
Experts Find Mt.Gox Only Lost 386 Bitcoins Due To Transaction Malleability - antonius
http://techcrunch.com/2014/03/27/experts-found-that-mt-gox-lost-a-mere-386-bitcoin-due-to-transaction-malleability/
======
olalonde
The title is not accurate. Mt.Gox could have lost _at most_ 386 BTC to
transaction malleability. From the report's conclusion: "As such, barely 386
bitcoins could have been stolen using malleability attacks from MtGox or from
other businesses."

In other words, the set of "successful" transaction malleability attacks
totalled a sum of 386 BTC among which some may or may not have been targeted
at Mt.Gox (impossible to know without knowing Mt.Gox addresses).

~~~
sillysaurus3
Interestingly, that would also mean Silk Road stole its users' coins. They
couldn't have lost 4,400 coins to malleability, which is what they blamed the
theft on.
[http://www.forbes.com/sites/andygreenberg/2014/02/13/silk-road-2-0-hacked-using-bitcoin-bug-all-its-funds-stolen/](http://www.forbes.com/sites/andygreenberg/2014/02/13/silk-road-2-0-hacked-using-bitcoin-bug-all-its-funds-stolen/)

~~~
sillysaurus3
Never mind, I'm mistaken. After reading the paper more carefully, it's saying
only 384 coins were involved in successful malleability attacks before Feb 7th
(when Mt. Gox stopped withdrawals). But between the 7th and the 13th (when Silk
Road announced they'd lost their coins), the number of coins involved in
malleability attacks increased to almost 300,000 BTC:
[http://i.imgur.com/H8YVLXO.png](http://i.imgur.com/H8YVLXO.png)

As such, it's entirely possible that SR lost 4,400 coins due to malleability.

------
broolstoryco
While very interesting, the scope of this study is limited by the fact that
their data collection only goes back to January 2013, so anything that
happened before that was not considered. I don't want to defend Gox, but it is
conceivable that they lost significant amounts of BTC prior to this via TM and
were just doing business with a deficit of BTC.

~~~
tlrobinson
Has anyone tried analyzing the actual blockchain for likely malleated
(malled?) transactions? Depending on which form of malleability was exploited
(see:
[https://gist.github.com/sipa/8907691](https://gist.github.com/sipa/8907691))
it should be fairly easy to separate "normal" transactions generated by
"normal" clients and intentionally malleated transactions.

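Added example, not part of the thread or of any poster's code: a sketch of the per-input check the comment above describes, flagging three widely documented malleability traits in a scriptSig (a push that is not minimally encoded, an ECDSA signature with s above half the curve order, and a non-push opcode). Function names and the sample scripts are constructed for illustration; a real scan would feed it the scriptSig of every input in every block.

```python
# secp256k1 group order: if (r, s) verifies, so does (r, N - s).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
MINIMAL_LIMIT = {0x4c: 0x4b, 0x4d: 0xff, 0x4e: 0xffff}  # PUSHDATA1/2/4 wasteful up to here

def elements(script):
    """Yield (opcode, data) per scriptSig element; data is None for a non-push op."""
    i = 0
    while i < len(script):
        op = script[i]
        i += 1
        n = op if op < 0x4c else 0          # 0x01..0x4b: push the next `op` bytes
        if 0x4c <= op <= 0x4e:              # OP_PUSHDATA1/2/4: 1/2/4-byte length
            width = 1 << (op - 0x4c)
            n = int.from_bytes(script[i:i + width], "little")
            i += width
        yield op, (None if op > 0x60 else script[i:i + n])   # > OP_16 is not a push
        i += n

def der_s(sig):
    """Return s from 'DER signature + sighash byte', or None if it does not parse."""
    if len(sig) < 9 or sig[0] != 0x30 or sig[2] != 0x02:
        return None
    at = 4 + sig[3]                         # offset of the s INTEGER, after r
    if at + 2 > len(sig) or sig[at] != 0x02:
        return None
    return int.from_bytes(sig[at + 2:at + 2 + sig[at + 1]], "big")

def malleability_flags(script):
    flags = set()
    for op, data in elements(script):
        s = der_s(data) if data else None
        if data is None:
            flags.add("non-push-op")
        elif len(data) <= MINIMAL_LIMIT.get(op, -1):
            flags.add("non-minimal-push")
        if s is not None and s > N // 2:    # the low-s twin N - s is the usual form
            flags.add("high-s")
    return sorted(flags)

# Constructed sample data: well-formed encodings, not real signatures or keys.
def sample_sig(s):
    ints = b"".join(b"\x02" + bytes([len(b)]) + b for b in
                    (b"\x11" * 32, s.to_bytes((s.bit_length() + 8) // 8, "big")))
    return b"\x30" + bytes([len(ints)]) + ints + b"\x01"   # trailing SIGHASH_ALL

def push(data): return bytes([len(data)]) + data   # direct push, up to 75 bytes
KEY, SIG = push(b"\x02" + b"\x22" * 32), sample_sig(0x1234)
NORMAL = push(SIG) + KEY
PUSHDATA2 = b"\x4d" + len(SIG).to_bytes(2, "little") + SIG + KEY   # same data, longer opcode
HIGH_S = push(sample_sig(N - 0x1234)) + KEY
```

`NORMAL` and `PUSHDATA2` carry identical signature and key bytes, so they authorize the same spend while serializing, and therefore hashing, differently.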
~~~
fsckin
The past tense is "malleableized".

~~~
pygy_
"Modified"?

~~~
Aqueous
Mauled.

------
devindotcom
How easy/difficult would it be to assemble and analyze the full set of
transactions going back to Mt. Gox's start, assuming we know what we're looking
for and can just sift through looking for those, as the researchers did?

------
RV86
It may be inconvenient to keep as much of your holdings in cold storage as
possible, but it's much more convenient than assuming the third party service
you're using is secure/not a bad actor.

------
TaylorAlexander
I don't know much about this, but is it possible that Mt Gox simply stole the
bitcoin themselves and blamed it on hackers? I imagine the coin is supposed to
be cryptographically protected, but I don't know where users stored their
keys. Bitcoin is so new that we all seem to have bought the malleability loss
claim, but it could have been a red herring. Disclaimer: That is all
speculation, I know nothing about this.

~~~
sillysaurus3
I don't know why people are saying that Mt. Gox may be under a gag order.
They're based in Japan, so an American gag order seems like it's not
applicable. And while the US did seize some millions of theirs from US banks,
their bitcoin cold storage wallets were probably based in Japan, not the US,
so there's no way the US could seize them. And even if they did seize them,
there's no evidence at all suggesting that they could compel Mt. Gox to remain
silent about it.

Mt. Gox absolutely could have stolen the bitcoin themselves. It's still one of
the more likely scenarios.

~~~
Aqueous
I don't think it's likely at all. It would have been discovered by now if that
were true. If you want to get away with stealing $400 million you certainly
don't do something that invites the maximum amount of scrutiny, as they did in
closing Mt. Gox in such a haphazard, clearly minute-to-minute manner. If their
aim was to steal $400 mil and get away with it they would have shut down the
Mt. Gox operation in a much more graceful, deliberate, and mysterious way.

Plus Karpeles does not strike me as a criminal mastermind. Maybe that's why
he's a mastermind?

------
cpncrunch
This seems to suggest that if someone did a thorough audit of MtGox's mess
they might be able to figure out where these bitcoins went.

~~~
sillysaurus3
Unfortunately, Mt. Gox's accounting appears to be nonexistent. For example,
they recently revealed that they found 200,000 of the missing bitcoin. I could
be wrong, but I don't think anyone analyzing the blockchain had a clue that
those particular 200,000 bitcoin were still under Mt. Gox control, let alone
traced where any other bitcoin went.

~~~
gnaritas
I think you're wrong, Reddit was tracking those coins and said Gox still
controlled them over a week before he announced he'd found them. However, I
think you're right about accounting being non-existent.

~~~
sillysaurus3
Really? Hmm, do you have any links I could look at? I thought they'd found
some other large quantity of coins, but not the ones that have remained
inactive since 2011 (the ones Mt. Gox said they recently found).

Thanks for the info!

~~~
gnaritas
I recall this
[http://www.reddit.com/r/Bitcoin/comments/210s3t/keep_digging...](http://www.reddit.com/r/Bitcoin/comments/210s3t/keep_digging_into_gox_we_may_have_prompted_the/)

~~~
sillysaurus3
Indeed, I remember similar threads. But the 200,000 BTC that Mt. Gox found has
remained inactive and unmoved since 2011. I can't find any Reddit thread that
discovered those inactive coins before Mt. Gox did.

------
Zarathust
While this doesn't explain MtGox losses, this is still around $200k at today's
worth, enough to interest a lot of criminals.

------
sciguy77
How can I get in on the class action lawsuit?

~~~
JonFish85
Even in a best-case scenario, you'll be lucky to get anything at all. Even
assuming there is a successful lawsuit, and after all of the assets have been
divided up, and after the lawyers have taken their fees, in 10 years maybe
you'll end up with $20. Maybe.

~~~
daniel-cussen
I doubt it. IANAL, but it must depend on how much money you lost.

~~~
gress
Have you ever been part of a class action?

~~~
daniel-cussen
I was invited to one last week, actually, but don't know if I'll get involved.

------
jgalt212
I know this sounds trollish, but why is the tech community so bullish on
Bitcoin when theft seems so rampant/easy?

------
userbinator
386 - not a round number but a pretty recognisable one nonetheless.

~~~
broolstoryco
It is a very rough estimate that mainly serves to give us an idea of the
magnitude of possible theft due to TM.

------
pistle
Experts? Conspiracy. Inside job... _sigh_ Popcorn. Bored. Ambivalent.
Schadenfreude. Apathy.

