk of this attack being made against the typical retail merchant is pretty minimal.  It would not be advisable for a merchant with little to no recourse against an attacker to accept payment without a sufficient number of confirmations however.


If this info is useful to you, please consider a donation: 19hMEAaRMbEhfSkeU4GT8mgSuyR4t4M6TH
Note that this attack can be performed no matter which API or client is being used.


Thanks to theymos for making changes to blockexplorer.com to make it even easier to do this. You can support blockexplorer.com by donating to 1Cvvr8AsCfbbVQ2xoWiFD1Gb2VRbGsEf28
[[de:API_für_Faule]]


[[Category:Developer]]
[[Category:Developer]]

Latest revision as of 16:23, 3 July 2017

For the incredibly lazy and/or incompetent web developer, present is the lazy man's bitcoin API (copied from a forum post):

Problem

Lazy web designer wants to use bitcoins without dealing with installing bitcoin on a server, installing a shopping cart interface, or using ugly merchant services with callbacks.

Solution for receiving bitcoins

  1. Input a list of bitcoin receiving addresses to your database
  2. Give a bitcoin address to a potential customer
  3. Have the customer tell you when they have sent the coins and have at least 1 confirmation (you can choose a number higher than 1 if you are worried about double-spending)
  4. Check blockexplorer to see if they sent the right amount
  5. Give them what they paid for

Risks

External Service

BlockExplorer is a service that is provided by a private party. There is no guarantee that the information provided by BlockExplorer matches the blockchain.

There have not been any reports that BlockExplorer has reported transaction data incorrectly.

Double Spending

A merchant is exposed to a double-spending attack when recognizing a payment before it has been confirmed with a sufficient number of blocks.

For an attacker to be successful with this double spend tactic a significant effort is required and thus the risk of this attack being made against the typical retail merchant is pretty minimal. It would not be advisable for a merchant with little to no recourse against an attacker to accept payment without a sufficient number of confirmations however.

Note that this attack can be performed no matter which API or client is being used.

Retrieved from "https://en.bitcoin.it/w/index.php?title=Lazy_API&oldid=63535"