Hackers do what they do to make money. That’s why they create ransomware like Linkup and Cryptolocker, and that’s why massive corporations like Microsoft pay bug bounties as large as $100,000 to anyone who can detect vulnerabilities in their software. It’s also why the Mt.Gox Bitcoin exchange did what it did last Friday, February 7th.
Bitcoin Transaction Malleability
Mt.Gox is one of the largest Bitcoin exchange sites in operation today. At one point, they were the largest. Bitcoin trading is an extremely competitive field, however, where things change fast. It’s also an industry notorious for growing pains, as many of the finer points of Bitcoin technology are still in flux.
One of these finer points is called Transaction Malleability, and it’s the reason Mt.Gox made the decision to freeze all withdrawals on February 7th, 2014. Essentially, each and every Bitcoin transaction is tracked using a unique hash; however, due to what Mt.Gox calls a “design issue” in Bitcoin’s coding, this hash can be altered without invalidating a Bitcoin’s signature. Fraudsters are taking advantage of this “design issue” to receive multiple payments from Mt.Gox from what should be just a single withdrawal.
Imagine going to the bank with a withdrawal slip and requesting $100 from your teller. You fill out the slip, your teller types the information into her computer, the computer processes the information, and moments later you’re handed a crisp $100 bill. Now, imagine that each time you do this, the computer assigns a Transaction ID to your withdrawal in the form of a random number, and that that ID is the only way to prove you just pulled out $100.
Imagine having the power to freeze time in this scenario. Imagine also that you can shrink down to the size of an electron and go into the teller’s computer to change that Transaction ID. This is basically what’s going on with Mt.Gox and transaction malleability. Since the computer has no record of your $100 withdrawal, and since the teller can’t prove she just handed you $100, you can simply unfreeze time, point to your withdrawal slip, and say “Hey, where’s my $100?!” And, because that Transaction ID was the only way to prove that the bank had given you your money, they’ll have no choice but to admit fault and pay you out of their pocket.
Do this 100 times in a row, and you’ve made $10,000.
Bitcoin’s Response to Mt.Gox
Fraudsters are taking advantage of Bitcoin’s transaction malleability by changing transaction tracking hashes before they are recorded. This has no effect on the withdrawal’s taking place, and it means that when the fraudster complains to Mt.Gox about not being paid, Mt.Gox has to pay them because there’s no proof saying they already did. This transaction malleability hack works because the specific tracking hashes in question are the only way Mt.Gox keeps track of withdrawals and transactions.
Many among the Bitcoin community are branding this (over)reliance on a single and vulnerable tracking mechanism an epic mistake. Mt.Gox’s Feb. 7th withdrawal freeze press release caused at least a $160 dip in the value of Bitcoins and provoked a response from Bitcoin founder, Greg Maxwell. Maxwell, and many others, point to the fact that the transaction malleability issue has been well known by just about everyone involved in Bitcoins since 2011, and that Mt.Gox’s freeze was an overreaction to something they should be fixing on their own. Namely, there are other exchanges that use other ways to track transactions, limiting vulnerability to a transaction malleability hack.
The Death of Bitcoins
Beyond the issue of where to place the blame, the biggest question surrounding Mt.Gox’s decision to freeze withdrawals indefinitely is: Why? Why would a company that relies on the value of Bitcoins make a decision that they had to have known would negatively affect said value, and did? One answer is that they’re losing a ton of money, and they panicked. Another is that they’re pulling for a power play.
Mt.Gox’s press release states that the transaction malleability issue “is not limited to Mt.Gox, and affects all transactions where Bitcoins are being sent to a third party.” It also states Mt.Gox believes “that the changes required for addressing this issue will be positive over the long term for the whole [Bitcoin] community.”
The press release goes on to say that these changes would include “using a different hash for transaction tracking purposes,” while continuing to include the old transaction tracking hashes in each Bitcoin block Merkle Tree. What this amounts to is essentially a new mode of encryption, which Mt.Gox would then standardize and implement in all future transactions. Being that Mt.Gox is one of the largest Bitcoin exchanges in the world, this new mode of encryption would send ripples throughout the Bitcoin community. Mt.Gox may very well be attempting to position itself as the solution to transaction malleability, even when other, smaller companies have dealt with the issue using multi-variable tracking methods, such as Bitcoin amount, timestamp, and address, for the last three years.
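As an added illustration (not code from Mt.Gox, the Bitcoin project, or the original article), the following Python sketch shows why tracking withdrawals by the transaction hash alone fails and how a tracking ID that ignores the signature bytes still recognizes the payment. The `Tx` model, its serialization, the address, the withdrawal reference and the signature bytes are simplified, constructed assumptions rather than Bitcoin's real wire format.

```python
import hashlib
from dataclasses import dataclass

def dsha256(data: bytes) -> str:
    """Double SHA-256, hex encoded (the hash construction Bitcoin uses)."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()

@dataclass(frozen=True)
class Tx:
    # Simplified model (assumption), not Bitcoin's real wire format.
    inputs: tuple   # ((prev_txid, output_index, signature_bytes), ...)
    outputs: tuple  # ((address, amount_in_satoshi), ...)

    def _serialize(self, with_sigs: bool) -> bytes:
        parts = [f"in:{p}:{i}:{s.hex() if with_sigs else ''}" for p, i, s in self.inputs]
        parts += [f"out:{a}:{amt}" for a, amt in self.outputs]
        return "|".join(parts).encode()

    def txid(self) -> str:
        # Covers signature bytes, so a re-encoded signature yields a new hash.
        return dsha256(self._serialize(True))

    def tracking_id(self) -> str:
        # Covers only what is spent and who is paid, so it stays stable.
        return dsha256(self._serialize(False))

class WithdrawalLedger:
    def __init__(self):
        self._pending = {}  # tracking_id -> withdrawal reference

    def record(self, ref: str, tx: Tx) -> None:
        self._pending[tx.tracking_id()] = ref

    def reconcile(self, confirmed: Tx):
        """Return the withdrawal paid by a confirmed tx, or None if unknown."""
        return self._pending.pop(confirmed.tracking_id(), None)

def demo():
    prev, outs = "aa" * 32, (("customer-address-1", 100_000_000),)  # constructed
    sent = Tx(((prev, 0, b"signature-encoding-A"),), outs)  # what the exchange broadcast
    seen = Tx(((prev, 0, b"signature-encoding-B"),), outs)  # what actually confirmed
    ledger = WithdrawalLedger()
    ledger.record("W-1001", sent)
    txid_changed = sent.txid() != seen.txid()
    first, second = ledger.reconcile(seen), ledger.reconcile(seen)
    return txid_changed, first, second

if __name__ == "__main__":
    print(demo())
```

The confirmed transaction carries a different hash than the one the exchange broadcast, yet the ledger still marks withdrawal W-1001 as paid, and a second attempt to match the same payment returns nothing.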
Traders are not happy about this. As Mt.Gox has yet to implement its new encryption standard and unfreeze withdrawals, it is difficult to say whether their solution is a legitimate improvement or simply a marketing stunt; but, for now, one thing is certain: Bitcoins are worth about half as much as they were just one month ago. Also important to consider is that the legal waters surrounding the cryptocurrency are murky at best — just Google Silk Road or Charlie Shrem if you’re interested — and that the majority of Internet users don’t even know what they are. This latter characteristic rings true with most things computerized and is even reminiscent of the early days of the World Wide Web itself. What remains clear is that computer security is a matter mostly financial, and that for the time being Bitcoins will play their part.
For more on this topic, check out Emsisoft’s Attack on Bitcoins.
Shortly after publishing this article, the Bitcoin Foundation announced an ongoing DoS attack on various Bitcoin exchange sites. The attack is taking advantage of the transaction malleability issue by relaying mutated versions of transactions and thereby preventing transactions from confirming. In response, Slovenia-based Bitcoin exchange Bitstamp has frozen withdrawals, as was done by Mt.Gox.