Bitcoin Forum
December 18, 2017, 03:08:44 PM *
News: Latest stable version of Bitcoin Core: 0.15.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Gross Incompetence - What Really Happened at MtGox  (Read 1149 times)
acoindr
Legendary
*
Offline Offline

Activity: 1036


View Profile
March 01, 2014, 02:44:58 AM
 #1

I believe I know what happened at MtGox. (Spoiler alert) TL;DR: complete incompetence

While I was a supporter of MtGox, in this debacle I have lost not more than about $80 there, because I try to follow my own advice which is: don't ever store longer term more cash/coins in ANY online service than you can afford to lose. Some here must have seen me say this repeatedly in the past. Anyway, there is a lot of question and speculation about what really happened with MtGox. I think I've figured it out. I'll present my case and see if you agree with me.

Before I get started, check out this quote from 2011. It's unbelievably prescient. BTW Magical Tux is Mark Karpeles:

And this is the guy whom 90% of Bitcoin users trust their money to...  Roll Eyes

MagicalTux fucks up... AGAIN!  Grin

What will happen when they lose the income of 10 years?  Undecided

Go ahead, click the link. You'll see it's really from 2011. Now, what would make this guy predict something like that?

Exhibit A:

That quote comes from the following 2011 thread which I believe is the last piece of the puzzle:

someone fucked up and lost ALOT of money

You really need to read/skim the first 2 1/2 pages, which contains the above quote, to get a feel for what happened. The gist of it is that MtGox, possibly Mark Karpeles himself, implemented (badly) custom software for transacting directly on the network.

Now check out this quote on 2/10/14 from DeathAndTaxes whose opinion on the matter I deeply respect:

...

MtGox had other issues which resulted in payments failing, being delayed, and needing to be resent.  The attackers took advantage of this to "camouflage" their actions.  Your right if you send out payments to 50,000 users and 49,999 report no issue but one user over and over reports not getting paid well then "hmm maybe this user is running a scam" however if you send payments to 50,000 users and 30,000 of them report non-payment due to a variety of reasons (caused by Gox) then it becomes easier for the attacker to hide.

MtGox wrote their own client, and they did so horribly bad.   Their client isn't worthy of being used by a hobbyist experimenting on testnet but they used it in production for a systme involving millions of dollars of assets.  We have no idea how many things they got wrong but looking at the failed transaction we know at a minimum these things were wrong:

a) MtGox double spent their own coins.
b) MtGox paid insufficient fees on tx which were low priority meaning they would not be relayed to miners by most nodes.
c) MtGox created tx which violated the "anti-spam" rules which caused tx to be dropped (not relayed) by some nodes.
d) MtGox attempted to spend immature newly mined coins (newly mined coins can't be spent for 120 blocks).
e) MtGox used non-canonical signatures on transactions which were rejected by newer nodes.

and

f) MtGox failed to account for mutable hashes.


Now if MtGox had done a through e they wouldn't have lost any coins.  Yes users would be delayed.  Yes it would make them look foolish but had they at least done f right they would have not paid attackers twice.

On the other had if MtGox had done a through e right but messed up f, then your scenario in the OP would be correct.  Legit users would have seen no issue, attackers would have gotten double paid. ...

However MtGox managed to get a through f wrong so legit users were affected AND attackers were able to trick them into making double payments.   Worse the two issues compound on each other.  If the attackers were the only ones reporting non-payment then it is likely MtGox would have gotten suspicious relatively quickly however since this has been going on for the better part of a month and involves tens of thousands of transactions who knows how many times attackers were able to get away with a double payment.

...  I consider myself moderately knowledgeable about bitcoin, and I don't use a custom bitcoin client.  I use a custom backend which communicates with the reference client (i.e. bitcoind) for these exact reasons.   MtGox's attempt to build a custom client would be laughably bad if released as an open source alternative client with a warning to be used for testing only.  The fact that it was used as a closed source production client borders on criminal negligence.

The whole quote should be read, but at the least what I've highlighted in bold.

We need to jump back to the 2011 thread for a second. As far as I know that was the first indication of MtGox's horrible software implementation. The reason for the thread was it was discovered someone wrote a bad script making about 2,600 BTC permanently irretrievable (about 26K USD back then). In that thread Magical Tux appears to admit it was MtGox saying "<MagicalTux> that's a problem, but not the worst problem we ever faced ... just spent one week of BTC-only income".

So to this point we know as early as 2011 Mark Karpeles was aware his custom software resulted in losing 2,600 BTC. However, there is one more key line in that quote from Magical Tux to focus on: "<MagicalTux> all the broken withdraws have been re-issued".

All the broken withdraws have been re-issued. [sigh]

Let that sink in for a moment. Consider that Mark Karpeles had just realized and confessed to permanently losing 2,600 BTC. Regardless of current events how much would you trust him to competently deal with any problem withdrawals, with shaky software?

Now for the clincher. That thread has over 13,000 views. I don't even run an exchange and I know about the unreliability of transaction IDs, and MtGox was here before me. Isn't it reasonable to imagine an unprincipled person put two and two together and imagined that if MtGox was admittedly having withdrawal issuance/software problems, and was taking the course of action of re-issuing withdrawals, then what if, just what if they didn't know about transaction malleability?

The picture is starting to become clearer isn't it? 800,000 BTC is a LOT of bitcoins, but if there were ongoing withdrawal problems over many months even years, coupled with an influx of fresh users depositing BTC, and books were not reconciled in a way to make imbalances obvious, then, what do you get? Exactly what we see today.

This would explain why Mark Karpeles seems exceedingly reluctant to talk about what happened. It would explain his public statements which shift blame over to the core system itself. There is no telling what exactly happened to all those BTC, but tranasction malleability & theft or not he had lost at least 26K USD all by himself. As the prescient poster above predicted it was only a matter of time before he lost something much bigger.

1513609724
Hero Member
*
Offline Offline

Posts: 1513609724

View Profile Personal Message (Offline)

Ignore
1513609724
Reply with quote  #2

1513609724
Report to moderator
1513609724
Hero Member
*
Offline Offline

Posts: 1513609724

View Profile Personal Message (Offline)

Ignore
1513609724
Reply with quote  #2

1513609724
Report to moderator
1513609724
Hero Member
*
Offline Offline

Posts: 1513609724

View Profile Personal Message (Offline)

Ignore
1513609724
Reply with quote  #2

1513609724
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1513609724
Hero Member
*
Offline Offline

Posts: 1513609724

View Profile Personal Message (Offline)

Ignore
1513609724
Reply with quote  #2

1513609724
Report to moderator
Catanonia
Member
**
Offline Offline

Activity: 118


View Profile
March 01, 2014, 02:51:04 AM
 #2

Good post and tbh, probably what happened. Bad coding and poor book keeping lead to a massive hole that was eventually discovered and attempted to be covered up, but too late.
acoindr
Legendary
*
Offline Offline

Activity: 1036


View Profile
March 01, 2014, 01:00:09 PM
 #3

Nobody else has an opinion on my conclusion? Yea or nay?

An upvoted post at reddit currently has falkvinge.net concluding an inside job, which would be more tempting for regulators.

http://falkvinge.net/2014/02/28/the-gox-crater-crowd-detectives-reveal-billion-dollar-heist-as-inside-job/

Yet Falkvinge himself says one of his points doesn't make sense (under his scenario, but it does under mine).

Quote
May 2, 2013 – Empty Gox was sued by CoinLab for 75 million USD for breach of contract. For unknown reasons, Gox failed to fulfill obligations to provide server access, resulting in a startup-crushing financial liability for failing to deliver. (Rob Banagale)

(Interestingly, there’s a massive selloff of 750,000 coins at an average price of about 100, totalling $75M, just following this event, suggesting customer coins were fraudulently sold to cover Gox liabilities. However, such a move wouldn’t make sense from a funding perspective, as it doesn’t change the amount customers have deposited in the exchange – if there was $75M deposited already, that could be used directly without a selloff; if there wasn’t, it would not magically appear because Gox sold customers’ coins on their own exchange.)

However, such a massive selloff would make sense if outside thieves having successfully extracted that many coins were worried about MtGox folding from the CoinLab lawsuit and crashing the BTC price. At that time it mihgt have seemed better to sell for a sure $75M.

I believe this was actually the result of theft compounded with incompetence, with many of the coins being stolen, with possibly many others being unintentionally locked out (by horrible software).
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!