On the heels of its recent tug-of-war with the IRS, news has now surfaced of intermittent payment failures at Coinbase involving the use of the BIP 70 payment protocol. According to Bitcoin product tester and UX specialist Patrick Patton, reports began trickling in during December of users experiencing trouble paying with or donating to sites like Overstock, Wikipedia, and GiveDirectly.org.
Patton started researching the issue, finding that it is more widespread than he previously thought. The problem is affecting scores of commercial and charitable websites that accept bitcoin and seems to occur with particular user wallets. The issue, he says, became particularly problematic over the busy holiday season, with some users not being able to use bitcoin as a payment method at all.
All evidence suggests that this is a problem only with those merchants and donation pages which use Coinbase as their payment processor. With this discovery, Patton has clearly stated that he has no intention of being a thorn in the side of Coinbase. Rather, he hopes that the company will be able to get the issue resolved in short order so that users, merchants, and charitable organizations are not adversely affected moving forward. Meanwhile, though identifying the deeper, underlying cause of the problem, Patton has outlined a way to bypass the issue and still complete a payment. He will provide a link to his solution later in this article.
Patton: “Something Odd Is Happening Here.”
Patton says he began noticing something amiss with Coinbase payments a few weeks ago and promptly started a Reddit thread to see if others had encountered similar issues. He reported it to Coinbase and had thus far received a tepid acknowledgment but non-admission to a system-wide complication. “I’m only trying to bring as much attention to this problem as I can so that they’ll take it seriously. Sadly, it could be costing their clients significant sales volume,” says Patton, more than slightly annoyed at Coinbase’s casual manner in addressing the issue.
By way of example, he notes that Mycelium errors out on this matter without recourse.
“Anyone using Mycelium for a Coinbase payment request would have to manually import the payment data to pay or switch to a different wallet.”
Continues Patton: “Mycelium rejects the Coinbase payment attempt, showing that there is a mismatch between the URI amount parameter and the bitcoin amount retrieved from Coinbase’s server directly. For example, the parameter could say 0.0602 BTC and Coinbase’s server could be requesting 0.060199 BTC. Mycelium assumes this mismatch is an MITM attack and denies the transaction. Other wallets like Airbitz seem to trust the server response and ignore the mismatch (or accept it within a certain range.)”
Patton has pegged the problem to Coinbase’s implementation of payment protocols BIPs 70 to 73, primarily BIP 70. Here the functionality of the payment system is being interrupted across ALL of their clients’ websites, from the biggest e-commerce store in the Bitcoin space (Overstock) to Wikipedia to any small donation widget or button generated by Coinbase.
Also known as the “Payment Protocol,” BIPs 70-73 were created in 2013 as an enhancement in the way Bitcoin wallets receive payment requests and then submit those payments. It was incorporated into several big wallets afterward, including the “Bitcoin Wallet” (Android), Airbitz, Mycelium, and likely Copay.
There is also the BIP 21 upgrade, a payment protocol communication standard which allows wallets and payment processors to share one-time payment information more securely and with greater safeguards.
Still with us…
BIP 70 serves as the key protocol for communicating payment information between merchants and consumers. Instead of providing the bitcoin address and amount information directly (BIP 21), the customer’s wallet loads a URL on the merchant’s (or payment processor’s) website to retrieve those payment details; this has the advantage of providing the customer with the name of the entity receiving funds within the wallet app itself. It also standardizes the practice of automatically transmitting a refund address to the payment processor in case a refund has to be issued. Once the customer approves the transaction, the wallet bundles its return address with the signed transaction and sends it back to the payment processor for acceptance. The wallet then receives an acknowledgment message back that it was received and accepted, which potentially serves as a “receipt” for the transaction.
The problem, says Patton, is that the last few times he has used a Coinbase-generated payment request, his wallet has encountered a fatal error with the BIP 70 process, requiring either a fallback to BIP 21 (i.e. the protocol used by Airbitz) or failing without recourse (Mycelium.) Says Patton:
“Clearly this is Coinbase’s problem, and I’m trying to get them to fix it.”
Unfortunately, something appears to have gone wrong with Coinbase’s destination for the receipt of the wallets’ signed payment messages (technically, the “payment_url” destination within the PaymentDetails messages retrieved from Coinbase appears to be invalid or empty). What happens next is entirely dependent on the wallet used.
Patton says that this problem affects Mycelium and Breadwallet users most severely. (Note from Patton: “I can only test Breadwallet Android right now.”) Both of these wallets, he laments, fail either “loudly or silently,” but neither provides the user with an option to pay the “old” way (BIP 21). Airbitz and “Bitcoin Wallet” users, he notes, get an error message but can continue paying with BIP 21 data. Copay/Bitpay users can see the mistake, but the payment protocol automatically reverts to BIP 21 without user intervention.
“Mycelium and Breadwallet are both very popular mobile wallets. Customers or donors may not have another funded wallet available to pay and may end up canceling their transactions altogether, costing Coinbase’s clients lost bitcoin revenue.”
Desperate one night after encountering his issues while trying to make a bitcoin payment, Patton took the extraordinary step of creating a visual step-by-step guide for getting around the problem. The trick here, he says, involves modifying the Coinbase URI and stripping out the payment protocol information. “This forces the affected wallets to use the BIP 21 data to generate a payment. Consequently, it is a safe way to pay as long as the user’s original payment request from Coinbase has not expired (Coinbase provides a 15-minute window).”
Patton has included the link to an Imgur gallery which contains his step-by-step visual guide to bypassing the problem when using any affected wallet (particularly, Mycelium and Breadwallet). That gallery also includes examples of the error in Mycelium, Airbitz, and “Bitcoin Wallet.”
Explains Patton, “QR codes are just a 2-dimensional barcode encoding of the above string. That’s why I can modify the URI as I like and then create a new QR out of the result. My guide shows you how to remove the payment protocol extension to get around the payment problem that Mycelium and Breadwallet users are having with Coinbase right now.”
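The amount check and the URI edit described above can be sketched in a few lines. This is an added example, not code from Patton's guide or from any wallet: the address and request URL are constructed placeholders, the `r` parameter is the BIP 72 extension that points a wallet at the BIP 70 request, and the strict and tolerant policies (including the 1,000-satoshi tolerance) are assumptions that only illustrate the two behaviours Patton describes.

```python
from decimal import Decimal
from urllib.parse import parse_qsl, quote, urlencode

SATS_PER_BTC = Decimal(100_000_000)

# Constructed sample: placeholder address and request URL, amount taken from the article.
SAMPLE_URI = ("bitcoin:1ExampleAddressNotReal?amount=0.0602"
              "&r=https%3A%2F%2Fprocessor.example%2Fr%2Fabc123")

def parse_payment_uri(uri):
    """Return (address, amount in satoshis or None, BIP 72 request URL or None)."""
    scheme, _, rest = uri.partition(":")
    if scheme.lower() != "bitcoin":
        raise ValueError("not a bitcoin: URI")
    address, _, query = rest.partition("?")
    params = dict(parse_qsl(query))
    sats = None
    if "amount" in params:
        # Decimal avoids float rounding; BIP 21 amounts are decimal BTC.
        exact = Decimal(params["amount"]) * SATS_PER_BTC
        if exact != exact.to_integral_value():
            raise ValueError("amount has sub-satoshi precision")
        sats = int(exact)
    return address, sats, params.get("r")

def check_amount(uri_sats, server_sats, tolerance_sats=0):
    """Compare the URI amount with the amount the server's request asks for."""
    if uri_sats is None:
        return "no-uri-amount"
    diff = abs(uri_sats - server_sats)
    if diff == 0:
        return "match"
    return "within-tolerance" if diff <= tolerance_sats else "mismatch"

def strip_payment_request(uri):
    """Drop the 'r' parameter so only the BIP 21 address and amount remain."""
    head, _, query = uri.partition("?")
    kept = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True) if k != "r"]
    return head + ("?" + urlencode(kept, quote_via=quote) if kept else "")

if __name__ == "__main__":
    _, uri_sats, request_url = parse_payment_uri(SAMPLE_URI)
    server_sats = 6_019_900  # 0.060199 BTC, the server-side figure quoted in the article
    print(request_url, check_amount(uri_sats, server_sats))
    print(check_amount(uri_sats, server_sats, tolerance_sats=1_000))
    print(strip_payment_request(SAMPLE_URI))
```

With the article's figures the two amounts differ by 100 satoshis, so a zero-tolerance comparison rejects the request while a tolerant one accepts it.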
Concludes Patton, who spends quite a few waking hours digging into the guts of issues like this for clients and the Bitcoin community as a whole:
“I hope to bring more attention to this problem so Bitcoin users can in the interim confidently complete their transactions. This comes from my love of educating users about the functionality of their wallets and the Bitcoin payment protocols that support this ecosystem. Meanwhile, these details have been submitted to Coinbase to research, and I hope they can resolve the matter soon.”