CTO of DOSarrest answers FAQ on MT Gox bitcoin loss


By Jag Bains

1) What could ‘malleability related theft’ mean here?

The malleability issue has been known about and well documented since 2011. It can be safeguarded against in- wallet software, but perhaps not easily for Mt. Gox’s customized system.

It allows a transaction ID to be modified which skews the information between the Blockchain and the trading wallet. An attacker could move funds, modify the transaction ID creating a discrepancy between the two records. Then, if they claim they never received the funds, there is no publicly official record to prove otherwise in the Blockchain.

2) What is meant by ‘the cold storage has been wiped out due to a leak in the hot wallet’?

“Cold storage” aims to store funds on hardware (e.g Disks, USB keys) completely disconnected from the “hot” wallet, and any network to protect those funds from being accessed in the event of a network security breach.

The “Hot” wallet would facilitate the bulk of daily transactions between traders and should only represent a smaller fraction of the total funds stored. To access “Cold” stored funds, there should be physical human interaction, as these should be locked away in a physically secure and disconnected facility, much like a traditional bank vault storing gold.

Since these two systems should be separated and access to Cold storage finely policed, it doesn’t make sense that an unforeseen software problem in the hot wallet could affect the cold storage. We are seeing Bitcoin exchanges guarding against this sort of exposure by storing the majority of their total funds in cold storage with just enough readily available on the trading platform, or Hot wallet.

3) Do either or both these statements explain the disappearance of the money in your mind?

Not entirely.

4) How could this have happened without anyone figuring it out? Would there have been warning flags- internally and/or externally?

There should have been warning flags if total funds were steadily depleting, but it would rely on their own internal accounting and auditing systems. There should be daily and weekly limits enforced on traders to protect their own accounts.

The nature of the bitcoin system is completely unregulated and unmonitored by any third party. Any amount of money can be transferred between any parties, over any number of transactions, and it’s incredibly difficult to track them.

5) Could the BTC just have been lost — a USB drive, for instance– and the malleability explanation given as a distraction?

It’s certainly possible that systems were physically compromised; disk corruption, loss or destruction can all be entertained. But for each speculation there are any number of safeguards that can be employed to mitigate these potential problems… backups, offsite storage.

6) If this money was stolen, what are the chances of it already being ‘real’ money?

It’s still not too easy to convert large sums of Bitcoin to traditional currency. There are a number of trading houses popping up, but many of these require a fair amount of personal information to identify the individual behind the account. Unusually large trades on these fronts would probably go noticed by operators.

It’s entirely possible to store any sum of coins personally or in an online wallet for any period of time without anybody really ever knowing. The transaction system employed by Bitcoin is built to facilitate anonymous transactions. The wallet identifier which is given out can be changed with each transaction… making it impossible to know who transferred money to whom.

About the author

Jag Bains is CTO of DOSarrest.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s