Mt. Gox, the world’s biggest Bitcoin exchange, has now filed for bankruptcy.
The repercussions of its alleged loss of $350m in bitcoins are massive for the digital currency, with people’s faith in it being quite severely shaken by the announcement.
But how did it happen?
It’s all because of something called a "transaction malleability" flaw.
Before we explain how the flaw came about, let’s talk about how hackers could take advantage of it.
Whenever you send or receive bitcoins, you are taking part in a transaction. All these transactions are sent off to be processed by bitcoin miners, and once completed appear confirmed on the blockchain, basically a virtual publicly ledger that keeps track of all transactions.
When a transaction completes, it produces what’s called a hash, which is like a confirmation code specific to that transaction.
One of the things that makes the hash distinct is that it is created from a variety of factors, one of which is the user’s digital signature – a critical piece of the hash, because it proves the transaction originated from that user.
However, the digital signature is meant to be in a particular format.
We’ll tell you why in a second, but there wasn’t always something in place to confirm that format was correct, and so incorrectly formatted signatures were still accepted in creating the hash.
Because the signature was now different, the hash was completely different too: just like if you replaced eggs with, say, tar, in a cake mix, you’d get a pretty different cake.
Now, anybody who stored fiat funds in Mt. Gox could request to withdraw that stored cash as bitcoins at any time, and Mt. Gox would send them.
Remember; anytime you send or receive bitcoins, you take part in a transaction. Therefore every instance in which Mt. Gox sent bitcoins to people, it appeared as a transaction that needed to be mined, before appearing publicly on the blockchain once it had been completed.
Hackers with money in Mt. Gox were doing the same thing, but taking advantage of the transaction malleability flaw to insert an incorrectly formatted digital signature in place of the real one, producing a hash that was completely unrelated to the transaction.
This made it appear on blockchain as if the transaction had never taken place, and the hacker could therefore request to have the money sent again from Mt. Gox.
This process was repeated a countless number of times, and resulted in Mt. Gox losing hundreds of thousands of bitcoins.
So where did the flaw come from?
The flaw originated in a Bitcoin reference client, a piece of software people can use when building their own services around the cryptocurrency.
The reference client was basically failing to make sure that the digital signature was correctly formatted. This was solved in the latest version of the client.
So why is Mt. Gox suffering while others aren’t?
This seems to be because its CEO, Mark Karpeles, admitted that the exchange had failed to keep up with all the updates being churned out by the Bitcoin Foundation, and so the fault was still present on the exchange.
Also, not all exchanges rely on the reference client to build their own software.
