Today, in a last ditch rather pathetic effort to draw attention away from themselves, Mt Gox issued a press release blaming their recent problems on a (non)issue that dates back to 2011: Transaction malleability. In short, it allows you to alter the hash of a transaction by changing non-essential data. Since this issue has been well-known and well-documented for the past several years now, all it means is that if you’re an exchange, you should not be tracking transaction IDs to confirm if a payment has gone through or not. Rather, you should be tracking your inputs/outputs.
For most exchanges, this hasn’t been an issue. Set the system up such that inputs/outputs are tracked, not transaction IDs, and you’re unaffected by transaction malleability. Can you guess how Mt Gox, the self proclaimed leader of bitcoin exchanges, set their system up? Yep, they were tracking transaction IDs.
It’s been long known that Gox is incapable of fulfilling all their USD debts ever since their main bank account was seized. On this front, they have been operating as a psuedo ponzi scheme, where new money would pay off old money. There’s been a lot of debate lately whether or not Gox had the BTC on hand to pay off all their debts, and if you read between the lines, this press release confirms that they do not. Make no mistake about it: Mt Gox is likely insolvent in BTC as well.
How, you ask? The fact that they’re complaining about this one (non)issue in particular is very telling. Since their system ran off transaction IDs, they’ve been vulnerable to attacks involving transaction malleability for god knows how long. The attack is simple: Intercept their original transaction, alter the hash of it, and rebroadcast the new transaction. If the altered transaction gets accepted into a block, you have your BTC, but it’s still marked as unreceived within the Gox system. You can then complain to support that you never got your BTC. Support would search by TXID, see that their original transaction is not included in the blockchain, and then credit your account. Congratulations, you just doubled your BTC! This is similar to how a double spend is done, but magnitudes easier to pull off.
How much BTC have they lost as a result of people abusing this? Who can say for sure, but it’s enough to cause the shitstorm that they’re now in. For an exchange that’s been around as long as Gox has, to fall victim to such a well documented issue is simply inexcusable. Gox has always been held together by duct tape, and at this point it’s safe to say that Gox has caused more harm than good to the Bitcoin community over it’s miserable existence. This latest stunt is the final nail in the coffin, and I for one am glad that Gox is finally dead. There are much more competent exchanges eager to take their place.
Of course, the mainstream media is absolutely loving this, as it gives them the chance to proclaim that bitcoin has been “hacked”. Things like this do serious harm to the public perception of Bitcoin, but it’s not like Gox cares. They’re only trying to cover their own ass. Andreas Antonopolous summed it up well by saying “A DnD geek wrote a currency exchange in PHP and three years later we’re still paying a price for that.”
To whoever is selling their BTC now: I feel sorry for you. Despite Gox’s best efforts to make it seem so, there is no flaw within the bitcoin protocol. The flaw resides entirely within their system.
Great Article, well written, and totally true! Exactly my thoughts!
Nice article you have here. I have seen pieces of the puzzle going back and forth on twitter/reddit today but you have done a great job of summing up this news in a way that is easy to understand. When I was first getting into digital currencies I found many how-to guides for new people saying to use Mtgox. A quick Wikipedia search on the history of their site had me thinking that using them would be some of the worst financial advice ever. I couldn’t get past the gut feeling of “using gox would be like employing my local comic book store owner as my financial planner and accountant” that seemed like a bad idea unless I was trading in comic books.
Agreed but one request, when quoting somebody, please provide the supporting link. It’s much better all around. Thanks.
The quote in question was just a tweet. Linking to it doesn’t add much additional value.
Great article; someone with this much bitcoin understanding I hope will be willing to debate this anti-bitcoin guy; we’re giving a reward of 100mBTC
details: http://www.reddit.com/r/Bitcoin/comments/1xlewm/100mbtc_reward_for_smart_bitcoiner_to_debate_this/
The guy doesn’t know what he’s talking about. He’s using the BitStamp shutdown due to a DDOS attack to support his arguments about the Mt.Gox disaster. Apparently he doesn’t even know what a DDOS attack is, and clearly he doesn’t understand that such attacks can occur on any website, whether it’s a bank website, or a stock exchange website.
Not much to debate there. Just a guy who really thinks well of himself.
MT GOX ARE FUCKING WHORES, THEY ALSO STAGED THE FLASHCRASH in 2011… MT GOX SHOULD BE PUT DOWN LIKE THE SICK PUPPY IT IS…
Quite a well written article, though I think you’re giving Gox too much credit saying it’s held together by duct tape. Post it notes would be a more comparable adhesive. This recent folly by Gox reminds me of that one article by some brilliant students claiming they’d found the doom of Bitcoin, which was basically a hybrid 51% attack, which relied more on network propagation of blocks more than anything else.
Anyway, it’s sad that Mt. Gox felt the only way to stay alive was to kill the very thing that is the essence of its being.
Gox needs to go into receivership (now more than ever), and a forensic accountant needs to track down the double withdrawers. Depending on when they began double-withdrawing, they may have been required to send in AML/KYC documentation, so bringing criminal charges would be simple if they refused to send the BTC back.