
What Did Not Happen At Mt. Gox - hamdal
http://hackingdistributed.com/2014/03/01/what-did-not-happen-at-mtgox/
======
M4v3R
I think that his points against transaction malleability are invalid:

- technical one - Bitcoin clients have a 100 ms delay before they relay
messages. An attacker can compile a modified client that doesn't have these
limitations and successfully outrun the rest. It was shown once that an
attacker managed to successfully modify most of the Bitcoin transactions on the
network for some time in February.

- social one - IIRC Gox had an automatic system, which reissued Bitcoin
transfers if they failed. So you didn't need to phone them or convince them in
any way - Mt.Gox would send you a new transfer (and exhausting inputs has
nothing to do here since they had no reason to use raw transactions API which
lets you use specific inputs, and instead they probably just used the more
common sendto API) after it detected the old one failed (TXID not found on the
network).
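
An added example, not part of the comment above and not Mt. Gox code: a Python sketch of why "TXID not found" is an unsafe failure signal for a payout, and how matching on the spent outpoints catches a payout that confirmed under a different TXID. The `Tx` record, the status names and the sample transactions are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str        # hash of the whole transaction, signatures included
    inputs: tuple    # outpoints spent, as (previous txid, output index)
    outputs: tuple   # (address, amount in satoshi)


def txid_says_failed(sent: Tx, confirmed: list) -> bool:
    """The fragile check: a payout 'failed' if its TXID is in no block."""
    return all(tx.txid != sent.txid for tx in confirmed)


def payout_status(sent: Tx, confirmed: list) -> str:
    """Classify a broadcast payout by what happened to the coins it spends."""
    spent = set(sent.inputs)
    for tx in confirmed:
        if tx.txid == sent.txid:
            return "confirmed"
        if spent & set(tx.inputs):
            # Our outpoints are gone. Same inputs and same outputs means the
            # payment went through, only the signature bytes (and TXID) differ.
            if tx.inputs == sent.inputs and tx.outputs == sent.outputs:
                return "confirmed-under-different-txid"
            return "conflict"
    return "unconfirmed"


def reissue_plan(sent: Tx, confirmed: list) -> str:
    status = payout_status(sent, confirmed)
    if status in ("confirmed", "confirmed-under-different-txid"):
        return "do-not-reissue"
    if status == "conflict":
        return "manual-review"
    # Still pending: a replacement must spend at least one of the same
    # outpoints, so the old and new payout can never both confirm.
    return "reissue-spending-same-inputs"


# Constructed sample data (placeholder hashes, not real transactions).
COIN = ("f0" * 32, 0)
SENT = Tx("aa" * 32, (COIN,), (("customer-address", 500_000_000),))
MUTATED = Tx("bb" * 32, SENT.inputs, SENT.outputs)   # same payment, new TXID
UNRELATED = Tx("cc" * 32, (("0e" * 32, 1),), (("someone-else", 1_000),))
CHAIN = [UNRELATED, MUTATED]

if __name__ == "__main__":
    print("TXID-only check says failed:", txid_says_failed(SENT, CHAIN))
    print("Outpoint check says:", payout_status(SENT, CHAIN))
    print("Plan:", reissue_plan(SENT, CHAIN))
```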

~~~
emin-gun-sirer
Author here. I think there is some subtlety around the technical point that
may be getting lost.

Ittay Eyal and I were the ones who discovered an attack against Bitcoin called
selfish mining, where we showed how a miner could earn more than his fair
share. This attack did not require, but could benefit from, the attacker
racing against honest participants on the peer-to-peer network. Some members
of the Bitcoin community claimed that the attacker would reliably lose these
races because they start behind.

In the article, I point out that there is indeed a transaction race in this
case, that people have demonstrated an ability to outrun transactions, and
that this has ramifications for selfish mining. I do not claim that there is a
technical impossibility -- quite the contrary! The tricks used to make that
succeed are identical to what an aggressive selfish miner would use.

To be fair, malleability attacks require a modified client and some network
positioning, so there is nevertheless a technical obstacle. Not one that is
impossible to surmount, but one that requires some effort.

I did not know that Mt. Gox performed automatic reissues -- thank you for
bringing that up. Would you happen to have a pointer that establishes this?

On the whole, I do not believe that malleability accounts for Gox's collapse
at all. Even automatic reissues would put at most the hot wallet at risk.
Studies of malleable transactions do not show anywhere near the volume
required to account for Gox's collapse. And something I did not mention in the
post is that the timing of the observed malleable transactions doesn't match
the story from Mt. Gox at all. There is undoubtedly more to this story.

~~~
gojomo
It'd be most accurate to say you rigorously described a kind of mining-cartel
attack that had been discussed years earlier, but I know I won't convince you
of that, because you only count published academic papers, and the earlier
discussions of the same attack all happened in less-formal bitcoin forums.

Regarding MtGox scenarios:

Reliable evidence on what MtGox truly did is scarce, but people have widely
speculated that at times they auto-reissued payouts, and without the
protective measure of reusing the same inputs. It would be in character – see
other examples of their recklessness below.

So while I share your doubt that malleability could have resulted in
significant losses, there is a theory for that, which doesn't require
extensive social engineering/human-in-the-loop processes. And, if it had been
happening for years, only outsiders with a giant archive of long-ago
race-losing transactions (that never reached blocks) would be able to estimate
the magnitude of the losses. (I don't know any public source for such an
archive.)

Similarly, at times Karpeles mentioned that the cold storage was a
"paper-based RAID" in 3 parts, or some other scheme in 6 places. As the 'key man' in
an enterprise that suddenly found itself atop $100MM+ in easily-transferable
assets, his feared threats may have included kidnapping/extortion to force
disclosure of the keys. Thus his cold storage scheme may have involved putting
necessary key-shares totally outside his easy control, even via people and
safety-deposit boxes in other countries. Any "key-loss" scenario should
consider the chance law-enforcement-actions or other calamities, far from the
MtGox offices or Japanese accounts, have made essential parts of the
cold-storage keys unrecoverable, for now and perhaps permanently.

There's a forum thread from years ago where people mention 2600+ bitcoins
MtGox lost from their own bad-transaction-issuing code
([https://bitcointalk.org/index.php?topic=50206.0;all](https://bitcointalk.org/index.php?topic=50206.0;all)).
Karpeles wrote his own SSH server in PHP. Over the years MtGox suffered SQL
injection & cross-site scripting attacks. In the June 2011 'flash crash', the
entire user database with weakly-hashed passwords was lost (supposedly via an
auditor compromise), allowing outsiders to carry off some unknown number of
artificially-cheap bitcoin – but MtGox made customers 'whole' via a database
rollback. MtGox later that year made the customers of competing exchange
Bitomat whole, at a cost of 17,000 BTC or more, after that exchange lost its
keys.

So when speaking of MtGox, we're already in Alice-in-Wonderland territory,
with both custom (and often unwisely eccentric) implementation choices, and
overconfident grand gestures. It's hard to rule anything out, based on ideas
from elsewhere about plausible engineering or business practices.

~~~
tlrobinson
_" only outsiders with a giant archive of long-ago race-losing transactions
(that never reached blocks) would be able to estimate the magnitude of the
losses. (I don't know any public source for such an archive.)"_

Is that actually the case, or can most/all forms of malleability be detected
by looking at abnormal transactions that wouldn't have been generated by any
known client?

Looking at the known sources of malleability, most of them would never be done
intentionally:
[https://gist.github.com/sipa/8907691](https://gist.github.com/sipa/8907691)

Has anyone done a comprehensive analysis like this yet?

~~~
gojomo
I don't know of a comprehensive survey of all kinds of malleability evidenced
in the blockchain. It should be possible.

The issue with using it to estimate an upper bound on potential MtGox losses
is that since some portion of MtGox's historic transactions were
non-canonical, a third-party mutation could result in a 'normal' transaction
entering the blockchain... but MtGox still confused, perhaps to the point of
loss. Any survey would miss such transactions.

Maybe there's a private archive of never-confirmed transactions. Since it
seems MtGox at times provided a public feed of (some of?) its own intended
transactions, someone who'd been scraping/saving that for long enough _might_
have a useful estimator dataset.
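
An added illustration of the detection idea raised in this sub-thread (not code from any commenter or from the linked gist): a Python check for two signature-level sources of malleability, a non-strict DER encoding and a high S value. The sample signatures are constructed, and a scan like this only sees the form of a transaction that reached a block, which is the blind spot described above.

```python
# Order of the secp256k1 group. If (r, s) verifies, so does (r, N - s).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def is_strict_der(sig: bytes) -> bool:
    """Layout: 0x30 len 0x02 lenR R 0x02 lenS S sighash-byte."""
    if not 9 <= len(sig) <= 73 or sig[0] != 0x30 or sig[1] != len(sig) - 3:
        return False
    len_r = sig[3]
    if 5 + len_r >= len(sig):
        return False
    len_s = sig[5 + len_r]
    if len_r + len_s + 7 != len(sig):
        return False
    for start, length in ((4, len_r), (6 + len_r, len_s)):
        if sig[start - 2] != 0x02 or length == 0:
            return False
        if sig[start] & 0x80:  # high bit set: would decode as negative
            return False
        if length > 1 and sig[start] == 0 and not sig[start + 1] & 0x80:
            return False  # zero padding that is not needed
    return True


def signature_findings(sig: bytes) -> list:
    """Return the reasons a signature encoding is not the canonical one."""
    if not is_strict_der(sig):
        return ["non-strict-DER"]
    s = int.from_bytes(sig[6 + sig[3]:-1], "big")
    return ["high-S"] if s > N // 2 else []


def _der_int(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + bytes([len(raw)]) + raw


def encode_sig(r: int, s: int, sighash: int = 1) -> bytes:
    """Minimal DER encoder, used only to build the constructed samples."""
    body = _der_int(r) + _der_int(s)
    return b"\x30" + bytes([len(body)]) + body + bytes([sighash])


# Constructed samples: r and s are arbitrary numbers, not real signatures.
SAMPLES = {
    "canonical": encode_sig(0x1234, 0x5678),
    "high-s": encode_sig(0x1234, N - 0x5678),
    "padded-r": bytes.fromhex("30070202000102010101"),
}


def scan(samples: dict) -> dict:
    """Map sample name -> findings, keeping only the flagged ones."""
    return {k: f for k, sig in samples.items() if (f := signature_findings(sig))}


if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(name, findings)
```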

------
nwh
> _But elliptic curve crypto is not one of these topics. If the code can
> generate a handful of Bitcoin account numbers and corresponding keys
> correctly, there is hardly any reason why it cannot do so for all account
> numbers and corresponding keys._

Not totally true, not every input can yield a valid private key. The very
upper ranges of the private key space are limited, as only integers 0x0
through 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364140 are
valid private keys for Bitcoin.

You'd have to be stupid unlucky to randomly generate an invalid private key,
but it can possibly happen.

> _If one must pick a cryptocurrency, the lowly dogecoin, of all things, is
> doing everything right._

Yeah, an ancient fork of Litecoin with a meme name is going to save us. Has
absolutely no relevancy to the issue at hand of course.

~~~
efuquen
It's funny how you took that last line completely out of context, the author
was clearly tongue-in-cheek with that statement, here is what comes
_immediately_ after that sentence:

> _The community does not take itself seriously. Most importantly, no one
> pretends that Doge is an investment vehicle, a slayer of Wall Street, or the
> next Segway. No one would be stupid enough to store their life savings in
> Dogecoins._

~~~
nwh
Eh, I hear that a lot but it's fairly far from the reality. It's a two faced
presentation from that community, when the price of dogecoin goes up they get
behind "doge to the moon", if the price goes down it's "all for fun". To pay
for the amount of mining that is going on in altcoins, people _must_ be
treating it as an investment vehicle, otherwise miners wouldn't be pulling
upwards of 400BTC[0] a day out of the wretched things.

[0]: Based on Middlecoin.com's performance a few weeks ago, before their
hashrate dropped, they were pulling a clean 400BTC from dogecoin and friends
(and this is only one single pool!). For them to be pulling 400BTC a day there
must be considerably more volume going _into_ the altcoin markets beforehand.
No doubt "investors" getting in on the "next big coin" and losing out.

~~~
derefr
> when the price of dogecoin goes up they get behind "doge to the moon"

I don't see how this is incompatible with it being "all for fun." People cheer
for sports teams they've bet on, and that's "all for fun." They're not
investing in it in a way you'd invest in stocks and bonds; they're just
gambling in the same way you'd do at a casino.

------
jordigh
Haha, full of Magic: The Gathering cards. That's the kind of humour that I
appreciate in a MtGox article.

~~~
doorhammer
It took me way too long before I stopped reading, looked at a card, and had a
lightbulb moment.

------
Jd
<<The community has designated a Nobel leaurate as its nemesis, solely because
he asked some inevitable questions every thinking person in his profession
ought to ask>>

If I'm not mistaken the Nobel leaurate [sic] in question wrote an article
entitled "Bitcoin is evil." That seems to be slightly more than asking
questions.

~~~
Cless
As he explained, it was a joke.

[http://krugman.blogs.nytimes.com/2013/12/29/the-humor-test/](http://krugman.blogs.nytimes.com/2013/12/29/the-humor-test/)

------
ck2
By the way, have you seen Mark Karpeles' public apology in Tokyo?

(20 seconds in)
[http://www.youtube.com/watch?v=15IZtzWOzRU](http://www.youtube.com/watch?v=15IZtzWOzRU)

So he is French, educated in Paris and living in Japan since 2009?

Speaks French, English and Japanese. Sounds interesting, he's no dummy.

~~~
afterburner
Born in France, so he speaks French.

Involved with the internet, so he speaks English.

Lives in Japan, so he speaks Japanese.

This is not impressive.

~~~
jmduke
Speaking as someone who is anti-Karpeles and unilingual: I think speaking
three languages, regardless of context, is incredibly impressive.

~~~
nkuttler
That's probably because of your upbringing and your surroundings. When English
is your native language, and all the input you get (books, tv, music,
internet) is in English, there's little incentive to learn more languages.

For a majority of the people on this planet, this isn't the case.

------
jeremyjh
I think that there are only two real possibilities here: either Gox lost the
money but doesn't know how they lost it, or they stole it. Theft is a _much
simpler_ hypothesis than many that are being proposed, but this doesn't really
fit the pattern of the previous major thefts by wallets trusted by the
community. The main difference is that we know who these people are. It
doesn't seem likely they could ever really cash-out without being observed.
Even if they don't try to do that there are likely to be indictments and
prosecutions that they will have to live through.

~~~
pmorici
There were reports that they laid off a number of employees in late January
before this all went down. Maybe one of those disgruntled employees took a
copy of the cold storage private keys with them.

[http://www.reddit.com/r/Bitcoin/comments/1wc2mg/things_just_...](http://www.reddit.com/r/Bitcoin/comments/1wc2mg/things_just_got_real_at_mtgox/)

------
ama729
> The community has designated a Nobel leaurate as its nemesis, solely because
> he asked some inevitable questions every thinking person in his profession
> ought to ask.

Does someone know who he's referring to?

Edit: Thanks!

~~~
blatherard
Paul Krugman, who won the 2008 Nobel Prize in Economics, has been very
critical of Bitcoin. See, e.g.
[http://krugman.blogs.nytimes.com/2013/12/28/bitcoin-is-evil/](http://krugman.blogs.nytimes.com/2013/12/28/bitcoin-is-evil/)

------
egor598
How about all the passport + proof of address data, required for registering
with Mt.Gox. Where is it stored and has it been stolen / taken by third party?
No one seems to ask any questions about this.

------
jeffdavis
Question:

If the bitcoins were stolen, and the thieves later try to trade them, will
that be obvious from the blockchain? Or can they successfully spend them
without anyone realizing they are stolen?

~~~
wmf
In theory, yes. In practice, MtGox hasn't said what outputs were lost/stolen
and there are ways to defeat blockchain analysis like depositing to BTC-E and
withdrawing.

------
iancarroll
FYI, you can't put <em> tags in your title, although I assume your CMS did
that.

------
mads
We are talking about a half a billion dollar heist here. That's a lot of money
- probably in the top 10 of biggest robberies ever committed.

You wouldn't have to be a super hacker to pull it off. Some hidden cameras, USB
key loggers and some microphones in the office could probably have gotten you
a lot closer to that money.

And if you then could lure MtGox into emptying their hot wallet with the tx
mal problem, then even better, but that was probably not even necessary.

~~~
DrStalker
Third biggest robbery ever if this list is accurate:
[http://listverse.com/2009/12/01/10-largest-robberies-in-hist...](http://listverse.com/2009/12/01/10-largest-robberies-in-history/)

~~~
gnerd
I'm not sure it would count as a robbery as usually in English jurisdictions
the term robbery implies force (through violence or threat of violence).

------
vesinisa
If the CEO of MtGox Mark Karpeles is under gag order and he is on IRC,
couldn't people confirm this by asking him while he is actively discussing
some other topic on the channel, to publicly deny that he is under some sort
of gag order. If he continues discussing other topics, without denying the gag
order, it is an easy way for him to passively communicate that he is under
such order without actually breaking the order.

------
rdmcfee
I would think that insider theft is one of the least damaging outcomes for the
Gox depositors.

Unfortunately I don't know that the Japanese government is going to have the
technical expertise to properly identify the theft and track where the coins
have moved. I can't imagine that the thieves have managed to squander all of
the 750k BTC.

------
SeanDav
Of course this is wildly speculative but perhaps a simple answer is that
someone internally at Mt Gox cleaned out the accounts and is blaming hackers
and/or bugs. 100's of millions of dollars is easily enough of a temptation for
someone to commit major fraud.

------
Geee
Btw, wouldn't it be easy to track down the mauled transactions and look who
initiated them? After all, no one can use MtGox anonymously. Obviously, 'the
hacker' could have used hacked accounts (this would have been noticed) or
false identities.

------
marshray
I guess I don't see why the simplest explanation isn't that the US Feds seized
the contents of the safe deposit boxes where their cold wallet was kept last
year along with the $5m in bank deposits.

~~~
wmf
Then why isn't anyone saying that? Why could they admit $5M was seized but not
admit that BTC was also taken at the same time?

~~~
marshray
A gag order?

Could explain a lot of their behavior, actually.

------
spindritf
There are many interesting points made and dealt with in this article but
what's weird/wrong/suspicious about a CEO using IRC?

Did he say something specifically stupid there? Or is the very medium tainted?

~~~
lutusp
> There are many interesting points made and dealt with in this article but
> what's weird/wrong/suspicious about a CEO using IRC?

It contradicts the image of a corporate heavyweight, who by definition would
want to avoid making informal remarks that might be misinterpreted by
stockholders or the public. In some contexts, informal remarks by a corporate
insider could be taken to suggest an intent to manipulate the public's
perception of the company and therefore its market valuation.

> Did he say something specifically stupid there? Or is the very medium
> tainted?

Answers: Not necessarily, and yes, definitely.

------
ck2
Just noticed this new website www.goxbux.com trying to form some kind of group
action.

------
richardknop
I love the Magic: The Gathering cards in the article. Well done, indeed.

------
corresation
Far too sarcastic for something that is almost entirely raw, unsupported
speculation. Further, it is conflicted -- it disbelieves some statements by
Gox, while fully believing others (e.g. "they were in cold storage").

The one element that seems believable are questions about the malleability
attack. I do not understand how Gox or any exchange or service wouldn't have
an up to the minute, blockchain verified knowledge of exactly what their
positions are. _Maybe_ they only did such accounting weekly, or even
monthly...but at some point over the supposed multi-year exploit they would
have seen that account balances > address holdings.

~~~
agorabinary
This. The author likes to fill the space between his unexplored technical
points with this tasteless, dismissive tone that makes me question the value
of his argument even before I scroll down to look for an appropriately brief
TL;DR. Unfortunately all I find is some strange reverence for the most
irreverent cryptocurrency, Dogecoin. I'm sure the billions of unbanked and
poor in need of affordable remittances would prefer a currency that takes
neither itself nor its users seriously, and which lacks even the economic
principles to deflect its alt-coin implausibility, over an increasingly
established and appropriately ambitious alternative to the current financial
system.

------
drakaal
Author put a lot of thought and work into telling a great story, but...

Would be better if it weren't built on speculation, and limited by the things
the author clearly doesn't understand about crypto.

Articles like this hurt the Crypto Currency movement because the things they
get wrong about what did or didn't happen are speculation that just fuels
fires of mistrust for what could happen. And the things touted as solutions to
it happening in the future aren't well researched so they give false security
and opportunity for things to happen again.

I appreciate the author's effort to drive up the price of Dogecoin, and prevent
further fall of BTC prices, but that's all this is.

~~~
axanoeychron
This argument is weak and your tone is dismissive. I think you're ascribing
too much intent based on your own biases.

You can't just say 'someone doesn't understand' crypto and not explain why. It
reeks of an appeal to an authority and is not conducive to discussion.

The Dogecoin mentioned at the end was a joke.

It's also disingenuous to accuse someone of trying to inflate the price
(without evidence) and to say that someone is 'hurting the cryptocurrency
movement'. You accuse someone of speculating and that fuels mistrust and
yet oblivious to yourself doing it.

~~~
drakaal
Enough other people pointed to flaws in the explanations that I didn't feel
the need to beat a dead horse about those things.

The whole article was a joke. The stuff about Dogecoin seems less a joke than
the rest of the article.

It is clear the author owns Bitcoins or Dogecoins or both. I can't prove this,
but I'll bet 1 cryptocoin of my choosing on it.

I don't currently own any Cryptocoins. I sold just shy of $950 after the first
fall from $1000 to nearly $550. I bought 10 at $650-ish. It was a good deal, I
did not make any comments about BTC while I held without disclosing my
investment in the currency. (I have some journalistic ethics)

~~~
axanoeychron
I was personally tempted to buy BTC from Mt Gox when they were worth around 90
dollars but decided against it. Shortly thereafter, they were breached and now
this.

When the currency stabilizes, I'll consider getting some.

------
ryanobjc
The article is ok, and unsurprisingly did well on hn, but it's still the easy
first level technical analysis. I learned nothing here.

I'd love to see a deeper analysis, but it probably can't come from a computer
scientist.

