Mt. Gox "offline" with bitcoin worth $375m down with it

Ultimately I think this will be healthy long-term for Bitcoin – it shows the ecosystem can survive a total meltdown of one of the exchanges. Proves durability in the face of adversity.

For the record, I am completely neutral on Bitcoin and own none.

That depends on who has the missing bitcoin (should be easy enough to see if one person or one group of people have it, just check the blockchain), and what happened to the missing bitcoin.

I wouldn’t say it’s healthy yet. This is an annoyance. The real scandal hasn’t even started.

1 Like

Wait a minute… “hot air” ? In a soap bubble? Well, at best it’d be 95F, is that hot ?

Do you have inside information, or are you expecting some vulnerability to reveal itself in the coming days/months/years?

There’s not a lot of data available yet, but it looks like:

To secure a transaction it is cryptographically hashed, but not all of the data fields are included in that hash (for example, you can’t actually hash the signature, because the signature is applied to the hash). In theory (and in practice, it seems) it is possible to change these data elements before the transaction is actually committed to the chain.

One of the fields that isn’t included in the hash is the transaction ID, and apparently Mt. Gox was (lazily) using that field to track transactions – in other words, what they considered to be an immutable transaction identifier can actually be mutated. Their system was apparently gamed through this, although I’m not sure precisely how.

Other exchanges that (correctly) didn’t expect the transaction ID to be authoritative (all of the other exchanges, as far as I know) were unaffected.

[I read that the developers of the protocol have been aware of this for a few years, but it wasn’t a high priority to them because when the protocol is correctly applied it isn’t much of an issue. Mt Gox, in other words, appeared to just be in over their head in the Bitcoin world. Bitcoin is a little more complicated than *Magic:* cards…]

There is also another potential vector called signature malleability – because the signature isn’t in the hash, it’s possible to change the signature verification script after the fact. Bitcoin doesn’t currently really use the full power of their scripting engine so this isn’t currently too much of an issue, but they’ll need to figure out what to do about this if they want to extend the platform in more useful/interesting ways.

2 Likes

Mt Gox says that this is just the beginning of the next phase of their existance. Their offices are cleaned out in Japan. They blame this whole thing on bitcoin protocol issues. Bitcoin blames the whole thing on MtGox management issues. Meanwhile, $375,000,000 (and probably closer to a billion dollars, since that $375,000,000 is post crash) has gone missing.

So it’s just inference to lead to the fact that someone is lying. Someone is being dishonest. And That someone is where the real scandal’s going to be.

If there’s such a massive flaw in the currency, that’s been there for years, that just took down the biggest exchange in the world … and that has been exploited for at least over six months… do you really think this is the only place that it happened to?

1 Like

Couldn’t say as I read at the perimeter of bitcoin stories, so to speak, whereas you’re clearly more familiar with the issues at hand (hence my question). And besides, couldn’t the problem stem from a confluence of the issues you mention? Mt. Gox management knows of a certain flaw in the protocol but chooses not to fix it? I am familiar with tech infrastructure to know that’s possible at the very least. As to who is being honest or not in this case, I’ve not the faintest clue.
A question: given that I’ve read bitcoin can be tracked to the ends of the earth via blockchain (which I understand to be a sort of digital provenance), is there no way to show that X number of bitcoin was siphoned off here and then take steps to recover at least some of the money in a more tangible form?

Oh, you can watch where it went to, following it around… but nobody can make them give it back. Nobody can even tell who “them” is unless they touch it to some other identifying characteristic. And there ARE bitcoin money laundering schemes to wash bit coin and make it even harder to fish out.

1 Like

You can watch the Bitcoin flowing through the system, but it is very difficult to tell where one person’s control ends and the next person’s starts. The original attackers may have moved it from one of own pockets to another repeatedly, sent it through mixing services, used it to pay innocent third parties long ago - or any arbitrarily complex combination of the above.

2 Likes

No, not really. There was GBL, but that vanished taking all its customers’ money. There was Bitfloor, who were the largest in the US, but they had a chunk of money stolen and then shut down, leaving people waiting to see if they’d get their money back. There were Bitcoin exchanges in India, but it turned out they hadn’t bothered to get regulatory approval, so they shut down in a hurry. There was Dwolla, but they suddenly shut down their service because they couldn’t make money from Bitcoin, doubtless partly because of its incredibly high volatility. Silk Road 2 offered escrow accounts, and then suddenly all the money vanished. It’s almost as though Bitcoin attracts the criminal and incompetent, isn’t it?

Oh well, feel free to send me dogecoin at DR95Lqrz8UNmxdP6sgszKvvSza4cV65CC1. Nothing can possibly go wrong with dogecoin. So security! Much money!

8 Likes

Oh well, there’s still always Beanie Babies.

7 Likes

The attack was apparently: deposit some money with MtGox and buy a bitcoin, then try to withdraw the bitcoin to your private wallet. Capture the message that describes transferring the bitcoin from MtGox to you, and modify it in a trivial way; e.g. change a “length” field from “0x48” to “0x0048” - adding extra characters to the withdrawal message changes the message hash, but not the meaning or the function. Then, submit the modified withdrawal message somewhere else to the blockchain.

You have a race. If your modified message is accepted and added to the blockchain before the original message from MtGox, the withdrawal from MtGox represented by their original message will look like a double spend and it will fail.

If you win the race, you go back to MtGox and say “hey! my withdrawal failed, can we try it again?”

Critically, MtGox used the hash of the withdrawal message to work out if a transaction succeeded. They correctly realise their withdrawal instruction to you is not included on the blockchain, but they were unable to detect that a functionally identical withdrawal succeeded, because the message representing it carried a different hash.

MtGox then issue you a fresh withdrawal transaction and you can allow that to go through unmolested - you’ve then made two withdrawals from MtGox by tricking them into thinking the first attempt failed. Rinse, repeat.

It’s a bit incredible that someone made off with >700,000 bitcoins that way, though.

1 Like

Is it actually true that a theft cannot be undone? Bitcoin is run by consensus of everyone on the network. Presumably it would be possible to create 700,000 bitcoins if everyone agrees to allow it, as an extension to the protocol - an MtGox reimbursement block - you could in principle modify bitcoin to inject extra coins by adjusting the algorithm. The theft is about 6% of all existing bitcoins.

Every single person has to agree to it. It has to be in all the block chains, and accepted by all the block chains. And if it does, it would devalue the hell out of bitcoin.

It’s gone. It won’t happen. This isn’t the first bitcoin theft, it’s just the largest. Setting a precedent like this would be too dramatic and would devalue the currency too much. At that point, it becomes just like any other “fiat currency”

1 Like

I was just thinking…

It’s rumored that this guy might be the guy that originally founded Mt. Gox. Mt Gox was, as the story goes, started as a magic the gathering online exchange, but there’s no evidence it was ever used for that. It turned into a bitcoin exchange within about a year of bitcoin’s introduction.

Remember, Mt. Gox was created before Bitcoin. The guy who made bitcoin (or group) used a pseudonym, pretending to be a Japanese guy. Mt. Gox is a japanese company. Mt. Gox now claims it was hacked by someone using some obscure protocol issue of bitcoin.

What if this all has been a very long con by the guy behind bitcoin?

Seems unlikely - According to that article Satoshi already has about 1 million bitcoins that he acquired legitimately when Bitcoin was obscure and starting up - so if he did also hack MtGox then he’s really shot himself in the foot by triggering a run on his own currency. His 1M bitcoins were worth more before MtGox blew up than 1.7M bitcoins are worth today…

I am reminded of when they found that online poker was a scam. Surprise ! Surprise !

2 Likes

Thats if you assume two things.

One, that Satoshi was ever going to be able to sell all 1,000,000 bitcoin he owns without depressing the value of the system. Right now it’s around $400 a coin. A 1,000,000 coin dump would certain depress that a lot. I’d wager it’d be hard for him to actually sell all his coins.

Two, that what was stolen in the Mt Gox situation was bitcoin. Bitcoin was stolen, yes, but bitcoin doesn’t pay for servers or most anything else. What was stolen from Mt Gox was good old fashioned fiat cash.

1 Like

I’m shocked, shocked to find that gambling is going on in here! …

We have met the future, and it is Dogecoin!