Last night MtGox released a statement saying there is a flaw in the Bitcoin protocol that users can exploit to withdraw the same balance multiple times.
We are not affected by this exploit as our systems take account of the design feature and have properly implemented clients and processes.
Below we dispel rumours about the broken protocol and shed some light on MtGox’s situation and how it impacts us.
What’s happening at MtGox?
A few months ago MtGox halted fiat withdrawals, reportedly because of issues with their banks. A few days ago they announced a halt on bitcoin withdrawals. Last night they announced that there was an issue with the Bitcoin protocol and that they couldn’t recommence withdrawals because of it.
The issue broken down
MtGox claims there is a flaw in the protocol which allows users to make withdrawals multiple times. What they are referring to is known as “transaction malleability”: someone slightly alters a valid Bitcoin transaction so that its signature is still valid but the transaction has an entirely different hash. The altered transaction can be included in mined blocks.
MtGox uses only the transaction hash to uniquely identify transactions. This means they may see a transaction as “unconfirmed” even though it is confirmed in the blockchain. If they checked properly, they would see another transaction with identical inputs and outputs but a different hash ID.
Have a look at blockchain.info’s response here.
This issue has been well known for over a year, and only affects exchanges that identify transactions this way. Basically such exchanges have been tracking transactions using an identifier that is not designed for transaction confirmation.
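The difference between the two ways of tracking a withdrawal can be shown in a few lines. This is an added example, not CoinJar's or MtGox's code: the serialization is a simplified stand-in for the real Bitcoin format, the function names are hypothetical, and the transactions are constructed sample data.

```python
import hashlib
import struct

def _dsha256(data: bytes) -> str:
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()

def _var(b: bytes) -> bytes:
    return bytes([len(b)]) + b  # length-prefixed field (toy encoding)

def _outputs(tx) -> bytes:
    return b"".join(struct.pack("<Q", v) + _var(s) for v, s in tx["outputs"])

def txid(tx) -> str:
    """Hash over the whole transaction, signature scripts included."""
    ins = b"".join(bytes.fromhex(p) + struct.pack("<I", n) + _var(sig)
                   for p, n, sig in tx["inputs"])
    return _dsha256(ins + _outputs(tx))

def payment_key(tx) -> str:
    """Hash over spent outpoints and outputs only; signature bytes ignored."""
    ins = b"".join(bytes.fromhex(p) + struct.pack("<I", n)
                   for p, n, _sig in tx["inputs"])
    return _dsha256(ins + _outputs(tx))

def status_by_txid(sent, confirmed) -> str:
    # Tracking by hash alone: a re-encoded copy is invisible.
    return "confirmed" if txid(sent) in {txid(t) for t in confirmed} else "unconfirmed"

def status_by_payment(sent, confirmed) -> str:
    # Tracking by what was spent and who was paid.
    for t in confirmed:
        if payment_key(t) == payment_key(sent):
            return "confirmed" if txid(t) == txid(sent) else "confirmed-under-different-hash"
    return "unconfirmed"

# Constructed sample data: same input and output, different signature encoding.
PREV = "ab" * 32
sent = {"inputs": [(PREV, 0, b"SIG-ENCODING-A")],
        "outputs": [(150_000_000, b"customer-script")]}
mined = {"inputs": [(PREV, 0, b"SIG-ENCODING-B")],
         "outputs": [(150_000_000, b"customer-script")]}
unrelated = {"inputs": [("cd" * 32, 1, b"OTHER-SIG")],
             "outputs": [(5_000, b"someone-else")]}
block = [unrelated, mined]

if __name__ == "__main__":
    print("by txid:   ", status_by_txid(sent, block))
    print("by payment:", status_by_payment(sent, block))
```

A withdrawal that comes back as "confirmed-under-different-hash" has already been paid and must not be sent again.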
Does this impact CoinJar?
We have had many queries about whether MtGox’s failure to release bitcoins currently affects us or will in the future.
The short answer is no. Our customer support and transaction re-broadcast procedures are not vulnerable to attacks based on “transaction malleability”. We do not “resend” transactions automatically based on the confirmation status identified by transaction hash.
This means we won’t stop trading, we won’t have to shut off withdrawals and we are not vulnerable to exploitation.
To reiterate: we do not store or source our bitcoins from MtGox and we are not affected by the exploit they are dealing with.