I think that his points against transaction malleability are invalid:
- technical one - Bitcoin clients have a 100 ms delay before they relay messages. An attacker can compile a modified client that doesn't have these limitations and successfully outrun the rest. It was shown once that an attacker managed to successfully modify most Bitcoin transactions on the network for some time in February.
- social one - IIRC Gox had an automatic system, which reissued Bitcoin transfers if they failed. So you didn't need to phone them or convince them in any way - Mt.Gox would send you a new transfer (and exhausting inputs has nothing to do with it here, since they had no reason to use the raw transactions API, which lets you use specific inputs, and instead they probably just used the more common sendto API) after it detected the old one failed (TXID not found on the network).
Author here. I think there is some subtlety around the technical point that may be getting lost.
Ittay Eyal and I were the ones who discovered an attack against Bitcoin called selfish mining, where we showed how a miner could earn more than his fair share. This attack did not require, but could benefit from, the attacker racing against honest participants on the peer-to-peer network.
Some members of the Bitcoin community claimed that the attacker would reliably lose these races because they start behind.
In the article, I point out that there is indeed a transaction race in this case, that people have demonstrated an ability to outrun transactions, and that this has ramifications for selfish mining. I do not claim that there is a technical impossibility -- quite the contrary! The tricks used to make that succeed are identical to what an aggressive selfish miner would use.
To be fair, malleability attacks require a modified client and some network positioning, so there is nevertheless a technical obstacle. Not one that is impossible to surmount, but one that requires some effort.
I did not know that Mt. Gox performed automatic reissues -- thank you for bringing that up. Would you happen to have a pointer that establishes this?
On the whole, I do not believe that malleability accounts for Gox's collapse at all. Even automatic reissues would put at most the hot wallet at risk. Studies of malleable transactions do not show anywhere near the volume required to account for Gox's collapse. And something I did not mention in the post is that the timing of the observed malleable transactions doesn't match the story from Mt. Gox at all. There is undoubtedly more to this story.
Another point is that evidence of significant tx-mal can't be found on the block chain prior to Feb 9 [1]. Now, it's possible that the search wasn't thorough enough, but I find that unlikely. Any reissued transactions must have occurred within a very short period -- a couple of weeks in February -- that could have been attributed to malleability.
That's only looking at one kind of malleability. Notably, I've been told that MtGox for years issued its own transactions in a non-standard format... so one potential 'attack' would be to mutate those to canonical form and race them into the blockchain. There'd be no evidence of such an attack in the blockchain: only someone who'd been long-archiving losing, non-canonical transactions from multiple places in the network would have a way to estimate the frequency/magnitude of such activity.
That sounds a bit speculative. If someone has a link that shows one of these "non-canonical transactions," that might lend some credence to the idea. Furthermore, if Gox was always issuing weird transaction formats, then looking for addresses that show a statistical prevalence of these would be trivial. Showing that the attack took place would simply require showing addresses that occasionally issued a proper tx, but statistically favored outgoing transactions of the type you describe. That is, there will be evidence in the blockchain if the type of transaction you describe is very specific to Gox.
Their history of oddly-composed transactions could help identify more of their likely addresses, if noone else did the same thing, but that would still be of limited use in funds-tracing depending on whether such addresses were ever reused.
I'm not sure if this was just a tiny sliver of their transactions, or a large proportion... but it complicates easy analysis of what the malleability losses could be.
Good article - it's helpful, and for me it adds clarity to the discussion.
Parsing recent industry statements, it's notable how Coinbase and peers have been using a rather loaded term of art, "bad actor", in reference to Mt. Gox, both directly and indirectly.
Yet even after all that has happened, many are still basing their conclusions on Mt. Gox's past public statements.
It'd be most accurate to say you rigorously described a kind of mining-cartel attack that had been discussed years earlier, but I know I won't convince you of that, because you only count published academic papers, and the earlier discussions of the same attack all happened in less-formal bitcoin forums.
Regarding MtGox scenarios:
Reliable evidence on what MtGox truly did is scarce, but people have widely speculated that at times they auto-reissued payouts, and without the protective measure of reusing the same inputs. It would be in character – see other examples of their recklessness below.
So while I share your doubt that malleability could have resulted in significant losses, there is a theory for that, which doesn't require extensive social engineering/human-in-the-loop processes. And, if it had been happening for years, only outsiders with a giant archive of long-ago race-losing transactions (that never reached blocks) would be able to estimate the magnitude of the losses. (I don't know any public source for such an archive.)
Similarly, at times Karpeles mentioned that the cold storage was a "paper-based RAID" in 3 parts, or some other scheme in 6 places. As the 'key man' in an enterprise that suddenly found itself atop $100MM+ in easily-transferable assets, his feared threats may have included kidnapping/extortion to force disclosure of the keys. Thus his cold storage scheme may have involved putting necessary key-shares totally outside his easy control, even via people and safety-deposit boxes in other countries. Any "key-loss" scenario should consider the chance law-enforcement-actions or other calamities, far from the MtGox offices or Japanese accounts, have made essential parts of the cold-storage keys unrecoverable, for now and perhaps permanently.
There's a forum thread from years ago where people mention 2600+ bitcoins MtGox lost from their own bad-transaction-issuing code (https://bitcointalk.org/index.php?topic=50206.0;all). Karpeles wrote his own SSH server in PHP. Over the years MtGox suffered SQL injection & cross-site scripting attacks. In the June 2011 'flash crash', the entire user database with weakly-hashed passwords was lost (supposedly via an auditor compromise), allowing outsiders to carry off some unknown number of artificially-cheap bitcoin – but MtGox made customers 'whole' via a database rollback. MtGox later that year made the customers of competing exchange Bitomat whole, at a cost of 17,000 BTC or more, after that exchange lost its keys.
So when speaking of MtGox, we're already in Alice-in-Wonderland territory, with both custom (and often unwisely eccentric) implementation choices, and overconfident grand gestures. It's hard to rule anything out, based on ideas from elsewhere about plausible engineering or business practices.
I never heard of that one, although I know Mark Karpeles is the author of a few tools in PHP. I met him around 2003 when he developed, hosted and managed a Ragnarok Online (not so) private server (fRO) on Linux (hence his surname, MagicalTux). The whole time he paid the hosting himself. Contrary to more known servers such as eAthena, this server had a unique feature: it was written in PHP and developed mostly by himself. The server was stable, allowed for quick iteration and took the load quite fine. He also wrote an inetd daemon in PHP. Another PHP game project that never took off was 'Inochi', but I can't remember what it was about. He started a few other projects such as a homegrown OS and a VoIP system/company.
Still I can't tell much about the quality of his code since I never read it, and all traces of his code have vanished, and that's been more than 10 years ago. What I can remember though is that he was smart and friendly, but very sloppy at communicating.
For a side story, fRO grew sufficiently big that it caught the attention of Gravity and Mark received a cease and desist letter, which he obeyed short of facing a trial. He rebuilt the server soon after though, authorising only a select few members (of which I was one), resulting in something more like a permanent, albeit remote, LAN party, and finally abandoned the project, stepping down and transitioning the management to the player community. The community stayed strong enough even without access to the server that Gravity offered an exit in the form of an officially sanctioned, monthly-paid server. That server was eventually integrated into the official Gravity-managed euRO.
"only outsiders with a giant archive of long-ago race-losing transactions (that never reached blocks) would be able to estimate the magnitude of the losses. (I don't know any public source for such an archive.)"
Is that actually the case, or can most/all forms of malleability be detected by looking at abnormal transactions that wouldn't have been generated by any known client?
I don't know of a comprehensive survey of all kinds of malleability evidenced in the blockchain. It should be possible.
The issue with using it to estimate an upper bound on potential MtGox losses is that since some portion of MtGox's historic transactions were non-canonical, a third-party mutation could result in a 'normal' transaction entering the blockchain... but MtGox still confused, perhaps to the point of loss. Any survey would miss such transactions.
Maybe there's a private archive of never-confirmed transactions. Since it seems MtGox at times provided a public feed of (some of?) its own intended transactions, someone who'd been scraping/saving that for long enough might have a useful estimator dataset.
Thank you for the reply. I don't have any proof for the automatic reissuing on hand at this moment, I've read about it on Bitcointalk forums where several people claimed that they observed this behavior.
Definitely agree on both points, though I'm not convinced malleability has anything to do with their current troubles. They might have lost a few Bitcoin with that trick but it's nothing against half a billion dollars.
> since they had no reason to use raw transactions API which lets you to use specific inputs, and instead they probably just used the more common sendto API
There's a very good reason to use specific inputs - the only correct way to re-issue transactions is with the same inputs from the failed transaction, ensuring that it's impossible for both the old failed transaction and the new one to exist on the same blockchain.
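The re-issue rule in the reply above can be seen in a toy model. What follows is added example code, not anything from the article or from the thread's commenters; the transaction format, the `malleate` mutation, the funding txid and the amounts are all constructed stand-ins, and `Ledger` is a bare UTXO set rather than a Bitcoin node. It models the one property that matters here: the signature commits to the inputs' outpoints and the outputs but not to the scriptSig, so a third party can change the txid without invalidating the transaction. A replacement that respends the same outpoints can then never confirm alongside the mutated original, whereas a replacement built from fresh inputs (what a plain "send to address" wallet call would do) pays the customer twice.

```python
import hashlib
from dataclasses import dataclass


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, as Bitcoin uses for txids."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


@dataclass(frozen=True)
class TxIn:
    prev_txid: str      # hex id of the output being spent (the "outpoint")
    index: int
    script_sig: bytes   # unlocking data; NOT covered by the signature itself


@dataclass(frozen=True)
class TxOut:
    value: int          # satoshis
    address: str


@dataclass
class Tx:
    inputs: list
    outputs: list

    def serialize(self, with_sigs: bool = True) -> bytes:
        # Toy wire format, constructed for this example only.
        parts = []
        for i in self.inputs:
            sig = i.script_sig if with_sigs else b""
            parts.append(bytes.fromhex(i.prev_txid) + i.index.to_bytes(4, "little")
                         + len(sig).to_bytes(1, "little") + sig)
        for o in self.outputs:
            parts.append(o.value.to_bytes(8, "little") + o.address.encode())
        return b"".join(parts)

    def sighash(self) -> str:
        # What the signer commits to: outpoints and outputs with scriptSigs blanked
        # (a simplified SIGHASH_ALL).
        return sha256d(self.serialize(with_sigs=False)).hex()

    def txid(self) -> str:
        # Pre-segwit style txid: hash of the full serialization, scriptSig included.
        return sha256d(self.serialize(with_sigs=True)).hex()


def malleate(tx: Tx) -> Tx:
    """Stand-in for a third-party mutation that keeps the signature valid (e.g. a
    re-encoded signature or an extra no-op push): sighash unchanged, txid changed."""
    return Tx([TxIn(i.prev_txid, i.index, b"\x00" + i.script_sig) for i in tx.inputs],
              list(tx.outputs))


class Ledger:
    """Minimal UTXO set: a confirmed tx consumes each of its outpoints exactly once."""

    def __init__(self, utxos):
        self.utxos = dict(utxos)   # (txid, index) -> TxOut
        self.confirmed = {}        # txid -> Tx

    def confirm(self, tx: Tx) -> bool:
        outpoints = [(i.prev_txid, i.index) for i in tx.inputs]
        if any(op not in self.utxos for op in outpoints):
            return False           # conflicts with an earlier confirmed spend
        for op in outpoints:
            del self.utxos[op]
        for n, o in enumerate(tx.outputs):
            self.utxos[(tx.txid(), n)] = o
        self.confirmed[tx.txid()] = tx
        return True

    def paid_to(self, address: str) -> int:
        return sum(o.value for tx in self.confirmed.values()
                   for o in tx.outputs if o.address == address)


BTC = 100_000_000


def run_scenario(reissue_with_same_inputs: bool) -> int:
    """Return how much the customer ends up receiving, in satoshis."""
    funding = "11" * 32   # constructed funding txid; hot wallet holds two 1 BTC outputs
    ledger = Ledger({(funding, 0): TxOut(BTC, "exchange"),
                     (funding, 1): TxOut(BTC, "exchange")})

    payout = Tx([TxIn(funding, 0, b"sig-withdrawal-1")], [TxOut(BTC, "customer")])
    mutated = malleate(payout)
    assert mutated.sighash() == payout.sighash()   # still verifies...
    assert mutated.txid() != payout.txid()         # ...under a different txid
    assert ledger.confirm(mutated)                 # the mutated copy wins the race

    # The exchange polls for the txid it knows, does not find it, and reissues.
    if payout.txid() not in ledger.confirmed:
        if reissue_with_same_inputs:
            replacement = Tx(list(payout.inputs), list(payout.outputs))
        else:
            # naive reissue: the wallet selects a fresh unspent input
            replacement = Tx([TxIn(funding, 1, b"sig-withdrawal-2")],
                             [TxOut(BTC, "customer")])
        ledger.confirm(replacement)   # rejected if it conflicts, accepted otherwise
    return ledger.paid_to("customer")
```

`run_scenario(True)` returns 1 BTC: the same-input replacement is rejected as a conflicting spend, so the customer is paid once whichever txid confirmed. `run_scenario(False)` returns 2 BTC, which is the loss pattern the thread is arguing about; the real fix is the same as in the model, spend the original outpoints again, so the chain itself enforces that at most one payout survives.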
> But elliptic curve crypto is not one of these topics. If the code can generate a handful of Bitcoin account numbers and corresponding keys correctly, there is hardly any reason why it cannot do so for all account numbers and corresponding keys.
Not totally true, not every input can yield a valid private key. The very upper ranges of the private key space are limited, as only integers 0x0 through 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364140 are valid private keys for Bitcoin.
You'd have to be stupid unlucky to randomly generate an invalid private key, but it can possibly happen.
> If one must pick a cryptocurrency, the lowly dogecoin, of all things, is doing everything right.
Yeah, an ancient fork of Litecoin with a meme name is going to save us. Has absolutely no relevancy to the issue at hand of course.
It's funny how you took that last line completely out of context; the author was clearly tongue-in-cheek with that statement. Here is what comes immediately after that sentence:
> The community does not take itself seriously. Most importantly, no one pretends that Doge is an investment vehicle, a slayer of Wall Street, or the next Segway. No one would be stupid enough to store their life savings in Dogecoins.
Eh, I hear that a lot but it's fairly far from the reality. It's a two-faced presentation from that community: when the price of dogecoin goes up they get behind "doge to the moon", if the price goes down it's "all for fun". To pay for the amount of mining that is going on in altcoins, people must be treating it as an investment vehicle, otherwise miners wouldn't be pulling upwards of 400BTC[0] a day out of the wretched things.
[0]: Based on Middlecoin.com's performance a few weeks ago, before their hashrate dropped, they were pulling a clean 400BTC from dogecoin and friends (and this is only one single pool!). For them to be pulling 400BTC a day there must be considerably more volume going into the altcoin markets beforehand. No doubt "investors" getting in on the "next big coin" and losing out.
> when the price of dogecoin goes up they get behind "doge to the moon"
I don't see how this is incompatible with it being "all for fun." People cheer for sports teams they've bet on, and that's "all for fun." They're not investing in it in a way you'd invest in stocks and bonds; they're just gambling in the same way you'd do at a casino.
Bitcoin is an experiment, it's not meant to be a new investment product. It should be very clear to anyone involved that this is a volatile atmosphere and anything can happen. After all, it's really just a bunch of geeks with a website. There is no liability here.
That said, I do think the author was a bit naive about the Dogecoin reference. Weren't they implicated in some kind of fraud as well? Seems as though that is the primary reason why no one would store their life savings in Dogecoin.
>>No one would be stupid enough to store their life savings in Dogecoins.
Author must have missed that Reddit thread on Gox horror stories. There were some really awful decisions people made with their savings. I bet someone is going to make a similar mistake with Doge. We already have folks like this: https://news.ycombinator.com/item?id=7166318
Just keep on reading that whole post. At first you'll feel sorry for them, but quickly that sorrow will turn into anger. "Why the @!#&^%$ did you do that?!" is what you'll be repeating in your mind over and over. But none of them beat this one by a Reddit admin from awhile back:
Bitcoin, and all the services around it, are gambles. Never gamble with money you can't afford to lose. Reddit should have a huge red glowing banner at the top of /r/bitcoin reminding their users of that at least weekly.
<<The community has designated a Nobel leaurate as its nemesis, solely because he asked some inevitable questions every thinking person in his profession ought to ask>>
If I'm not mistaken the Nobel leaurate [sic] in question wrote an article entitled "Bitcoin is evil." That seems to be slightly more than asking questions.
Some non-Japanese speakers are giving him credit for apologizing in Japanese, and Japanese media is also giving him leeway -- only because he's a foreigner. But his Japanese is really pitiful, and the apology is a farce.
The point of this kind of apology is to tell people you are sorry and you have caused trouble to other people, and you are repenting for this trouble. There is no such feeling in this act of Karpeles.
Moushi-wake-arimasen is a phrase used to mean "there is no excuse [for what I have committed]". He was unable to finish it, and halfway through he goes, nan-dakke? Meaning "what was it?". If Mark were really trying to do it Japanese style, he would not have messed up like this. Some people say he is under stress. I don't think that gives a free pass for such a shameful performance.
It's like a foreigner going to US court and thinking, I should act American, so starts by saying "Yo dude, my bad."
That's probably because of your upbringing and your surroundings. When English is your native language, and all the input you get (books, tv, music, internet) is in English, there's little incentive to learn more languages.
For a majority of the people on this planet, this isn't the case.
It's extremely circumstance based. I have countless relatives that are tri- or quadri-lingual (or more), merely because they have different cultures in their background and/or were forced to immigrate. Those that are uni- or bilingual simply were lucky enough (or stuck enough) that they didn't move much. And I don't think there's any particular astonishing knack for languages needed to explain this.
Additionally, if you're exposed to a new language early in life, it becomes much easier to learn new languages in the future. And being immersed in it forces you to learn, as your survival depends on it.
So, incredibly impressive? Nah. Mind you, if someone is legitimately a fast language learner, given that I am not at all, it does impress me, especially if they truly master it and can think in that language.
It isn't. I'm Dutch, and had to learn Dutch (obviously), English, French and German. And so did all the other people I know. People who attended gymnasium also had to learn ancient Greek and Latin.
I can't speak for his French (or English) proficiency, but I wouldn't go so far as to say that he "speaks Japanese."
He may know enough Japanese to get along in daily life -- many people I know who have lived here for a number of years develop some level of listening proficiency regardless of whether they can speak it -- but the Japanese he uses in the video does not convince me that he can "speak Japanese" in either the normal usage of the phrase (proficiency in the language) or the cultural usage of the phrase (understanding register and when and how to say things).
This should be a perfect, well-rehearsed apology. There's really no excuse for the level of Japanese he demonstrates in there. At the least, he should have written something, had a native check it, and then practiced saying it. He should also have gotten a suit/shirt that fit properly.
I know this comes across as sounding very superficial and nitpicky, but image means a lot here, especially in business situations, and especially with these formal apologies.
I don't know about his motives or feelings, but when I watch that video, it comes across as very half-assed, as if he doesn't really care and someone is making him do it. It's very unprofessional and culturally deaf; I would not use it as evidence that "he's no dummy."
I suppose it's all relative, but it should be pretty easy to judge his code and how he operates a business--MtGox was by all measures poorly coded and that directly resulted in hundreds of thousands of people being damaged financially.
He may have a high IQ, but he is not fit to run a giant financial exchange. I'm not sure any single person is, this is why large financial organizations have tons of people with different areas of expertise (development, security, law, finance, risk, etc etc). He rode "internet freedom" all the way to being way over his head and took everyone else down with him.
He built an MVP and then kept going by iterating on the same codebase. This is literally the mentality HN tries to collectively push forward. If he had gotten the security/crypto right the tables would be turned and we'd be reading an article about how a guy bootstrapped the largest cryptocurrency exchange and how many people thought they could do it too and lost everybody's money collectively trying.
I'm beginning to think that the only constant in security/crypto is that people fuck it up.
That's one way to look at it, another is that it wasn't minimally viable at all because it did the worst thing that an exchange can possibly do--lost everyone's money.
Coding aside, I don't think anyone at HN tries to push the mentality that you should try a financial startup without any accountants or a compliance department.
Where do people get the idea that speaking multiple languages makes you intelligent? In a lot of third world countries almost everyone speaks 4 or 5 languages.
The normal French academic school curriculum mandates three languages: French, a secondary language studied in-depth, and a tertiary language. So school leavers should be fluent in one, competent in another, and have the basics of a third.
If people are expected to learn languages early, polyglots are the norm.
I think that there are only two real possibilities here: either Gox lost the money but doesn't know how they lost it, or they stole it. Theft is a much simpler hypothesis than many that are being proposed, but this doesn't really fit the pattern of the previous major thefts by wallets trusted by the community. The main difference is that we know who these people are. It doesn't seem likely they could ever really cash out without being observed. Even if they don't try to do that there are likely to be indictments and prosecutions that they will have to live through.
There were reports that they laid off a number of employees in late January before this all went down. Maybe one of those disgruntled employees took a copy of the cold storage private keys with them.
> The community has designated a Nobel leaurate as its nemesis, solely because he asked some inevitable questions every thinking person in his profession ought to ask.
I'm guessing it's Paul Krugman. He wrote a few posts questioning the value and viability of bitcoin, and was mocked for it on a number of bitcoin forums.
How about all the passport + proof of address data, required for registering with Mt.Gox. Where is it stored and has it been stolen / taken by third party? No one seems to ask any questions about this.
If the bitcoins were stolen, and the thieves later try to trade them, will that be obvious from the blockchain? Or can they successfully spend them without anyone realizing they are stolen?
In theory, yes. In practice, MtGox hasn't said what outputs were lost/stolen and there are ways to defeat blockchain analysis like depositing to BTC-E and withdrawing.
We are talking about a half a billion dollar heist here. That's a lot of money - probably in the top 10 of biggest robberies ever committed.
You wouldn't have to be a super hacker to pull it off. Some hidden cameras, USB key loggers and some microphones in the office could probably have gotten you a lot closer to that money.
And if you then could lure MtGox into emptying their hot wallet with the tx mal problem, then even better, but that was probably not even necessary.
If the CEO of MtGox, Mark Karpeles, is under a gag order and he is on IRC, couldn't people confirm this by asking him, while he is actively discussing some other topic on the channel, to publicly deny that he is under some sort of gag order? If he continues discussing other topics without denying the gag order, it is an easy way for him to passively communicate that he is under such an order without actually breaking the order.
I would think that insider theft is one of the least damaging outcomes for the Gox depositors.
Unfortunately I don't know that the Japanese government is going to have the technical expertise to properly identify the theft and track where the coins have moved. I can't imagine that the thieves have managed to squander all of the 750k BTC.
Of course this is wildly speculative but perhaps a simple answer is that someone internally at Mt Gox cleaned out the accounts and is blaming hackers and/or bugs. 100's of millions of dollars is easily enough of a temptation for someone to commit major fraud.
Btw, wouldn't it be easy to track down the mauled transactions and look who initiated them? After all, no one can use MtGox anonymously. Obviously, 'the hacker' could have used hacked accounts (this would have been noticed) or false identities.
I guess I don't see why the simplest explanation isn't that the US Feds seized the contents of the safe deposit boxes where their cold wallet was kept last year along with the $5m in bank deposits.
> There are many interesting points made and dealt with in this article but what's weird/wrong/suspicious about a CEO using IRC?
It contradicts the image of a corporate heavyweight, who by definition would want to avoid making informal remarks that might be misinterpreted by stockholders or the public. In some contexts, informal remarks by a corporate insider could be taken to suggest an intent to manipulate the public's perception of the company and therefore its market valuation.
> Did he say something specifically stupid there? Or is the very medium tainted?
Far too sarcastic for something that is almost entirely raw, unsupported speculation. Further, it is conflicted -- it disbelieves some statements by Gox, while fully believing others (e.g. "they were in cold storage").
The one element that seems believable is the questions about the malleability attack. I do not understand how Gox or any exchange or service wouldn't have an up-to-the-minute, blockchain-verified knowledge of exactly what their positions are. Maybe they only did such accounting weekly, or even monthly... but at some point over the supposed multi-year exploit they would have seen that account balances > address holdings.
This. The author likes to fill the space between his unexplored technical points with this tasteless, dismissive tone that makes me question the value of his argument even before I scroll down to look for an appropriately brief TL;DR. Unfortunately all I find is some strange reverence for the most irreverent cryptocurrency, Dogecoin. I'm sure the billions of unbanked and poor in need of affordable remittances would prefer a currency that takes neither itself nor its users seriously, and which lacks even the economic principles to deflect its alt-coin implausibility, over an increasingly established and appropriately ambitious alternative to the current financial system.
Author put a lot of thought and work in to telling a great story, but...
Would be better if it weren't built on speculation, and limited by the things the author clearly doesn't understand about crypto.
Articles like this hurt the cryptocurrency movement because the things they get wrong about what did or didn't happen are speculation that just fuels fires of mistrust for what could happen. And the things touted as solutions to it happening in the future aren't well researched, so they give false security and opportunity for things to happen again.
I appreciate the authors effort to drive up the price of Dogecoin, and prevent further fall of BTC prices, but that's all this is.
This argument is weak and your tone is dismissive. I think you're ascribing too much intent based on your own biases.
You can't just say 'someone doesn't understand' crypto and not explain why. It reeks of an appeal to an authority and is not conducive to discussion.
The Dogecoin mentioned at the end was a joke.
It's also disingenuous to accuse someone of trying to inflate the price (without evidence) and to say that someone is 'hurting the cryptocurrency movement'. You accuse someone of speculating and say that fuels mistrust, and yet you are oblivious to doing it yourself.
Enough other people pointed to flaws in the explanations that I didn't feel the need to beat a dead horse about those things.
The whole article was a joke. The stuff about Dogecoin seems less a joke than the rest of the article.
It is clear the author owns Bitcoins or Dogecoins or both. I can't prove this, but I'll bet 1 cryptocoin of my choosing on it.
I don't currently own any cryptocoins. I sold just shy of $950 after the first fall from $1000 to nearly $550. I bought 10 at $650-ish. It was a good deal. I did not make any comments about BTC while I held without disclosing my investment in the currency. (I have some journalistic ethics.)
I was personally tempted to buy BTC from Mt Gox when they were worth around 90 dollars but decided against it. Shortly thereafter, they were breached and now this.
When the currency stabilizes, I'll consider getting some.