Recently I was experimenting with an offline bitcoin wallet and I wanted to use it to make a donation to mozilla.org. Mozilla uses Coinbase to process their bitcoin transactions, which means that the process goes something like this:
- You initiate the transaction on the target site (e.g. mozilla.org).
- You are redirected to the Coinbase page for that organization where you are presented with a unique payment hash and a 15-minute countdown timer.
- Using whatever wallet application you want (which for me is usually Electrum) you send the necessary funds to that payment hash.
- The Coinbase page typically updates with a confirmation message within 5 seconds of you broadcasting your transaction to the bitcoin network.
- The confirmation page also typically includes a link back to the originating site.
- Also, you may receive an email confirmation message from the originating site.
I've used this process from Coinbase about half a dozen times and it has worked very well. However, due to my offline wallet's screwy, experimental setup  I realized that I would need to reboot my computer between steps 2 and 3 above.
This realization caused a few questions to cross my mind:
- Does Coinbase require a valid browser session to mark a transaction as being legitimate? That is, what happens if my browser crashes after I initiate a new bitcoin transaction using a Coinbase-supplied hash but before the transaction is broadcast to the network? Can't Coinbase just use the payment hash as the unique identifier for the transaction instead of some session cookie?
- My understanding is that a bitcoin payment hash is valid forever. Therefore, even if the 15-minute timer runs out I can still transfer bitcoins to it. So if I did, where does that money "go" (i.e. who owns that hash)? Does Coinbase sit on it? And how would I even know ?
I wish I could say that I can answer both of these questions, but today I decided to focus on the former. I looked in a bunch of places, including the Coinbase Merchant Checkout API docs (which seem to be fairly decent). However, I couldn't find any notes on whether a session was required.
So I decided to test it out myself and blog about it, which means that it's disclaimer time!
I am not a professional security analyst and I do not guarantee that what I did below will work the same way for you. These are simply my notes on what worked for me in a very limited test. If you want to try something similar then please ensure that you are only "playing" with very small amounts of money. The Bitcoin ecosystem can change quite a bit in a very short amount of time and a lot of aspects are still very, very complicated. So, even if you follow my notes below exactly you may get very different results!!!
Not The Warning
Phew, glad that's over :-) The good news is that my transaction was processed properly even though I rebooted my computer between steps 2 and 3 above. Naturally, since my browser was also restarted during that time steps 4 and 5 also did not happen. However, step 6 did happen when I received a confirmation email message from Mozilla.
So of course, this leads to a lot of other questions:
- How much of this is due to how Coinbase Merchant Checkout system is designed and how much of it is due to how Mozilla is using that API? If I was to try the same test with another Coinbase customer such as Overstock.com would I get the same results?
- How do other bitcoin payment processors (such as Bitpay) handle the same situation?
These are questions that I'll have to look into on another day. However, I hope that this information is helpful for at least a few other people.