Hacker News new | past | comments | ask | show | jobs | submit login

What are the issues?

If you haven't been following along, the brief version:

Mt. Gox is a Tokyo-based company which, most famously, took deposits in dollars, yen, and a few other currencies and also Bitcoin, and allowed people to trade Bitcoin for dollars/etc and vice versa. They charged traders a commission, and so earned a percentage of transaction volume. Transaction volume was massive -- Mt. Gox was the leading exchange for over a year.

They had a rough year in 2013, partly because their US subsidiary was closed by the US for being a money laundering operation and because, in their haste to exit the US regulatory environment, they attempted to engage a US company to serve the US/Canadians markets. This went poorly, as their counterparty was transparently also going to get shut down for money laundering. Between the feds and the counterparty, Mt. Gox had several million dollars of customers' funds frozen.

Some time after funds were seized, Mt. Gox started delaying outbound wire transfers. They variously blamed technical issues, issues with partner banks (including "The second largest bank in Japan can't process more than 10 wire transfers per day"), regulatory issues, etc etc. They didn't seem to have much problem with inbound transfers. They also didn't seem to have problems with domestic Japanese transfers until about December/January, which they blamed on the end-of-the-year holiday.

Waits for withdraws stretched from weeks to months to unbounded. During this time, they routinely transferred out Bitcoins in minutes. As a consequence, people wanting to exit Mt. Gox would buy BTC on the exchange and withdraw it. This caused the price of BTC at Gox to exceed that of other exchanges in a sustained fashion, since at least August.

Some weeks ago, Mt. Gox started delaying BTC withdraws as well. Their excuse for this was that their bookkeeping systems did not handle an edge case in the Bitcoin "protocol", where a) the One True Bitcoin Client searches for transactions by ID, b) the One True Bitcoin Client identifies a transaction by ID immediately upon creation, c) despite the above two facts, an emergent "feature" of the protocol is that that ID can change for up to about an hour after creation of the transaction.

People freaked out, because Mt. Gox now allowed neither real money nor Internet money to leave their company.

In the last 48 hours, it has been credibly alleged that Mt. Gox has suffered a theft to the tune of 700k BTC (worth somewhere north of $300 million) and that they are insolvent -- they owe debts to their customers far in excess of the Bitcoin and hard currency they have on hand.

People are quite concerned. Mt. Gox's crisis communications have been wildly below the level of professionalism one would hope to see from a company with several hundred million dollars of financial assets.

This is getting wide play in the media both internationally and in Japan, and it is possible that Mt. Gox has finally woken Leviathan, who may now take adverse notice to the fact that no-account foreigners are in his capitol making him look stupid and potentially ruining the livelihoods of some of his citizens.

Mt. Gox customers currently are unaware when (if ever) and to what degree their claims against Mt. Gox will be satisfied. People interested in Bitcoin are worried that this will tarnish the system's reputation and/or lead to additional adversarial interest from government and other parties.

[In evaluating whether I've been accurate with the above description, you might consider it useful to note that I'm a Japan-based entrepreneur with a fair bit of understanding about Bitcoin technically and systemically, and that I'm an open and notorious critic of it.]

I believed in Mark (the owner of MtGox) and his team, defending them vigorously, and got screwed as a consequence.

The support staff was on IRC every day saying "Yes, we have customers' funds. No, we aren't insolvent. Everything is fine, everything will be fine." They answered every question in a level-headed fashion.

They were either being paid to lie, or being fed lies, or somehow MtGox didn't become aware of the fact that they were missing >700,000btc until a day or two before they shut off their website.

So I was pretty gullible. And I just want to thank Patrick (patio11) for being a constant throughout this whole ordeal: constantly skeptical, and with good reason.

there is a lot of knowledge to be gained from being as humble in 'defeat' as you are right now.

It's an admirable trait that I myself often times lack, even when my defeat is obvious and ensured.

Thanks for being a good person, at least in that respect.

Clearest, most concise and level-headed summary of the whole ordeal. This comment is what I'll be linking to people who ask me to explain what's happened.

I will point out that MtGox did not use bitcoind (the official Bitcoin client), instead writing their own. However, even that would not have allowed attackers to withdraw more than they should.

What can happen is that the Bitcoin network fails to confirm a transaction. This can happen for various reasons, but a fairly obscure one is that someone on the network can mangle the transaction, changing its transaction ID without changing its signature. The transaction will actually go through, but with a different ID. The way to get around this is to keep track of what money you're spending and to whom, just like a normal ledger.

Because transactions aren't necessarily guaranteed (they're just very likely to happen, if accompanied by a fee), MtGox implemented logic to allow them to mark a transaction as not having taken place in their internal record-keeping, and generate a whole new transaction, with the money coming from a different source. This may have been an automatic process.

The thing is, if someone had mangled the transaction, MtGox would not have picked it up as having happened - because rather than keeping track of what money they'd spent and to whom, they kept track of transaction IDs - and sent more money to the attackers. This may have happened multiple times.

What they should have done is simply re-sent the exact same transaction (same money, same recipient) if it didn't go through. If it doesn't go through after several retries, that's a technical issue that should be forwarded to a developer who can look at the blockchain and see whether the money was actually spent.

This is, therefore, a cascading disaster, but a very preventable one. It started with MtGox's developers not understanding the bitcoin protocol correctly, but that in itself wouldn't have been a problem. It's what they did in a failure scenario that was the problem; if a transaction didn't go through, they simply attempted to spend different money (think a completely automated "I can't seem to spend out of one bank account, so I'll spend out of my other bank account"), and they didn't throw an error back to a human. This should never be done in financial software.

The long and the short of it is, don't trust developers who've never touched financial systems to develop closed source financial software.

This can happen for various reasons, but a fairly obscure one is that someone on the network can mangle the transaction

If it's a way to swindle people out of thousands, or hundreds of thousands, of dollars, then people are going to drive truckloads of money out that hole. it goes from "an obscure case" to "holy hell people are just stealing all our money".

Yeah, thing is, as I explained towards the bottom of the post, it was this in combination with their failure mode that caused people to be able to steal all their money.

If they had a sane failure mode, this would never have been a problem, even if they completely fucked up their understanding of the Bitcoin protocol in incomprehensible ways, or if there was a bug in the Bitcoin protocol that nobody was aware of.

> "People are quite concerned. Mt. Gox's crisis communications have been wildly below the level of professionalism one would hope to see from a company with several hundred million dollars of financial assets."

That's kinda why banks are regulated surely.

If bitcoin fails because of this incident, won't that be the free market deciding that unregulated financial institutions aren't acceptable?

Great explanation. Probably wasn't a great idea to trust a company that started as a trading card exchange (Magic The Gathering Online eXchange - Mt. Gox) with such large amounts of money.

mtgox.com was just a domain name the original owner had lying around after _possibly_ using it to host a card exchange at some point in time. https://en.wikipedia.org/wiki/Talk:Mt.Gox#Possible_citogenes...

Comments like these are why I tend to read the HN comments before (or in lieu of) the posted articles. Thanks for such an excellent synopsis.

Now picturing a kaiju-style Regulatory-Leviathon-mecha daintily picking its way through Tokyo and raising a foot over the Mt. Gox offices...

Excellent summary!

If Godzilla is angry, that is an ominous sign.

Bad case of stealingeverithingus ... usual treatment is long prison term unless you are a wall street dear.

stealing / losing ... exactly which is a little unclear at this point. Honestly, probably a little (a lot?) of both.

Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact