Bitcoin After Mt. Gox
J Thoendell stashed this in Cryptocurrency
744,000 Bitcoins comes to around $400 million, and would rank as one of the biggest robberies in history (if you don't like to count business and government robberies). It's about 6% of the total coins mined so far (an estimate that does not account for the doubtless substantial number that have been lost since mining began in 2009, or the even larger number thought to have been retained by Satoshi Nakamoto, Bitcoin's founder(s)). Ideally, if they can't eventually be returned to their rightful owners, the coins stolen from Mt. Gox will be identified and blacklisted on the blockchain so that they can never be spent. Only a concerted and responsible effort to address the theft, if there is one, will persuade people that Bitcoin still has potential as a real medium of exchange.
So how did the thieves, if there were thieves, get away with a heist of that size? At the moment it appears that they may have been able to exploit Mt. Gox's weak security and customer service practices—in particular, its reliance on a certain transaction ID (TXID) for internal verification; this weakness has been called "transaction malleability" in news reports. When the TXID was manipulated, it might have been possible for thieves to sneak Bitcoins out of Mt. Gox undetected—but it's important to note that the blockchain (the underlying ledger that guarantees all Bitcoin transactions) is unaffected by that flaw, since TXID is generated not to guarantee or record the underlying Bitcoin transaction, but simply as a marker for support services. It appears that Mt. Gox's custom wallet software may have made use of that housekeeping number to identify transactions in its own wallet system. That's why Mt. Gox alone appears to have been hacked—if, indeed, that is the explanation for the alleged losses. (David Z. Morris has a good, simple explanation of transaction malleability at CNN Money.)
But if all this is as it has been suggested in the press and on Reddit and various blogs, it would mean that Mt. Gox had no internal auditing controls at all to verify its own transactions.
Seems like someone is going to lose a lot of money.
I'm not sure how they can invalidate the coins if they've already been sold to other people?