Mt Gox's 'transaction malleability' claim rubbished by researchers

By now, we all know the Magic the Gathering Online Exchange says it came undone because of a gap in the Bitcoin protocol called “transaction malleability”. Now, two ETH Zurich researchers have rubbished that claim. In this paper at Arxiv, Christian Decker and Roger Wattenhofer analyse a year's worth of Bitcoin activity to …


This topic is closed for new posts.
  1. Winkypop

    Zurich researchers, eh?

    Because nobody knows how to hide funds better than the Swiss.

    1. Anonymous Coward

      Re: Zurich researchers, eh?

      Because nobody knows how to hide funds better than the Swiss.

      The ETH happens to have an extremely good reputation in technology.

  2. Ole Juul

    Hello Mt Gox

    Your move.

  3. Ken Y-N

    "Only" [19.46% malleability attacks] were successful?

    I don't think Visa would claim that "only" one in five fraudulent card uses are undetected or Lloyds that "only" one in five bank robbers got away with the swag, and of course the other 4 out of 5 have disappeared empty-handed into the ether or alternatively came back the next four days to see which would be their lucky day.

    1. Anonymous Coward

      Re: "Only" [19.46% malleability attacks] were successful?

      On the other hand, that might be a low success rate compared to the average mugger. Not that I know, you understand, I'm just guessing.

      1. Anonymous Coward

        Re: "Only" [19.46% malleability attacks] were successful?

        The almost 10% fraud rate is an amazingly high rate of [fraud] crime for a "banking" system, considering for example that large retailers usually estimate a 5% annual shrinkage loss. The statistic chosen therefore states that Bitcoin crime is almost twice the rate of retail/shoplifting crime.

        That is NOT a good statistic to quote.

        1. Ole Juul

          Re: "Only" [19.46% malleability attacks] were successful?

          "The statistic chosen therefore states that Bitcoin crime is almost twice the rate of retail /shoplifting crime."

          You and I probably read different articles, but the one under discussion here is about Mt Gox who is the one claiming the 'transaction malleability' problem as an excuse for 100% of their missing funds. The researchers are claiming that it could not have been that high. Note that this particular problem is not a Bitcoin issue.

          "That is NOT a good statistic to quote."

          Yes it is, because if true, it shows that Mt Gox is likely not telling the truth.

        2. ChrisPW

          Re: "Only" [19.46% malleability attacks] were successful?

          19.46% is NOT the success rate of the attack. That is the rate at which the modified transaction was accepted INSTEAD of the original one. The modified transaction was of the same value (it has to be or the encryption does not work), the same amount of "wealth" was transferred, it just has different ID numbers.

          The issue is down to how the exchange tracked transactions - they did not do so in a reliable enough manner, once they saw the original transaction fail they were issuing refunds without checking for a duplicate transaction going through. Other exchanges updated their software competently once the issue was noticed, MtGox didn't. MtGox have a long history of producing duff transactions that failed, rather than fixing the problem they bodged in an auto-refund system.

          MtGox and their rubbish software were the problem, there was not a large network-wide issue.
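The mechanism ChrisPW describes, as an added illustration that is not code from the paper, from Mt Gox or from any commenter: a transaction's id is a hash over the whole serialized transaction, signatures included, so a relay node that re-encodes a signature (here the classic ECDSA (r, s) -> (r, n - s) flip, which verifies for the same message and key) produces a second valid transaction that moves exactly the same coins under a different id. The serialization below is a simplified JSON stand-in for Bitcoin's wire format, the signature values and previous txids are constructed placeholders, and no ECDSA verification is performed; what the example shows is the bookkeeping difference between an exchange that tracks withdrawals by txid and one that tracks them by the outpoints spent and outputs created.

```python
import hashlib
import json
from copy import deepcopy

# Group order of secp256k1, the curve Bitcoin signs with (public constant).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Constructed withdrawal: one input spending a prior output, two outputs
# (the customer's coins plus change back to the exchange). The (r, s)
# values, pubkey and previous txid are placeholders, not real signatures.
ORIGINAL = {
    "inputs": [{
        "prev_txid": "ab" * 32,
        "prev_index": 0,
        "sig": [0x2F1A3C5E7B9D0F2A4C6E8B0D1F3A5C7E9B1D3F5A7C9E0B2D4F6A8C0E2B4D6F8A,
                0x1B3D5F7A9C0E2B4D6F8A0C2E4B6D8F0A2C4E6B8D0F2A4C6E8B0D1F3A5C7E9B1D],
        "pubkey": "02" + "cd" * 32,
    }],
    "outputs": [
        {"address": "customer_addr", "value": 150_000_000},   # 1.5 BTC in satoshi
        {"address": "gox_change_addr", "value": 49_990_000},  # change minus fee
    ],
}


def sha256d(data: bytes) -> bytes:
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def txid(tx: dict) -> str:
    """Transaction id: a hash over the *entire* serialized transaction,
    signatures included. Re-encoding a signature changes this id."""
    return sha256d(json.dumps(tx, sort_keys=True).encode()).hex()


def transfer_key(tx: dict) -> str:
    """Malleability-proof key: the outpoints being spent plus the outputs
    created. A third party cannot alter these without invalidating the
    signature, so this key survives malleation."""
    core = {
        "spends": [[i["prev_txid"], i["prev_index"]] for i in tx["inputs"]],
        "creates": tx["outputs"],
    }
    return sha256d(json.dumps(core, sort_keys=True).encode()).hex()


def malleate(tx: dict) -> dict:
    """Relay-node attack: replace each signature (r, s) with (r, n - s).
    ECDSA accepts both for the same message and key, so the transaction
    stays valid and moves the same value, but its txid is different."""
    mal = deepcopy(tx)
    for inp in mal["inputs"]:
        r, s = inp["sig"]
        inp["sig"] = [r, N - s]
    return mal


def settle(withdrawal: dict, confirmed: list, key) -> str:
    """Exchange-side bookkeeping: did our withdrawal make it into the chain?
    `key` is whatever identity the exchange tracks withdrawals by."""
    seen = {key(tx) for tx in confirmed}
    return "settled" if key(withdrawal) in seen else "refund"


def demo() -> dict:
    mal = malleate(ORIGINAL)
    confirmed = [mal]  # the malleated copy won the relay race and was mined
    return {
        "ids_differ": txid(ORIGINAL) != txid(mal),
        "same_transfer": transfer_key(ORIGINAL) == transfer_key(mal),
        # Tracking by txid: the original never confirms, so the exchange
        # refunds a withdrawal that actually went through (pays twice).
        "naive_exchange": settle(ORIGINAL, confirmed, txid),
        # Tracking by outpoints + outputs: the spend is recognised as done.
        "careful_exchange": settle(ORIGINAL, confirmed, transfer_key),
    }


if __name__ == "__main__":
    print(demo())
```

The fix other exchanges applied amounts to the `transfer_key` line of thinking: before refunding, check whether the outpoints your withdrawal spent have been consumed on-chain by any transaction, not whether the exact txid you remembered appeared.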

    2. Anonymous Coward

      If 19.46% of Fraud attempts were successful, then the ones that succeeded are still Fraud.

    3. Anonymous Coward

      Re: "Only" [19.46% malleability attacks] were successful?

      ... compared to the 100% claimed by MtGox !

      What the swiss did not investigate though is the insidious "line my pockets malleability attacks" which probably account for the remaining 80%....


  4. Tim Worstal

    That paper goes on to make a very interesting point. A further very interesting one rather.

    The vast majority of malleability attacks, or attempts at them, came *after* MtGox announced its troubles. That is, were driven by people hearing about it and seeing if it would work.

    The total number of malleability attacks *before* the MtGox announcement wasn't large enough to have been responsible for the losses at MtGox. Yes, all such attacks everywhere on all exchanges were smaller than the reported losses at MtGox.

    Which is really a rather interesting finding....

    1. James Micallef

      Leaving the question "So where did the missing Bitcoin go?" open.

      Just one question I have from my limited knowledge of how BC works... but as I understand it every BC mined has a history in the blockchain, and in spite of a lot of forks in the blockchain due to how mining/transaction verifying works, the forks are folded back into the original blockchain once a transaction is confirmed... and the blockchains are all public. So bitcoins that weren't 'stolen' by the malleability attacks should be traceable, at least to an id if not to an actual person?

      1. Loyal Commenter

        I have been wondering the same thing.

        Since the block chain is essentially a public ledger, if the addresses used by MtGox are known, then it should be possible to trace the bitcoins and see where they went. If indeed there were a vulnerability which led to transactions essentially being doubled, this should be visible in this audit. If, however, it can be seen that the deposits to MtGox addresses, minus the withdrawals, do not add up to the numbers they say they have, or if a large number of Bitcoins have been transferred to a single, or small number of, addresses, it might indicate that someone there was siphoning off BTC into their own wallets.

        If this is the case, is it then possible to trace where those wallets are held via the IP addresses, or some other means?
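The audit the two posts above sketch, written out as an added example that is not from the page or from any real block chain data: given a set of addresses assumed to belong to the exchange (in practice attributing addresses to an operator is the hard part and needs clustering heuristics; here they are simply given), sum what was paid to them minus what was spent from them, compare with the figure the exchange claims, and rank where outflows went. The ledger below is a constructed toy with made-up address names and BTC amounts; change outputs paid back to the exchange's own addresses are deliberately excluded from "outflow", which is the caveat a UTXO audit most often gets wrong.

```python
from collections import defaultdict

# Constructed toy ledger (not real chain data): each entry spends from some
# addresses and pays to others, amounts in BTC, address names made up.
LEDGER = [
    {"txid": "t1", "in": [("alice", 10.0)], "out": [("gox_a", 10.0)]},                       # deposit
    {"txid": "t2", "in": [("bob", 5.0)],    "out": [("gox_b", 5.0)]},                        # deposit
    {"txid": "t3", "in": [("gox_a", 10.0)], "out": [("alice", 2.0), ("gox_c", 8.0)]},        # withdrawal + change
    {"txid": "t4", "in": [("gox_c", 8.0)],  "out": [("mystery", 7.5), ("gox_c", 0.5)]},      # large outflow
    {"txid": "t5", "in": [("gox_b", 5.0)],  "out": [("carol", 1.0), ("gox_b", 4.0)]},        # withdrawal + change
]
EXCHANGE = {"gox_a", "gox_b", "gox_c"}  # assumed attribution of addresses to the exchange


def holdings(ledger, addrs):
    """Unspent value on the exchange's addresses: everything paid to them
    minus everything spent from them. Change outputs appear on both sides
    and cancel, so they do not inflate the figure."""
    received = sum(v for tx in ledger for a, v in tx["out"] if a in addrs)
    spent = sum(v for tx in ledger for a, v in tx["in"] if a in addrs)
    return received - spent


def outflows(ledger, addrs):
    """Where value that left the exchange went, excluding change returned
    to its own addresses, largest sink first."""
    sinks = defaultdict(float)
    for tx in ledger:
        if any(a in addrs for a, _ in tx["in"]):
            for a, v in tx["out"]:
                if a not in addrs:
                    sinks[a] += v
    return sorted(sinks.items(), key=lambda kv: kv[1], reverse=True)


def concentration(ledger, addrs, top=1):
    """Share of all outflow captured by the `top` largest sinks. A value
    near 1.0 means withdrawals drain to one place rather than to many
    customers, which is the pattern the post above asks about."""
    flows = outflows(ledger, addrs)
    total = sum(v for _, v in flows)
    return sum(v for _, v in flows[:top]) / total if total else 0.0


def audit(ledger, addrs, claimed):
    """Compare the on-chain position with what the operator says it holds."""
    on_chain = holdings(ledger, addrs)
    return {
        "on_chain": on_chain,
        "claimed": claimed,
        "shortfall": claimed - on_chain,
        "top_sink": outflows(ledger, addrs)[0],
        "top_share": concentration(ledger, addrs),
    }


if __name__ == "__main__":
    # claimed balance is a constructed figure for the example
    print(audit(LEDGER, EXCHANGE, claimed=15.0))
```

What this cannot do, as the next reply notes, is name the person behind `mystery`; it only narrows the question from "where did the coins go?" to "who controls this address?", which needs off-chain information.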

      2. Charles Manning

        You can't tell where it went

        You can just tell that it is authentic.

        Criminals and money launderers would not use it as an anonymous currency if you could tell where it came from or where it went.

  5. sysconfig

    It's somewhat interesting that those pointing out that almost 20% is still an outrageously high figure got downvoted. I'm not per se against Bitcoin. But I cannot believe that anybody, fanboi or not, thinks 20% is acceptable. On top of that it invalidates Bitcoin's claim of being oh so super secure.

    And to add insult to injury, it also points out that the big players (or former big players in case of MT Gox) in the bitcoin business may not be 100% honest, to put it mildly.

    The whole MT Gox situation is a huge blow for bitcoin, because it was their biggest public exchange.

    Those are facts, which even Bitcoin owners and traders can't dismiss.

    It's a pity though, because the bankers will celebrate this for some time to come.

    1. Loyal Commenter

      I think maybe it's because it's a figure of '20% of fraudulent transactions succeeded', not '20% of transactions are fraudulent'. You'll probably find that with conventional payment processing, a significant proportion of transactions are fraudulent (0.1% of credit card transactions according to wikipedia), and of those 0.1%, they probably have a much higher than 20% chance of getting away with it.

    2. Gordon 10

      Comprehension fail.

      You and the rest of the commentards on here need to read the article more clearly.

      It ONLY talks about the number of attempted Malleability attacks vs those that were successful. It says NOTHING about what proportion of Total transactions they were. So it could be 20% of a very small number or a very big number.

      So in context it's the same as saying 20% of attacks against an ATM are successful - it says nothing about the number of ATM transactions or the amount of cash involved.

      1. sysconfig

        Re: Comprehension fail.

        I didn't say that 20% of all transactions were fraudulent. So if you feel like being patronising, at least read what I wrote and not what you think I may have intended to write.

        I still think 20% success rate for fraudulent transactions is too high. And I did not say that banks and card providers do better, or worse. It was an isolated statement. The reference to the partying bankers was because the Mt Gox cockup is a blow for Bitcoin as a whole as seen by the public (you know, the lesser knowledgeable people; include me there, if you like). It's much the same as everybody complaining about banks in general after Barclay's (or any other bank of your choice) has screwed up yet again.

        For any payment method (or currency) to be successful and stable you need a large group of people and businesses using it. The lesser people know, the more they will be put off by negative headlines.

        But if we want to go there and draw a comparison between traditional banking and Bitcoin, the people on here who know more about Bitcoin may be able to answer this: Who do you turn to in order to get a refund?

        I've had a few fraudulent transactions against my credit cards over the years. Either the bank spotted them straight away, or I did spot on the statement -- and I always got them refunded. Does Bitcoin have a similar safety net?

        And does anybody have stats that confirm the success rate for fraudulent transactions in traditional banking?

        Genuine questions, which belong together if you want to compare success of fraud! To be honest I'm relatively indifferent when it comes to Bitcoin. For me personally Bitcoin is not an option because of its fluctuations and lack of shops where you can buy stuff with it. That may well change in the future, albeit a bit further in the future after cockups like this one. That wasn't the subject though.

        1. Loyal Commenter

          Re: Comprehension fail.

          The only reason the success rate was 20% is because MtGox were using a version of the Bitcoin wallet which they had branched from the 'official' reference version, in which this particular bug was fixed in 2011. Had they not been using shoddy software, the success rate would have been exactly 0%.

          This vulnerability was known - it was their sloppy processes that allowed it to persist for years, and this reflects badly on them, not on Bitcoin.

          Imagine if a vulnerability were found in VISA, and they announced that all POS terminals should be updated to avoid fraudulent transactions. If a POS manufacturer were found, three years down the line, to not have fixed this bug, and still allow fraudulent transactions to clear, who would be liable - the POS manufacturer, or VISA?

          In answer to your question about whether Bitcoin transactions can be reversed; the simple answer is no. Unlike credit card fraud, however, it is not possible for someone to copy your wallet, or operate an equivalent of a 'cardholder not present' scam. Your 'wallet' is, in fact, a cryptographic key which allows access to your balance on the block chain. If you were to allow that key to be stolen, either by having your computer hacked, or by other means, your wallet would be compromised, in the same way that if you had your actual wallet stolen, you would have no way of regaining its contents. Mitigations against this sort of thing consist of keeping funds in an 'offline' wallet, or a 'paper wallet' (essentially a print-out of the key as a 2D barcode) in a safe, and encrypting your wallet so that you need a password to access the key. These measures are all in your hands.

        2. Loyal Commenter

          Re: Comprehension fail.

          To add to that, as far as I am aware, pretty much 100% of fraudulent credit card transactions are 'successful' in terms of the crooks getting the money and getting away with it. When they get caught, it is rare enough to make the news. In terms of 'losing' your money, the credit card companies essentially insure you against such losses. They do this by charging ~4% fees on something that happens 0.1% of the time (paid by the merchant). Taking their other costs into account, this is why they have big shiny office buildings and their executives have big houses.

          1. sysconfig

            Re: Comprehension fail.

            Have an upvote for each of your posts for the level of detail! Cheers mate.

            The insurance fee is indeed a very valid point, which we have come to accept (or at least live with) in return for the ability to get transactions reverted.

    3. Brian Miller 1

      check your "facts"

      I fail to see any facts in your statement. Here are some of my own.

      Fact: Mt. Gox was the 7th largest public exchange at the time of its troubles.

      Fact: Bitcoin protocol was not the issue. Mt. Gox re-wrote the open source BTC wallet code badly, enabling this exploit.

      Fact: You know very little about what you speak.

    4. I. Aproveofitspendingonspecificprojects
      I see you got one upvote and 4 down. Similar to bitcoin stats.

      Lessens shan't be leaned.
