Bitcoin Signature vs Orphan Block Replay

What Is an Orphan Block?

An orphan block is a valid block that was mined almost simultaneously with another one, but ultimately rejected by the Bitcoin main chain due to latency or consensus. Although the block is discarded, its data — including valid signed transactions — is still accessible from certain full nodes or external archives.

How Bitcoin Signatures Work

Every Bitcoin transaction must be signed with the private key of the sender. This signature proves ownership of the funds and binds the transaction inputs and outputs. However, a key vulnerability exists:

The signature is tied to the transaction, not to the block it's in.

The Vulnerability: Replay Attack Using Orphaned Signatures

If a signed transaction appears in an orphan block but is never confirmed on the main chain, its signature can still be reused. If the associated UTXO (unspent output) remains unspent, an attacker could reconstruct the original transaction using the orphaned signature and rebroadcast it — effectively stealing the original funds.

Reproduction Walkthrough (Simplified)

We extracted orphaned blocks from archival nodes and decoded the transactions inside.
We identified unconfirmed transactions with exposed valid signatures.
We verified that their input UTXOs were still unspent on the main chain.
We rebuilt the transaction identically and rebroadcasted it — successfully spending the funds.

Note: modifying the outputs (e.g., changing the destination address) breaks the signature. This limits attack scenarios but does not eliminate them.

Why We Cannot Publish the Full Code

This vulnerability is not theoretical. We've confirmed successful reproduction. To protect the ecosystem, we have intentionally withheld full scripts and source code. Publishing such tools could lead to widespread abuse, draining dormant or vulnerable wallets.

If you're a developer or security researcher, contact us for responsible disclosure collaboration.

Are You at Risk?

If you've broadcasted a transaction that appeared in a rejected block but never confirmed — check your UTXOs.
If those UTXOs are still present and unspent, they may be vulnerable.
Move funds to a new address to invalidate the old signature.

We Are Super Technical Team

We're a collective of security researchers and blockchain protocol experts. We explore the edges of crypto-safety to prevent real-world damage before it happens.

Contact

X: @C_cJason

Email: bitcoinexpert@163.com

Telegram: https://t.me/C_cexpert

Support Us：bc1pp22w3vllywrm73j99esdwu8f0p7dtuhjz3759chz3wyl4xgtmz7q88mf0n