Google will allow only apps from verified developers to be installed on Android (9to5google.com)

The only thing that matters is the checksum, because who cares if the destination address is not currently in the blockchain. It is obviously possible to send BTC to a new address which is not already there.

Kranar · 35m ago

Yeah this is a fairly poor article by an otherwise amazing blogger.

With that said the point stands that the likelihood of sending bitcoin to an unintended address due to a typo is very small. It's not as small as the article suggests, but it's still basically impossible (about 1 in 4.3 billion for a single character typo).

Perhaps the irony is that if you do happen to send bitcoin to an unintended address, you have a much greater chance of recovering it if that address belongs to a real person and is in use. If the address is not in use, then for all intents and purposes that bitcoin is lost forever.

juujian · 3h ago

Are people typing Bitcoin addresses by hand? Aren't they far more likely to c&p a spoofed Bitcoin address?

johnisgood · 1h ago

People use this against cryptocurrencies. It should be an argument against stupidity instead. You get a confirmation popup as well asking if you are sure about the address in many wallets.

BobAliceInATree · 54m ago

No number of confirmation dialogs going to help anyone in determining that their 27+ digit address is mistyped.

johnisgood · 46m ago

Copy paste, and triple check the first and last 4 characters.

bigfishrunning · 57m ago

People are stupid, and there's no way around that. If bitcoin can't protect stupid people against themselves, then that's a pretty major flaw.

No comments yet

giancarlostoro · 58m ago

Even when I copy and paste, I triple check the beginning and end of the addresses shown.

johnisgood · 48m ago

Same. I triple check the beginning and the end. Just like I am supposed to when handling money. In cases of many cryptocurrencies, you should focus more on the last characters instead of the first. In terms of Bitcoin, it usually begins with "bc1" (yes, depends) and ends with whatever. Triple check either way. Sometimes I would clear my clipboard and copy paste anew.

wslh · 1h ago

Shameless plug: we created an OSS "Clipboard Firewall" for Windows [1] to protect against those attacks but feel free to fork it.

[1] https://github.com/CoinFabrik/ClipboardShield

nullc · 2h ago

> Each is at least 20 bytes (160 bits) long, with at least 4 bytes (32 bits) of checksum.

Not quite. More modern addresses have 30 bit checksums (so not at least 32 bits!), but rather than being a truncated cryptographic hash the check digits are a BCH code that guarantees any 4 or fewer substitution or transposition errors will always be detected (or 5 bitflips IIRC)... along with one in a billion or better detection of other kinds of errors.

So although the newer formats provides somewhat less protection against wildly incorrect, the protection against likely errors is much greater. The newer addresses are also case insensitive which was the biggest source of transcription errors in most contexts before.

Beyond being better for real errors the use of a error correction code also makes it impossible to intentionally generate 'fragile' addresses where there does exist a one character typo which is a valid address. It also makes it practical for wallet software to highlight the position of a likely typo, which can greatly speed things up when fixing a mistake. (The spec strenuously cautions against correcting errors, because any correction undermines detection strength).

And as hleszek's comment says, existing addresses don't help, generally addresses should not be reused-- they're not accounts, reusing addresses doesn't make the system work better. Early on in Bitcoin's life people created a scheme for shortened addresses where you used truncated addresses that were unmapped to the first user of that prefix. This obviously bad idea ran into immediate spoofing problems, and people quickly learned better.

> but address typos are not a major concern.

Yeah though malware that substitutes addresses in clipboards and copying the WRONG address are both real risks.

What you also might have heard is advice about _Ethereum_, which in spite of being created long after Bitcoin has addresses with no meaningful checksum and which has caused quite significant losses. (There is an optional very weak checksum using mixed case hex, but AFAICT it's not widely used).

Deuter8 · 54m ago

Early on in Bitcoin's life, Satoshi had a clear plan for increasing blocksize as necessary, but you went and screwed that up with your buddies. Hope it was worth it for you per$onally. OGs will never forget.

bloatedGoat · 27m ago

Source?

In any case, a fork of Bitcoin with bigger blocks has existed for years and the market doesn't prefer it despite all the big names and companies hyping it up at the time of the split.

Satoshi left Bitcoin so there wouldn't be an appeal to authority so maybe your argument isn't as strong as you think it is.

skeezyboy · 49m ago

Tell Satoshi hes a numpty. How could he not forsee the issues inherent in his design?

skeezyboy · 49m ago

sounds very usable. who made it, a sadist?

OutOfHere · 2h ago

Scan a displayed QR code of the address whenever possible.

euLh7SM5HDFY · 2h ago

Isn't that actually worse option? I mean, I don't know about BTC but there are multiple instances of attacks with fake QR codes placed over parking meters. And last time I was looking for QR code generator for some random website the first one I found one "looked to be working", but actually quietly replaced the URL with own link shortening service.

gucci-on-fleek · 1h ago

> there are multiple instances of attacks with fake QR codes placed over parking meters.

Sure, but if someone can change your QR code, they could change the address just as easily. With websites you can see if the URL looks like something legitimate, so URLs are slightly better, but Bitcoin addresses are just a long random string, so being able to see the address wouldn't actually help anything.

OutOfHere · 1h ago

> Isn't that actually worse option?

When done correctly by a payment processor, the receiver's QR code for a Bitcoin payment varies for every transaction. It completely eliminates the risk of mistyping it. Granted, malware could replace it, but replacing it is a lot harder than replacing a simple address.

Google will allow only apps from verified developers to be installed on Android (9to5google.com)

Ask HN: The government of my country blocked VPN access. What should I use?

Gemini 2.5 Flash Image (developers.googleblog.com)

FFmpeg 8.0 (ffmpeg.org)

What are OKLCH colors? (jakub.kr)

Dissecting the Apple M1 GPU, the end (rosenzweig.io)

A German ISP changed their DNS to block my website (lina.sh)

Claude for Chrome (anthropic.com)

DeepSeek-v3.1 (api-docs.deepseek.com)

AI tooling must be disclosed for contributions (github.com)

Show HN: Base, an SQLite database editor for macOS (menial.co.uk)

A visual introduction to big O notation (samwho.dev)

Go is still not good (blog.habets.se)

Comet AI browser can get prompt injected from any site, drain your bank account (twitter.com)

Updates to Consumer Terms and Privacy Policy (anthropic.com)

We regret but have to temporary suspend the shipments to USA (olimex.wordpress.com)

U.S. government takes 10% stake in Intel (cnbc.com)

Waymo granted permit to begin testing in New York City (cnbc.com)

Monodraw (monodraw.helftone.com)

Ban me at the IP level if you don't like me (boston.conman.org)

Google has eliminated 35% of managers overseeing small teams in past year (cnbc.com)

Michigan Supreme Court: Unrestricted phone searches violate Fourth Amendment (reclaimthenet.org)

Altered states of consciousness induced by breathwork accompanied by music (journals.plos.org)

Scientist exposes anti-wind groups as oil-funded, now they want to silence him (electrek.co)

US Intel (stratechery.com)

Unexpected productivity boost of Rust (lubeno.dev)

Are OpenAI and Anthropic losing money on inference? (martinalderson.com)

Io_uring, kTLS and Rust for zero syscall HTTPS server (blog.habets.se)

Nx compromised: malware uses Claude code CLI to explore the filesystem (semgrep.dev)

How to build a coding agent (ghuntley.com)

What makes Claude Code so damn good (minusx.ai)

Framework Laptop 16 (frame.work)

Tesla said it didn't have key data in a fatal crash, then a hacker found it (washingtonpost.com)

Building the mouse Logitech won't make (samwilkinson.io)

Line scan camera image processing for train photography (daniel.lawrence.lu)

The Therac-25 Incident (2021) (thedailywtf.com)

Proposal to Ban Ghost Jobs (cnbc.com)

The GitHub website is slow on Safari (github.com)

I Am An AI Hater (anthonymoser.github.io)

Malicious versions of Nx and some supporting plugins were published (github.com)

Ask HN: Why hasn't x86 caught up with Apple M series?

Claude Sonnet will ship in Xcode (developer.apple.com)

A teen was suicidal. ChatGPT was the friend he confided in (nytimes.com)

Manim: Animation engine for explanatory math videos (github.com)

Everything I know about good API design (seangoedecke.com)

We put a coding agent in a while loop (github.com)

95% of Companies See 'Zero Return' on $30B Generative AI Spend (thedailyadda.com)

Uncertain<T> (nshipster.com)

Show HN: A zoomable, searchable archive of BYTE magazine (byte.tsundoku.io)

4chan will refuse to pay daily online safety fines, lawyer tells BBC (bbc.co.uk)

Probability of typing a wrong Bitcoin address

Comments (19)