MTGOX "UPDATE"

[smoothie]

Dear MtGox Customers and Bitcoiners,

As you are aware, the MtGox team has been working hard to address an issue with the way that bitcoin withdrawals are processed. By "bitcoin withdrawal" we are referring to transactions from a MtGox bitcoin wallet to an external bitcoin address. Bitcoin transactions to any MtGox bitcoin address, and currency withdrawals (Yen, Euro, etc) are not affected by this issue.

The problem we have identified is not limited to MtGox, and affects all transactions where Bitcoins are being sent to a third party. We believe that the changes required for addressing this issue will be positive over the long term for the whole community. As a result we took the necessary action of suspending bitcoin withdrawals until this technical issue has been resolved.


Addressing Transaction Malleability
MtGox has detected unusual activity on its Bitcoin wallets and performed investigations during the past weeks. This confirmed the presence of transactions which need to be examined more closely.


Non-technical Explanation:
A bug in the bitcoin software makes it possible for someone to use the Bitcoin network to alter transaction details to make it seem like a sending of bitcoins to a bitcoin wallet did not occur when in fact it did occur. Since the transaction appears as if it has not proceeded correctly, the bitcoins may be resent. MtGox is working with the Bitcoin core development team and others to mitigate this issue.


Technical Explanation:
Bitcoin transactions are subject to a design issue that has been largely ignored, while known to at least a part of the Bitcoin core developers and mentioned on the BitcoinTalk forums. This defect, known as "transaction malleability" makes it possible for a third party to alter the hash of any freshly issued transaction without invalidating the signature, hence resulting in a similar transaction under a different hash. Of course only one of the two transactions can be validated. However, if the party who altered the transaction is fast enough, for example with a direct connection to different mining pools, or has even a small amount of mining power, it can easily cause the transaction hash alteration to be committed to the blockchain.

The bitcoin api "sendtoaddress" broadly used to send bitcoins to a given bitcoin address will return a transaction hash as a way to track the transaction's insertion in the blockchain.
Most wallet and exchange services will keep a record of this said hash in order to be able to respond to users should they inquire about their transaction. It is likely that these services will assume the transaction was not sent if it doesn't appear in the blockchain with the original hash and have currently no means to recognize the alternative transactions as theirs in an efficient way.

This means that an individual could request bitcoins from an exchange or wallet service, alter the resulting transaction's hash before inclusion in the blockchain, then contact the issuing service while claiming the transaction did not proceed. If the alteration fails, the user can simply send the bitcoins back and try again until successful.

We believe this can be addressed by using a different hash for transaction tracking purposes. While the network will continue to use the current hash for the purpose of inclusion in each block's Merkle Tree, the new hash's purpose will be to track a given transaction and can be computed and indexed by hashing the exact signed string via SHA256 (in the same way transactions are currently hashed).

This new transaction hash will allow signing parties to keep track of any transaction they have signed and can easily be computed, even for past transactions.

We have discussed this solution with the Bitcoin core developers and will allow Bitcoin withdrawals again once it has been approved and standardized.

In the meantime, exchanges and wallet services - and any service sending coins directly to third parties - should be extremely careful with anyone claiming their transaction did not go through.

Note that this will also affect any other crypto-currency using the same transaction scheme as Bitcoin.


Conclusion
To put things in perspective, it's important to remember that Bitcoin is a very new technology and still very much in its early stages. What MtGox and the Bitcoin community have experienced in the past year has been an incredible and exciting challenge, and there is still much to do to further improve.

MtGox will resume bitcoin withdrawals to outside wallets once the issue outlined above has been properly addressed in a manner that will best serve our customers.

More information on the status of this issue will be released as soon as possible.

We thank you for taking the time to read this, and especially for your patience.

Best Regards,
MtGox Team

[1714641648]

1714641648

[1714641648]

1714641648

[1714641648]

1714641648

[1714641648]

1714641648

[1714641648]

1714641648

[1714641648]

1714641648

[underhood]

I opened thread also in Development/Technicall discussion thread. Want to see what Bitcoin core developers have to say about this.

[smoothie]

So basically because MTGOX is running a custom version of the bitcoin client their user base is fucked on bitcoin withdrawals.

Other exchanges like BTC-e and bitstamp do not appear to have this issue.

Looks like more delay.

Sucks to be anyone with BTC or fiat stuck in MTGOX. It is looking like a prison for your money.

[Buffer Overflow]

Sounds dodgy. Wonder how many MtGox coins have been stolen?

[underhood]

So basically because MTGOX is running a custom version of the bitcoin client their user base is fucked on bitcoin withdrawals.

Other exchanges like BTC-e and bitstamp do not appear to have this issue.

Looks like more delay.

Sucks to be anyone with BTC or fiat stuck in MTGOX. It is looking like a prison for your money.

Nope they are blaming general security problem in Bitcoin protocol. Means it affects all users of bitcoin (it is not problem of single client but protocol). MtGox just seems to be attacked as first.

[RandomPleb]

For the the first time in a very long time, I can see how MtGox could possibly come out of this smelling of roses...

[mp420]

So basically because MTGOX is running a custom version of the bitcoin client their user base is fucked on bitcoin withdrawals.

Other exchanges like BTC-e and bitstamp do not appear to have this issue.

Looks like more delay.

Sucks to be anyone with BTC or fiat stuck in MTGOX. It is looking like a prison for your money.

Nope they are blaming general security problem in Bitcoin protocol. Means it affects all users of bitcoin (it is not problem of single client but protocol). MtGox just seems to be attacked as first.

Yes this would make sense, but I would really like to have an independent expert confirmation that the issue really exists and can't be worked around just by changing MtGox's wallet code.

[mp420]

So basically because MTGOX is running a custom version of the bitcoin client their user base is fucked on bitcoin withdrawals.

Other exchanges like BTC-e and bitstamp do not appear to have this issue.

Looks like more delay.

Sucks to be anyone with BTC or fiat stuck in MTGOX. It is looking like a prison for your money.

Nope they are blaming general security problem in Bitcoin protocol. Means it affects all users of bitcoin (it is not problem of single client but protocol). MtGox just seems to be attacked as first.

Yes this would make sense, but I would really like to have an independent expert confirmation that the issue really exists and can't be worked around just by changing MtGox's wallet code.

And it appears that this is a problem caused by MtGox looking at the wrong things when trying to find out if a transaction has been confirmed. So, while the protocol could be improved in this respect, they're pretty much admitting their incompentence.

[underhood]

Well looking for transaction hash is normal way to look for transaction. This is how it was intended by Bitcoin developers.

However there is a bug found/known where attacker can change this hash. He cannot change the transaction only the hash. This way transaction goes trough and to sender it seems it didn't.
There is workaround where you simply look at transaction with same inputs and outputs in block-chain (ignoring hash) but is requiring much more work to do and is just workaround (you need to go trough all transactions one by one after date/time it was issued).

Truth seems to be that Bitcoin protocol is simply flawed ... thankfully only in non critical way (you cannot alter transaction only fool sender for some time).

proof issue is known: https://en.bitcoin.it/wiki/Transaction_Malleability
technical discussion about this https://bitcointalk.org/index.php?topic=458076.0

[picobit]

This really makes it looks like closing withdrawals was the right thing to do, at least until the problem was identified.  They should be able to fix it in their own software.

[pazor]

now it is time to buy litecoin !
 

[picobit]

now it is time to buy litecoin !
 

Since litecoin is a clone of bitcoin, they probably have the same problem.

Note that although this is technically a flaw in the bitcoin protocol, it is not a serious one, at least not once it is known.  It just means that before you conclude that a transaction did not make it into the blockchain, you have to check the blockchain a bit more carefully.

[underhood]

This really makes it looks like closing withdrawals was the right thing to do, at least until the problem was identified.  They should be able to fix it in their own software.

This is not really about their software only. Flaw is in protocol.
What they do now from what I heard from MtGox staffis implement workaround (example looking for transaction not by hash but inputs/outputs as i said in previous post)
and later change bitcoin protocol to prevent this problem/attack --> this is the only real long term solution

They say they are discussing with Bitcoin core developers about how to do this temporary workaround as well as fixing Bitcoin protocol.

Seems like MtGox is really not to blame here.... maybe only for not noticing the issue sooner when the failed transaction count (or attack count) was lower.

[Sawadekub]

only mtgox having this issue.. so wake up NOOB!

[underhood]

only mtgox having this issue.. so wake up NOOB!

This is hard proof that issue is known and is not exclusive to MtGox:
https://en.bitcoin.it/wiki/Transaction_Malleability

Wish you a nice day too

[Last1212]

MTGOX LIERS!!!!!!!!!!!!!
http://www.cryptocoinsnews.com/2014/02/10/mt-gox-blames-bitcoin-core-developer-greg-maxwell-responds/

[Sawadekub]

yea  freaking noob FreaK MTGOX FOR THEIR COSTOM BITCOIN PROTOCOL!!!!

GUYS HURRY UP AND BUY THOSE BITCOINS FROM OTHER BROKERS!!!

BITCOIN RULES!!!!!! THATS WHY ITS BEEN HERE FOR THE PASS 5-6 YEARS FK U MTGOX.. U THINK WE ARE STUPID?

[DooMAD]

[guybrushthreepwood]

now it is time to buy litecoin !
 

Since litecoin is a clone of bitcoin, they probably have the same problem.

Note that although this is technically a flaw in the bitcoin protocol, it is not a serious one, at least not once it is known.  It just means that before you conclude that a transaction did not make it into the blockchain, you have to check the blockchain a bit more carefully.

Isn't the flaw with the software they are currently using? If they updated I think it'd be fine.

[flower1024]

now it is time to buy litecoin !
 

Since litecoin is a clone of bitcoin, they probably have the same problem.

Note that although this is technically a flaw in the bitcoin protocol, it is not a serious one, at least not once it is known.  It just means that before you conclude that a transaction did not make it into the blockchain, you have to check the blockchain a bit more carefully.

Isn't the flaw with the software they are currently using? If they updated I think it'd be fine.

hey cant update as they have developed it theirself...
and they managed to overlook a bug whixh is fixed in bitcoin for about 3 years

i'd like to know how much has been stolen