
Transaction malleability Bitcoin flaw may have ruined Mt. Gox

On Sunday, after Mt. Gox CEO Mark Karpeles announced that hackers relieved the exchange of more than half a billion dollars in Bitcoins, the Tokyo-based company filed for bankruptcy in the U.S., citing “a flaw in the software algorithm that underlies Bitcoin” as the reason.

The flaw the documents are referring to is known as transaction malleability, Frode Nilsen, a developer with five years of experience working on banking applications with money transactions, told on Thursday in an ongoing email correspondence regarding Mt. Gox and Bitcoins.

Understanding exactly how transaction malleability works requires a fundamental understanding of how Bitcoin and digital currencies work – particularly the block chain, a sequential record of all transactions that is available for the world to see.

Basically, the transaction malleability flaw allows a person to produce an altered copy of a real transaction before it is confirmed to the block chain: the copy spends the same coins to the same recipient, but its signature is re-encoded so that it carries a different transaction ID. If that person can get the block chain to commit to the altered copy first, then the original transaction will be treated as a double-spend of the same coins and will eventually disappear from the network. Then all the person has to do is report that the transaction did not complete, pointing to the absence of the original transaction ID from the block chain as evidence, and an exchange that tracks its payments by transaction ID would send the coins again.

This vulnerability could result in denial-of-service, which is what many exchanges, including Mt. Gox, reported experiencing in February. Fortunately, the issue is well on the radar of the Bitcoin user community.

“Bitcoin users are safe if the Bitcoin exchange has taken account for the flaw and implemented countermeasures for it,” Nilsen said. One such countermeasure is confirming transactions manually instead of using an automated system, although it is a slower process.
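To make the mechanism and the countermeasure concrete, here is an added Python model; it is not code from the article, from Nilsen or from Mt. Gox. The transaction layout, the keyed digest that stands in for an ECDSA signature, and every key, outpoint and address in it are constructed assumptions. What it demonstrates is the one property the flaw rests on: the signature's encoding is part of the transaction ID but not part of what the signature commits to, so a ledger keyed on transaction IDs loses track of a payment that confirmed under a re-encoded copy, while a ledger that matches on the inputs spent and outputs paid does not.

```python
import hashlib
import json
from dataclasses import dataclass


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, the hash Bitcoin uses for transaction IDs."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


@dataclass
class Tx:
    """Toy transaction: the outpoints it spends, the outputs it creates, the serialized signature."""
    inputs: list      # outpoints spent, written "prev_txid:vout" (constructed values)
    outputs: list     # (address, amount) pairs
    sig: bytes = b""  # wire encoding of the signature, any padding included

    def signed_data(self) -> bytes:
        # The signature commits to inputs and outputs, never to the signature bytes themselves.
        return json.dumps({"in": self.inputs, "out": self.outputs}, sort_keys=True).encode()

    def txid(self) -> str:
        # As in Bitcoin, the txid hashes the full serialization, signature encoding included.
        return sha256d(self.signed_data() + self.sig).hex()


def sign(tx: Tx, key: bytes) -> bytes:
    # Toy stand-in for ECDSA: a keyed digest over the signed data; canonical form is 32 bytes.
    return hashlib.sha256(key + tx.signed_data()).digest()


def verify(tx: Tx, key: bytes) -> bool:
    # The verifier only inspects the canonical 32 bytes, so trailing padding is ignored,
    # mirroring how a differently encoded ECDSA signature still verifies the same data.
    return tx.sig[:32] == sign(tx, key)


def reencode_signature(tx: Tx) -> Tx:
    # A copy that verifies identically but serializes differently, hence a different txid.
    return Tx(list(tx.inputs), list(tx.outputs), tx.sig + b"\x00")


def naive_unconfirmed(pending: dict, confirmed: list) -> list:
    """Vulnerable bookkeeping: a withdrawal is 'missing' if its recorded txid never confirmed."""
    confirmed_ids = {tx.txid() for tx in confirmed}
    return [txid for txid in pending if txid not in confirmed_ids]


def reconcile(pending: dict, confirmed: list) -> dict:
    """Hardened bookkeeping: match each withdrawal by the outpoints it spends and the
    outputs it pays, neither of which a re-encoded signature can change."""
    spent_by = {op: tx for tx in confirmed for op in tx.inputs}
    status = {}
    for txid, tx in pending.items():
        onchain = next((spent_by[op] for op in tx.inputs if op in spent_by), None)
        if onchain is None:
            status[txid] = "unconfirmed"   # inputs still unspent: wait or rebroadcast the same tx
        elif onchain.outputs == tx.outputs:
            status[txid] = "confirmed"     # the same payment landed under another txid: do not resend
        else:
            status[txid] = "conflict"      # inputs spent to someone else: investigate, never resend
    return status


def demo() -> tuple:
    """Constructed scenario: the exchange's withdrawal is re-encoded before it confirms."""
    key = b"hot-wallet-key"                                   # constructed key
    withdrawal = Tx(["deadbeef:0"], [("customer-address", 100_000)])
    withdrawal.sig = sign(withdrawal, key)
    copy = reencode_signature(withdrawal)
    assert verify(copy, key) and copy.txid() != withdrawal.txid()
    pending = {withdrawal.txid(): withdrawal}
    confirmed = [copy]                                        # the copy wins the race to a block
    return naive_unconfirmed(pending, confirmed), reconcile(pending, confirmed)


if __name__ == "__main__":
    missing, status = demo()
    print("naive bookkeeping would re-send:", missing)
    print("robust bookkeeping says:", status)
```

The design point is that a re-send decision should never be made from the absence of a transaction ID alone. A withdrawal whose inputs are still unspent on the chain is merely unconfirmed; one whose inputs were spent to the same outputs is complete whatever its ID; and one whose inputs were spent elsewhere is a genuine conflict that needs a human, which is the manual confirmation step the paragraph above describes.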

Nilsen added, “Once you know about it, it's pretty straightforward. The Mt. Gox developers obviously didn't know about it (if what they state is true), so that's why Mt. Gox got screwed, and, ultimately, its customers.”

In a previous correspondence, Nilsen pointed to a theory posted on, in which a user speculates that one million Bitcoins sent to Mt. Gox in 2011 were taken that year by hackers who gained access to the exchange's servers and executed fake trades – subsequently setting off the chain of events that led to today.

Nilsen said he believes there was a substantial theft of Bitcoins from Mt. Gox at one point.
