Bitcoin exchange MtGox has filed for bankruptcy protection having lost more than 850,000 bitcoins worth close to $500m (£300m), forcing it to cease trading and make plans for a final attempt at survival.
Given bitcoin's value soaring from less than $75 to more than $1,000 through 2013, and the number of users and merchants using the virtual currency growing just as quickly, it may come as a surprise that what was once the world's largest bitcoin exchange has crumbled.
MtGox's problems have been blamed on building the entire system on "layer upon layer of patchy scrap work," but they are also believed to stem from an inherent flaw in the way bitcoin is coded, called 'transaction malleability'. To understand why this problem has helped bring MtGox to its knees, we must first get to grips with two bitcoin concepts - transactions and the public ledger.
What is transaction malleability?
When bitcoins are sent from one user to another, the transaction is digitally signed by the account sending the coins; this transaction includes key information such as the amount of bitcoins being sent, who they are coming from and who they are going to. Each transaction is given a unique name, an ID, which is generated based on the information contained within the transaction.
This transaction ID can then be seen on the public bitcoin ledger, a record of every bitcoin transaction ever made and which can be viewed by anyone through Blockchain.info.
But some of the data used to create this ID comes from unsigned and insecure parts of the transaction, so it is possible for the receiver to alter those parts, and with them the transaction ID, without the sender's permission or knowledge.
In the case of MtGox, the exchange was configured to expect transactions to show up under a specific transaction ID. When those transactions failed to appear - because the ID had been altered by the receiver withdrawing funds from MtGox - the thief could then file a complaint, which would instruct the exchange to automatically retry the withdrawal, handing over the requested bitcoins for a second time, but with neither transaction appearing on the public ledger.
Because the flaw lies in bitcoin itself, it is up to every exchange and service dealing with the currency to build a system that accurately reports balances and transactions between sender and receiver. It appears MtGox had failed to do this, leading to the theft of 750,000 customer bitcoins and 100,000 belonging to the company itself. In all, coins worth almost £300m at the time of publication were stolen.
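To make the mechanism concrete, here is an added Python sketch that is not from the article or from any exchange's code. It uses a simplified transaction format: the ID hashes the whole transaction, while the signature commits only to the coins being spent and the outputs, so re-encoding the unsigned scriptSig changes the ID but leaves the signed content intact. An exchange that reconciles withdrawals by ID then misses the confirmed transaction; one that reconciles by the signed content finds it. All field names and values are constructed placeholders.

```python
import hashlib
import json


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def txid(tx: dict) -> str:
    # As in Bitcoin, the ID hashes the whole serialised transaction, scriptSig
    # bytes included (canonical JSON stands in for the real wire format here).
    return sha256d(json.dumps(tx, sort_keys=True).encode()).hex()


def signed_digest(tx: dict) -> str:
    # What the sender's signature commits to: which coins are spent and where
    # they go. The scriptSig that carries the signature is not covered.
    body = {"spends": [(i["prev_txid"], i["vout"]) for i in tx["inputs"]],
            "outputs": tx["outputs"]}
    return sha256d(json.dumps(body, sort_keys=True).encode()).hex()


def malleate(tx: dict) -> dict:
    # Third-party re-encoding of the unsigned scriptSig: a toy stand-in for the
    # alternative encodings that kept the signature valid but changed the hash.
    copy = json.loads(json.dumps(tx))
    for inp in copy["inputs"]:
        inp["script_sig"] = "00" + inp["script_sig"]
    return copy


def find_withdrawal(chain: list, withdrawal: dict, key):
    # key() yields the identifier the exchange stored when it sent the withdrawal.
    wanted = key(withdrawal)
    return next((t for t in chain if key(t) == wanted), None)


# Constructed sample withdrawal: one input, one output, placeholder values.
WITHDRAWAL = {
    "inputs": [{"prev_txid": "ab" * 32, "vout": 0, "script_sig": "3045aabb"}],
    "outputs": [{"address": "1CustomerPlaceholder", "value": 100_000_000}],
}

if __name__ == "__main__":
    seen = [malleate(WITHDRAWAL)]  # what actually confirmed on the ledger
    print("txid match:  ", find_withdrawal(seen, WITHDRAWAL, txid) is not None)
    print("signed match:", find_withdrawal(seen, WITHDRAWAL, signed_digest) is not None)
```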
MtGox was not alone in its transaction malleability weakness; Bitstamp, the world's largest bitcoin exchange, temporarily halted withdrawals in February while it adjusted the way withdrawals were logged and strengthened its servers after numerous DDoS (distributed denial of service) attacks were launched against the site.
But where Bitstamp was able to fix the issue quickly and carry on as normal, MtGox had fallen into a tailspin from which it would never recover. The bitcoin community had long questioned MtGox's legitimacy because its price for bitcoin was often higher than that of rival exchanges - a situation dramatically reversed in the weeks leading up to the company's death, when it was offering one bitcoin for around $100, far below the circa $600 charged by other exchanges.
This led critics to believe MtGox CEO Mark Karpeles was participating in arbitrage by taking what bitcoins were left and selling them on other exchanges for a profit. "This was allegedly happening well before the exchange's breaking point," claims bitcoin blogger Ryan Selkis.
As protesters began to gather outside MtGox, worried they would never see their bitcoins again, US federal prosecutors issued the exchange - and other bitcoin businesses - with a subpoena to seek information on recent cyber attacks against it.
Just days before MtGox filed for bankruptcy protection, Selkis published what he claimed to be a draft of a crisis strategy document, leaked from within the exchange - and later described by Karpeles as "more or less" legitimate. The document claimed 744,408 bitcoins were "missing due to malleability-related theft which went unnoticed for several years."
This in itself is particularly alarming, given one would expect MtGox to carry out regular financial audits, and a gaping hole of more than 700,000 bitcoins would surely be obvious, unless they were extracted gradually over several years, as the crisis document suggests.
The document adds: "The cold storage has been wiped out due to a leak in the hot wallet."
This statement is simply impossible, as cold storage refers to computers on which encryption keys to bitcoin wallets are kept, and which have never been connected to the internet - cold being offline, hot being online.
Quite how MtGox's cold storage could be lost through a leak in the hot, online wallet is a mystery and suggests every wallet and every bitcoin stored by MtGox could be accessed by hackers through its online servers.
No one yet knows why a small, easily fixed coding flaw caused MtGox to lose hundreds of thousands of bitcoins without anyone noticing, but given bitcoin's anonymous nature and the fact the heist could have taken place over several years, getting the coins back is very unlikely.
Highly sceptical community
Add to this a vocal community highly sceptical towards Karpeles and his reasoning for the loss of coins, and the situation can only get worse.
The jury is still out on whether this was gross incompetence or deliberate fraud, and perhaps the subpoena - and action taken by Japanese authorities - will reveal more, but for now the bitcoin community is left to pick up the pieces.
Some fortunate users saw MtGox's problems from the start and took their coins elsewhere, but others have lost a fortune due to the apparent incompetence of the exchange's staff.
Those who survived the death of MtGox will now be looking to cast the exchange aside as a mistake and a blight on the history of bitcoin, in the same way Silk Road was. But for financial regulators the world over, the writing of cryptocurrency legislation just became much more complicated.