By Jerry Whitehead III, re-posted by Jeffrey Lyon
Why the oft-maligned feature in Bitcoin transactions is less concerning than other security issues.
Anyone who has been following the online crypto currency known as Bitcoin (or especially those who have invested in them) are no doubt aware of the precipitous downfall and complete implosion of one of the largest Bitcoin exchanges on the market: Mt. Gox.
Originally started as a place for fans of the popular card game Magic: The Gathering (Mt. Gox stands for Magic The Gathering Online eXchange), site founder Jed McCaleb became interested in the relatively new Bitcoin currency in 2010 and shifted the site’s focus and purpose entirely toward Bitcoin. After it grew beyond his expectations and capabilities, McCaleb sold 88% of Mt. Gox (retaining 12%) to Mark Karpeles, who turned Mt. Gox into such a leader in the Bitcoin exchange space that by spring of 2013, Mt. Gox was handling approximately 70% of the world’s exchanges.
But Mt. Gox’s reign at the top of the Bitcoin world proved to be short lived. After a series of increasingly catastrophic and public failures, Mt. Gox suspended trading on February 7, 2014 and issued a press release and claimed that the reason they were suspending trading was due to an issue called “transaction malleability”, which was new terminology to many at the time.
“A bug in the Bitcoin software makes it possible for someone to use the Bitcoin network to alter transaction details to make it seem like a sending of BTC to a Bitcoin wallet did not occur when in fact it did occur,” the statement read. “Since the transaction appears as if it has not proceeded correctly, the Bitcoins may be resent. MtGox is working with the Bitcoin core development team and others to mitigate this issue.”
Unfortunately for many Mt. Gox users, trading never resumed, and millions of their collective dollars in Bitcoin were lost forever. Karpeles resigned, Mt. Gox filed for bankruptcy, and 850,000 Bitcoins (worth nearly a half a billion dollars at the time) vanished.
Many would view this timeline and suppose that this mysterious transaction malleability issue was at the root of Mt. Gox’s failings. But a more in-depth look reveals that while transaction malleability does present some valid security concerns for Bitcoin users and exchanges, it’s not the culprit for Mt. Gox’s failures and was instead used as a scapegoat by a company who realized the writing was on the wall for them.
First, let’s take an extremely overly simplified look at how a Bitcoin transaction takes place. Each time any amount of Bitcoin changes hands, it creates a bit of data that is broadcast to the network, which is accessible and displays the data information for all transactions. All transactions require verification by the network to make sure they are legitimate, since one of the founding principles of Bitcoin was to have a consistent and measured increase in the amount of Bitcoin created.
There is a very small window of time while this transaction data is being verified, however, where it can be altered. This ability to have transactions changed is called transaction malleability, and there are legitimate reasons why it was purposefully placed into the Bitcoin code. However, as with anything, people soon found nefarious ways to exploit this transaction malleability for their own gain. One of the most common ways (and the one that Mt. Gox specifically claimed was the reason for their troubles) would be for someone to quickly change the data to make it seem as though they never received the Bitcoins from the transaction, causing the sender to resend.
On the surface, this would appear to be a serious and valid security concern for Mt. Gox or any Bitcoin exchange. And people within the Bitcoin community admit that this feature has indeed probably cost exchanges lost money in duped Bitcoin transactions. But couldn’t it happen on a large scale, as Mt. Gox warned? After all, could some skilled and enterprising hacker take advantage of transaction malleability on a wide scale and scam people out of numerous Bitcoin? Yes and no. While it could happen and probably has happened on a much smaller scale, for any exchange to lose a large amount of Bitcoin (and much less than the 850,000 that Mt. Gox lost), it would be readily apparent and gigantic, bright, waving red flags would be flown up immediately.
The real problem was with how Mt. Gox dealt with these fraudulent claims of transactions that “never went through”. When users would send in these claims to the exchange’s help center, Mt. Gox would (most likely in an effort to retain customer loyalty and avoid negative publicity) simply credit the users the Bitcoin right away. This would work if the transaction indeed did not go through, but that could have been verified had they taken the time necessary to investigate the transaction ID data, which again is easily accessible.
But even with the amount of Bitcoin they “double dealt” to fraudulent claims as a result of transaction malleability, Mt. Gox had deeper, systemic problems that many in the Bitcoin community saw months in advance of their closure and eventual bankruptcy. Transaction malleability was an issue for ALL Bitcoin exchanges, but many had the foresight to deal with it appropriately. As chief Bitcoin Foundation scientist Gavin Andresen said, “Transaction malleability has been known about since 2011…This is something that cannot be corrected overnight. Therefore, any company dealing with Bitcoin transactions and have coded their own wallet software should responsibly prepare for this possibility and include in their software a way to validate transaction ID’s. Otherwise, it can result in Bitcoin loss and headache for everyone involved.”
Transaction malleability first came upon our radar as a result of the attacks related to this exploit. In early February 2014, hackers sent floods of fake transactions onto the Bitcoin network. While various Bitcoin experts and exchange CEOs quickly informed everyone that users’ Bitcoin were not at threat of vanishing as a result of these types attacks, they did acknowledge that it is a problem. As Andresen said, however, it’s not something that can be fixed “overnight”, so we’ll be interested to see what (if any) steps the Bitcoin community takes to safeguard against future transaction malleability related security issues.
Regardless, transaction malleability played only one small part in the collapse of Mt. Gox, which attempted to pin the blame solely on the shoulders of this well-known exploit.
