Bitcoin Forum

Dear Mt.Gox Users,

It’s no secret that since Tibanne took over Mt.Gox in March 2011 we’ve had a bumpy road, both in terms of growth and security.  The violation of our exchange that took place in June has left an ominous cloud hanging over us and in part, Bitcion and the community.  It has taken us several months to reestablish the level of trust we have now, and we feel as the leading Bitcoin Exchange it is our place to continue to set the model of trust for companies whose business revolves around Bitcoin.

Today we will be putting up a deck, aptly called “Transparency” where you will find basic information about Mt.Gox including operation cost, basic security details, revenue, turnover and so on...

A update to this document will be done every three months or so and we plan to provide as much information as possible without breaching our companies security or competitive advantage. Also, please note that this iteration is a first attempt and we plan to refine subsequent attempts in an effort to be continually more accurate and clear. Your feedback on this deck is of course welcome!

Also, we plan to have this document verified by third party auditors for future releases, however we want to set a realistic expectation this may not happen by the next quarter.

We sincerely hope that our effort here will be mirrored by other exchanges, Bitcoin related business, and that we have the communities backing on this “move”.

Transparently,

The Mt.Gox Team.

Commendable.  I'm glad to see you disclose deposits and withdrawals.  I've been interested in this data for some time to help evaluate the Bitcoin economy as a whole.

From a security standpoint I would be interested in more information on how, technologically and operationally, you are handling security.  The big one (90% of BTC in cold storage) is there, though, and appreciated.

How about you guys fix mtgox live, so that more than a bus load of people can use it at the same time and does not crash at the "perfect" time...?

+1000 for publishing this information.

In particular, the 90-98% cold storage claim is very helpful to know, and to my knowledge is the first time this has been published.  (I say "claim" not derisively, but only to acknowledge that it's unverified.)

Extremely interesting info. 80 tickets per week? Wow!

We are planning to update MtGox Live soon, don't worry.

We have planed for this but don't expect an answer by tomorrow ;-). This part is scheduled to be audited for a better accuracy and to make sure that we are true to our words.

This is really good. Kudos for taking the lead.

EDIT

I just read it and it seems pretty impressive. Especially customer support and the server setup. Good Job!

+1

Thanks Gox

Nicely done.

One nit pic.

You quoted the monthly Data Centre cost in USD at $5K on page 8.
In Monthly Operating costs you quote in Yen at 5,000,000 on page 16.

Is the Data Centre cost included in the Monthly Operating costs?
I would have thought so, but the currency switch threw me.

Yes you are correct, the monthly $5K of our servers cost is indeed included in the ¥5M Yen.

BTC is conspicuously missing from the deposits and withdrawal stats. Can you add it?

Sorry, I guess we forgot some info while putting this document together.

We'll include this information for the next time. Note also that unlike bank operations, bitcoins are handled in realtime and there are many more operations in one month. Also, since people may send bitcoins to themselves, as many times as they want, this data may not be really useful.

+1 Gox

Good stuff Mt.Gox, I think that you're doing a great job reestablishing the trust. Would be interesting to know some more details about the company. For example, how many employees are there?

+1
MtGox seems more professional than I thought.

P.S.: Still, I wish other exchanges would get more love, especially cryptoxchange. Competition is good! :)

Did you forget a 0 at page 14 for USD? 383,00 (as in 383 USD) is weird, because it seems too low and I think it is used as a seperator?

Do you intend to manipulate a rally with faulty information? ;D ;D

Oops, we'll fix this right now, thanks for the report.

Sorry this is entirely my fault! Anyway this has been fixed.

Cheers

Very, very impressed. +1 to Gox.

Other brokers, take note.

Nice to see MtGox taking steps to rectify their issues, hopefully others will follow.

Damn clever move, Gox team!  ;D Was this a direct result of hazek's hell-raising with CxC?  ;)

You go Gox !

Thanks!

Of interest would be total funds owed to depositors in relation to reserves.

Even without actual figures or verification, simply stating "We have enough funds on hand to back 100% of all deposits" in some sort of credible format would be a faith promoting claim.

Does Mt. Gox publish the address of it's Bitcoin holdings so that anybody can use block explorer to check that they have the bitcoins they are supposed to have.

This wouldn't be useful: they could publish any bitcoin address that wasn't theirs and claim funds they don't own.

What would be useful is if they signed a message to prove ownership of private keys, which then could be used to deduce their holdings.

But that would come at a major expense of network-wide anonymity for users - anyone could positively identify exit of funds from MtGox.  Not a whole lot of users would like that, so it would be a major tradeoff.  Any investigation that arrived at one of these addresses would be met with legal demands placed on MtGox: "we know this address is yours, so we hereby compel you to tell us who got these funds."

A plausible compromise might be for them to sign only their cold storage, which would compromise anonymity only for the largest transactors who probably have to "d0x" themselves to death anyway.

Even if they signed only 50% of their bitcoins, if they were bitcoins that rarely or never moved because they were cold storage, I would probably be 90% as satisfied as had they signed 100% of their coins.  I would want to know that the cold storage had not just appropriate storage, but proper contingency plans (so that one plane crash or one death wouldn't send my coins to their grave).

All of this recent disclosure is actually a great thing for Bitcoin as a whole.  The more people who are willing to leave money in MtGox without fear it will vanish, the deeper the order books will get, hence greater liquidity and less chance for sudden swings in the price.

Good to see the pro-activeness.

This is awesome.

But, can you guys please fix your data API?  GoxLive and websockets is consistently down during peak trading, then bitcoincharts  lags by minutes, and orders on mtgox are stuck pending for excruciatingly long.

Excellent! As a customer I couldn't be happier to read this and I feel now more assured about having my business with you than ever before. Really huge props for being first to make this move which is word for word what I suggested to cryptoxchange!

You see cryptoxchange? This is what you could have done and been first to get an edge, but you dropped the ball..

Again, major props to MtGox!

Who is the outside auditing entity?

Please make MTGOXLIVE transparent (aka live) during heavy trading periods. Thank you.

As stated in our first post : "Also, we plan to have this document verified by third party auditors for future release". There is not yet any auditing entity for this first publication. Once we have one, we will publish their information on the document and on our webpage. But please keep in mind that this may take time, not only to find the auditing company that will do the job we need, but it will also take time for them to audit us.

We have been discussing this for a long time and even shared some data and discussed this with some of you at CES, what we published yesterday was in fact something we planed for a longtime. But your comments and others ones has been taken into consideration to make it happen.

Cheers

What's the latest number ? 
Is it time to release NO.2 ?

Hi, the N.2 is coming soon, we have been so much busy on other projects that we had to postpone this Transparency Overview. But do not worry we did not forget about it

Cheers

Are you guys working on releasing the report for the last four months?

We did not forget about it, but we are concentrating our effort somewhere else at the moment!

Will we see an audit some time this year?

If you ask MtGox if they've done an audit, their answer is YES, we've done it, just look at our name Tibanne is listed at such-and-such Japanese website.

If you ask for the audit report though, their answer is basically... "Aww, shucks.  Sorry, we can't let you see it.  You actually have to pay for your own copy of it straight from the auditor, we can't let you see ours.  And it's really expensive.  Sorry about that."

If you ever could see the audit, and if it's even in English, it almost certainly was written by someone who doesn't have a clue what a Bitcoin is, and doesn't cover whether MtGox has USD and BTC to cover customer balances, it probably merely covers whether MtGox complies with some certain accounting standard and certifies that they filed some forms on time and in the proper format.

In other words, what I bet you WON'T see in the document: "We went through Tibanne's accounting records and discovered that they have liabilities of $X in the form of customer deposits, and as shown on the balance sheet and verified by bank statements, they have enough currency in their bank accounts to cover it."

And even MORE unlikely is a statement "We went through Tibanne's accounting records and discovered that they have liabilities of BTCX in the form of BTC customer deposits, and they signed messages for us proving that they own some certain addresses, and we verified ourselves on the block chain that they have all of the BTC they claim they have."

The audit I want to see would contain statements like that.

MtGox says getting such an audit is impossible or unfeasible due to cost, because according to them, they are a multinational conglomerate and any auditor would have to trot the globe just to confirm your money is there.  They even told me that some of the bank accounts they use don't offer internet banking.  (It's a multinational conglomerate kind of like Sony, but of course, if the website goes down while one guy is sleeping, it stays down for 4 hours until someone wakes him up!  Go figure.)

As I own a business that has undergone such audits several times, I know these we-can't-get-an-audit claims are simply untrue.  The first exchange or business who comes to the table with a SSAE 16 or comparable audit is going to be a major asset to the Bitcoin community.

Periodic deposit/withdrawal volumes, gross turnover, revenue/opcosts...these things don't provide ANY worthwhile information about the risk of doing business with you.  Why would would you bother having them attested to by a third party auditor?   

I'd also point out that as a practical matter, it's impossible to audit BTC balances on financial statements.


LOL wut?  MtGox told you that a copy of their audit was available for purchase from their auditor?!?  That would really be something.  Who at MtGox told this to you?

E-mail from Mark Karpeles to me, received 10 July 2012, 05:17 UTC

Heh, Teikoku Databank is a market research firm.  They do not provide audit services.  Mr. Karpeles should be a little more careful about the language he uses in his outside communications.

Seriously, I doubt an outside auditor has ever set foot into MtGox/Tibanne offices.  The only need they have for a CPA of any kind is for their taxes.

What's the cost? And who's collecting the BTC to buy a copy to share with the community?

I guess I misunderstood what an audit is. I thought is was one that shows where the money is, oppose to showing that the patella is connected to the femur.


An adult by the name of Bruce Wagner once stepped on Holy Ground and even provided us a video of his adventure. Does that count? BTW, does anybody know where we can view said video?

~Bruno~

The cost is "52,500 yen (before tax 50,000 yen) + Data Charge x Output Records" (http://www.tdb.co.jp/english/services/db_service/cosmos1.html) (I estimate to be around 700 bucks).

But before anyone goes spending any money, they should be aware that Teikoku Databank makes no assurances on the veracity of the financial statements you buy from them.  Probably because their financial statement data for privately held Japanese firms is (by and large) gathered via surveys.  It is entirely possible that Mr. Karpeles submitted MtGox's financial data to Teikoku Databank himself.


Many types of audits performed by public accountants. The SSAE 16 referred to by casascius would provide an opinion on the internal controls implemented in MtGox's end-user systems vis-à-vis the system's ability to provide reliable financial data.  Some caveats with an SSAE 16 are: the audit is based on management's description of the controls/system, the audit gives no opinion on the accuracy of the financial data extant in the system being audited, and the audit gives gives no opinion on the accuracy of the service firm's consolidated financial statements.

When we get a SSAE 16, some of the things we have to account for includes how we are doing our data backups, who has access to data/facilities/equipment, and how software source code changes get vetted and sent to production.  A lot of those topics are relevant to the risk one faces when doing business with MtGox (if Bitcoinica didn't make that painfully obvious enough to many).

Also relevant is what happens if Mark Karpeles gets hit by a bus.  He may very well be the only one that has access to the bitcoins on deposit, just to avoid the risk of getting stabbed in the back.  But if our coins die with him, that can't be good, and also is relevant to anyone doing business with Gox.  If they have a contingency plan in place, SSAE 16 would hopefully disclose enough of it to suggest that they have one in place and that it's probably effective, without giving away the secrets to a would-be thief.

Yep, while SSAE 16 would reveal a lot of information relevant to someone evaluating the risk of doing business with MtGox, SSAE 16 itself isn't a "the money's there" audit.  In fact, SSAE 16 isn't necessarily the part I think everyone's after: the fundamental critical part is a third-party assertion from someone with credentials on the line to say "We looked - we saw - we believe the money's there - signed, us".

If they were interested in doing so, they could solicit a CPA firm (such as one also doing a SSAE 16) to make that attestation on their behalf.  They just don't seem interested in it.

Absolutely correct.  In fact, it's likely that a practitioner would require an SSAE 16 as a prerequisite to auditing their financial statements.  But in my mind, surviving an SSAE 16 isn't necessarily a problem for them.  Getting an unqualified opinion on their financials, however, is a completely different story.

Not because they're engaging in any monkey business, but because they simply don't have enough bodies in the organization to have the necessary segregation of duties to qualify as having "strong internal controls".  This would place them in a situation where the auditor would require "substantive tests of detail" of their balances (which isn't a problem for their fiat-denominated balances, but is extremely problematic for their BTC balances).


TBH if I was in their shoes, I'm not sure I'd be interested in an outside audit either.  There might be some upside in terms of gaining market share/revenue - as long as they get a clean opinion.  If they don't, all they've done is spend a bunch of money to get a list of things for which they will have to spend even more money.

It seems that some people on this forum has a better understanding of the overall Bitcoin economy and problems than others.

As I stated many times (under Mt.Gox_Support), we have been the first to come forward and tried to be as transparent as possible, we are not against an audit and such thing will come at some point, but the truth is that as for today it will be extremely costly, long and difficult to get something done and done PROPERLY! And this due to the nature of Bitcoin. On top of that we will have to find someone that is capable to understand Bitcoin and "Appreciate" all its challenges.

But we understand the needs for you to be reassured that we have what we say we have and that our system is as secure as we say it is secure. We are working on this and hope to give you all something that you will accept.  But once again, and this should at least count for something : Mt.Gox is still the largest exchange, one of the oldest exchange, and we survived Everything that has been thrown to us. So if this alone can't at least give you a chance to start trusting us, what will? You also have to understand that what some people dislike (being somehow secretive sometimes) is what helped us to keep all your asset safe and sound!

What about moving BTC or signing messages to prove possession?  These don't even have to be published (and many customers would prefer they not be) - I would take the word of a trusted few who verified the sigs. That could all be done within an hour.  But the way I see it, this is either too much of a burden (unlikely) or there is a shortage.

Whas so "long and difficult" about moving some coins around ?

So, in other words, we should be thankful for unexplained open-ended delays and implausible "AML" investigations because all of this helps us keep our money safe?

Good call!  At least because of this, we don't have to worry about hackers withdrawing our USD, because their withdrawal will take 2 weeks after which we will know exactly where it went.

Bitcoinica hacker withdrew $340 000 instantly without any problems ;)

I am not sure if you realize what you are asking for, anyway I will to try to explain it to you again (Mark already did I believe). You are asking us to move ALL our coins that are safe in cold storage into a single live/hot wallet. No only this is a rather very dangerous thing to do... I mean we will have ALL OUR CUSTOMERS coins for a certain laps of time stored on a single wallet, but it will also require a lot of man power and time to do so. Indeed we do not store people's coins in 1 or 2 places but a LOT of different places and always in small quantities that if something really bad happen ONLY a few coins will be lost.

As you must be aware, it is very easy for everyone to track coins and moving all these coins to a single address and this will certainly raise some attention.

-- Edit --

And this is the "Secretive" part that I was referring to and nothing else.

*eyes rolling*

Yes, I am pretty sure I understand exactly what I am asking for.

Yes, Mark did explain this to me.  As though he too had never heard there is a feature to sign text messages with an address's key.

I mean use the message* signature feature built right into the reference client.  You know, signmessage, verifymessage.  Do it on an offline computer so there is no risk of contact between the internet and the keys.  Write a script to enumerate the keys in the wallet and sign a message with each one, and then transfer the signatures to online computers with a flash drive.  You guys have your own custom bitcoind*, and certainly are qualified to understand how to do this.  Tell us nothing, that's fine, I get it, but don't tell me it's dangerous, that's a complete *.


* = I removed the profanity because I don't normally get on here and go into tirades of swearing.  But saying proving possession of BTC is too dangerous is a pretty weak excuse and I am shocked you guys offer it. EDIT2: ahh, nevermind, you all quoted it.

I will ignore the bad language for a second and believe that you are a descent person who had a bad day. Hell that can happen to any one.

You have no clue on how our system work so I will forgive you for that. First of all we do not use the Bitcoin Client add to that the fact that these wallet are everywhere (They are spread pretty much everywhere and in a HUGE quantity) you can understand that this will take time and that WE want to make sure that things are safe

I am 100% certain you guys maintain private keys for your bitcoin addresses, otherwise technically you don't have the bitcoins in the first place.

I am 100% certain you could export the keys to a file.  They are just short strings of numbers.

I am 100% certain you could import them into a wallet.dat with a trivial script.

I am 100% certain you could sign messages with them using the reference client after doing so.

I am 100% certain you guys already understand this.

I am 100% certain they are not "spread everywhere" as, for example, none of them are on my lawn.

I am 100% certain that no matter how HUGE the quantity, the quantity is not too big for a for-loop to iterate through them.

I actually have not had a bad day.  It's hard to have a bad day when your stash of coins just took a nice solid leap and you aren't in the midst of trying to fight for possession of them from a bankrupt foreign entity.  I just get a little animated when the #1 Exchange of Bitcoin blatantly misrepresents their ability to accommodate a reasonable request, no differently than a doctor claiming his patient must bleed to death because there, according to him, exists no such thing as stitches.

For what it's worth, the phrase "for Christ's sake" is also considered profane in countries where Christianity is popular.  I thought I might point that out, because you only bolded "fucking" and "crock of shit" when quoting me. ;)

Wait...are you saying you might have actually learned something from this thread?   ;D


I couldn't agree more (except for the "transparent as possible" part).  It's clear you are the first to make some data available, and you have been rightly applauded for doing so.  But you made a mistake by making promises you can't/didn't keep: "A update to this document will be done every three months", "we plan to have this document verified by third party auditors for future releases".

Look, I don't know how my knowledge of the overall Bitcoin economy stacks up against yours, but it's pretty clear to me that a couple of big bitcoin scams/hacks/thefts/whatevers happen every *fucking* year.  Each time, there are calls from the wider bitcoin community for more transparency/accountability from bitcoin institutions.  Guess what...you are one.  Not taking the time to update your deck every third month after making a commitment to do so is, well, a big mistake.  Especially given the rather limited and ho-hum nature of the data you published.


LOL, have you ever heard the saying "if you find yourself in a hole, the first thing to do is stop digging"?
__________________________

@casascius: while I think your idea has some merit, to me it makes more sense to press MtGox for a published audit.  Having them push transactions/messages into the blockchain ain't exactly best practices when it comes to assurance.

I agree and believe they should do both.  The "messages" part doesn't refer to pushing anything into the blockchain, just, in a nutshell it is a recently added feature to the client that allows them to concretely prove they possess the BTC they have without having to transact with any of it.  The proof comes in the form of a code they can publish.  For example, by publishing the following code, I have just proven possession of about 280 BTC in the most certain way possible by anyone who knows what they're doing, short of actually sending them the BTC:


We as a community are interested in knowing how much BTC they possess in relation to their liabilities to us, and if a auditor had a magically-expert awareness of how BTC works, he'd know to ask for these codes.  This code took me less than 2 minutes to produce.

I think a more valid response is screw the amount of bitcoins. They are virtual and are essentially worthless. The real problem Gox has is fiat liquidity and that should be perfectly tangible and easily provable.

Gox has little interest in bitcoins. It's merely a moneychanger. The question is where is the money going as it certainly isn't coming out.

It's much more likely behind the scenese Gox is stacking the deck and "buying" coins themselves and driving the price as it would suit them to make it go ever higher and of course then they would be the ones to profit by selectively selling and actually being able to cash out while screwing everyone else over.

It's just like any money laundering scheme. Follow the money.

How about just posting some financials.  Anyone can go through Gox history and figure out the float and what has gone in and out and be able to see if anything nefarious has been going on.

If MtGox had a relatively unlimited number of these worthless coins, any fiat shortage wouldn't be a huge problem, as they'd eventually be able to sell their way out of it, possibly sooner rather than later.  Deck stacked or not, I believe the market really does demand these virtual coins and that this demand will continue grow.  They are no less virtual than the dollars in your bank account.  If by some stretch, MtGox was able to prove that it had its own huge stash of BTC above and beyond customer deposits, I'd worry less about a genuine fiat shortage and would tolerate delays.

I am fully aware of this as I am the person who made this very document. I push the team on a weekly basis here to get the data out of our DB but they are so swamp with other priorities that I could not keep the promise I made when publishing the first document. And for this I am truly sorry. Once again Mark and Mt.Gox is not opposed to this program but the fact that Making Deposit/Withdrawal faster and and work on making more Deposit/Withdrawal methods available is for us a priority and I won't ague with that.

And as promised we will give these document verified by third parties auditors, when? I am not sure, but we will. Let's make sure that we have this 2nd document ready first.

I was not aware of that!  I will have to re-consider my position that BTC balances on financial statements are unauditable.  Heh, maybe I learned something from this thread...  :D


http://files.sharenator.com/CANt_tell_if_serious_or_trolling-s360x270-250614.jpg


Kudos to you for making this commitment.  If I may make a suggestion: the stuff of most interest to the community is on your balance sheet and statement of cash flows...do your best to publish info from those documents.  If you're hesitant about publishing absolute figures, consider using simple ratios/KPIs.  I think a simple ratio expressing total btc/customer btc would go a long LONG way to instilling confidence in the community (as casascius has suggested).

I'd also throw out my opinion that expecting MtGox to provide audited figures of any kind more than once a year is unreasonable (at least until they grow s'more)   ;D

Well noted.

Will there be an update soon?

There seems to be at least one newer report, from August: https://mtgox.com/img/pdf/20120831/Transparency_august.pdf
Oh, and even newer data (not in a pdf report though) here: https://bitcointalk.org/index.php?topic=120953.0