Today, in a last-ditch, rather pathetic effort to draw attention away from themselves, Mt Gox issued a press release blaming their recent problems on a (non)issue that dates back to 2011: transaction malleability. In short, it allows you to alter the hash of a transaction by changing non-essential data. Since this issue has been well-known and well-documented for the past several years now, all it means is that if you’re an exchange, you should not be tracking transaction IDs to confirm whether a payment has gone through or not. Rather, you should be tracking your inputs/outputs.
For most exchanges, this hasn’t been an issue. Set the system up such that inputs/outputs are tracked, not transaction IDs, and you’re unaffected by transaction malleability. Can you guess how Mt Gox, the self-proclaimed leader of bitcoin exchanges, set their system up? Yep, they were tracking transaction IDs.
It’s long been known that Gox is incapable of fulfilling all their USD debts ever since their main bank account was seized. On this front, they have been operating as a pseudo-Ponzi scheme, where new money would pay off old money. There’s been a lot of debate lately whether or not Gox had the BTC on hand to pay off all their debts, and if you read between the lines, this press release confirms that they do not. Make no mistake about it: Mt Gox is likely insolvent in BTC as well.
How, you ask? The fact that they’re complaining about this one (non)issue in particular is very telling. Since their system ran off transaction IDs, they’ve been vulnerable to attacks involving transaction malleability for god knows how long. The attack is simple: Intercept their original transaction, alter the hash of it, and rebroadcast the new transaction. If the altered transaction gets accepted into a block, you have your BTC, but it’s still marked as unreceived within the Gox system. You can then complain to support that you never got your BTC. Support would search by TXID, see that their original transaction is not included in the blockchain, and then credit your account. Congratulations, you just doubled your BTC! This is similar to how a double spend is done, but orders of magnitude easier to pull off.
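To make the difference between the two bookkeeping approaches concrete, here is an added example (not code from Mt Gox or any exchange) that reconciles a withdrawal against confirmed transactions both by TXID and by inputs/outputs. The transaction model, field names and sample values are simplified assumptions constructed for illustration, not Bitcoin's real serialization.

```python
import hashlib
from dataclasses import dataclass

# Simplified model for illustration only; this is NOT Bitcoin's wire format.
@dataclass(frozen=True)
class TxIn:
    prev_txid: str     # outpoint: which earlier output is being spent
    prev_index: int
    script_sig: bytes  # stands in for the non-essential data that can change

@dataclass(frozen=True)
class TxOut:
    address: str
    satoshis: int

@dataclass(frozen=True)
class Tx:
    inputs: tuple
    outputs: tuple

def _digest(fields):
    return hashlib.sha256(hashlib.sha256("|".join(fields).encode()).digest()).hexdigest()

def txid(tx):
    """Hash over the whole transaction, script_sig included (so it is malleable)."""
    return _digest([f"{i.prev_txid}:{i.prev_index}:{i.script_sig.hex()}" for i in tx.inputs]
                   + [f"{o.address}:{o.satoshis}" for o in tx.outputs])

def payment_key(tx):
    """Hash over only the outpoints spent and the outputs created."""
    return _digest([f"{i.prev_txid}:{i.prev_index}" for i in tx.inputs]
                   + [f"{o.address}:{o.satoshis}" for o in tx.outputs])

def paid_by_txid(sent, confirmed):
    return txid(sent) in {txid(t) for t in confirmed}

def paid_by_io(sent, confirmed):
    return payment_key(sent) in {payment_key(t) for t in confirmed}

# Constructed sample data: a withdrawal as sent, and what was actually confirmed.
SENT = Tx((TxIn("aa" * 32, 0, b"\x01\x02"),), (TxOut("customer-addr", 150_000_000),))
MINED = Tx((TxIn("aa" * 32, 0, b"\x00\x01\x02"),), SENT.outputs)  # same payment, new txid
OTHER = Tx((TxIn("bb" * 32, 1, b"\x01\x02"),), (TxOut("someone-else", 5_000),))

if __name__ == "__main__":
    chain = [OTHER, MINED]
    print("txid lookup says paid:        ", paid_by_txid(SENT, chain))
    print("input/output lookup says paid:", paid_by_io(SENT, chain))
```

A support workflow built on `paid_by_txid` would report the withdrawal as missing and invite a second payout, while the input/output check recognises it as already settled.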
How much BTC have they lost as a result of people abusing this? Who can say for sure, but it’s enough to cause the shitstorm that they’re now in. For an exchange that’s been around as long as Gox has, to fall victim to such a well-documented issue is simply inexcusable. Gox has always been held together by duct tape, and at this point it’s safe to say that Gox has caused more harm than good to the Bitcoin community over its miserable existence. This latest stunt is the final nail in the coffin, and I for one am glad that Gox is finally dead. There are much more competent exchanges eager to take their place.
Of course, the mainstream media is absolutely loving this, as it gives them the chance to proclaim that bitcoin has been “hacked”. Things like this do serious harm to the public perception of Bitcoin, but it’s not like Gox cares. They’re only trying to cover their own ass. Andreas Antonopoulos summed it up well by saying “A DnD geek wrote a currency exchange in PHP and three years later we’re still paying a price for that.”
To whoever is selling their BTC now: I feel sorry for you. Despite Gox’s best efforts to make it seem so, there is no flaw within the bitcoin protocol. The flaw resides entirely within their system.