MtGox is a sinking ship

Earlier today MtGox put out a press release about its decision to halt all withdrawals. Friendly SA Forums goon Begby breaks it down for us here:

Basically when you send bitcoins to someone, there are several inputs in the transaction. Like the destination address, the amount, etc. Based on those inputs you get a transaction ID which is a hash of those inputs. If you want to see if something was confirmed on the blockchain, you can look up that transaction ID.

However, there is an attack you can do. You can actually change the order of the inputs and have the transaction still go through and end up with a different transaction ID.

Here is how the attack works:

1. Hey, MT Gox, I want to withdraw 4 butts to this address.

2. Mt Gox sends you those 4 butts and gets a transaction ID, broadcasts the transaction to get confirmed (basically yells to the internet, hey you stupid miners confirm this).

3. You, the totally awesome hacker, also broadcast the transaction with the inputs in a different order and yell to the internet louder. This results in a different transaction ID if it gets confirmed first.

4. If you yell loud enough, the blockchain confirms your set of inputs. So the transaction went through, but not under the transaction ID that Mt. Gox was expecting.

5. Call up Mt Gox and complain that you didn’t get your butts.

6. Mt. Gox looks in their DB for the transaction ID they have on record, tries to look it up in the blockchain and can’t find it so they think it wasn’t confirmed. They then send you the butts again.

This is a well known issue with the bitcoin protocol and other exchanges work around this by looking up the inputs in the blockchain instead of relying on the transaction ID, and only using the transaction ID after the transaction has been reliably confirmed. Mt. Gox is saying that this is a problem with bitcoin to cover their ass. I am not sure if it’s even a bug. It’s more of “don’t assume a transaction ID is legit until the transaction has actually been confirmed”.

So basically Mt. Gox has been getting ass raped by this known exploit for who knows how long, and has resent god knows how many butts. So their internal ledger is completely and totally fucked and they are going to have to go through every transaction they have ever done, look it up in the blockchain by inputs instead of transaction ID, and try to pick up the pieces. This is like finding out that you have accidentally been writing two checks for all your bills and then only realize this when your account goes negative.

TL;DR: Mt. Gox got robbed using a well known exploit with an easy workaround that is so well known it’s not even a top ten issue for the devs. When successful this exploit will cause Gox to double send butts to someone on a withdrawal. Who knows how much they double sent, they probably don’t even know.

Edit: Bonus, one of the devs said he had warned Mt. Gox of this several times over the past few years.
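To make the workaround in Begby's post concrete, here is an added example (mine, not from the post, Mt. Gox or any exchange) that simulates a withdrawal ledger reconciled two ways: the naive way, by the transaction ID stored at broadcast time, and the hardened way, by the inputs spent and outputs created, adopting a transaction ID only once the network has confirmed it. It uses a constructed toy serialization (JSON double-SHA-256), not Bitcoin's wire format, and the confirmed variant follows the post's "inputs in a different order" description; the function and field names are my own.

```python
import hashlib
import json

# Toy model (constructed for this example, not Bitcoin's real serialization):
# a transaction is a dict of inputs (outpoints being spent) and outputs
# (address, amount). The txid is a hash of the serialization, which is the
# property that matters: a second serialization of the same spend that the
# network still accepts yields a different txid.

def txid(tx):
    """Double SHA-256 of the compact JSON serialization."""
    data = json.dumps(tx, separators=(",", ":")).encode()
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()

def spend_key(tx):
    """Identity that survives a changed serialization: the set of outpoints
    consumed and the set of outputs created. Two accepted encodings of one
    spend share this key even though their txids differ."""
    ins = frozenset((i["txid"], i["vout"]) for i in tx["inputs"])
    outs = frozenset((o["address"], o["amount"]) for o in tx["outputs"])
    return (ins, outs)

def confirmed(chain, min_depth=6):
    """Chain entries with at least min_depth confirmations."""
    return [e for e in chain if e["confirmations"] >= min_depth]

def needs_resend_by_txid(record, chain):
    """Naive policy the post attributes to Mt. Gox: look up the txid the
    exchange recorded when it broadcast. A confirmed variant with another
    txid looks like 'not confirmed', so the withdrawal gets sent again."""
    return not any(e["txid"] == record["txid"] for e in confirmed(chain))

def confirmed_txid_for(record, chain):
    """Hardened policy: match the confirmed spend by its inputs and outputs.
    Returns the txid the network actually confirmed, or None if the spend
    is genuinely absent. Only this confirmed txid is worth storing."""
    want = spend_key(record["tx"])
    for e in confirmed(chain):
        if spend_key(e["tx"]) == want:
            return e["txid"]
    return None

def needs_resend_by_inputs(record, chain):
    return confirmed_txid_for(record, chain) is None

# --- constructed sample data ---
WITHDRAWAL = {
    "inputs": [{"txid": "aa" * 32, "vout": 0}, {"txid": "bb" * 32, "vout": 1}],
    "outputs": [{"address": "customer_addr", "amount": 4},
                {"address": "change_addr", "amount": 1}],
}
# What the exchange's ledger holds: the tx it built and the txid it computed.
RECORD = {"withdrawal_id": 1, "tx": WITHDRAWAL, "txid": txid(WITHDRAWAL)}

# The variant that ended up confirmed: same spend, different serialization
# (input order swapped, per the post's description).
VARIANT = {"inputs": list(reversed(WITHDRAWAL["inputs"])),
           "outputs": WITHDRAWAL["outputs"]}
CHAIN = [{"txid": txid(VARIANT), "tx": VARIANT, "confirmations": 12}]

if __name__ == "__main__":
    print("ledger txid:   ", RECORD["txid"])
    print("confirmed txid:", CHAIN[0]["txid"])
    print("resend (by txid)?  ", needs_resend_by_txid(RECORD, CHAIN))
    print("resend (by inputs)?", needs_resend_by_inputs(RECORD, CHAIN))
```

Run as a script it prints two different txids for the same spend, `True` for the naive policy and `False` for the hardened one. The reconciliation the post describes is the `confirmed_txid_for` pass run over every historical withdrawal: any record whose spend key is found on chain was paid, whatever txid the ledger holds, and only records with no matching spend were actually lost.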

