Over the past several weeks, I too have been following the unfolding story of the latest Gox problems, from the outside. I was one of the earliest critics of Mt.Gox, calling on people to abandon the exchange in April of 2013 during one of their previous (of several) self-induced meltdowns.
In April of 2013 I said:
“Magic The Gathering Online Exchange is a systemic risk to bitcoin, a death trap for traders and a business run by the clueless.” https://bitcointalk.org/index.php?topic=172991.msg1801451#msg1801451
That same week, I participated in a podcast for LetsTalkBitcoin where we advised customers of Gox to leave and never trust that exchange again with their funds.
April 2013 was also the last time I did business with Mt.Gox, moving all my funds to blockchain.info which allowed me to maintain control of my keys without the possibility of theft from or by the site operator.
Since then I have made repeated public statements advising people to avoid Gox and commenting on their latest mess (USD withdrawals, lag, DDoS etc).
Approximately two weeks ago, Gox claimed that Transaction Malleability “a bug in bitcoin”, which was known since 2011, was forcing them to suspend withdrawals. I publicly excoriated Gox’s incompetent and clownish management and disputed their claim that their problems were due to a “bug in bitcoin”.
A few days later, a bot started using Tx-Mal as a broad DoS attack against all exchanges, aiming to uncover if other exchanges were vulnerable. In response, some exchanges temporarily suspended withdrawals to investigate their implementations and confirm they were robust. I was part of the team helping to coordinate between the other exchanges to ensure that they could quickly resume operations which they did no more than 48 hours later. Some exchanges were in fact completely unaffected, revealing as false Gox’s claims that this was a bug in bitcoin.
Blockchain.info staff jumped in to help from the very first moment, even though blockchain.info’s wallet and block explorer were not affected by Tx-Mal. While I offered coordination and assistance with the media response, blockchain.info staff developed a new API on blockchain.info to present a partial transaction ID (NTXID) solution developed by core developer “sipa”, based on the immutable inputs of a transaction. We offered that on blockchain.info as an independent location to look up and verify transactions by ntxid. During this time, Mark Karpeles was active on the forums and developer boards and appeared to be implementing fixes to Gox software to address Tx-Mal. This solution helped many exchanges accelerate their technical fixes to their infrastructure and between this and other industry efforts, all the other exchanges resumed normal operations in less than 48hrs. I am very proud of the role blockchain.info team played in providing technical assistance to many across the bitcoin industry at a time of crisis.
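An added illustration, not code from the author, blockchain.info or sipa: why a withdrawal ledger keyed on the transaction ID loses track of a payment whose signature script was re-encoded in transit, while an ID computed over the immutable parts still matches. It assumes the normalized ID is the double SHA-256 of the legacy serialization with every input's signature script emptied; the exact NTXID serialization is not given in this statement, and all transaction values below are constructed placeholders.

```python
import hashlib
import struct

def varint(n):
    # Bitcoin CompactSize; only the short forms are needed for this sample
    return bytes([n]) if n < 0xfd else b"\xfd" + struct.pack("<H", n)

def dsha(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def serialize(tx, blank_scriptsigs=False):
    # Legacy (pre-segwit) transaction serialization
    out = struct.pack("<I", tx["version"]) + varint(len(tx["vin"]))
    for prev_txid, vout, script_sig, sequence in tx["vin"]:
        sig = b"" if blank_scriptsigs else script_sig
        out += bytes.fromhex(prev_txid)[::-1] + struct.pack("<I", vout)
        out += varint(len(sig)) + sig + struct.pack("<I", sequence)
    out += varint(len(tx["vout"]))
    for value, pk_script in tx["vout"]:
        out += struct.pack("<Q", value) + varint(len(pk_script)) + pk_script
    return out + struct.pack("<I", tx["locktime"])

def txid(tx):
    # Covers the signature script, so it changes if that script is re-encoded
    return dsha(serialize(tx))[::-1].hex()

def normalized_id(tx):
    # Assumed construction: hash only what the signature commits to
    return dsha(serialize(tx, blank_scriptsigs=True))[::-1].hex()

def make_tx(script_sig):
    pk_script = bytes.fromhex("76a914") + b"\x22" * 20 + bytes.fromhex("88ac")
    return {"version": 1, "locktime": 0,
            "vin": [("11" * 32, 0, script_sig, 0xFFFFFFFF)],
            "vout": [(50_000, pk_script)]}

SIG = b"\x30" + b"\xaa" * 70                  # constructed 71-byte placeholder, not a real signature
SENT = make_tx(bytes([len(SIG)]) + SIG)       # as broadcast by the exchange
MINED = make_tx(b"\x4c" + bytes([len(SIG)]) + SIG)  # same payment, equivalent push encoding

def withdrawal_confirmed(sent, mined, key):
    # An exchange marks a withdrawal paid when the mined tx matches its record
    return key(sent) == key(mined)

if __name__ == "__main__":
    print("match by txid:         ", withdrawal_confirmed(SENT, MINED, txid))
    print("match by normalized id:", withdrawal_confirmed(SENT, MINED, normalized_id))
```
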
As I watched Karpeles post updates on public channels (like #bitcoin-dev on IRC) about the NTXID solution, I became more optimistic that a technical solution to Gox’s code problems was imminent. As we started seeing Gox transactions posted on the public blockchain ledger, as reported on reddit and other sites, it appeared to me as if Gox might recover from their latest mess. During this entire time, I had no information about Gox’s financial state other than what Mark Karpeles posted publicly. I don’t know Mark Karpeles personally and I don’t think I have ever met him or communicated with him directly.
At this point I felt bittersweet: I wanted Gox to recover and allow customers to retrieve their funds as quickly as possible. Yet, I knew and had publicly expressed, that the underlying problem would not be fixed: Proven management incompetence, expressed by a variety of massive failures, and their failure to hire a competent security and management team. My primary concern was for the funds of customers trapped on Gox and therefore I kept hoping for the best: a way for people to get out of this horribly mismanaged business.
In interviews, throughout last week, I stated that while I had serious misgivings about the competence of Mt.Gox executives and especially Karpeles, I had not seen any indication of bad faith or fraud in the past two years. Furthermore, Gox had stated publicly that they kept the majority of funds in “cold storage”, so I believed that even if the exchange had been defrauded because of their poor implementation of withdrawals-based-on-transaction-ID, the damage would be limited to the “hot wallet”.
Yesterday afternoon at approximately 3pm PST, Monday February 24th, I heard unconfirmed reports that Gox was in crisis mode and their funds were mostly, if not entirely, gone. This was the first hint I had of any solvency issues. Less than 30 minutes later, I found a public blog post with a lot more detail here:
Based on this blog, it appears their “cold storage” was not in fact “cold” – which is either a stunning misrepresentation of their security or an outright lie. “Cold storage” does not “leak”. The idea that the funds were stolen, unnoticed, from cold storage, due to Transaction Malleability, strains the credulity of even the most gullible observers.
As I write this, Tuesday Feb 25th at 9:00am PST, I still have no official confirmation and I know nothing beyond what is in that article, but I fear the worst. Everything I see makes me believe that Gox will never recover and that the funds are most likely lost.
I am devastated by the impact this will have on customers of Gox and I am angry at the irresponsible behavior of Mt. Gox and especially Mark Karpeles that will damage the lives of many people.
Even though I read the blog posting about Gox’s problems sooner than most, I did not sell any bitcoin and will not sell any in the coming weeks. I continue to be committed to bitcoin’s future and I am confident that the bitcoin industry and community will add Gox, alongside SilkRoad, as a lesson and move towards the future, stronger.
Last night, I took action to help rebuild some of the trust that this community desperately needs after reports of a massive breach of trust. I spent the evening and into the late night at the offices of Coinbase, reviewing their funds security with my own eyes. They invited me and I volunteered, even though they are a competitor and I have no professional relationship with the company, because they felt that an independent review would quickly put customers at ease. My statement on Coinbase:
We will face a storm of negative media, conflating Gox with bitcoin and hurting the bitcoin community in the short term. First and foremost, we must all be thinking of the people affected by the loss of funds in Gox and I extend my heartfelt sympathy to them all. We must honestly and directly address the concerns of all users and interested parties, emphasizing the difference between a decentralized trusted system (bitcoin) and the failures of a single company that did not use the trust mechanisms offered by bitcoin’s blockchain technology.
Gox represents the failure of a poorly managed exchange that had full centralized control of customer funds, in custodial accounts, off the bitcoin blockchain. By keeping the funds off the blockchain, Gox removed the protections of transparency and end-user control and replicated the model of a centralized bank without any of the controls and oversight such institutions require.
There is a better way: bitcoin companies can maintain customer funds on the bitcoin blockchain with full transparency and accountability. We can offer client-side key-management solutions that put full control in the hands of the customers and remove them from the control of custodians, be they exchanges, markets or web-wallets. If a bitcoin company keeps custodial access to customer funds (holds their keys), then they can and must offer cryptographic-proof of solvency through the blockchain.
I will continue to work tirelessly with the rest of the industry to build trustworthy, transparent, decentralized and cryptographically provable solutions that protect customer funds and allow them to retain full control.
We must all draw hard lessons from this experience and use them to make our community stronger. A few individuals cannot nullify the positive and inspiring work of thousands.
I continue to believe in this community, full of hope, innovation and creativity and acting in good faith to promote this incredibly important technology that can improve the lives of billions.
Andreas M. Antonopoulos