MtGox Meltdown: causes and conspiracies

Posted on March 2, 2014

1


Shortly after I took to the airwaves to tell everyone the fears about Bitcoin being iffy were overblown, one of the largest Bitcoin exchanges went belly-up in very sketchy circumstances.

Hey, I was in the rainforest. I have an alibi!

MtGox, which started out in this world as an online exchange for Magic, the Gathering trading cards (hence the initials, hence the name; there is no actual mountain named Gox), has gone spectacularly bust, with missing bitcoins of a value that had been as high as one billion dollars. All poof! Into the ether.

Dr Evil, by contrast, does NOT have an alibi

Dr Evil, by contrast, does NOT have an alibi

The short form of the official excuse goes like this:

we were upgrading our technology, so because this is just so smart we put all the bitcoins from virtually everyone’s accounts into one transient account for “safekeeping.” That account got drained. Because Bitcoin is flawed! We’re really, really sorry so stop with the death threats already!

The actual truth is far more complicated. If indeed they were upgrading their technology, where’s the software? The site’s dead. Why would anyone think to transfer money into one central account for “safekeeping?” The flaw in the fundamental Bitcoin software exists, and it goes roughly like this: when you transfer bitcoins from one account to another, there’s a glitch in communication which enables someone nefarious to send a message “hey, the transfer didn’t go through. Try it again to this address” and you can guess what happens next.

Here’s the longer version, an excerpt from that IEEE article linked above.

“Generally, malleability is a design flaw in Bitcoin, albeit a very subtle one. So we can forgive Satoshi for overlooking it,” says Mike Hearn, a developer who works on the Bitocin protocol. (Satoshi Nakamoto is the pseudonym for the inventor of the Bitcoin protocol.)

In order to understand transaction malleability, you need to know that the balances of all Bitcoin addresses are maintained on a public ledger and that the changes made to this ledger are what constitute the transfer of funds.

When a transaction is broadcast to the network, it is relayed with a digital fingerprint that identifies it. Bitcoin miners then scoop it up, verify it, and send it on to the rest of the network for confirmation. Once the transaction has been confirmed, there is no way for that same person to spend those same bitcoins because they are being checked against the public ledger.

The malleability feature allows a person to intervene, right after the transaction request has been sent, modify the fingerprint and create a duplicate transaction. So, now you have two unconfirmed transactions flying around the network. They are both for the exact same payment, but they have different fingerprints and only one of them can be added to the public ledger. “The first one that is confirmed will be accounted for in the blockchain and will become the definitive record,” says Andreas Antonopoulos, the chief security officer for the Blockchain.info Bitcoin wallet. “The other will be dropped as a double spend attempt.”

Transferring a ton of money into one account at one time creates, essentially, the perfect conditions for this flaw to be exploited. So, curious me wonders whose idea that actually was, because as Falkvinge points out, this was almost certainly an inside job. You should go read that whole article, but here’s a snippet. It’s rigorously sourced, and follows the tale of MtGox from the very beginning to the end, with references to other cryptocurrency scams as relevant. It’s an education in and of itself.

In the first and only interview so far after the still-officially-unexplained shutdown, which has already led to multiple tragicsuicides over the loss of fortunes, CEO Mark Karpeles responded to questions with a picture of his cat. This means that the communications skills from MtGox and Karpeles are either so carefully orchestrated here that only an experienced genius would understand them, or so incompetent that it falls below any description. Take a guess which is more probable.

According to research by Bryce Weiner, Karpeles himself is the person who took the funds, and this happened in 2011, which would be consistent with the observation by Jesse Powell (Weiner): “There’s nothing to indicate that Empty Gox was ever solvent.” While the timeline doesn’t conclusively show that Karpeles himself is behind the original disappearance of funds, it does show clear complicity in profiting from the heist.

Now, the minute someone starts spending that money we will have all the clues we need to find out who took it. The money exists. It wasn’t destroyed; it was stolen. And it appears now that MtGox has been lying about it for a full three years.