Sunday, March 2, 2014

[securelist] The Future of Bitcoin After the Mt. Gox Incident

No doubt it’s been a crazy week for anyone even remotely interested in Bitcoin. Mt. Gox, once the largest Bitcoin marketplace out there, has shut down, putting a bitter end to an almost month-long situation in which all withdrawals were halted because of “technical issues”.


Mt. Gox BTC price evolution in February 2014, source: Clark Moody
As customers were unable to move their funds out from Mt. Gox, the world’s most famous exchange essentially became isolated from the rest of the Bitcoin ecosystem, making the Bitcoin price traded on Mt. Gox plummet to as low as $100 for 1 BTC before the exchange went completely offline.
In our forecast for 2014, we stated that attacks on Bitcoin, specifically attacks on Bitcoin pools, exchanges and Bitcoin users, will become one of the most high-profile topics of the year. These attacks will be especially popular with fraudsters because their cost-to-income ratio is very favorable.
While the Mt. Gox incident might be the most significant in Bitcoin history to date, rumored to involve 744,408 bitcoins, or more than $300 million at current BTC prices, the one question that remains unanswered is what actually caused it.
TX Malleability, short for transaction malleability, is a known issue within the Bitcoin protocol. Under specific circumstances it can enable an attacker to produce different signatures (and therefore different TX IDs) for the same transaction, making it appear as though the transaction didn’t happen. This can allow a malicious customer of an exchange to request multiple Bitcoin withdrawals of the same coins by claiming the transactions never went through.
This type of TX Malleability attack was the official reason cited by Mt. Gox when they decided to halt withdrawals, making it seem as though they had become victims of a cyber-heist, but the possibility of this incident being an inside job can’t be ruled out.
The transaction malleability attack doesn’t necessarily involve an insider, although someone with direct access to the transaction system can carry it out much more easily. It is of course possible that the attack was done entirely from the outside, although in that case Mt. Gox should have full information on the person responsible, simply because they would have been re-requesting the funds over and over, citing network errors and claiming the withdrawal hadn’t been received.
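The bookkeeping failure behind the malleability attack described above, as an added example in Python that is not code from the article or from Mt. Gox. The transaction format is a constructed toy, not real Bitcoin serialization: it only shows that a withdrawal tracked by its TX ID alone "disappears" when a malleated copy confirms, while matching on the spent coins and outputs still finds it.

```python
import hashlib
import json

# Constructed toy transaction: not real Bitcoin serialization, just enough
# structure to show which fields a malleated copy changes and which it keeps.
WITHDRAWAL_TX = {
    "inputs": [{"prev_txid": "aa" * 32, "prev_index": 0, "script_sig": "3045...01"}],
    "outputs": [{"address": "1CustomerAddressPlaceholder", "value": 5_000_000}],
}

def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def txid(tx: dict) -> str:
    # The txid hashes the whole transaction, the scriptSig (signature) included.
    return sha256d(json.dumps(tx, sort_keys=True).encode()).hex()

def canonical_id(tx: dict) -> str:
    # Hash only what the signature authorises: the spent outpoints and the outputs.
    # Re-encoding the signature cannot change this value.
    core = {
        "inputs": [[i["prev_txid"], i["prev_index"]] for i in tx["inputs"]],
        "outputs": tx["outputs"],
    }
    return sha256d(json.dumps(core, sort_keys=True).encode()).hex()

def malleate(tx: dict) -> dict:
    # Stand-in for a third party re-encoding the signature bytes without
    # changing which coins are spent or where they go (constructed, simplified).
    copy = json.loads(json.dumps(tx))
    for inp in copy["inputs"]:
        inp["script_sig"] = "00" + inp["script_sig"]
    return copy

def withdrawal_confirmed(withdrawal: dict, confirmed_txs: list, match_on_txid: bool) -> bool:
    # match_on_txid=True is the fragile bookkeeping: a malleated copy confirming
    # under a different txid looks like the withdrawal never happened.
    key = txid if match_on_txid else canonical_id
    wanted = key(withdrawal)
    return any(key(tx) == wanted for tx in confirmed_txs)

def spent_outpoints_overlap(withdrawal: dict, confirmed_txs: list) -> bool:
    # Strongest check: the same coins cannot be spent twice, so if any input of
    # the withdrawal appears in a confirmed transaction, the funds already left.
    ours = {(i["prev_txid"], i["prev_index"]) for i in withdrawal["inputs"]}
    for tx in confirmed_txs:
        if ours & {(i["prev_txid"], i["prev_index"]) for i in tx["inputs"]}:
            return True
    return False
```

An exchange that re-sends whenever `withdrawal_confirmed(..., match_on_txid=True)` is false pays twice for every malleated copy; the outpoint check is what makes a "your withdrawal never arrived" claim verifiable.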
The only thing left to do right now is to wait for law enforcement agencies to finish their investigation into the incident and hope that Mt. Gox and other parties involved are co-operating with LEAs to identify the ones responsible and try to recover the damages.

As for what this means for the future of Bitcoin - this week showed us once again, and more than ever, that the Bitcoin ecosystem truly needs companies that understand security. Being a decentralized currency, no authority will impose security standards and regulations, so it’s up to us, Bitcoin enthusiasts and the whole crypto-currency community, to raise the bar: by choosing to only work with Bitcoin companies that have an immaculate track record, a good understanding of the technology involved and especially the security required, but most importantly the willingness to always keep innovating, to always keep going that extra mile to gain customers’ trust. Let’s make this happen and Bitcoin will be just fine!
