Earlier today MtGox put out a press release regarding their issues surrounding halting all withdrawals. Friendly SA Forums goon Begby breaks it down for us here:
Basically when you send bitcoins to someone, there are several inputs in the transaction. Like the destination address, the amount, etc. Based on those inputs you get a transaction ID which is a hash of those inputs. If you want to see if something was confirmed on the blockchain, you can look up that transaction ID.
However, there is an attack you can do. You can actually change the order of the inputs and have the transaction still go through and end up with a different transaction ID.
Here is how the attack works:
1. Hey, MT Gox, I want to withdraw 4 butts to this address.
2. Mt Gox sends you those 4 butts and gets a transaction ID, broadcasts the transaction to get confirmed (basically yells to the internet, hey you stupid miners confirm this)
3. You, the totally awesome hacker, also broadcast the transaction with the inputs in a different order and yell to the internet louder. This results in a different transaction ID if it gets confirmed first.
4. If you yell loud enough, the blockchain confirms your set of inputs. So the transaction went through, but not under the transaction ID that Mt. Gox was expecting.
5. Call up Mt Gox and complain that you didn’t get your butts
6. Mt. Gox looks in their DB for the transaction ID they have on record, tries to look it up in the blockchain and can’t find it so they think it wasn’t confirmed. They then send you the butts again.
This is a well known issue with the bitcoin protocol and other exchanges workaround this by looking up the inputs in the blockchain instead of relying on the transaction ID, and only using the transaction ID after the transaction has been reliably confirmed. Mt. Gox is saying that this is a problem with bitcoin to cover their ass. I am not sure if its even bug. Its more of “don’t assume a transaction ID is legit until the transaction has actually been confirmed”.
So basically Mt. Gox has been getting ass raped by this known exploit for who knows how long, and has resent god knows how many butts. So their internal ledger is completely and totally fucked and they are going to have to go through every transaction they have ever done, look it up in the blockchain by inputs instead of transaction ID, and try to pick up the pieces. This is like finding out that you have accidentally been writing two checks for all your bills and then only realize this when your account goes negative.
TLDR; Mt. Gox got robbed using a well known exploit with an easy workaround that is so well known is not even a top ten issue for the devs. When successful this exploit will cause gox to double send butts to someone on a withdrawal. Who knows how much they double sent, they probably don’t even know.
Edit: Bonus, one of the devs said he had warned Mt. Gox of this several times over the past few years.
The US Federal Government shutdown has closed many “nonessential” services, but the criminal justice system is chugging along, and has outed “Dread Pirate Roberts” as one Ross William Ulbricht, and charged him with narcotics trafficking, hacking, and money laundering. It was fun while it lasted, Buttcoin!
[youtube id="NoBFhdeR9PE" width="580" height="337"]
ETA: According to some dude on reddit, “It looks like they sniffed him out by looking back at old Internet records (forum posts, IPs etc) around the times of SRs appearance. The first person to ever advertise SR was DPR himself, and he used an email account attached to his natural born identity. No NSA or technical hack.”
Following are dozens of quotes, mostly dredged from reddit and Bitcointalk.
- Sure, but it beats verifying all the transactions by hand like they did in the old days of quaint paper money, hahaha those poor bastards with their ”cash registers” and shillings and whatnot.
- I love this. People who try to make points like this against bitcoin don’t seem to realize how infantile cash and banking systems are in comparison.
- this is governments going OMG/WTF bitcoin is real–it’s a strong currency in the midst of our little currency war. All currencies are competing to devalue, simultaneously. BTC isn’t. This is like prohibition; as soon as inflation picks up, the masses will come.
- Using Xbox or PS3 to mine coins? Anybody tried this before? I know their GPU’s aren’t top of the line, but for people like me who don’t game much they could be going to much better use.
- I don’t think we are near the peak either. It’s fascinating to watch bitcoin grow, evolve and get its financial tentacles all over things.
This may be the final straw for bitcoins. There was a massive selloff today (180k coins and counting) as the price of bitcoins crashed through the $5 price point. Everyone’s jumping ship right now.
There’s really little chance of it ever coming back above that price point. Here’s the all-time chart, this is by far the largest selloff in Bitcoin’s history happening right now.
And just for fun, here’s another graph:
Remember when I called the peak at the beginning of June? I got so much shit for that.
Someone look at my post yesterday and tell me I wasn’t right on the fucking money with where in the bubble we were.
Someone decides they want to be an internet million, sells off 135k of bitcoins, becoming a millionaire off the backs of broke nerds.
What happens when you place a sell order that large in a market that volitile? It drops like a fucking rock.
Woah, nelly. And it seems to be dropping and dropping more and more every minute.
The currency of the future!
BTW Mt. Gox stands for “Magic the Gathering online exchange”. That is the larget bitcoin marketplace, a discarded MtG site.