17
6
The well-known Bitcoin exchange Mt.Gox last week suspended all Bitcoin withdrawals because of "technical issues", which today have been better described in this press release.
This looks like a serious problem, but is it actually true?
Has this issue been confirmed by third parties?
Has it really been known "for a while"?
What true impact can it have?
11
Here's a good interview by Gregory Maxwell himself who's a Bitcoin developer:
Oh there is a “problem” in the Bitcoin protocol, known since at least 2011 (see the link I gave). But for normal applications, not involving unconfirmed transactions, it shouldn’t cause any severe problems because wallets can handle it locally.
This has to do with systems, such as Mt.Gox, that rely on unconfirmed transactions. Normal Bitcoin apps don't rely on unconfirmed transactions.
The Transaction Malleability issue that Mt.Gox talks about has been around since 2011. It only effects transactions which are not included in a block. Once a block is hashed, you can't change the transactions within it because then the hash of the block would have to change as well.
For all other Bitcoin applications that rely on confirmed transactions, as they should, this is not an issue.
10
What malleability means is that you can't store the transaction ID that bitcoind returns from its sendtoaddress API call and expect that number to mean anything at all later.
Instead, if you want to keep track of a high volume of outgoing transactions, you have to wait for the transactions to be fully confirmed and immune to blockchain reorganizations, and then guess at which blockchain transactions correspond to which withdrawal or automatic payment events by matching the amount and destination address.
Some famous guy recommended using a combination of amount, address, and timestamp, but apparently transaction timestamps are not reliable either, so there really isn't a good, reliable way for Bitcoin apps to keep track of which transactions they sent out and why.
bitcoind itself tracks outputs, not transaction IDs, but it doesn't expose this information to API users. So if you want to send transactions and track them by the outputs, which is considered to be reliable, you need to write your own Bitcoin client, which is a lot like writing your own SQL server, except it's not as simple.
>> so there really isn't a good, reliable way for Bitcoin apps to keep track of which transactions they sent out and why
Wallet address are cheap. Exchanges could create one per transaction, send a small amount there, and use that as a discriminator.
That's a rather inelegant hack, and they'd have to constantly dump coins into this process as they are continually eaten up by miner fees. – Guesty Guest – 2014-02-11T23:00:47.587
2a good, reliable way for Bitcoin apps to keep track of which transactions they sent out and why is to keep track of the txid and vout of the first input to the transaction, rather than the txid. It's incorrect to say that bitcoind doesn't expose this information; it's all available via the raw transactions interface. – Chris Moore – 2014-02-12T01:52:05.173
6
Mt.Gox' escrow wallet service only checks transaction hash. If anybody changes transaction hash before transaction is included into block, service considers transaction invalid and returns coins back to the owner's virtual account. But transaction itself is not invalid, it is finally accepted and coins are sent to the owner.
It is primary bug in Mt.Gox's escrow service. They probably failed to detect exceptional situations in their wallets.
4Soon, people new to BitCoin will think that the word "MtGox" is a vulgarity. – Pacerier – 2014-02-11T02:56:39.723