(Score: 1) by tftp on Wednesday February 26 2014, @01:54AM
I wonder if they'll ever figure out who was behind this.
You don't have to be Sherlock Holmes to realize that it's physically impossible for a major financial institution to run open loop, without ever checking the ledger, for several years. Nobody is that dumb. This means that they knew it all along, but continued to disburse BTC as if there is no tomorrow. Cui bono?
(Score: 1) by tynin on Wednesday February 26 2014, @02:05PM
Completely agreed. The idea they were not auditing their own ledger is just too much to be believed. It is just amazing they kept the lie running for so long. It is something that should have been caught years ago. It'll be interesting to see what the Japanese authorities determine, though that might take some time.
(Score: 1) by mth on Wednesday February 26 2014, @04:42PM
If I understood it correctly, the problem was that they used a hash to identify transactions that is not the same hash that they sign to authorize transactions, so people could modify non-critical parts of a transaction and for the block chain the transaction would go through but to the exchange it seemed that the transaction hadn't happened, so they would retry the transaction.
As you said, it is very unlikely they wouldn't notice this if it had been going on for years. Also it sounds like a bug that is relatively easy to fix, so why would they not fix it if they knew about it? And why are they calling it a core protocol problem when it is in fact a problem of the exchange software? Are they really that incompetent?
Shouldn't it be possible to spot the retried transactions in the block chain? I assume they would have the same amount and destination address as the forged ones. Then it would be possible to determine an upper bound for how long this flaw has been exploited and how many bitcoins were taken.
(Score: 1) by tynin on Wednesday February 26 2014, @10:28PM
I suspect you are very much correct in your understanding of the problem. You should be able to analyze the blockchain for these occurrences. However you'd first need to identify all of the wallets mtgox uses to send out btc's. You could analyze the entire blockchain, but I suspect you'll find a shockingly large number of false positives due to things like pool payouts where you can set up your threshold on when they payout or even people manually moving the same amount of bitcoins over and over. I've seen some automated/bot bitcoin sellers that slowly trickle out sales of the same size over and over again (with the purpose of slowly selling btc's so as not to impact the market price).
(Score: 2) by tftp on Thursday February 27 2014, @03:29AM
to the exchange it seemed that the transaction hadn't happened, so they would retry the transaction.
Imagine that you pay for rent with checks. Periodically the landlord calls you and says that he hasn't received the check. What would you, as a sane person, do? Would you simply cut another check and mail it in, without bothering to look if the original check had been paid? Or, perhaps, you will make sure that the double payment will not occur?
If the exchange felt the need to retry payments, this shows that the BTC system (in their opinion!) is fundamentally broken. It is unacceptable to submit a payment and then guess if it went through or not. (Especially if you haven't added the bribe to miners, also known as the voluntary fee.) Banks ensure that your payments are atomic, reliable, and verifiable at many checkpoints - and all that happens entirely for free to you. If BTC is not as reliable as a bank, who would need it? Now Mt. Gox tells us that they thought that the BTC network is not reliable. Is it true (and BTC is bad) or is it a lie (and then Mt. Gox is responsible for the loss?)
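Added example, not part of the thread and not code from any exchange: a toy model of the mismatch mth describes (an identifier hash that covers bytes the signature does not) and of the pre-retry check tftp's rent-check analogy asks for. It matches on the coins spent rather than on amount and destination, which avoids the false positives tynin mentions. The `Tx` layout, the state names and all sample values are constructed for illustration and are not Bitcoin's wire format.

```python
import hashlib
from dataclasses import dataclass

def dsha(data: bytes) -> str:
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()

@dataclass(frozen=True)
class Tx:
    """Toy transaction model (constructed; not Bitcoin's wire format)."""
    inputs: tuple        # outpoints spent: ((prev_txid, index), ...)
    outputs: tuple       # ((address, satoshis), ...)
    sig_encoding: bytes  # serialized signature bytes, not covered by the signature

    def signed_digest(self) -> str:
        # What the signer authorizes: which coins move to which addresses.
        return dsha(repr((self.inputs, self.outputs)).encode())

    def txid(self) -> str:
        # Identifier over the full serialization, signature encoding included.
        return dsha(repr((self.inputs, self.outputs)).encode() + self.sig_encoding)

def naive_seen(sent: Tx, chain: list) -> bool:
    # The flawed check described in the thread: look up by txid only.
    return any(tx.txid() == sent.txid() for tx in chain)

def reconcile(sent: Tx, chain: list) -> str:
    """Classify a withdrawal against confirmed transactions before any retry."""
    for tx in chain:
        if tx.txid() == sent.txid():
            return "confirmed"
        if set(tx.inputs) & set(sent.inputs):
            # Our coins are already spent; a retry from fresh coins would pay twice.
            if tx.signed_digest() == sent.signed_digest():
                return "confirmed-under-different-txid"
            return "conflicting-spend"
    return "unconfirmed"  # only this state is safe to retry, reusing the same inputs

# Constructed sample data.
withdrawal = Tx((("aa" * 32, 0),), (("addr-customer", 5_000_000),), b"sig-v1")
mutated = Tx(withdrawal.inputs, withdrawal.outputs, b"sig-v1-reencoded")
lookalike = Tx((("bb" * 32, 1),), (("addr-customer", 5_000_000),), b"sig-x")
pending = Tx((("cc" * 32, 0),), (("addr-customer", 5_000_000),), b"sig-y")
chain = [lookalike, mutated]

if __name__ == "__main__":
    print(naive_seen(withdrawal, chain))  # txid lookup misses the payment
    print(reconcile(withdrawal, chain))   # matched by spent coins instead
    print(reconcile(pending, chain))      # same amount/address is not a match
```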