
Experts suggest transaction malleability did not ruin Mt. Gox

Transaction malleability did not lead to the fall of Mt. Gox, formerly the world's biggest Bitcoin exchange, according to two researchers with the Distributed Computing Group at the Swiss Federal Institute of Technology in Zürich (ETH Zürich).

In a paper released on Wednesday, “Bitcoin Transaction Malleability and MtGox,” Christian Decker and Roger Wattenhofer studied Bitcoin transactions they compiled, including double spending and transaction malleability instances, dating back to January 2013.

Taking into account that incidents could have transpired prior to that date, the researchers discovered that 302,000 Bitcoins were involved in transaction malleability attacks. Of that number, only 1,811 Bitcoins were in attacks prior to Mt. Gox stopping withdrawals, and less than 25 percent of those attacks were successful.

In the end, the researchers came to the conclusion that roughly 386 Bitcoins could have been stolen as a result of malleability attacks targeting Bitcoin exchanges.

Tokyo-based Mt. Gox filed for bankruptcy protection in Japan on Feb. 28 and in the U.S. on March 10, at the time citing “a flaw in the software algorithm that underlies Bitcoin” as the reason hackers were able to pilfer 850,000 units of the popular cryptocurrency, or about half a billion dollars.

That flaw is transaction malleability, which, put very simply, is a variation of a double-spending issue: a transaction is made, then quickly modified and made again. If the modified transaction is confirmed first, the real transaction ends up disappearing, is later reported as having never gone through, and the coins are sent again.

“Transaction malleability certainly has to be considered when implementing a Bitcoin client, no matter for what purpose, but especially when it's not your own Bitcoins you're handling,” Decker told SCMagazine.com in an email correspondence.

Mt. Gox announced last week that it had recovered about 200,000 Bitcoins in an obsolete, old-format wallet, but that still does not explain what happened to the other 650,000 Bitcoins, going by what the researchers discovered.

Some in the community have opined that crypto funds were stolen some time back.

“It is worth noting that none of the publicly available clients is vulnerable to malleability, only custom implementations that do not track transactions correctly are at risk,” Decker said. “Furthermore, to avoid any future trouble with custom implementations, the Bitcoin developers are currently removing sources of malleability in the protocol.”
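The tracking problem described above and in Decker's remark about custom implementations can be shown in a few lines. The following is an added example, not code from the article, the paper or any Bitcoin client; the `Tx` model, the hashing, the function names and the sample data are constructed assumptions. It contrasts a tracker that recognizes a withdrawal only by its transaction id with one that follows the coins being spent, so that a withdrawal confirmed under a different id is not sent again.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    inputs: tuple      # outpoints being spent: ((prev_txid, index), ...)
    outputs: tuple     # ((address, amount), ...)
    script_sig: bytes  # signature data; not itself covered by the signature

    def txid(self) -> str:
        # Assumed stand-in for a Bitcoin txid: a double SHA-256 over the
        # whole transaction, signature bytes included.
        blob = repr((self.inputs, self.outputs)).encode() + self.script_sig
        return hashlib.sha256(hashlib.sha256(blob).digest()).hexdigest()

def naive_confirmed(sent: Tx, block: list) -> bool:
    # Flawed tracking: only an exact txid match counts as "went through".
    return sent.txid() in {tx.txid() for tx in block}

def reconcile(sent: Tx, block: list) -> str:
    # Track the withdrawal by the outpoints it spends, not by its txid.
    for tx in block:
        if set(tx.inputs) & set(sent.inputs):
            if tx.txid() == sent.txid():
                return "confirmed"
            if tx.outputs == sent.outputs:
                return "confirmed-under-different-txid"  # paid; do not resend
            return "conflict"  # same coins went to other outputs; investigate
    return "pending"

# Constructed sample data (not real transactions or signatures).
SENT = Tx((("aa" * 32, 0),), (("customer-address", 50_000),), b"sig-encoding-A")
MALLEATED = Tx(SENT.inputs, SENT.outputs, b"sig-encoding-B")
BLOCK = [MALLEATED]

if __name__ == "__main__":
    print("naive tracker sees confirmation:", naive_confirmed(SENT, BLOCK))
    print("outpoint tracker:", reconcile(SENT, BLOCK))
```

A support process built on `naive_confirmed` would report the withdrawal as failed and pay it a second time; the outpoint-based check reports it as already paid.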
