So how did Mt. Gox lose all those bitcoins?

by Joe Curtis| 28 February 2014

CBR explains how hackers emptied the Bitcoin exchange’s account.

Mt. Gox, the world's biggest Bitcoin exchange, has now filed for bankruptcy.

The repercussions of its alleged loss of $350m in bitcoins are massive for the digital currency, with people's faith in it being quite severely shaken by the announcement.

But how did it happen?

It's all because of something called a "transaction malleability" flaw.

Before we explain how the flaw came about, let's talk about how hackers could take advantage of it.

Whenever you send or receive bitcoins, you are taking part in a transaction. All these transactions are sent off to be processed by bitcoin miners, and once completed appear confirmed on the blockchain, basically a virtual publicly ledger that keeps track of all transactions.

When a transaction completes, it produces what's called a hash, which is like a confirmation code specific to that transaction.

One of the things that makes the hash distinct is that it is created from a variety of factors, one of which is the user's digital signature - a critical piece of the hash, because it proves the transaction originated from that user.

However, the digital signature is meant to be in a particular format.

We'll tell you why in a second, but there wasn't always something in place to confirm that format was correct, and so incorrectly formatted signatures were still accepted in creating the hash.

Because the signature was now different, the hash was completely different too: just like if you replaced eggs with, say, tar, in a cake mix, you'd get a pretty different cake.

Now, anybody who stored fiat funds in Mt. Gox could request to withdraw that stored cash as bitcoins at any time, and Mt. Gox would send them.

Remember; anytime you send or receive bitcoins, you take part in a transaction. Therefore every instance in which Mt. Gox sent bitcoins to people, it appeared as a transaction that needed to be mined, before appearing publicly on the blockchain once it had been completed.

Hackers with money in Mt. Gox were doing the same thing, but taking advantage of the transaction malleability flaw to insert an incorrectly formatted digital signature in place of the real one, producing a hash that was completely unrelated to the transaction.

This made it appear on blockchain as if the transaction had never taken place, and the hacker could therefore request to have the money sent again from Mt. Gox.

This process was repeated a countless number of times, and resulted in Mt. Gox losing hundreds of thousands of bitcoins.

So where did the flaw come from?

The flaw originated in a Bitcoin reference client, a piece of software people can use when building their own services around the cryptocurrency.

The reference client was basically failing to make sure that the digital signature was correctly formatted. This was solved in the latest version of the client.

So why is Mt. Gox suffering while others aren't?

This seems to be because its CEO, Mark Karpeles, admitted that the exchange had failed to keep up with all the updates being churned out by the Bitcoin Foundation, and so the fault was still present on the exchange.

Also, not all exchanges rely on the reference client to build their own software.

Post a comment

Comments may be moderated for spam, obscenities or defamation.

Join our network

717 people like this.
1540 people follow this.


Privcy Policy

We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.