The Bitcoin Transaction Malleability May Have Nothing to Do With the Missing Coins at MtGox

27 Mar
2014


The problems at MtGox have led to the exchange shutting down and announcing the disappearance of about 750000 Bitcoins belonging to its users (about 850000 in total), which it claims were stolen by exploiting Bitcoin transaction malleability. Yesterday MtGox released another official announcement saying that it is cooperating with the metropolitan police department of Tokyo and that it has provided the police with all of the records and documents required for the ongoing investigation. At the same time, a new report by Christian Decker and Roger Wattenhofer of ETH Zurich in Switzerland has concluded that MtGox may have lost just a few hundred Bitcoins due to transaction malleability, and not hundreds of thousands as they claim.

In Bitcoin, transaction malleability describes the fact that the signatures that prove the ownership of bitcoins being transferred in a transaction do not provide any integrity guarantee for the signatures themselves. This allows an attacker to mount a malleability attack in which it intercepts, modifies, and rebroadcasts a transaction, causing the transaction issuer to believe that the original transaction was not confirmed. In February 2014 MtGox, once the largest Bitcoin exchange, closed and filed for bankruptcy claiming that attackers used malleability attacks to drain its accounts. In this work we use traces of the Bitcoin network for over a year preceding the filing to show that, while the problem is real, there was no widespread use of malleability attacks before the closure of MtGox.

The transaction malleability problem is real and should be considered when implementing Bitcoin clients. However, while MtGox claimed to have lost 850,000 bitcoins due to malleability attacks, we merely observed a total of 302,000 bitcoins ever being involved in malleability attacks. Of these, only 1,811 bitcoins were in attacks before MtGox stopped users from withdrawing bitcoins. Even more, 78.64% of these attacks were ineffective. As such, barely 386 bitcoins could have been stolen using malleability attacks from MtGox or from other businesses. Even if all of these attacks were targeted against MtGox, MtGox needs to explain the whereabouts of 849,600 bitcoins.
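The excerpts above describe how a modified copy of a transaction can make the issuer believe the original was never confirmed, because the copy carries a different transaction ID. The Python sketch below is an added example (not code from the report or from MtGox) that flags such copies in a trace by grouping transactions on a signature-stripped key; the transaction layout, the `conflict_sets` helper and the sample trace are constructed for illustration and do not use the real Bitcoin wire format.

```python
import hashlib
from collections import defaultdict

def dsha256(data: bytes) -> str:
    """Double SHA-256, the hash Bitcoin uses for transaction IDs."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()

def serialize(tx: dict, with_sigs: bool = True) -> bytes:
    # Simplified, constructed encoding (NOT the Bitcoin wire format).
    parts = [f"in:{prev}:{vout}:{sig if with_sigs else ''}"
             for prev, vout, sig in tx["inputs"]]
    parts += [f"out:{value}:{script}" for value, script in tx["outputs"]]
    return "|".join(parts).encode()

def txid(tx: dict) -> str:
    # The ID covers the signature bytes, so re-encoding them changes it.
    return dsha256(serialize(tx, with_sigs=True))

def normalized_id(tx: dict) -> str:
    # Key over what the payment does: coins spent and coins created.
    return dsha256(serialize(tx, with_sigs=False))

def conflict_sets(trace: list) -> dict:
    """Map normalized key -> sorted txids, where >1 distinct txid was seen."""
    groups = defaultdict(set)
    for tx in trace:
        groups[normalized_id(tx)].add(txid(tx))
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

# Constructed sample trace; signature strings are opaque placeholders.
WITHDRAWAL = {"inputs": [("aa" * 32, 0, "sig-encoding-A")],
              "outputs": [(150000000, "pay-to-customer")]}
MODIFIED = {"inputs": [("aa" * 32, 0, "sig-encoding-B")],
            "outputs": [(150000000, "pay-to-customer")]}
UNRELATED = {"inputs": [("bb" * 32, 1, "sig-encoding-C")],
             "outputs": [(20000000, "pay-to-merchant")]}
TRACE = [WITHDRAWAL, UNRELATED, MODIFIED, UNRELATED]  # last is a plain rebroadcast

if __name__ == "__main__":
    for key, ids in conflict_sets(TRACE).items():
        print(f"payment {key[:12]}: {len(ids)} txids -> possible malleated copy")
        for i in ids:
            print("   ", i[:16])
```

A sender that reconciles withdrawals on this normalized key, rather than on the transaction ID it broadcast, still recognizes its payment when a modified copy is the one that confirms.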

Now, MtGox definitely needs to explain how only 386 Bitcoins could have been stolen using malleability attacks when they claim that about 850000 coins are in fact missing. Did they just find a good excuse to get away with the users' Bitcoins, or is there something different going on here? We do recommend that you take a look at the report in question.

To read the full report called Bitcoin Transaction Malleability and MtGox in PDF format…


