Experts Weigh in on Bitcoin, Transaction Malleability, and the Mt. Gox’s Meltdown
In the wake of this morning’s news that Mt. Gox has filed for bankruptcy protection, some players in the field of cryptocurrency and bitcoin have weighed in on just where Mt. Gox seems to have gone wrong.
The consensus? The missing 750,000 bitcoins are a result of Mt. Gox’s poor practices rather than any actual weaknesses in bitcoin itself. In essence, the loss of these funds could almost be thought of as a bank giving you a fresh $20 bill after you complain that the ATM stiffed you–when it hadn’t.
Peter Conrad, German author of Bitcoin: Perspective or Risk?
“Bitcoin transactions have a unique identifier or fingerprint, their “hash value.” Transaction malleability means that it is possible to modify the transaction (and its fingerprint) without invalidating it. This has presumably been used to rip off MtGox like this:
1. The thief has an account at MtGox with an active bitcoin balance. He withdraws coins from his account using the MtGox web interface. MtGox creates a transaction, stores the transaction ID, for example ‘123,’ and deducts the amount from his balance.
2. The thief sees the transaction on the bitcoin network and modifies it so that it has a different ID, for example ‘456.’
3. The bitcoin network accepts the modified transaction. The coins arrive in the thief’s wallet with transaction ‘456.’
4. The thief complains at Mt. Gox that his withdrawal failed. Mt. Gox checks that transaction ‘123’ was not accepted by the bitcoin network and credits the amount to the thief’s account.
This process can be repeated over and over. Most likely this was done by only a few thieves, but it is hard to tell.
Professional accounting at Mt. Gox should (must) have shown that the accumulated balance of all user accounts exceeded the number of bitcoins in Mt. Gox’s own wallet. At that point, the exchange should have shut down and investigated how the loss happened, preventing the
catastrophic outcome we’re seeing now.
On the technical side, Mt. Gox made the mistake to rely on the transaction ID to check if a customer’s withdrawal was successful. Instead they should have used the transaction input as an identifier. An input can be spent only once and is therefore always unique. Supposedly this is what other exchanges do.
Such a tremendous loss of bitcoins cannot be explained by a single (technical) mistake, though. Negligence and malpractice on the Mt. Gox side play the vital role in these events.”
Matt Branton, Founder of Coinlock, a bitcoin micro-payments platform for files:
“What happened to Mt. Gox is very open to debate. The reality is that we may never know the whole truth except that a potent mix of incompetence and lack of transparency led to its demise. The exchange has been troubled for years, with clear indications that it lacked the technical expertise necessary to be in control of so much money. Further shoddy accounting controls, possible fractional reserve banking and other practices might have let it accumulate massive exposure over many years. There is an old expression, never attribute to malice that which can easily be incompetence. It isn’t clear yet on which side of that line Mt. Gox is.
However, despite this setback Mt. Gox is not bitcoin, the protocol, the community, and the potential for disruptive change is still present. Other exchanges have addressed the malleability bug, and this vacuum will no doubt be filled by substantially more astute players.”
William Kehl Coinigy a bitcoin and cryptocurrency day trading platform:
“In regards to the transaction malleability issue that Mt. Gox faced, at present time there is no way to be certain exactly how much was taken and by exactly how many individuals, save for Mt. Gox making their accounting records public and/or disclosing their public wallet addresses.
Each exchange dealing in bitcoin has a responsibility to accurately track each transaction.
Gox at the time of the issue was taking a ‘hash’ of the withdrawal transaction, and watching the block chain for that transaction to appear. The offending user would then change some data on the unconfirmed transaction, which would still result in a valid transaction, but it would
no longer be trackable under the original hash.
Gox’s system, looking for the original hash, would subsequently not be able to detect a successful transaction on the blockchain. The offending user would then contact Gox support and claim that their funds never came through and another transaction attempt would be initiated, and/or Gox’s system would automatically retry a new transaction after a set period of time. This could result in double spends and if in fact their system was set to automatically retry transactions, could allegedly result in many, many valid withdrawals occurring.
Note that Mt. Gox was not the only exchange with this issue—Bitstamp also had vulnerability problems but mitigated the situation quickly.
As I understand it, exchanges have fixed the issue by instead of monitoring the blockchain for a specific hash, they’re now tracking the receiving and sending addresses for transactions with the correct amount. Tracking withdrawals in this manner would assure that the user actually received the proper amount to the address specified.
I can’t speak as to Gox’s particular accounting situation, but it lends to the theory of serious oversight if indeed 750,000 BTC were lost in this way. There are other allegations that Gox no longer has the private keys to access their cold storage, which if true, could mean that those coins could sit in a wallet, untouched, for eternity. At present time there’s no official word on this however several Reddit users claim to have found addresses containing over 200K BTC that haven’t been spent since 2011 that may belong to Gox.”
Josh Tordsen, Founder of Gigastrand International:
“Gigastrand entered the bitcoin game when things were much less stable than they are now. Hacks and break-ins were common to bitcoin wallets and finding a site that was both trusted and had the tools necessary to make a useable online store were in short supply. Mt. Gox had everything we needed.
This is where our experience may shed some light on your story. After setting up a test store, we were interested in speculating on bitcoin value. So, we transferred a meager sum of $300 to Mt. Gox on April 25, 2013. It took over 2 months just to e-mail us to ask a question about
the wire transfer. How inundated were they that they could not process our wire transfer for 2 months. From what we saw there was far more going on there behind the scenes.
By the time we had it hashed out, it was August and our confidence in Mt. Gox was shaken. We pulled the online store shortly after and until just this week did we reinstate bitcoin as an optional payment.”