We’re a few weeks removed from the event that began the collapse of Mt. Gox, the Japan-based bitcoin exchange. This dramatic death of one of the first bitcoin exchanges was spurred by a report by bitcoin entrepreneur Ryan Selkis, revealing a leaked document detailing excessive bitcoin theft that happened on Mt. Gox’s watch. Unfortunately, this was probably the most press Bitcoin has ever gotten. It was catastrophic for Bitcoin, causing its price to crash, and perhaps worse yet, raising concern about the security of using bitcoins.
As one can read in the report (and elsewhere), Mt. Gox blamed these thefts on what they called a “flaw” in Bitcoin’s software. This “flaw” is a feature of Bitcoin’s software known as transaction malleability, in which the unique address associated with each transaction of bitcoins can in fact be altered. The thefts occurred when a Mt. Gox user would alter an address they used with Mt. Gox for a transaction, and complain to Mt. Gox when their new, altered address had no bitcoins sent through it. Mt. Gox used these addresses as essentially their only form of accounting, so they had no choice but to repeat the transaction at the new address. As a result, the thieves had double the bitcoins at Mt. Gox’s expense.
If you think something smells here, you’re not alone. Members of the Bitcoin community lashed out at Mt. Gox, pointing out that Bitcoin has been aware of transaction malleability, and has chosen not to address it. Transaction malleability has a number of potential constructive properties, which include any sort of operation where multiple users have to collaborate on transactions (crowdfunding, for instance). While that doesn’t change the fact that it was used for nefarious purposes in the Mt. Gox scandal, why did Mt. Gox have no accounting measures beyond the transaction addresses? Certainly a rhetorical question at best, but it begins to detail the lessons the Bitcoin community can learn from Mt. Gox.
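To make the accounting question above concrete, here is an added example (not from the original post and not Mt. Gox's or Bitcoin's code) of payout bookkeeping that still recognises a payment after its identifier has changed. What the post calls the transaction's unique address is modelled as a hash over the whole transaction, signature included; the JSON serialization, field names, function names and sample data are all assumptions made for illustration.

```python
import hashlib
import json

def _digest(obj):
    # Toy canonical serialization (assumption): sorted-key JSON, not Bitcoin's wire format.
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def tx_identifier(tx):
    """Identifier over the whole transaction, signature bytes included."""
    return _digest(tx)

def payment_key(tx):
    """Identifier over what the payment does: coins spent and outputs created."""
    return _digest({"inputs": tx["inputs"], "outputs": tx["outputs"]})

def paid_by_identifier(sent, chain):
    """Accounting as the post describes it: look only for the identifier we broadcast."""
    return tx_identifier(sent) in {tx_identifier(t) for t in chain}

def paid_by_content(sent, chain):
    """Accounting that survives a changed identifier: match inputs and outputs."""
    return payment_key(sent) in {payment_key(t) for t in chain}

def handle_complaint(sent, chain, check):
    """Decide what to do when a customer reports a missing withdrawal."""
    return "already paid" if check(sent, chain) else "resend"

# Constructed sample data (not real transactions, keys or addresses).
SENT = {
    "inputs": [{"prev_tx": "aa" * 32, "index": 0}],
    "outputs": [{"to": "customer-address-placeholder", "amount_btc": 10}],
    "signature": "3044-constructed-encoding-A",
}
# Same payment as confirmed on the chain, with the signature re-encoded in transit.
CONFIRMED = dict(SENT, signature="3045-constructed-encoding-B")
CHAIN = [CONFIRMED]

if __name__ == "__main__":
    print("identifier changed:", tx_identifier(SENT) != tx_identifier(CONFIRMED))
    print("identifier-only accounting:", handle_complaint(SENT, CHAIN, paid_by_identifier))
    print("content-based accounting:  ", handle_complaint(SENT, CHAIN, paid_by_content))
```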
While Bitcoin is sophisticated software, the job of making Bitcoin safe to use should not fall squarely on the shoulders of the Bitcoin programmers. That would be akin to asking the U.S. Federal Reserve to ensure that bank robberies and identity theft never occurred – the banks themselves are generally the organizations that provide security for our dollars. What I’m getting at is that Mt. Gox shouldn’t have blamed Bitcoin itself for their own oversight, and their own failure to secure the funds of their users. While Bitcoin still lacks the regulation that other currencies have, Bitcoin exchanges such as Mt. Gox are the organizations that we look to for the security of our bitcoins. We wouldn’t blame the nature of the U.S. Dollar itself if our bank account got robbed – we’d blame the bank that was supposed to protect our funds.
As Mt. Gox files for bankruptcy, we obviously can’t say the loss of 744,000 bitcoins was a good thing. However, Bitcoin is in its infancy, and we can, at the very least, accept that the responsibility for security when using Bitcoin falls on us, the users. The fall of Mt. Gox is a bump in the road for Bitcoin, but it will spur other Bitcoin exchanges to bolster their security measures, and it will compel users to be far more cautious when conducting bitcoin transactions. Mt. Gox was ultimately good for Bitcoin because of what the public stands to learn through its collapse. And, of course, because any press is good press.