How does a hot wallet empty a cold wallet?

[Bit_Happy]

Assume for a moment Gox might be telling the truth (Ya right, hahaha)
The purpose of a cold wallet is security and the hot wallet(s) don't have access.
The "crisis document" is clearly a lie, or am I missing something about the cold wallet?

[Frankie]

Has Gox actually said this? Doesn't seem clear who the author is.

Whatever the supposed mechanism is, it doesn't make any sense.

You should be able to calculate how many bitcoins your wallets control. Maybe there were some fees you didn't take into account, but it should be close. Then you see how many your wallets actually control. If the total is way off, you investigate, same as any other business that checks its cash register at the end of the day.

This document suggests that no one made that simple comparison for years. It's preposterous.

It would be like McDonald's declaring they ran out of assets because the cashiers kept giving out money due to an error in their protocol, and this lost cash was continually replenished from McDonald's corporate bank account. That's what the document purports.

[Bit_Happy]

Has Gox actually said this? Doesn't seem clear who the author is...

Agreed, it was supposedly "leaked".

...It's preposterous....

It's preposterous, yes.
The "crisis document" is being widely quoted and it has this Huge, glaring flaw.
You helped verify my basic understanding of a cold wallet, thanks

[usabitcoinbuyer]

It shouldn't, if done right.  Withdrawing from a cold wallet should take some kind of conscious manual intervention.

If we assume that the wording in the crisis draft isn't literally accurate, then the following thread and article suggest one of the more believable theories I've seen about what might have happened:

https://bitcointalk.org/index.php?topic=489813.0
http://letstalkbitcoin.com/somethings-not-right-at-gox/

The TL;DR version:

A successful Transaction Malleability exploit emptied their withdrawal hot wallet for the first time in a long time.  Gox goes to refill the wallet during the initial BTC withdrawal freeze and ... uh oh... the cold wallet private key is lost/corrupted/not working.  It might have gone undetected because deposits and watching the wallet balance wouldn't evidence the broken private key.

(Edited for clarification)

[JoelKatz]

Assume for a moment Gox might be telling the truth (Ya right, hahaha)
The purpose of a cold wallet is security and the hot wallet(s) don't have access.
The "crisis document" is clearly a lie, or am I missing something about the cold wallet?

A hot wallet empties a cold wallet if you refill the hot wallet from the cold wallet every time it gets low. If the rule is "when the hot wallet is low, refill it from the cold wallet" and you keep applying that rule, a leak in the hot wallet drains the cold wallet eventually.

How do you get a leak in the how wallet? Easy. You have a rule like: "if the customer complains that their withdrawal didn't process, and it has been at least 24 hours, check the transaction ID in our database. If it didn't confirm, process another withdrawal from the hot wallet."

Do you have to be a complete idiot with no audits and no controls to allow defects like these to cause you lose 99% of customer funds over years? The answer to that question is left as an exercise for the reader.

Bitcoin operators, whether they be exchanges, wallet services or payment providers, play a critical custodial role over the bitcoin they hold as assets for their customers.  Acting as a custodian should require a high-bar, including appropriate security safeguards that are independently audited and tested on a regular basis, adequate balance sheets and reserves as commercial entities, transparent and accountable customer disclosures, and clear policies to not use customer assets for proprietary trading or for margin loans in leveraged trading.  It does not appear to any of us that MtGox followed any these essential requirements as a financial services provider.

[moni3z]

Karpales rolled his own wallet(s) using the Bitcoin raw protocol and of course is totally inept at everything so fucked it up. If he had just used the regular bitcoin client but kept it offline, or used Armory offline wallet there would be no problems. Read his personal blog sometime. He makes insecure crypto libraries using Php and then immediately uses them in production without even realizing he's created a big bag of shit.

[LarryLiu]

It happens when the cold storage is warm. If the cold wallet passphrase or the private keys were not printed on paper and were accessible to a networked computer in any fashion then it would not be considered as a cold wallet to me.

[Frankie]

It happens when the cold storage is warm. If the cold wallet passphrase or the private keys were not printed on paper and were accessible to a networked computer in any fashion then it would not be considered as a cold wallet to me.

I suppose that could be. It's not really a cold wallet if scripts from networked machines automatically pay "hotter" wallets when they run low.

[thelema93]

Assume for a moment Gox might be telling the truth (Ya right, hahaha)
The purpose of a cold wallet is security and the hot wallet(s) don't have access.
The "crisis document" is clearly a lie, or am I missing something about the cold wallet?

Something hot leaked out of Mark Krapeles pants after he drank too much cold coffee

[thelema93]

Karpales rolled his own wallet(s) using the Bitcoin raw protocol and of course is totally inept at everything so fucked it up. If he had just used the regular bitcoin client but kept it offline, or used Armory offline wallet there would be no problems. Read his personal blog sometime. He makes insecure crypto libraries using Php and then immediately uses them in production without even realizing he's created a big bag of shit.

I'm wondering if that's how maybe he got hacked? he puts all his code on github for everyone to see!

[enno]

Read his personal blog sometime.

I'd love to. Where is it?

[LarryLiu]

It happens when the cold storage is warm. If the cold wallet passphrase or the private keys were not printed on paper and were accessible to a networked computer in any fashion then it would not be considered as a cold wallet to me.

I suppose that could be. It's not really a cold wallet if scripts from networked machines automatically pay "hotter" wallets when they run low.

Exactly, the keyword "automatically" demands programmatic access to the secrets, that effectively makes it just another hot wallet.