Transaction Malleability is a Scapegoat for Mt. Gox Bitcoin Loss: Security Experts

With the tremendous growth in the value of Bitcoin over the past several years, many people have created cryptocurrency wallets, made Bitcoin transactions, used Bitcoin exchanges, and started Bitcoin mining operations.

However, with major Bitcoin exchange Mt. Gox filing for bankruptcy protection and halting transactions after allegedly losing roughly $380 million worth of customers’ Bitcoins, many are rethinking their investment in Bitcoin.

But while the Mt. Gox situation is enough for many to abandon Bitcoin altogether, it’s important to realize it’s too soon to assume that Mt. Gox failed to keep customer Bitcoins safe because of the Bitcoin system itself.

Of course, like any banking system, Bitcoin is not without flaws and requires vigilance from anyone dealing with currency and transactions. One of these supposed faults is the transaction malleability feature, which confuses many people and could be misleading as to the true problems at Mt. Gox.

Many, including Mt. Gox, have cited transaction malleability, a core feature of Bitcoin, as one of the main reasons for its problems. And while this can lead to transaction mistakes that send Bitcoins to criminals, it looks like transaction malleability isn’t at the root of Mt. Gox’s problems because it’s unlikely that it could be exploited at such a large volume.

Transaction malleability allows small changes to be made to a legitimate transaction without invalidating it and without access to the private keys. In Bitcoin, this means users can change the transaction ID accompanying each transaction, which is not itself protected by the signature. This is possible only during a very short window and under limited conditions, but it can add confusion.

In an interview with CNN Money, Bitcoin Open Source Project core developer Jeff Garzik said transactions can be mutated for valid reasons but they can also introduce some ambiguity that can be exploited. A legitimate mutation would be, for instance, a crowdfunding application where multiple users collaborate on a transaction, requiring multiple transaction IDs.

Less legitimate mutations could be ones where the recipient changes the transaction IDs, so that it looks like the money didn’t transfer. Then, the sender or recipient can complain to the exchange that they never received the currency and convince them to send it again.

This has likely caused exchanges to lose money, but this would have to be done at a very suspicious rate in order to steal hundreds of millions of dollars in the case of Mt. Gox.
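How payout tracking keyed on the transaction ID can mistake a mutated transaction for an unpaid one, and how matching on the signed content avoids that, shown as an added example that is not from the original article or from any exchange's code. It uses a simplified transaction model rather than real Bitcoin serialization; `Tx`, `normalized_id`, `reconcile` and the sample data are hypothetical names and constructed values.

```python
import hashlib
from dataclasses import dataclass, replace

def sha256d(data: bytes) -> str:
    """Double SHA-256, hex encoded."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()

@dataclass(frozen=True)
class Tx:
    # Simplified model (assumption): one input, one output.
    prev_txid: str
    vout: int
    script_sig: bytes   # signature data; the signature does not cover these bytes
    dest: str
    amount: int         # satoshis

    def _body(self) -> bytes:
        return f"{self.prev_txid}:{self.vout}->{self.dest}:{self.amount}".encode()

    def txid(self) -> str:
        # The ID hashes everything, including the signature bytes.
        return sha256d(self._body() + b"|" + self.script_sig)

    def normalized_id(self) -> str:
        # Hash only what the signature commits to: coins spent and outputs paid.
        return sha256d(self._body())

def reconcile(payouts, chain, key):
    """Return payouts that have no confirmed transaction matching under `key`."""
    confirmed = {key(tx) for tx in chain}
    return [p for p in payouts if key(p) not in confirmed]

# Constructed sample data: the exchange broadcast `sent`; the copy that was
# confirmed carries the same payment with differently encoded signature bytes.
sent = Tx("aa" * 32, 0, b"sig-encoding-1", "customer-address", 50_000_000)
mined = replace(sent, script_sig=b"sig-encoding-2")

def missing_by_txid():
    return reconcile([sent], [mined], Tx.txid)

def missing_by_normalized_id():
    return reconcile([sent], [mined], Tx.normalized_id)

if __name__ == "__main__":
    print("looks unpaid when matched by txid:", len(missing_by_txid()))
    print("looks unpaid when matched by signed content:", len(missing_by_normalized_id()))
```

A withdrawal system that treats the first result as proof of non-delivery would pay the same customer twice; checking whether the original inputs were spent to the intended outputs closes that gap.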

Many influential people in the security community, including Black Lotus fellow Jeffrey Lyon, say that Mt. Gox is using the transaction malleability issue as a scapegoat for something else that is going on.

In an email, Lyon said, “The prevailing theory in security circles is that the company was hacked and the cold storage had been stolen, possibly in 2011 and that the missing coins had been kept secret for several years.”

This “cold storage” means Bitcoins kept outside of the exchange system in a supposedly more secure location.

Another theory is that the cold storage was not stolen, but rather that Gox no longer has the private keys to access their cold storage, which remains in an untouchable wallet that neither Gox nor its customers can access.

Coinigy’s William Kehl notes, “At present time there’s no official word on this however several Reddit users claim to have found addresses containing over 200K BTC that haven’t been spent since 2011 that may belong to Gox.”

Bitcoin emerged as a fast-growing alternative to more traditional forms of payment that aren’t as suited to the internet. It’s too soon to give up on Bitcoin and other cryptocurrencies, but Mt. Gox shows that for Bitcoin to remain trustworthy, Bitcoin exchanges must accurately track each transaction and have proper processes in place so that transactions can’t be exploited and large Bitcoin vaults can’t suddenly disappear.

About the Author

David Hamilton is a Toronto-based technology journalist who has written for the National Post and other news outlets. He has covered the hosting industry internationally for the Web Host Industry Review with particular attention to innovative hosting solutions and the issues facing the industry. David is a graduate of Queen’s University and the Humber College School of Media Studies.

One Comment

  1. You left out one of the most popular theories, and that is the one that says MtGox had its cold-storage bitcoins frozen as part of the Silk-Road investigation and is under a gag order not to discuss it. One thing you can be sure of, you can't trust anything that MtGox says about this.