10 questions on the Mt. Gox implosion
Did a spaghetti-like code help bring down the Bitcoin exchange?
By Tim Hornyak and Jeremy Kirk | Published: 05:14, 06 March 2014
How do half a billion dollars vanish into thin air? That seems to be what happened at popular Bitcoin exchange Mt. Gox, which made a a bankruptcy protection filing in Japan last week.
The staggering, unprecedented loss of about 850,000 bitcoins, worth roughly US$474 million, has prompted investors, government officials and journalists to scrutinize the Tokyo-based exchange, but clear facts are few. It seems that no one knew exactly what was going on inside Mt. Gox, even CEO Mark Karpeles, who apologized at a press conference for "weaknesses in the system."
The case remains murky but we've taken a stab at answering some of your questions based on what we know so far.
What is Mt. Gox, anyway?
Mt. Gox started as a market for trading cards used in the "Magic: The Gathering" fantasy game, but diversified in 2010 into an exchange for bitcoin, a little-known virtual currency launched a year prior. It rapidly became the dominant bitcoin exchange due to a lack of competitors, and was run by CEO Mark Karpeles, a Frenchman. The site had 1 million customers as of December 2013, according to a document posted on the web last week that purported to be a leaked business plan.
How did it go from bonanza to bust?
Success seems to have bred complacency at the highest levels of Mt. Gox. In June 2011, about $8.75 million in bitcoin was stolen from the exchange through an online attack using stolen passwords. Any security improvements implemented since then were obviously not up to scratch if the latest loss is the result of a massive heist. Anecdotal accounts have suggested a corporate culture that tended toward laissez-faire rather than strict diligence.
Why did Mt. Gox file for bankruptcy?
Mt. Gox filed for bankruptcy protection in Tokyo District Court on Feb. 28, saying it couldn't account for 750,000 of its customers' bitcoins and 100,000 of its own, worth as much as $474 million. The company also can't account for $27.3 million in cash customer deposits.
How do you lose 850,000 bitcoins?
That, of course, is the million-dollar (or bitcoin) question. The coins may be missing due to a long-known security flaw called transaction malleability that can in some cases enable fraudulent withdrawals. Some observers and investors, however, are accusing the company of fraud, even alleging the collapse was an orchestrated scheme. Other commentators have said Mt. Gox had the best intentions but was just poorly managed.
Can you run a company that badly?
Seems like it. A company source who spoke on condition of anonymity told us the code was such a mess it was like "spaghetti," bugs were routinely ignored and that there was no regime in place to first test changes to the code before implementing them. Karpeles had a firm grip on the programming reins and refused to let developers fix the code, said the source, who also questioned whether there really was a "cold storage," an offline vault that bitcoin exchanges are supposed to have. According to the leaked business plan, Mt. Gox had a leak in its online hot wallet, which "wiped out" the cold storage, and theft had been happening for years.
What triggered Mt. Gox's collapse?
Mt. Gox long had problems processing international wire transfers for people who wanted to cash out their bitcoins. On Feb. 7, it halted bitcoin withdrawals while investigating a security flaw called transaction malleability. Bitcoin software experts said Mt. Gox's highly customized code may have exacerbated that issue. Other bitcoin exchanges also temporarily suspended trading. With no explanation, Mt. Gox's website went blank on Feb. 25. It filed for bankruptcy three days later, with Karpeles accepting blame with a bow, a Japanese custom acknowledging failure.
Does this mean other exchanges are vulnerable to the malleability flaw too?
Transaction malleability, which allows for transaction IDs to be renamed, has been known in the Bitcoin community since 2011. Yet other exchanges have also been affected. On Feb. 11, for instance, Bitstamp suspended withdrawals blaming a transaction malleability attack, but said it had fixed the problem four days later. The Bitcoin Foundation, an industry trade group, said last month that it is working with core developers to solve the issue.
Can the missing bitcoins be traced?
Bitcoin transactions are recorded in a public ledger called the "blockchain," which shows movements from one bitcoin address to another. There is no identifying information attached to a bitcoin address showing who is transferring the coins, but it is possible through crowd-sourced data to see what particular addresses a company has previously used to transfer bitcoins. But due to a lack of custom software tools to analyze the blockchain, tracing a chain of transactions can be like following a set of muddy footprints in the rain.
Will depositors get their money or bitcoins back?
At least one class-action suit has been filed in the U.S., with another planned in the U.K. Mt. Gox has said "we need to investigate a huge amount of transaction reports in order to establish the truth." Due to bitcoin's complexity, an investigation could take a long time, and international lawsuits are unlikely to proceed quickly. Mt. Gox claims it has US$63.6 million in liabilities. The leaked document describing its supposed future business plans suggests the company may have just slightly over half that figure in assets.
What does this mean for the future of Bitcoin?
Mt. Gox's viability has long been questioned by users. But the bitcoin community, stung by past thefts and frauds, is largely looking forward, saying it will have little impact on the long-term prospects for the virtual currency. The price of bitcoin has been relatively stable amid the Mt. Gox collapse and is now around $660. The total market capitalization of all bitcoin is roughly $8.3 billion.