Market players agree that the story behind the collapse of MtGox is almost unbelievable. How could a large business fail to notice that assets worth millions of dollars had simply vanished?
The collapse traces back to a weakness in Bitcoin itself, compounded by MtGox's implementation of the protocol and its bizarre internal practices. Together they created a situation in which an attacker could get the company to hand over coins without the company realizing what it was doing.


The trouble starts with an issue in Bitcoin known as "transaction malleability". When a Bitcoin transaction is made, the sender digitally signs the payment details: which coins are being spent, how much is being sent, and where it is going. A transaction ID is then derived by hashing all of the data in the serialized transaction, not only the signed part.
However, some of the bytes that feed into the transaction ID come from the part of the transaction that the signature does not cover, most notably the container that carries the signature itself. Anyone relaying the transaction could therefore re-encode those bytes and produce a variant that is still valid, spends the same coins and pays the same recipient, but has a different ID. The crucial payment information was still securely signed, but this causes problems down the line if the sender expects the transaction to appear in the ledger under one particular ID.
In MtGox's case, the exchange expected its withdrawals to show up in the public ledger under the specific transaction ID it had recorded. When a withdrawal did not appear under that ID (because the ID had been altered in transit), the thief could complain that the transaction had failed, and the system automatically retried, sending the coins a second time even though the original payment had in fact gone through under the new ID.
Transaction malleability is therefore a property of Bitcoin itself, and it was not the exchange's fault that transactions could be renamed in this way. However, the issue had been known for about three years, and wallet software that tracks which coins have been spent, rather than which transaction IDs have appeared, reports balances and transactions correctly despite it.
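To make the mechanism concrete, the following Python is an added illustration, not code from the article or from MtGox. It serializes a minimal legacy Bitcoin transaction, shows that re-encoding the unsigned scriptSig (here by rewriting a direct push as OP_PUSHDATA1, one of the historical encoding variants) changes the txid while leaving the signed fields untouched, and contrasts the fragile reconciliation described above (match on recorded txid, retry if absent) with a robust one that matches on the spent outpoints. The transaction, signature and key bytes are constructed placeholders, and the signed-fields digest is a simplified stand-in for the real sighash computation.

```python
"""Transaction malleability: why a txid can change without the signer's consent,
and how to reconcile withdrawals so a renamed transaction is not paid twice.
Added illustration with constructed data; not MtGox's code."""
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def varint(n: int) -> bytes:
    # Bitcoin CompactSize encoding; every length used here is below 0xfd.
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    return b"\xfe" + n.to_bytes(4, "little")


@dataclass(frozen=True)
class TxIn:
    prev_txid: str      # hex, display (big-endian) order; covered by the signature
    vout: int           # covered by the signature
    script_sig: bytes   # NOT covered by the signature: it carries the signature
    sequence: int = 0xFFFFFFFF


@dataclass(frozen=True)
class TxOut:
    value_sat: int
    script_pubkey: bytes


@dataclass(frozen=True)
class Tx:
    version: int
    vin: Tuple[TxIn, ...]
    vout: Tuple[TxOut, ...]
    locktime: int = 0


def serialize(tx: Tx, strip_script_sigs: bool = False) -> bytes:
    """Legacy (pre-segwit) wire format; the txid is hashed over all of it."""
    raw = tx.version.to_bytes(4, "little") + varint(len(tx.vin))
    for i in tx.vin:
        script = b"" if strip_script_sigs else i.script_sig
        raw += bytes.fromhex(i.prev_txid)[::-1] + i.vout.to_bytes(4, "little")
        raw += varint(len(script)) + script + i.sequence.to_bytes(4, "little")
    raw += varint(len(tx.vout))
    for o in tx.vout:
        raw += o.value_sat.to_bytes(8, "little")
        raw += varint(len(o.script_pubkey)) + o.script_pubkey
    return raw + tx.locktime.to_bytes(4, "little")


def txid(tx: Tx) -> str:
    return sha256d(serialize(tx))[::-1].hex()


def signed_fields_digest(tx: Tx) -> str:
    """Digest of what a SIGHASH_ALL signature commits to: everything but the scriptSigs.
    Simplified: the real sighash also substitutes the spent scriptPubKey and appends
    the hash type, but the invariant demonstrated here is the same."""
    return sha256d(serialize(tx, strip_script_sigs=True)).hex()


def malleate_first_push(script_sig: bytes) -> bytes:
    """Re-encode the leading direct push (opcode 1..75) as OP_PUSHDATA1 <len> <data>.
    The script pushes identical data, so the signature still verifies, but the
    serialized bytes, and hence the txid, differ."""
    if not 1 <= script_sig[0] <= 75:
        raise ValueError("expected a direct push opcode")
    return b"\x4c" + script_sig


def outpoints(tx: Tx) -> FrozenSet[Tuple[str, int]]:
    """The coins a transaction spends; signed, so every variant of a payment shares them."""
    return frozenset((i.prev_txid, i.vout) for i in tx.vin)


def missing_by_txid(sent: List[Tx], confirmed: List[Tx]) -> List[Tx]:
    """Fragile reconciliation: a withdrawal is 'missing' if its recorded txid is not on chain."""
    on_chain = {txid(t) for t in confirmed}
    return [t for t in sent if txid(t) not in on_chain]


def missing_by_outpoints(sent: List[Tx], confirmed: List[Tx]) -> List[Tx]:
    """Robust reconciliation: match on spent outpoints, which a relayer cannot alter."""
    on_chain = {outpoints(t) for t in confirmed}
    return [t for t in sent if outpoints(t) not in on_chain]


# Constructed sample data: placeholder bytes, not a valid ECDSA signature or key.
PREV_TXID = "7f" * 32
FAKE_SIG = b"\x30" + b"\x22" * 70                      # 71-byte DER-shaped placeholder
FAKE_PUBKEY = b"\x02" + b"\x11" * 32                   # 33-byte compressed-key placeholder
CANONICAL_SCRIPT_SIG = bytes([len(FAKE_SIG)]) + FAKE_SIG + bytes([len(FAKE_PUBKEY)]) + FAKE_PUBKEY
P2PKH_OUT = b"\x76\xa9\x14" + b"\x33" * 20 + b"\x88\xac"

WITHDRAWAL = Tx(1, (TxIn(PREV_TXID, 0, CANONICAL_SCRIPT_SIG),), (TxOut(50_000_000, P2PKH_OUT),))
RELAYED_VARIANT = Tx(1, (TxIn(PREV_TXID, 0, malleate_first_push(CANONICAL_SCRIPT_SIG)),),
                     WITHDRAWAL.vout)

if __name__ == "__main__":
    print("sent txid      ", txid(WITHDRAWAL))
    print("confirmed txid ", txid(RELAYED_VARIANT))
    print("signed fields equal:", signed_fields_digest(WITHDRAWAL) == signed_fields_digest(RELAYED_VARIANT))
    print("retries if matched by txid:     ", len(missing_by_txid([WITHDRAWAL], [RELAYED_VARIANT])))
    print("retries if matched by outpoints:", len(missing_by_outpoints([WITHDRAWAL], [RELAYED_VARIANT])))
```

Run as a script, the variant's txid differs from the recorded one while the signed-fields digest is identical; the txid-based check reports one "missing" withdrawal and would re-send it, the outpoint-based check reports none. The outpoint rule is the practical lesson: a payment is identified by the coins it spends, and once those coins are spent on chain the withdrawal is done regardless of which encoding of the transaction got mined.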
However, losing some cryptocurrency to a bad implementation of the Bitcoin protocol would not by itself have been enough to bring down MtGox. The collapse also required serious lapses in how the exchange audited its accounts and how the company dealt with the resulting financial trouble. Here the investigation paints a picture of an almost unbelievably lax approach to accounting.
MtGox had allegedly never conducted a single audit of its customer deposits. Moreover, its CEO may have been the only person who knew how to access the company's cold storage. It is still unclear how coins could have leaked from the exchange over a period of years without any of its executives noticing.
It is also unknown how long MtGox had been operating without enough funds to pay every depositor. Given that the transaction malleability issue was identified in 2011, the thefts may well have started around then.
The real trouble for the exchange began last summer, when it suspended US dollar withdrawals entirely for two weeks. Users started pulling their money and Bitcoins out, and eventually the company no longer had the Bitcoins to return deposits: when it suspended Bitcoin and cash withdrawals, MtGox held only about 2,000 Bitcoin against customer deposits of over 600,000. A few weeks later the MtGox CEO resigned from the Bitcoin Foundation, the exchange closed its website and filed for bankruptcy.