I believe I know what happened at MtGox. (Spoiler alert) TL;DR:
complete incompetenceWhile I was a supporter of MtGox, in this debacle I have lost not more than about $80 there, because I try to follow my own advice which is: don't ever store longer term more cash/coins in ANY online service than you can afford to lose. Some here must have seen me say this repeatedly in the past. Anyway, there is a lot of question and speculation about what really happened with MtGox. I think I've figured it out. I'll present my case and see if you agree with me.
Before I get started, check out this quote from
2011. It's unbelievably prescient. BTW Magical Tux is Mark Karpeles:
And this is the guy whom 90% of Bitcoin users trust their money to...
MagicalTux fucks up... AGAIN!
What will happen when they lose the income of 10 years?
Go ahead, click the link. You'll see it's really from 2011. Now, what would make this guy predict something like that?
Exhibit A:
That quote comes from the following 2011 thread which I believe is the last piece of the puzzle:
someone fucked up and lost ALOT of moneyYou really need to read/skim the first 2 1/2 pages, which contains the above quote, to get a feel for what happened. The gist of it is that MtGox, possibly Mark Karpeles himself, implemented (badly) custom software for transacting directly on the network.
Now check out this quote on 2/10/14 from DeathAndTaxes whose opinion on the matter I deeply respect:
...
MtGox had other issues which resulted in payments failing, being delayed, and needing to be resent. The attackers took advantage of this to "camouflage" their actions. Your right if you send out payments to 50,000 users and 49,999 report no issue but one user over and over reports not getting paid well then "hmm maybe this user is running a scam" however if you send payments to 50,000 users and 30,000 of them report non-payment due to a variety of reasons (caused by Gox) then it becomes easier for the attacker to hide.
MtGox wrote their own client, and they did so horribly bad. Their client isn't worthy of being used by a hobbyist experimenting on testnet but they used it in production for a systme involving millions of dollars of assets. We have no idea how many things they got wrong but looking at the failed transaction we know at a minimum these things were wrong:
a) MtGox double spent their own coins.
b) MtGox paid insufficient fees on tx which were low priority meaning they would not be relayed to miners by most nodes.
c) MtGox created tx which violated the "anti-spam" rules which caused tx to be dropped (not relayed) by some nodes.
d) MtGox attempted to spend immature newly mined coins (newly mined coins can't be spent for 120 blocks).
e) MtGox used non-canonical signatures on transactions which were rejected by newer nodes.
and
f) MtGox failed to account for mutable hashes.
Now if MtGox had done a through e they wouldn't have lost any coins. Yes users would be delayed. Yes it would make them look foolish but had they at least done f right they would have not paid attackers twice.
On the other had if MtGox had done a through e right but messed up f, then your scenario in the OP would be correct. Legit users would have seen no issue, attackers would have gotten double paid. ...
However MtGox managed to get a through f wrong so legit users were affected AND attackers were able to trick them into making double payments. Worse the two issues compound on each other. If the attackers were the only ones reporting non-payment then it is likely MtGox would have gotten suspicious relatively quickly however since this has been going on for the better part of a month and involves tens of thousands of transactions who knows how many times attackers were able to get away with a double payment.
... I consider myself moderately knowledgeable about bitcoin, and I don't use a custom bitcoin client. I use a custom backend which communicates with the reference client (i.e. bitcoind) for these exact reasons. MtGox's attempt to build a custom client would be laughably bad if released as an open source alternative client with a warning to be used for testing only. The fact that it was used as a closed source production client borders on criminal negligence.
The whole quote should be read, but at the least what I've highlighted in bold.
We need to jump back to the 2011 thread for a second. As far as I know that was the first indication of MtGox's horrible software implementation. The reason for the thread was it was discovered someone wrote a bad script making about 2,600 BTC permanently irretrievable (about 26K USD back then). In that thread Magical Tux appears to admit it was MtGox saying "<MagicalTux> that's a problem, but not the worst problem we ever faced ... just spent one week of BTC-only income".
So to this point we know as early as 2011 Mark Karpeles was aware his custom software resulted in losing 2,600 BTC. However, there is one more key line
in that quote from Magical Tux to focus on: "<MagicalTux> all the broken withdraws have been re-issued".
All the broken withdraws have been re-issued. [sigh]
Let that sink in for a moment. Consider that Mark Karpeles had just realized and confessed to permanently losing 2,600 BTC. Regardless of current events how much would you trust him to competently deal with any problem withdrawals, with shaky software?
Now for the clincher. That thread has over 13,000 views. I don't even run an exchange and I know about the unreliability of transaction IDs, and MtGox was here before me. Isn't it reasonable to imagine an unprincipled person put two and two together and imagined that if MtGox was
admittedly having withdrawal issuance/software problems, and was taking the course of action of
re-issuing withdrawals, then what if, just what if they didn't know about transaction malleability?
The picture is starting to become clearer isn't it? 800,000 BTC is a LOT of bitcoins, but if there were ongoing withdrawal problems over many months even years, coupled with an influx of fresh users depositing BTC, and books were not reconciled in a way to make imbalances obvious, then, what do you get? Exactly what we see today.
This would explain why Mark Karpeles seems exceedingly reluctant to talk about what happened. It would explain his public statements which shift blame over to the core system itself. There is no telling what exactly happened to all those BTC, but tranasction malleability & theft or not he had lost at least 26K USD all by himself. As the prescient poster above predicted it was only a matter of time before he lost something much bigger.
