Last night MtGox released a statement saying there is a flaw in the Bitcoin protocol that users can exploit to withdraw the same balance multiple times.
We are not affected by this exploit as our systems take account of the design feature and have properly implemented clients and processes.
Below we dispel rumours about the broken protocol and shed some light on MtGox’s situation and how it impacts us.
What’s happening at MtGox?
A few months ago MtGox halted fiat withdrawals. This is reportedly due to issues they have with their banks. A few days ago they announced a halt on bitcoin withdrawals. Last night they announced that there was an issue with the Bitcoin protocol and that they couldn’t recommence withdrawals because of it.
The issue broken down
MtGox claims there is a flaw in the protocol that allows users to make withdrawals multiple times. What they are referring to is known as “transaction malleability”: someone can slightly alter a valid Bitcoin transaction so that its signature is still valid but the transaction has an entirely different hash. The altered transaction can be included in mined blocks.
MtGox uses only the transaction hash to uniquely identify transactions. This means they may see a transaction as “unconfirmed” even though it is confirmed in the blockchain. If checked properly they would see another transaction with identical inputs and outputs but a different hash ID.
Have a look at blockchain.info’s response here.
This issue has been well known for over a year, and only affects exchanges that identify transactions this way. Basically such exchanges have been tracking transactions using an identifier that is not designed for transaction confirmation.
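The check described above, as an added example (not CoinJar's or MtGox's code): it parses a legacy serialized transaction and matches a withdrawal against confirmed transactions by what is spent and what is paid, not only by hash. The names `payment_key`, `withdrawal_status` and `build_sample_tx` are hypothetical, and the two sample transactions are constructed from placeholder bytes, not real signatures.

```python
import hashlib
import struct

def read_varint(raw, pos):
    n = raw[pos]
    if n < 0xfd:
        return n, pos + 1
    size = {0xfd: 2, 0xfe: 4, 0xff: 8}[n]
    return int.from_bytes(raw[pos + 1:pos + 1 + size], "little"), pos + 1 + size

def parse_legacy_tx(raw):
    """Return (txid, spent outpoints, outputs) of a legacy serialized transaction."""
    pos = 4                                     # skip version
    n_in, pos = read_varint(raw, pos)
    inputs, outputs = [], []
    for _ in range(n_in):
        inputs.append(raw[pos:pos + 36])        # previous txid + output index
        slen, pos = read_varint(raw, pos + 36)
        pos += slen + 4                         # skip scriptSig and sequence
    n_out, pos = read_varint(raw, pos)
    for _ in range(n_out):
        slen, end = read_varint(raw, pos + 8)   # 8-byte value, then scriptPubKey
        outputs.append(raw[pos:end + slen])
        pos = end + slen
    txid = hashlib.sha256(hashlib.sha256(raw).digest()).digest()[::-1].hex()
    return txid, inputs, outputs

def payment_key(raw):
    """Hypothetical identifier: what is spent and who is paid, ignoring scriptSig."""
    _, inputs, outputs = parse_legacy_tx(raw)
    return hashlib.sha256(repr((inputs, outputs)).encode()).hexdigest()

def withdrawal_status(sent_raw, confirmed_raws):
    sent_txid, key = parse_legacy_tx(sent_raw)[0], payment_key(sent_raw)
    for raw in confirmed_raws:
        if parse_legacy_tx(raw)[0] == sent_txid:
            return "confirmed"
        if payment_key(raw) == key:
            return "confirmed-under-different-txid"  # already paid: do not resend
    return "unconfirmed"

def build_sample_tx(script_sig):
    """Constructed one-input, one-output transaction; every byte is a placeholder."""
    spk = b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac"
    return (struct.pack("<I", 1) + b"\x01" + b"\x11" * 32 + struct.pack("<I", 0)
            + bytes([len(script_sig)]) + script_sig + b"\xff" * 4
            + b"\x01" + struct.pack("<q", 50000) + bytes([len(spk)]) + spk + bytes(4))
SENT = build_sample_tx(b"\x01" * 72)    # as broadcast (placeholder scriptSig)
MINED = build_sample_tx(b"\x02" * 73)   # same payment, scriptSig bytes differ
```

A system that looks up only `SENT`'s hash would report the withdrawal as unconfirmed, while `withdrawal_status(SENT, [MINED])` reports it as already confirmed under a different hash.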
Does this impact CoinJar?
We have had many queries about whether MtGox’s failure to release bitcoins affects us now or will affect us in the future.
The short answer is no. Our customer support and transaction re-broadcast procedures are not vulnerable to attacks based on “transaction malleability”. We do not “resend” transactions automatically based on the confirmation status identified by transaction hash.
This means we won’t stop trading, we won’t have to shut off withdrawals and we are not vulnerable to exploitation.
To reiterate: we do not store or source our bitcoins from MtGox and we are not affected by the exploit they are dealing with.