joepie91's Ramblings

home RSS

Why Mt. Gox is full of shit

10 Feb 2014

According to Mt. Gox, they discovered a critical flaw in the design of Bitcoin, allowing people to 'steal' Bitcoins by changing the ID of a BTC withdrawal transaction after-the-fact, claiming to customer support that they never received it, and having them resend it. This would be a possibility, because the Bitcoin protocol does not 'sign' the transaction ID, and it could thus be spoofed. They go on playing the 'white knight', strongly implying that they've been the first to find said flaw, and are in talks with developers to get it fixed.

Except that's a big crock of shit.

The issue with spoofing a transaction ID does indeed exist, and is known as transaction malleability. However this is not, as Mt. Gox claims, a "new finding" - it has been known and documented for years. Consequently, the official Bitcoin daemon (bitcoind) does not rely on a transaction ID to determine if a transaction succeeded, and people writing their own implementation have been warned about this for those same years.

So why does Mt. Gox experience this issue? They run a custom Bitcoin daemon, with a custom implementation of the Bitcoin protocol. Their implementation, against all advice, does rely on the transaction ID, which makes this attack possible. They have actually been warned about it months ago by gmaxwell, and have apparently decided to ignore this warning.

In other words, this is not a vulnerability in the Bitcoin protocol, but an implementation error in Mt. Gox' custom Bitcoin software.

So, why does Mt. Gox claim that it's a problem with the Bitcoin protocol? This appears to be part of Mt. Gox' long tradition to deflect the blame to something or somebody else, while ignoring warnings from competent developers. Mt. Gox has been showing constant incompetence, in just about every aspect of their operation, and doesn't ever seem ready to own up to it.

But let's come up with some concrete examples of this, huh?

Remember when Mt. Gox suffered serious trading engine lag due to a DDoS, even though they were behind Prolexic DDoS mitigation, which is notorious for its capability to deal with huge attacks? Mt. Gox never told the real story behind this: they failed to block direct access to the original server IP that Prolexic was tunneling to, which meant that a simple scan of the (small) IP range owned by Tibanne Co., the (then) parent company of Mt. Gox and Kalyhost, would very quickly reveal the real Mt. Gox server.

Since there was no protection here, and the entirety of Mt. Gox, including their website and trading engine, ran on the same server, it was trivial to slow down their entire trading engine, bypassing Prolexic entirely. This was a trivial configuration error, that any competent system administrator would have caught and dealt with in an instant. But not Mt. Gox.

Or let's take that historic hack of Mt. Gox, which temporarily dropped the exchange rate to $0.01 per BTC, and involved a large Bitcoin heist. What they didn't tell you, was that several vulnerabilities in the Mt. Gox website and API were reported a while before the hack, and that the Mt. Gox staff more or less waved them away, completely ignoring their severity. This included MySQL injection vulnerabilities, just to put things into perspective a little. One of these vulnerabilities was almost certainly the attack vector that was used for the heist.

Or, on a more personal note, that time I lost $50 from my Mt. Gox account, shortly before the above large hack occurred. Apparently that was "my own fault for getting my account compromised", even though I was using a random 20-character KeePass-generated password, several other people reported a similar account compromise, and none of my other accounts were compromised. To this day, Mt. Gox has failed to acknowledge their role in this compromise, and has failed to refund me.

These are just a few examples of the past incompetence and lack of responsibility on the part of Mt. Gox; and now they are shifting the blame for their own faulty implementation to the Bitcoin protocol, possibly causing significant misinformation amongst the general public, just to avoid having to admit that they did something wrong.

The time to stop using Mt. Gox has been long overdue. Move your business to a more serious exchange, one that is willing to admit their failures, should they occur. One that has the best interests of the entire Bitcoin ecosystem in mind, rather than their own bottom line.