Who is Mt. Gox?
Based in Tokyo, Japan, Mt.Gox was established in 2009. What started off as an online gaming card selling business soon became the talk off techies. Leaving behind the cards, the site was upgraded to the Bitcoin exchange network in 2010. Originally founded by Jed McCaleb, it was sold to Mark Karpeles, the current owner of Mt.Gox, in 2011. Mt.Gox became one of the first online sites to establish itself in the bitcoin exchange business. It played a significant role in bringing bitcoin into the lives of the masses and aided in maintaining its image. As of late, Mt.Gox has become far removed from what it came to be known as. For example, it was known to be one of the foremost in the bitcoin community, well established and well respected. With its own recent ridiculous antics and revelations, the image of Mt.Gox has been completely altered in the minds of the bitcoin community.
What was said to be a technical glitch in the system, Mt.Gox recently released statements in which they claimed that the issue was not with them but rather with the bitcoin protocol. “The problem we have identified is not limited to Mt.Gox, and affects all transactions where Bitcoins are being sent to a third party. We believe that the changes required for addressing this issue will be positive over the long term for the whole community. As a result we took the necessary action of suspending bitcoin withdrawals until this technical issue has been resolved.” Frustrations were mounting with Mt.Gox because of the abrupt halt to withdrawals from their network. Even more frustrating than that was the lack of a coherent and comprehensive response from Mt.Gox. A bitcoin user from Reddit, CoinSearcher, traveled all the way from Australia to the Mt.Gox headquarters in Tokyo, Japan looking for answers. His journey lasted for three days and the results were depressing. Only vague answers and a general evasive attitude were received. It was almost as if the bitcoin community was being conned by a major profiteer institution. It was later revealed in the statement released by Mt.Gox that the issue was larger than they expected. It turned out, according to them, that there was a problem in the bitcoin makeup itself and that the bitcoin community at large was vulnerable. Nevertheless, the issue was being handled and they had
“discussed this solution with the Bitcoin core developers and will allow Bitcoin withdrawals again once it has been approved and standardized.”
It seemed like a bit of a jump for them to make such a claim. The rising of bitcoin value was surely an indication that something positive was at works and the network as a whole was making a large progress. In fact, it was the strangest of ironies for Mt.Gox to make these statements in a time where every other bitcoin exchange seemed to be just fine. Obviously, as we came to later find out, this was not the case… sort of (this will be explained shortly.)
Transaction malleability has been known since 2011. According to Mt.Gox, “This defect, known as ‘transaction malleability’ makes it possible for a third party to alter the hash of any freshly issued transaction without invalidating the signature, hence resulting in a similar transaction under a different hash. Of course only one of the two transactions can be validated. However, if the party who altered the transaction is fast enough, for example with a direct connection to different mining pools, or has even a small amount of mining power, it can easily cause the transaction hash alteration to be committed to the blockchain.” Bitcoin network allows transaction IDs to change after a transaction has been made, but it has to be done before it is permanently set in the Blockchain. Someone messing around with the system can take advantage of this characteristic of the network. This is exactly what has happened. In the words of Mt.Gox:
“A bug in the bitcoin software makes it possible for someone to use the Bitcoin network to alter transaction details to make it seem like a sending of bitcoins to a bitcoin wallet did not occur when in fact it did occur. Since the transaction appears as if it has not proceeded correctly, the bitcoins may be resent.”
The network is being bombarded with these sorts of transactions. This slows down transactions from being processed properly, enlarges the Blockchain size and adds extra bandwidth to the bitcoin network. Gavin Andresen, Lead Developer of the Bitcoin protocol released a statement saying that “The issues that Mt.Gox has been experiencing are due to an unfortunate interaction between Mt.Gox’s implementation of their highly customized wallet software, their customer support procedures, and their unpreparedness for transaction malleability, a technical detail that allows changes to the way transactions are identified.” He further stated that this is not a problem with the bitcoin protocol itself but rather it is a challenge for the makers of the bitcoin wallet software. Andreas M. Antonopoulos, Chief Security Officer at Blockchain commented about transaction malleability saying “a problem in certain implementations that allows an attacker to modify a transaction in such a way as to make the same transaction appear under a different transaction ID (Tx Hash), without changing any of the internal information (sender, recipient, value etc),” and that
“This issue first became known in 2011 and it does not affect correctly implemented bitcoin clients, such as the reference client (bitcoind/bitcoin-qt).”
Furthermore, transaction malleability glitch is the result of some exchanges’ failure to update to the official bitcoin source code. New methods of assigning transaction IDs or hashes were introduced for the first time in this update. To employ the new code, bitcoin users or exchanges had to incorporate it in the bitcoin software. Some exchanges that were affected failed to follow this procedure and they continued to use the outdated version. It would be obvious even to a layman that the lack of following proper procedure would be a cause of problems in the future. This is exactly what has happened now. They should have implemented the phrase “better safe than sorry?”
Mt.Gox Meltdown in Action
With the recent release of statements by Mt.Gox, they have brought to light transaction malleability. It has created a domino effect in the bitcoin community and exchange markets. In fact, exchanges are now reviewing their software systems to make sure that everything is running as smoothly as it should. The different exchanges are rechecking their networks for any glitches or issues.
Coinbase, one of the renowned bitcoin exchanges in the community, released a statement shortly after Mt.Gox. “After conducting a review of our wallet software, we could not find any instances of such an attack being used. We also looked into the technical details of the transaction malleability issue and just this morning added additional security measures to our software to further prevent such an attack. From our current analysis, there weren’t any users affected by this issue, but we’ll continue to monitor transactions to make sure.”
Antonopoulos released a statement saying “Blockchain.info’s implementation follows best practices in this respect and does not rely on the transaction hash as verification of spent funds. Instead, if multiple conflicting versions of a transaction against spent inputs are seen on the network, both transactions are highlighted whenever they appear as a “double-spend”, until one of the transactions is confirmed, making the second disappear.” He further stated
“Blockchain wallet users are unaffected by this known implementation issue.”
Earlier today, the Bitcoin Foundation released much awaited news. “You can be rest assured that we have identified the issue and are collectively and collaboratively working on a solution. Somebody (or several somebodies) is taking advantage of the transaction malleability issue and relaying mutated versions of transactions. This is exposing bugs in both the reference implementation and some exchange’s software,” it said. It further stated
“We (core dev team, developers at the exchanges, and even big mining pools) are creating workarounds and fixes right now. This is a denial-of-service attack; whoever is doing this is not stealing coins, but is succeeding in preventing some transactions from confirming. It’s important to note that DoS attacks do not affect people’s bitcoin wallets or funds.”
It seems that Mt.Gox’s scare might have started something in the bitcoin world. In a way, it has given the other exchanges and the core developers a wake up call. Now, the system is being reviewed and further strengthened.
Coinreport will follow up more on the story of Mt.Gox and other exchanges, stay tuned.