Following a very dramatic halt of all withdrawals last week, Mt. Gox has delivered an update on getting money out of the exchange, and for now, it’s not exactly looking good for the consumer.
“A bug in the bitcoin software makes it possible for someone to use the Bitcoin network to alter transaction details to make it seem like a sending of bitcoins to a bitcoin wallet did not occur when in fact it did occur,” the statement reads. “Since the transaction appears as if it has not proceeded correctly, the bitcoins may be resent.”
Gox says the bug has been “largely ignored”, known to at least some of the core bitcoin developers.
This defect, known as “transaction malleability” makes it possible for a third party to alter the hash of any freshly issued transaction without invalidating the signature, hence resulting in a similar transaction under a different hash.
According to Gox, if the wrong-doer is quick enough (has a small amount of mining power or a connection to a number of mining pools), he can cause hash alteration to be logged in the blockchain.
Possible solution
Mt. Gox proposes using a different hash for transaction-tracking purposes.
While the network will continue to use the current hash for the purpose of inclusion in each block’s Merkle Tree, the new hash’s purpose will be to track a given transaction and can be computed and indexed by hashing the exact signed string via SHA256 (in the same way transactions are currently hashed).
This new transaction hash will allow signing parties to keep track of any transaction they have signed and can easily be computed, even for past transactions.
Gox is warning all other exchanges and services sending to third parties to be wary of requests of transactions not going through, and notes they are working hand-in-hand with the bitcoin core development team to approve and standardize the new hashing method.
At that point, withdrawals shall resume. Of course, there’s no telling just how long the wait will be for Gox customers, but it’s certainly good the exchange is taking this head-on. More updates to follow as they become available, as always.
(Read the whole press release)
Community Responses
As one would come to expect, the community isn’t taking Mt. Gox’s claims very well.
“It’s a big in their handling of payments, not in Bitcoin,” said software developer Oleg Andreev on Twitter. A number of others echoed the sentiments, expressing disappointment in Mt. Gox for spinning the issue.
Bitcoin news website CryptoCoinsNews spoke to bitcoin core developer Greg Maxwell who said “The Gox press release seems a little ‘spun’ to me. They portray characteristics of the Bitcoin system well known since at least 2011 (which even have their own wiki page ) as something new.”
Maxwell confirms Gox should be able to account for this issue by modifying their internal systems, and says that “it’s never been a particularly large concern.”
“This wouldn’t make the top ten list of dangers in the Bitcoin technology.”
Meanwhile on Reddit.com, users are calling for the removal of Mark Kerpeles (CEO of Mt. Gox) from the Bitcoin Foundation board, citing that he’s essentially thrown bitcoin “under the bus” to cover up his company’s shortfalls.
Given the magnitude of Gox’s claims, you can almost certainly bet there will be retorts from other big entities in the bitcoin community. Stay tuned.
Update: read the statement from Gavin Andresen of the Bitcoin Foundation on the matter.
