Bitcoin Transaction Malleability Flaw Resolved

The software running the Bitcoin network was updated to resolve the transaction malleability issue that took down popular exchange Mt. Gox.

The so-called transaction malleability software issue blamed for the dissolution of Bitcoin exchange Mt. Gox has been patched.

Also, the Bitcoin-QT reference client was also rebranded to Bitcoin Core, in order to clear confusion users might have had between the Bitcoin network and software. Bitcoin Core 0.9.0 was made available yesterday that included new features as well as security updates.

Transaction malleability is technically not a flaw in the software, according to a number of experts, including those inside Mt Gox. Users had the ability to change the transaction identifier accompanying any Bitcoin transaction under certain conditions.

Mt. Gox’s demise was a perfect storm of software issues and policy failures that caused the Japanese company to lose hundreds of millions of dollars worth of the digital currency.

The problems began when users complained to Mt. Gox that transactions and funds were being conducted under altered identifiers. A report in the Guardian said hackers had managed to edit the identifiers and then lodge a complaint with Mt. Gox, which would then initiate the transaction a second time, sending more currency to the thief.

According to release notes posted on Github, the transaction malleability issue was addressed by tightening transaction rules preventing “mutated transactions” from being relayed or mined. Bug fixes also addressed incorrect balances being reported for mutated transactions, among other fixes.

The hack and subsequent demise of Mt. Gox negatively affected the value of the electronic currency, which hovered not too long ago at more than $1,000 per Bitcoin; as of today, Bitcoin Exchange lists one Bitcoin at $591.99.

According to sources quoted by the Guardian, the transaction malleability issue was compounded by lax accounting at Mt. Gox, forcing the exchange to go under. The Guardian said a document released by entrepreneur Ryan Selkis also hurried Mt. Gox to the end.

“MtGox has allegedly never conducted a single audit of its customer deposits,” Selkis is quoted, “and it is believed that [Gox CEO Mark] Karpeles may have been the only one within the company to have knowledge of how to actually tap the exchange’s cold storage. It remains unclear exactly how this type of storage leak could have happened over a multi-year period without any knowledge on the part of the executives at MtGox.”

As Bitcoin became a full-fledged phenomenon, hackers took notice too. Malware attacks surfaced targeting Bitcoin wallets credentials on a number of platforms including Mac OS X. The OS X CoinThief Trojan, for example, masqueraded as a phony Bitcoin ticker app on a number of popular download sites.

Another attack involved a phony Bitcoin utility called Bitcoin Alarm which was purportedly a tool for alerting Bitcoin owners of shifts in the currency’s value.

And prior to Mt. Gox, the Sheep Market suffered a $106 million loss when hackers walked off with 96,000 Bitcoins. Attackers hijacked the marketplace’s domain name system (DNS) servers and routed incoming traffic through a set of servers under their control. This allowed them to spoof member accounts and steal the currency.

Suggested articles