Last Sunday, the largest Bitcoin exchange, MtGox, was broken into. Reported details are complicated and possibly unreliable, but a fair amount is known. Trading is suspended while the exchange's source code is checked for vulnerabilities. All MtGox accounts are being put through a verification process and a mandatory password reset. According to MtGox's support page, a compromised account with 500k coins did a massive sell-off, clearing the order book and driving the price down to 0.01; MtGox has announced that trades around this time will be rolled back. A database of hashed usernames, email addresses, and passwords was leaked on or before June 17 (several hashes from the leaked database were posted on a forum). There is also a report that a cross-site request forgery vulnerability existed and was being used to steal from users, probably for weeks. There are also highly plausible reports of a SQL injection vulnerability. MtGox has claimed that only $1000 worth of coins were lost, but this is unclear; the large sell-off may have been an attempt to work around the withdrawal rate limit, by making the rate-limiter use an incorrect exchange rate. Analysis of the blockchain seems to suggest that MtGox does still control its coins, or at least a large number of coins.

In the best-case scenario, MtGox reopens for business in a couple days, some traders who would have profited from the sell-off will be angry, and the Bitcoin economy, such as it is, continues as before. In the worst case, MtGox is insolvent, either because they lost more coins as a result of this attack or an earlier attack than they've acknowledged, or because the coming run on the exchange exposes an undisclosed fractional reserve policy.

Meanwhile, TradeHill, the second-largest exchange, is trading at 13.2 USD/BTC with greatly increased volume, compared to 17.5 before this all started. The EFF has stopped accepting Bitcoins, in response to these events, and donated their Bitcoin holdings to the Bitcoin faucet. Botnet herders have started hunting for Bitcoin wallets, and allinvain (real name unknown) reported losing 25k BTC from an unencrypted wallet that way.

And I, with a significant amount of both US dollars and Bitcoins frozen on MtGox, am having a very hard time focusing on cell phone app development.
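The rate-limiter bypass the post speculates about, shown as an added illustration: a USD-denominated withdrawal cap that values coins at the current spot price becomes almost meaningless once that price has been crashed, while a cap that uses a manipulation-resistant reference price and a coin-denominated limit does not. This is constructed example code, not MtGox's code; the cap values, the price tape and the function names are assumptions.

```python
"""Constructed example: why a withdrawal cap must not trust the spot price.

A daily cap in USD that values each withdrawal at the current order-book
price can be bypassed by anyone able to move that price: crash it, and a
small USD allowance covers an enormous number of coins. The hardened check
values the withdrawal at the higher of spot and a reference price, and also
caps the coin amount directly, so the price crash buys the attacker nothing.
"""
from statistics import median

DAILY_USD_CAP = 1000.0   # assumed limit, chosen for the example
DAILY_BTC_CAP = 100.0    # assumed hard cap in coins, independent of price


def reference_price(recent_trades: list[float]) -> float:
    """Median of recent trade prices; a single crashed print barely moves it.
    (A production system would use a longer window or an external index.)"""
    return median(recent_trades)


def allowed_spot(btc_amount: float, spot_price: float, usd_withdrawn_today: float) -> bool:
    """Weak check: USD cap, withdrawal valued at whatever the book says right now."""
    return usd_withdrawn_today + btc_amount * spot_price <= DAILY_USD_CAP


def allowed_hardened(btc_amount: float, spot_price: float, recent_trades: list[float],
                     btc_withdrawn_today: float, usd_withdrawn_today: float) -> bool:
    """Hardened check: coin-denominated cap first, then a USD cap valued at the
    *higher* of spot and reference price so a crash cannot inflate the allowance."""
    if btc_withdrawn_today + btc_amount > DAILY_BTC_CAP:
        return False
    price = max(spot_price, reference_price(recent_trades))
    return usd_withdrawn_today + btc_amount * price <= DAILY_USD_CAP


if __name__ == "__main__":
    # Constructed 24h trade tape: normal prices, then the manipulated crash print.
    tape = [17.5, 17.4, 17.6, 17.5, 17.3, 0.01]
    # Normal market: both checks agree that 57 BTC (about $1000) is the limit.
    print(allowed_spot(57, 17.5, 0.0), allowed_hardened(57, 17.5, tape, 0.0, 0.0))
    # After the crash the weak check waves 90,000 BTC through as "$900".
    print(allowed_spot(90_000, 0.01, 0.0))
    print(allowed_hardened(90_000, 0.01, tape, 0.0, 0.0))
    # Even 90 BTC (under the coin cap) is refused once valued at the reference price.
    print(allowed_hardened(90, 0.01, tape, 0.0, 0.0))
```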



The EFF quietly stopped accepting bitcoins weeks ago, not in response to these events. What they did recently was finalize and announce that decision. Maybe recent events pushed them over the edge, but I doubt even that.

(repeatedly edited)

Look on the bright side: something like this had to happen eventually. If the attack doesn't kill Bitcoin, which given that TradeHill is still operating seems unlikely, it will make it stronger as people tighten security and figure out how to avoid future attacks.

Probably the BTC community should have a team of good guy hackers continually attempting to attack the system. If they succeed, the hackers then describe the attack and tell the community how to tighten security to prevent that kind of attack in the future.

And I, with a significant amount of both US dollars and Bitcoins frozen on MtGox, am having a very hard time focusing on cell phone app development.

Look on the bright side - at least you didn't invest all of your savings into Bitcoin, as I understand one LWer has.

Look on the bright side - at least you didn't invest all of your savings into Bitcoin, as I understand one LWer has.

Actually, that was me. I sold a fair bit of it before all this happened, but most of that is now frozen dollars on MtGox. Between the withdrawals I'd already made, and coins I had on my own computer rather than the exchange which I've sold on TradeHill, I'll have taken a 7% loss if MtGox goes under and steals my USD balance there. If I get the USD I have on MtGox, but BTC goes to zero, I'll have made a 170% profit. If MtGox comes back and I manage to liquidate at the current TradeHill price, I'll have made a 430% profit. So even in the worst case, I still won't regret having bought in, although I'll certainly regret not having been more careful where I kept my assets.

Uh yeah... don't put anything more than pocket money on a website that doesn't do security audits.

Oh my. I was thinking of jmcarthur, so I guess either I got your name wrong or there were actually two such LWers.