MtGox: The analysis
Wednesday 26 February 2014
I’ve waited awhile until the most relevant information has come to light before making this post.
The events over the last couple of weeks at MtGox have been nothing short of disgraceful. In summary, MtGox, once the world’s largest bitcoin exchange, has frozen withdrawals and gone bust.
Although MtGox have not called in the administrators, it has now been confirmed by Mark Karpeles, CEO of MtGox, that MtGox is in fact insolvent to the tune of over 750,000 bitcoins; a staggering amount to say the least.
What happened, exactly?
It appears that MtGox has been continually drained of bitcoins over a period of time due to the way that MtGox confirms transactions. When a bitcoin transaction is initiated at MtGox, the exchange tries to confirm the transaction on the Blockchain by looking up the transaction id. Due to transaction ids being malleable, people exploited this “feature” by creating false transaction ids to fool MtGox.
When MtGox fails to find the original transaction id on the blockchain, it assumes the transaction failed and will then automatically resend the transaction. In this manner, hackers were able to make multiple bitcoin withdrawals from MtGox.
The obvious question is: Why didn’t MtGox discover this problem? It appears that MtGox did not know how many bitcoins were being withdrawn at any point in time.
The next question is: Where are MtGox’s reserves of bitcoins that should be stored in cold wallets? This aspect of MtGox is murky and is not well explained. However, there are two theories:
- MtGox inadvertently drained their cold wallets by continually topping up the hot wallet. This scenario is difficult to believe as it would require someone to continually pay out bitcoins from cold storage without questioning why. It would amount to gross negligence and incredible incompetence on a scale that is impossible to believe.
- The second theory is that MtGox’s cold wallet is still intact but hidden away. Customers who deposited money at MtGox were credited with bitcoins within MtGox’s internal system, also known as an off Blockchain transaction. These “fake” bitcoins are not the same as real bitcoins on the blockchain. Over time, MtGox amassed a deficit of over 750,000 bitcoins which it owed to customers; however, MtGox did not have sufficient bitcoin reserves to back up these bitcoin purchases because real bitcoins were continually drained from MtGox.
Personally, I’m leaning towards scenario two, as scenario one is implausible. Once MtGox discovered the real amount of bitcoins it owed to customers, I believe, they went into damage control.
Bitcoin withdrawals were halted on February 7, 2014 to prevent further withdrawals. MtGox claimed that the exchange needed to be static to enable the proper analysis of transactions. This caused bitcoin prices to plummet from $700 to $600.
During this period, MtGox kept allowing the bitcoins to be traded on MtGox itself, which is hardly a static environment at all. The explanations of why they allowed this to happen are unclear but MtGox bitcoin prices immediately started to fall on the exchange. There was no incoming money, no bitcoin withdrawals were allowed and cash withdrawals also did not work. People sold their bitcoins on MtGox in panic, fearing the worst – that MtGox was in fact insolvent. Remember, people were actually selling “fake” bitcoins that were sitting on MtGox’s internal system and not bitcoins that were on the public Blockchain.
A more nefarious explanation of why this was allowed was that MtGox intentionally created panic so that it could buy up the cheap MtGox bitcoins that were being dumped to reduce their overall liabilities from 750,000 bitcoins to something much less.
In fact, the supposed leaked internal memo, also posted here, described this as one of the strategies that MtGox pursued:
1. Immediately reduce liabilities as much as possible with partners
With actual assets using arbitrage/ injecting new coins to erase them from the books. Informing and asking selected Bitcoin main players to ask for their help. The MtGox price is low, making it possible to erase a significant portion of the debt, but it needs to be done quickly. Injections in coin are most useful (enough to run the exchange) but some cash is also needed to not run a fractional reserve.
In essence, what is being proposed is to allow certain large investors to buy MtGox coins at below market price to get rid of MtGox’s liability to those customers. This environment was created because the normal exits for MtGox customers were closed off by MtGox itself.
This situation was allowed to continue until trading was finally disabled on Tuesday at around 11AM Japan time – a total period of 19 days. The price of one MtGox bitcoin had dropped to US $135 by then. It appears that strategy one at MtGox, to erase bitcoins owed to customers, had failed. Presumably, there were insufficient financial backers willing to support MtGox in this manner and MtGox itself did not have sufficient bitcoins to cover the liability.
Where is MtGox’s cold storage?
The outstanding question that remains is: where are MtGox’s reserves of bitcoins? It is very possible that MtGox’s bitcoin reserves have been moved, as part of management’s “damage control” efforts. As everything is recorded on the Blockchain, it should not be too difficult to track down where these amounts have been transferred to.
If this has in fact occurred, I believe that Mark Karpeles and his senior management team could be facing some tough questions over the next few weeks from law enforcement.
As at February 26, Mark Karpeles appeared to confirm that MtGox's bitcoin reserves are still intact on an internet chat with Jon Fisher:
"Well, technically speaking it's not "lost" just yet, just temporarily unavailable"
Impact on bitcoin
Although MtGox was, at one time, the world’s largest bitcoin exchange, at the time of its demise it had lost most of its market share and only had around 20% of global trading volumes in January 2014. The demise of MtGox does not equate to the demise of bitcoin, although many bitcoin investors have been affected.
It is unfortunate that MtGox was unable to overcome its technological problem of automatically resending transactions that appeared to have failed because of malformed transaction ids. This was compounded by the fact that they appeared to have no system for reconciling the total amount of bitcoins they owed to their customers after transferring bitcoins out to customers. Furthermore, they failed to check whether the original transaction had in fact gone through, which they could have done by simply transferring the coins in the original transaction to another address (to confirm that the original transaction had in fact failed).
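The resend check discussed above, as an added example that is not MtGox's code or part of the original post: a toy transaction model (assumed names `Tx`, `naive_should_resend`, `withdrawal_status`, not real Bitcoin serialization) showing the txid-only lookup next to a check that matches on the coins spent and the payment made.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    inputs: tuple    # outpoints being spent: ((prev_txid, vout), ...)
    outputs: tuple   # payments: ((address, satoshis), ...)
    sig: bytes       # signature encoding; in this toy model it can change while the tx stays valid

    def txid(self) -> str:
        # Toy serialization: the id hashes the signature bytes too, so a
        # re-encoded signature yields a different id for the same payment.
        raw = repr((self.inputs, self.outputs)).encode() + self.sig
        return hashlib.sha256(hashlib.sha256(raw).digest()).hexdigest()

def naive_should_resend(sent: Tx, chain: list) -> bool:
    """Flawed check: 'our txid is not on chain' is read as 'payment failed'."""
    return sent.txid() not in {tx.txid() for tx in chain}

def withdrawal_status(sent: Tx, chain: list) -> str:
    """Decide by what the transaction spends and pays, not by its id."""
    for tx in chain:
        if tx.txid() == sent.txid():
            return "confirmed"
        if set(tx.inputs) & set(sent.inputs):
            # Our coins are already spent on chain, so the original can no
            # longer confirm; find out whether the customer was paid anyway.
            if tx.outputs == sent.outputs:
                return "confirmed-under-different-txid"  # paid: never resend
            return "inputs-spent-elsewhere"              # hold for manual review
    # Nothing on chain yet: any retry should respend the SAME inputs so that
    # at most one of the two transactions can ever confirm.
    return "unconfirmed"

# Constructed sample data (not real transactions)
sent = Tx(inputs=(("aa" * 32, 0),),
          outputs=(("customer-addr", 5_000_000),),
          sig=b"sig-encoding-A")
mutated = Tx(sent.inputs, sent.outputs, sig=b"sig-encoding-B")
chain = [mutated]
```

With `chain` as above, the naive check asks for a resend even though the customer has already been paid, while `withdrawal_status` reports the payment as confirmed under a different id.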
What occurred after February 7 was nothing less than shocking. MtGox’s own strategy paper delineated clear attempts to take advantage of their own customers by trying to erase MtGox’s liability towards those clients in a closed-off exchange where all normal exits were shut down.
The key lesson from MtGox is that it is unwise to trust a third party with your bitcoins or money. As soon as you make a bitcoin purchase, it is highly advisable to transfer the purchased bitcoins to a wallet that you control and to check the transaction on the public Blockchain itself.
In researching this post, I came across an exchange called BTC-E, which is one of the largest exchanges in bitcoin. The creators of BTC-E are completely anonymous. Further, just like MtGox, all bitcoins purchased on BTC-E are off Blockchain until transferred to your own wallet and onto the public Blockchain. If BTC-E were to fail, there would be even less recourse compared to MtGox.
In relation to the bitcoin protocol itself, we discovered that the protocol remained robust throughout the transaction id issue and multiple denial of service attacks. However, we also learnt that transaction ids can be tampered with and that further checks are required before automatically resending bitcoins. All these are expensive lessons for the early adopters of bitcoin.
However, on a more positive note, bitcoin prices are already recovering from a low of $430 to around $550 per bitcoin, which is about $150 below the market price when MtGox disabled bitcoin withdrawals.
By Lloyd Chin
Preview image courtesy: fdecomite, Flickr