Topic: MtGox blames Bitcoin protocol problem for BTC withdrawal issue - page 6. (Read 15226 times)

What are they looking at then?

mcxNOW (BTC/Alt exchange) statement about the Mtgox press release. "...stupidity on mtgox part..."

http://www.reddit.com/r/Bitcoin/comments/1xih5d/mcxnow_btcalt_exchange_statement_about_the_mtgox/

Mt. Gox Blames Bitcoin – Core Developer Greg Maxwell Responds

http://www.cryptocoinsnews.com/2014/02/10/mt-gox-blames-bitcoin-core-developer-greg-maxwell-responds/

Exactly, and that's yet another level of their hypocrisy.

Well they don't tackle it because they don't need to. Their transactions are correctly formed, and are readily accepted by the nodes and miners without modification. To force the network to accept modified transaction would take some effort now, because current version of bitcoin node would not retransmit non-canonical transaction. This is actually what made this attack on MtGox possible - and not the speedy link to the miners, or significant mining power of the exploiters. And that's another implied lie in their statement. MtGox issued not-quite-correct transactions to start with, they were rejected by the nodes, and then replayed by the hackers with fixed format. Now I hope you get a better picture of how filthy their lies are.

UPDATE: In the event there are indeed any rejected transactions, they are very rare and far apart, can be easily investigated and dealt with appropriately.

Such a bullshit. Malleability exists and is a pain. I can however not draw the line between this and stopping withdrawals.

Performing such an attack is non-trivial and unlikely common for the entire customer base. Even if some customer are attacking Gox like described, they should be able to spot and deal with them, without the need to generally stop withdrawals.

Added: Maybe they were incompetent enough not to spot the attack for a longer time, automatically resubmitting same withdrawals again and again until they discovered that they are bankrupt.

Simply they don't look only at hash to confirm transaction was sent. Same thing Gox now needs to implement

Seems so, more or less

Following this analogy how do other exchanges tackle this problem?

Just so I'm 100% clear on the development of this situation:

1. Over one year ago a (minor?) issue with the protocol was identified and some general information was added to the bitcoin wiki. http://en.bitcoin.it/wiki/Transaction_Malleability‎, a publicly viewable resource.

2. Engineers at Mt Gox, historically the most significant - and for a long time the largest - bitcoin exchange in the world, either were not aware of this information (on the public wiki? really), disregarded the issue, and/or failed to implement a solution on their end to prevent or at least monitor and warn of this kind of activity taking place between their backend and their customers.

(edit: From my understanding of their statement, it would seem that the attacker would start a support ticket, and inform Gox that their funds are not recieved. Gox would investigate on their end, only to find that their records show this is true, when in fact, it is not true, and the attacker already has the funds. It would then be sent again. This seems like the kind of thing that could be avoided by careful training of support staff.)

3. An attacker or group(s) of attackers realize that a vulnerability exists with some exchanges, or, at least just Mt Gox. Presumably they "extract" some funds without Mt Gox realizing right away.

4. Mt Gox audits their wallet balances and finds a discrepancy.

5. Mt Gox continues its hold on withdrawals, until the issue, known for over 12 months, is resolved with great urgency by the devs.

How very curious indeed!

Fine, thx to you and underhood. So basically the only problem is with senders who believe in complaints of receivers upon a forgeable fact. Whereas if they take public available information into consideration, the sender arrive at a fully deterministic conclusion about whether the BTC arrived or not and therefore if the receiver's complaint is valid. Well, no big deal at all I would say.

No. Everything is just the same

Let say bitcoin transaction is like a banknote. You can write something on a banknote but the note itself is still valid. When gox sending a banknote to its customer, they take a picture of the note, and use the picture of the note as an evidence of delivery. Some customer, however, write something on the note when they get it from gox, and claim they have not received the note. Since the note looks different from the photo, gox can't recognize it and wrongly believes that the note is not delivered, and send another note to the customer (so the customer gets double paid by exploiting the gox's bug). Since gox believe the original said note is not spent, they try to send it to a different customer. Of course this won't work and led to all those bitcoin withdraw problem we have seen.

So gox now proposes to use a different method to track the banknote. Instead of taking a photo, they propose to use the unique serial number on every note for tracking propose.

Bitcoin is still the bitcoin we know yesterday

No ... Bitcoin is safe. What i think however is Bitcoin foundation should also make press release to calm down this fear. People not really understanding Bitcoin could easily missinterpret it the same way as "dafqok" did.

Surely, with out even needing to modify the bitcoin client or protocol an easy solution would have been to monitor the inputs of a transaction when a user withdraws. Then, if a user ever claims they didn't receive the funds, mtgox can just check the inputs and follow them through the block chain. Assuming the date, receivers address and withdrawal amount are the same, and only the transaction id differs, you could quite easily determine if the user received their funds or not - and even identify the new transaction id.

You seem to totally be missing the point here.  This does not affect mt gox deposits at all.

This is *withdrawals* from mt gox....under their current system they track withdrawals that they sent to users via the transaction hash.  Which is apparently a f***** way to track them.  So they should track the withdrawals via the input/output/amount instead.

It's impossible that two withdrawals would have the same inputs/outputs; provided that mt gox use change addresses.

No

Not really, because:

• people don't regenerate the address before each deposit
• people will have the address copy-pasted in their wallet address book and reuse it even if the exchange regenerates it each time
• doesn't solve a deposit followed by multiple withdrawals in smaller amounts

For the address to be significant, it needs to be handled under the hood by the exchange, as a dust/signature.

There is a bug found/known where transaction hash can change. Attacker cannot change the transaction only the hash. This way transaction goes trough and to sender it seems it didn't.
There is workaround where you simply look at transaction with same inputs and outputs in block-chain (ignoring hash)

Truth seems to be that Bitcoin protocol is simply flawed ... thankfully only in very non critical way (you cannot alter transaction only fool sender for some time and only if he doesn't implement additional checks).

proof issue is known: https://en.bitcoin.it/wiki/Transaction_Malleability

Does all that mean, the dream of 100% uncompromisable P2P transfer is over? Does it mean an additional check by a quasi central authority is needed to augment security? I would appreciate an answer in layman terms.