The Mt Gox announcement on February 10th of this year that ‘hackers’ had stolen some 850,000 bitcoins simply does not add up. Of the 850,000 bitcoins that Mt Gox claims to have lost, some 750,000, or 88%, belonged to customers. On the day the bitcoins were announced to be missing, the price of an individual bitcoin was $827; the total value of the loss in fiat was therefore estimated to be over $700 million. This is an incredible quantity of bitcoins to lose; luckily enough, however, Mt Gox had an explanation. The missing bitcoins had been taken by ‘hackers’ who had cynically exploited a flaw in the bitcoin program. This problem, called ‘transaction malleability’, allowed hackers to make double withdrawals from the exchange by tampering with the authorisation code. We are all familiar with this version of events; however, another version is beginning to emerge.
Two members of the Swiss Federal Institute of Technology in Zürich have been examining the events in the blockchain and are now disputing this version of events. Christian Decker and Roger Wattenhofer have been monitoring bitcoin transactions since January 2013 and are, therefore, in a very good position to offer an accurate assessment of the size of the problem with transaction malleability. They claim that the number of transactions in which transaction malleability is a factor is much smaller than was previously believed. The result of their examination of the blockchain was published in the MIT Technology Review.
Decker and Wattenhofer began monitoring Bitcoin transactions in January 2013, and they recorded all transactions during this period, both those blocked by security checks and those that were successful. They were connected to around 1,000 nodes in the Bitcoin network, or almost 20% of the total. The transaction malleability bug, which the hackers were using, involved changing blockchain details to show the sender that the transaction had not been successful, that it had in fact been blocked. The other nodes on the network were told that the transaction had been successful. The sender, believing the transfer had failed, resends the bitcoins, and the amount transferred is in fact double what it should have been. Decker and Wattenhofer checked all transactions to find those where the details recorded were different for different users. During the period from January 2013 to February 2014, they observed 302,000 different transactions where transaction malleability attacks were clearly an issue. But the vast majority of these attacks occurred after February 10th, the date that Mt Gox had made their announcement. These were, therefore, just copycat attacks by people who believed that they would succeed. They simply cannot have affected Mt Gox, as the exchange had stopped all customer withdrawals by then. Before February 10th, Decker and Wattenhofer found only 1,811 attempted fraudulent bitcoin withdrawals from Mt Gox, and these attacks could have successfully stolen only 386 bitcoins from Mt Gox and all other exchanges combined.
This leaves a giant hole in Mt Gox’s story. Even if all the bitcoins stolen came from Mt Gox, and this is unlikely, there are only 386 missing bitcoins; where are the other 849,600 bitcoins? Admittedly, Mt Gox has now ‘found’ 200,000 on an old hard drive; that leaves 649,600 bitcoins that have fallen through the cracks in the Mt Gox story.
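The kind of check described above, finding one payment that different observers recorded under different details, can be sketched as follows. This is an added example, not Decker and Wattenhofer's code: the transaction model, field names and sample sightings are constructed, and it assumes that malleated copies keep the same inputs and outputs and differ only in how the signature is encoded.

```python
import hashlib
from collections import defaultdict
from datetime import date

CUTOFF = date(2014, 2, 10)  # announcement date from the article

def dsha(data: bytes) -> str:
    """Double SHA-256, the hash Bitcoin uses for transaction ids."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()

def txid(tx: dict) -> str:
    # Simplified serialization (assumption): the id covers the signature bytes,
    # so a re-encoded signature gives the same payment a different id.
    return dsha(repr((tx["inputs"], tx["outputs"], tx["sig"])).encode())

def payment_key(tx: dict) -> str:
    # Same data with the signature left out: identical for every malleated copy.
    return dsha(repr((tx["inputs"], tx["outputs"])).encode())

def find_conflicts(observed):
    """Group sightings by payment; return payments seen under more than one txid."""
    groups = defaultdict(list)
    for tx in observed:
        groups[payment_key(tx)].append(tx)
    return [g for g in groups.values() if len({txid(t) for t in g}) > 1]

def summarize(conflicts, cutoff=CUTOFF):
    """Count conflicting payments and the satoshis they move, split at the cutoff."""
    out = {"before": [0, 0], "after": [0, 0]}
    for group in conflicts:
        first_seen = min(t["seen"] for t in group)
        side = "before" if first_seen < cutoff else "after"
        out[side][0] += 1
        out[side][1] += sum(value for _, value in group[0]["outputs"])
    return out

# Constructed sightings (not real chain data). inputs: (prev_txid, index),
# outputs: (address, satoshis), sig: placeholder for the signature encoding.
SAMPLE = [
    {"inputs": (("aa", 0),), "outputs": (("addr1", 150_000_000),), "sig": "enc-A", "seen": date(2014, 2, 3)},
    {"inputs": (("aa", 0),), "outputs": (("addr1", 150_000_000),), "sig": "enc-B", "seen": date(2014, 2, 3)},
    {"inputs": (("bb", 1),), "outputs": (("addr2", 20_000_000),), "sig": "enc-A", "seen": date(2014, 2, 5)},
    {"inputs": (("cc", 0),), "outputs": (("addr3", 500_000_000),), "sig": "enc-A", "seen": date(2014, 2, 12)},
    {"inputs": (("cc", 0),), "outputs": (("addr3", 500_000_000),), "sig": "enc-B", "seen": date(2014, 2, 12)},
]

if __name__ == "__main__":
    print(summarize(find_conflicts(SAMPLE)))
```

Only conflicts first seen before the cutoff can count toward losses at an exchange that had already halted withdrawals, which is the distinction the article's 302,000 versus 1,811 figures rest on.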