It is not even clear that the malleability problem is solvable. Besides the problem that there are innumerable ways to transform a transaction to give it a different hash without affecting scriptSig validity, it is simply unknown whether it is possible to algebraically transform an elliptic curve signature without invalidating it. If so, then no matter what you do to cover up the other holes, that gaping one is left open.
Transactions are malleable. Deal with it. If a transaction is observed on the network that has the same input outpoints and the same outputs, it is the same transaction, and mtgox should treat it as such. This is a simple check to do, and trivial to automate.
And instead of reporting only the hash to the user, they should record, report, and track the transaction itself. You should be able to go to your withdraws and see the actual transaction, including which inputs were used, and what the change address is. You can then go to any block chain service and verify for yourself if/when those same outpoints are spent in a modified transaction.
Eh well, it is Bitcoin's problem in that it's not meant to ever happen. Mt Gox's implementation is based on what is meant to happen in the network (transaction IDs can not change) rather than what does happen (signatures with weird padding are accepted). The network as of late version doesn't relay these either, I seem to remember reading, so it's a problem that's being intentionally reduced.
This is not a recently discovered "problem." This is how bitcoin has always worked. Even before the OpenSSL signature encoding malleability discovery, it was always known that you could add a NOP instruction to a scriptSig, for example, to change the txid without affecting the signature (as the scriptSig is not covered by the signature, for obvious reasons). From the very first day that Bitcoin was released, it was known to anybody who looked at the code that transaction IDs could be changed without affecting signatures.
From the references on the forum, it looks like the issue wasn't really discovered or considered until mid 2011. The developers comment on their active involvement in closing this up, so it's probably reasonable to expect that it's not intended or desirable.
It's Feb. 2014; the issue has been known since at least May 2011. In other words, people have known about this for about 3 years. My vote is still on Mt.Gox incompetence.
That is concerning malleability of the DER encoding only. Note that there are other ways to modify a transaction which change the hash without affecting the signature validity, such as inserting NOP instructions into any of the scriptSigs. That is what I was referring to, and something which was quite obvious from the first release of bitcoind.
Isn't it the case with Bitcoin that the official implementation amounts to its specification? Maybe implementing the protocol themselves was a good idea from a theoretical standpoint but in reality amounts to over-engineering? I certainly don't know enough about this stuff so I could be naive of course.
Mt. Gox could solve the issue without a change to the Bitcoin protocol by tracking the entire transaction and not just the hash.
But instead of fixing their own problem they make it sound like Bitcoin itself is broken.
Why would they do this? Cui bono?
If Mt. Gox has been scammed out of a large amount of Bitcoin, they may not own enough to fill withdrawal requests. If this is true, then a steep decline in the price of Bitcoin could allow them to cover the gap.
So a guy who calls himself "Magical Tux" and describes himself as "PHP Developer working on some weird stuff, like a mail server (POP3/IMAP4/SMTP) written in PHP" was not able to build a reliable worldwide exchange?
Yeah, like that guy that they call "The Zuck" who is a PHP developer working on some weird stuff, like a face book written in PHP, was not able to build a reliable worldwide social network?
Get over yourself, MagicalTux is not alone any more, and they're working hard on being a reliable exchange, the most reliable one out there as far as I am aware.
Well, there are a few points where your counter-example breaks down.
For one, one could use a social networking site, even a relatively unknown one, without much to lose. It's not like people wired $1000 dollars to Facebook when it started.
So, yes, I could trust a random guy with some bs social site. With my money? Not so much.
>Get over yourself, MagicalTux is not alone any more, and they're working hard on being a reliable exchange, the most reliable one out there as far as I am aware.
If true, that just speaks very poorly of the state of bitcoin exchanges:
"""Or let's take that historic hack of Mt. Gox, which temporarily dropped the exchange rate to $0.01 per BTC, and involved a large Bitcoin heist. What they didn't tell you, was that several vulnerabilities in the Mt. Gox website and API were reported a while before the hack, and that the Mt. Gox staff more or less waved them away, completely ignoring their severity. This included MySQL injection vulnerabilities, just to put things into perspective a little. One of these vulnerabilities was almost certainly the attack vector that was used for the heist."""
I was confused about this whole thing. I honestly thought that MagicalTux was the only name he gave, and that'd be troubling for someone running a financial institute.
But his name is Mark Karpeles, it's plastered all over the website, registration, and even his twitter account.
I suggest that the gp's post is very much an ad hominem attack. It suggests, but does not offer proof that Magical Tux is an inferior programmer not capable of building quality software by playing on the fact that some people consider PHP a toy, broken and inferior programming language. It asserts that PHP programmers are always inferior programmers - an assertion that does not hold true. So it uses an unrelated info-bit (PHP-Programmer) to attack Magical Tux's qualities as programmer of a bitcoin exchange.
Please note that I'm not asserting anything about the qualities of the programmers of MtGox or the code quality running the exchange. It might quite well be shitty and bug-ridden, but that quality is totally unrelated to PHP.
>It suggests, but does not offer proof that Magical Tux is an inferior programmer not capable of building quality software by playing on the fact that some people consider PHP a toy, broken and inferior programming language.
No, I suggest that some random web developer, with no experience in finances, and without a big financial player behind him, should not really be trusted with people's hard earned money.
Counter to what you say, I could not care less if he did this in Scala or Racket instead of PHP -- I merely quoted the one-liner he gives about himself. He could have written Haskell in there and I would still have the same objections:
Who is he? What has he done before in the financial world? Why should people trust his skills at setting up a money exchange?
Note that, in my argument, I don't even care if he's a good programmer or not. He might outdo Rich Hickey and Simon Peyton Jones put together. What I'm asking is: why should we trust him? Ability to set up a good and safe money exchange AND not be a crook != ability to program.
The argument you're making now is a very different one from the one you were making in your original post. In your original post you call attention to his nickname (which is totally unrelated to competence, a lot of competent people have weird nicknames and a lot of incompetent people don't have any) and his one-line self-description which only tells us that he is working on some weird stuff written in PHP. This is all of the argument that you made - you attacked his person and character, not anything he said or any of his qualities related to the incident. To sum up your post in a quip "Oh, look, PHP programmer at work, LOL, what did you expect?"
Now you're making a different and more nuanced argument which boils down to "why should we trust him, even if he's competent." That's a reasonable question to ask - but the question of trust is a fundamentally different question from the question of competence. I might trust someone incompetent to be well-meaning and someone competent and capable might be completely untrustworthy. It might even be true that he's incapable and untrustworthy, but still - that's not the argument you made.
The fundamental problem with the older bitcoin exchanges is that they all started out when nobody in the financial world even cared about bitcoin: No technical knowledge, no investors, ... so basically trust had to be earned from 0 on. One point speaking for Mt.Gox is that they are still in business while other exchanges folded. Somebody seems to trust them.
>To sum up your post in a quip "Oh, look, PHP programmer at work, LOL, what did you expect?"
Ever noticed how those are entirely your words?
I merely pointed out at his experience -- not picked on the particular language he uses. In fact I've supported PHP in other HN threads.
The language was only mentioned because HE used it in his bio blurb.
What I wanted to point out in that blurb was: random web developer (ie. not a person with known expertise in financial software and money exchanges) and a silly nickname (ie. not really the sort of mature behavior that inspires confidence in a major venture such as a financial service).
Contrary to the purely theoretical notion that such a nickname is "totally unrelated to competence" (which might be perfectly reasonable in theory), I'd say that in the real world it speaks volumes about maturity and self-perception. If my banker was calling himself "Crazy-Ass Joe" or "Mr Fancypants" I'd be similarly worried.
>One point speaking for Mt.Gox is that they are still in business while other exchanges folded. Somebody seems to trust them.
Well, to paraphrase P. T. Barnum, there is one person trusting them born every minute.
You should have probably said this in the first place instead of drawing the attention to his choice of nickname and self-description. This here was a much more reasonable argument.
Or, since MtGox was known to create transactions with encodings that became non-standard in 0.8, maybe someone was charitably rewriting these transactions so they could be relayed by the network. I don't think there's public knowledge yet as to what happened, including whether it was deliberate or malicious.
It seems to me the trivial solution (ok, "hack") for this problem is to construct a new bitcoin address for every withdrawal that is used as a staging ground and one-time "identity" for the transaction. So like, rather than MtGox sending a hundred bitcoin to a user's address, and then having to sort-of-fail to detect the transaction as it gets mutated, it sends the money to a temporary address and then empties the temporary address into the user's target address.
Now, any transaction coming from that temporary address (which can also be told to the user as "expect the money to come from this address", which might be separately useful for purposes other than transaction proofing) can be considered to be the transaction in question: the computed hash of the transaction is irrelevant.
Of course, I should not be able to solve this problem after two minutes of thinking about it; so: anyone mind teaching me what I'm missing? I can't imagine I could come up with a solution this simple so quickly to a problem that is apparently so well known and so problematic to such an established player in this space ;P.
The issue isn't really that difficult to solve, it's just that their software was doing accounting badly and losing track of what was spent where when the malformed transaction was spent rather than the one they believed they created.
An attacker can rely on this (the transaction ID from their perspective never confirmed) and ask them to resend the funds. The attacker doubles their money and suddenly Gox has outputs they think aren't spent, but really have been in a transaction ID they don't know is their own. When they roll these "unspent" outputs into new transactions they fail to broadcast, and then we are in the situation we are in today with a number of backlogged transactions.
Fortunately for them if any money has been stolen using this, they probably have the ID of the person in question.
Your system would work as a hack, but for somebody as big as Gox they would have a significant impact on the blockchain size for no good reason.
MtGox made the right decision in shutting off withdraws and not implementing hacks. It's important for this problem to be solved once and for all.
MtGox made a very bad decision in its choice of wording in this press release. It shouldn't have framed this as a "design flaw." The only reason this happened was because of MtGox's custom software. No one else was affected. By definition, that's not a design flaw.
Uhm, no, this is definitely a design flaw. It violates the principle of least surprise for no reason other than "we didn't think of it at the time". That's pretty much the definition of a design flaw.
You don't need to create a new address - just identify transactions by the inputs it consumes and outputs it generates. Since these parts are signed they won't change.
Of course that's much harder, both in terms of algorithmic and code complexity, than just remembering a hash.
Since you can hash a canonical representation of the unchanging parts, and then use that as the (same-sized) key instead of the native txid, it's not that much harder.
And, it doesn't require global agreement to deploy such a workaround.
You could do it that way. Inputs, Outputs and Signatures don't change though. So just keep track of that. With each confirmation the tx-id becomes less and less malleable. At some point then store the tx-id.
There are few times in my adult life I've felt like crying actual tears, but this is one of them.
Four times since that first comment, the bitcoin price has recovered to $1,000, then dipped back down again. Four times I didn't sell.
The silver lining is that Gox's explanation is correct on a technical level. There is every reason to believe this explanation to be true. (This isn't (just) me being hopeful; this is because if you investigate whether it's true, you'll find out it is true.) For further details see https://news.ycombinator.com/item?id=7203544
Since I've only been able to withdraw 3.4 bitcoin, I'm at the mercy of Gox. It's entirely possible that I'll wind up with less than $1,000, from $11,000. An expensive life lesson, but at least it's recoverable.
EDIT: I apologize if this comment didn't contribute anything. I sometimes use HN for moral support. I'm just shocked at what's happened.
EDIT2: This surely shouldn't be the top comment... it's important to get information out to people in a crisis situation like this. This was just me being sad and gathering information from those more experienced. Thank you though.
You clearly do not have the heart for asset speculation. I am not trying to be mean here, but the emotional reactions you show in these comments and the fact that they utterly destroy your ability to stick to the rational decisions you've made, is compromising your investment decisions.
So there's two paths from here: Either this is the experience that hardens you and makes you stop thinking "oh shit, I just lost two months' salary in six hours" (this happens all the time when you have a significant amount invested in a volatile asset), or you realize that things won't change and you can't live with the risk of losing your investment.
If you choose the latter option, you will also need to stop kicking yourself if three years from now, the asset you sold has tripled in value. In fact, you should stop kicking yourself right now. The problem here is your emotional reaction, not Bitcoin's volatility. I know how you feel; I've been up and down $30,000 this year over the course of a few weeks in the stock market, but second-guessing yourself only serves to waste your attention. Make a plan, know the consequences and stick to it.
Thank you for your insight. How do you decide when to sell? I had four opportunities and let them all pass by, because I was hoping "this time I'll recover my initial investment." That's greed, of course, but how do you make a plan and stick to it in these circumstances? Do you decide ahead of time that you're willing to walk away with a 20% loss, rather than wait a year and see what happens?
First off, you are a short-term speculator. This is a subject I don't know very much about. For all practical purposes, you are gambling. The answer to your "should I see what happens" question is equivalent to "should I roll the dice with what's left of my money"? You don't have an investment thesis, i.e. a theory of what will happen next. If you did, your decisions would be easier (although you would still be exposed to risk).
But in general terms: Don't invest more money than you can stand to lose. Have an investment thesis. As long as this thesis holds, don't sell and don't even check the value of the asset you are holding. Don't invest in volatile assets with money that you will need in the near future (within five years or so).
Forget the price at which you bought your asset. Always keeping this in mind leaves you horrendously exposed to the "sunk cost fallacy". Ask yourself instead: If I had nothing invested, would I buy at this price? If the answer is no, that is a strong indication that you should just take the loss, or even sell if the price has increased.
You could also have a plan beforehand, i.e. sell if it's down more than 30% or if it's up more than 60%. And if you make such a plan, you need to stick to it.
Taking a 20% loss on an asset like Bitcoin, which has appreciated >10,000% in a few years is really not a big deal. This is the king of volatile assets. If you are consciously investing in such an asset, you should be able to shrug at either a 50% loss or a 100% gain. Most people would (perhaps rightly) call you crazy for keeping a significant part of your investment portfolio in such an asset.
I'm talking out my ass here, being personally allergic to asset speculation, but I'd like to make a suggestion purely on the basis of psychology and rational decision making.
I think you're too hung up on the fact that you used to have $X in BTC and now you have $Y. Instead, just start from the premise that you have $Y. Your goal isn't to recover your old $X, it is to grow your $Y as much as possible.
What is currently the best investment you see available to you? Is it Bitcoin, or any other cryptocurrency? Are you better off with cash or a low risk CD? Maybe a mutual or index fund, or is there a country whose debt is currently going for a good price?
Once you know where you're going, it's a lot easier to get there. If you think Bitcoin has the most potential at a level of risk you're willing to accept, leave your money there. If you think something else has a better combination of risk and reward, move your money there.
(Essentially: when you are behind you believe that you can quit while you're ahead, but when you are ahead you feel confident and prefer to press your luck)
In general, if you are investing some place that makes you feel anxious or emotional about the consequences, it's far too volatile and you should cut your investment down.
The best way to escape from this situation is to make an exact plan and stick to it. Would you rather walk away now, or risk a worse loss later? Then, at what value will you cash out? I understand you are attached to your initial investment cost, but really 100% is the valuation now, since the rest is sunk costs.
Decide how you like, but firmly - take the emotion out of your decision making.
The only solution to this problem is exactly that one. Make the plan BEFORE EVEN BUYING the assets AND commit to it, as tightly as possible. If you can get a machine or an unemotional third party to execute the plan, even better.
Else you'll be stuck in an infinite loop of second guessing yourself and what-ifs that do not contribute to either your financial stability or your sanity.
If the plan sucked, you can revisit it on a later round, and if not completely sure about your plan, you can do mini runs of it to test, but the important part is to stick to deadlines/commitments so the anguish stops.
Ultimate Goal: Produce 300k+ from 7k. Insanely unlikely, I know. But if things unfold like I'm hoping, this will nearly close out my mortgage; a life-changing event for a family man such as myself.
Disclaimer: Don't play with money you cannot afford to lose. I have 7k that I can burn on crypto. I won't be happy to lose it all suddenly, but it won't put me in the poor house or ruin my daughter's college fund. My true family funds are in e-trade.com collecting dividends 'n such.
Overriding-rule: Never be 100% fiat or 100% coins. Be ready to make a buy or sell at any moment.
Back in Nov 2013 I put in 1k and the market promptly crashed afterwards so I have 26 litecoins (at $40 each) I can't sell for a long while. I knew my luck from experience on e-trade, so this didn't faze me - it always starts this way. The next 1k I sent into crypto-coin world is at btc-e.com where I day-trade. At first I bought and sold quickly, simply making 4 to 5 dollars. Just getting used to how btc-e.com works and its transaction speed. Then I started to make bigger and more long-term bets as I observed the big swings. It appeared to me after a few months of watching that Litecoin's biggest swings are between $18 - $29. So when MtGox had its recent issues and "Russia banned bitcoin" pulled the price down, I bought in. I'll make about $600 when Litecoin reaches $29 again. But on the other hand, if the price of bitcoin goes below $500, I will put in 1k for the 3rd time. If bitcoin falls below to single digit numbers[1], then I'll buy 3k more. This brings me to my limit of having 7k in the crypto-coin world. I will now sit back and wait.
If we ever see $1,000/BTC after the events I describe above, I will sell everything I have - producing at least 300k. I'm done. Or, BTC will simply fall into oblivion and I've lost 7k. I'm "fine" with that, but I'll always make sure to have copies of my private-keys for the rest of my life... just in case.
Well, whatever you want to call it "plan"/"strategy"/"hope"/"insane dreaming". About this time last year, if I executed on my "plan" I'd have reached my goal in Nov 2013. Bottom line is I think bitcoin still has a disaster or 2 or 3 ahead of it that'll tank the price; only to recover a month or 2 later. With all this MtGox drama happening + "Russia banning bitcoin", I'm poised to move. Also, this list[1] was front-page of HN at one time. If #9 actually happens, combined with a disaster that makes the price tank - say, MtGox shutting down & "USA bans Bitcoin!!", then I'd be set.
I know my "plan" depends on 2 unlikely events. Probably won't happen, but this is bitcoin we're talking about. Nobody knows what will happen yet. This is my "plan" based on the craziness I see of bitcoin. Nothing really that special; buy low & sell high. Call me crazy but I say coins still have a few huge swings coming up in 2014. MtGox is already causing one right now. Even if these extremes don't happen, I got 1k that I'm day trading with under smaller swings that I'll at least earn back the 2k I've put in so far if not more.
No, you are still learning the lesson, it's not been learned at all.
You are being illogical about your investment. Go back to the moment you bought the Bitcoin. You apparently thought they were worth $1000 per Bitcoin at that moment, there is nothing wrong with that.
That you invested in Bitcoin means you expected them to rise, do you remember how much you expected them to rise? In what timespan? Does the price going down for now affect that estimation? In what way? Why would you sell your Bitcoin?
There's answers to all those questions that go in every direction, but they lie in the future, so the only thing you can do is make a reasonable prediction, and hope it was realistic enough.
Some people think Bitcoin will go to $10k, some people think Bitcoin will prove useless and die out. Decide in which camp you are.
About MtGox: If MtGox would somehow mess up bad enough that your money/btc is not safe there, that would hit the BTC so bad that its value would at least halve, if not more, at every exchange. Trying to withdraw your bitcoin now is madness, you're just risking getting it stuck.
Be careful with your panicking. I myself am too afraid to go long on Bitcoin, if I had I'd have over 10x my original investment now, instead I just speculate and profit from panic sellers, it's fun and pretty low risk. I sell whenever Bitcoin is stable, and buy whenever there's panic.
I don't believe in Bitcoin being worth $1000 right now, but I do believe that the technology and ideas are solid enough, that whenever there's a panic the price will recuperate fairly quickly as people realize not actually all that much changed.
Did you not understand what you were getting into? Did you imagine it would rise forever? Did you think that an unregulated exchange in a foreign country designed for a different purpose was a safe bet? Did you ignore the rising tide of complaints about Gox?
Why did you use MtGox? You should have done research before investing that much money. If you'd done rudimentary research, you would have immediately seen that MtGox was a very risky exchange to use... even just for very short term transactions. I'm lost as to why anyone actually still used MtGox over the last 6 months or so.
Secondly if you can't stomach the swings in Bitcoin, it's not the speculatory investment for you. You need to have a plan and stick to it. Buy and hold for 5 years is a reasonable plan.
I'm sorry if this isn't sympathetic, but you need to learn from your mistake.
Having gotten in when they were so (relatively) "cheap", it's hard to imagine paying > $1000/each. I certainly can't complain, as I bought $10k BTC at $7/ea and sold 'em when it hit $30 (c. June 2011), but I sure wish I had held onto 'em!
I suppose it is viscerally obvious to you at this point, but putting money into something like Bitcoin should be considered one step up from putting it all on 31 and letting it ride: don't do it with money you consider important.
I don't get why people who don't trust banks go and deposit money to the first BS "service" that's a guy and his dog, implemented in 2 weeks, full of holes and bugs, and with nothing much as financial assurances and security that you'll even get your money out.
Because banks are "the Man", while bitcoin is "one weird trick .. bankers hate it!" Social proof by negative.
The crypto also triggers a geeky faith in technology. Because the crypto is sound, it's just the way it's being used is problematic. And the institutions around it are very flaky, but geeks hate institutional politics and dream of eliminating it by technological fiat.
Who said they don't trust banks? I think what you are really asking is, "Why would people who see a get-rich-quick opportunity put their money in such an operation?"
Don't panic, the way I see it, is that this is another temporary crash in the price of bitcoin, caused by bad news. Once the mtGox problem is out of the way, bitcoin may resume its rise. May is the operative word there, of course, but I think it's likely.
Don't expect sympathy from us. It's not like you did a load of hard work and then got taken advantage of. Depending how you look at it you put a bunch of money either into a gamble, or betting on your own judgement (which, if bitcoin loses its value, will have proven to be wrong).
Well technically this is a "technical issue" but let's not fool ourselves to believe that Mtgox is holding out withdrawals just to be on the safe side. If they are doing this then it means they were subject to an attack involving this bug. How much did this attack hurt MTgox financially?
However, it must have really messed up their internal accounting. The problem isn't that they don't have the money - the problem is that they don't know which of the outputs that they own have been used, and which haven't. They have to fix the bug, parse the blockchain, consolidate that with their internal records of ownership, figure out which pending withdrawals have been fulfilled, which haven't, which have been paid twice...
There's a lot of things to do there, and they all need to be fixed before they can tell if a new withdrawal is legit.
"The problem isn't that they don't have the money"
They didn't address that in their statement. They may not even know themselves yet how much they were taken for. With the high number of transactions that were failing in the days leading up to the withdrawal halt it's pretty clear someone was exploiting this to double withdraw. Something was almost certainly taken; the question is how much and can they recover.
<gmaxwell> The Gox press release seems a little ‘spun’ to me. They portray characteristics of the Bitcoin system well known since at least 2011 (which even have their own wiki page) as something new.
These characteristics are annoying but don’t inhibit basic operation. They are slowly being fixed – but fixing them completely will likely take years as they require changing all wallet software. Correctly-written wallet software can cope with the consequences, and I cannot understand why they would gate their withdraws on external changes.
So the problem is that they are not tracking inputs and outputs, but relying on the transaction ID. This transaction ID can be changed while keeping the signatures valid. The inputs and outputs will _not_ be changed.
It sounds like they need to just watch for duplicate transactions as the protocol is built to prevent those.
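Several comments above suggest identifying a withdrawal by the inputs it consumes and the outputs it generates, or by a hash of a canonical representation of those unchanging parts, instead of by txid. The following is an added example of that bookkeeping, not code from the thread or from any exchange; it assumes the legacy (2014-era) transaction serialization, and `tracking_key`, `WithdrawalLedger`, `build_sample_tx` and the sample bytes are hypothetical names and constructed data.

```python
import hashlib
import struct


def read_varint(buf, pos):
    """Decode a Bitcoin CompactSize integer; return (value, new_position)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    size = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size


def write_varint(n):
    """Encode a CompactSize integer (values up to 32 bits are enough here)."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    return b"\xfe" + n.to_bytes(4, "little")


def parse_tx(raw):
    """Split a legacy-format transaction into (inputs, outputs).

    inputs  -> list of (36-byte outpoint, scriptSig bytes)
    outputs -> list of (8-byte value, scriptPubKey bytes)
    """
    pos = 4  # skip the 4-byte version
    n_in, pos = read_varint(raw, pos)
    inputs = []
    for _ in range(n_in):
        outpoint = raw[pos:pos + 36]
        pos += 36
        slen, pos = read_varint(raw, pos)
        inputs.append((outpoint, raw[pos:pos + slen]))
        pos += slen + 4  # scriptSig, then the 4-byte sequence
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = raw[pos:pos + 8]
        pos += 8
        plen, pos = read_varint(raw, pos)
        outputs.append((value, raw[pos:pos + plen]))
        pos += plen
    if pos + 4 != len(raw):  # only the 4-byte locktime may remain
        raise ValueError("truncated transaction or trailing data")
    return inputs, outputs


def txid(raw):
    """Network txid: double SHA-256 of the full serialization, byte-reversed."""
    return hashlib.sha256(hashlib.sha256(raw).digest()).digest()[::-1].hex()


def tracking_key(raw):
    """Hash of the spent outpoints and the outputs only; scriptSigs are left out."""
    inputs, outputs = parse_tx(raw)
    h = hashlib.sha256()
    h.update(write_varint(len(inputs)))
    for outpoint, _script_sig in inputs:
        h.update(outpoint)
    h.update(write_varint(len(outputs)))
    for value, pk_script in outputs:
        h.update(value + write_varint(len(pk_script)) + pk_script)
    return h.hexdigest()


class WithdrawalLedger:
    """Reconciles transactions seen on the network with withdrawals we sent."""

    def __init__(self):
        self._by_key = {}

    def record_sent(self, withdrawal_id, raw):
        self._by_key[tracking_key(raw)] = (withdrawal_id, txid(raw))

    def match_confirmed(self, raw):
        entry = self._by_key.get(tracking_key(raw))
        if entry is None:
            return None
        withdrawal_id, sent_txid = entry
        return {"withdrawal": withdrawal_id, "txid_changed": txid(raw) != sent_txid}


def build_sample_tx(script_sig, value=5_000_000):
    """Constructed one-input, one-output transaction; all bytes are placeholders."""
    outpoint = bytes.fromhex("11" * 32) + struct.pack("<I", 0)
    pk_script = bytes.fromhex("76a914" + "22" * 20 + "88ac")
    return (struct.pack("<I", 1) + b"\x01" + outpoint
            + write_varint(len(script_sig)) + script_sig
            + struct.pack("<I", 0xFFFFFFFF) + b"\x01" + struct.pack("<q", value)
            + write_varint(len(pk_script)) + pk_script + struct.pack("<I", 0))


# Opaque placeholder scriptSigs standing in for two encodings of one signature.
SIG_AS_SENT = b"\xaa" * 8
SIG_AS_SEEN = b"\xbb" * 9

if __name__ == "__main__":
    ledger = WithdrawalLedger()
    ledger.record_sent("w-1001", build_sample_tx(SIG_AS_SENT))
    print(ledger.match_confirmed(build_sample_tx(SIG_AS_SEEN)))
```

A match with `txid_changed` set means the withdrawal was paid under a different txid than the one recorded, so it must be marked as completed rather than re-sent.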
So what's the use of tx id's at all then? I mean practically speaking, since they're mutable? I'm thinking of an analogy here but I can't. It's like a git commit hash, but you're "allowed" to append some whitespace to the end of a file so you can keep mutating the hash but it's the "same" commit.
I don't really see a use for tx ids if they keep the spec as-is then or am I missing something?
This is what MtGox should have done over 6 months ago:
- Give $100k or however much it costs to 1-2 top quality devs to write a new exchange from the ground up. Very basic functionality, focus on efficiency and reliability.
- Take MtGox.com offline for a few hours
- Port all user accounts over to the new system
- Launch MtGox v2.
It blows my mind the total level of incompetence, wasted opportunity and lack of common sense MtGox have shown. Literally sitting on a money making factory and they didn't get their shit together for such a long period of time.
They do not deserve all the forgiveness the market gives them, they are past the stage of a "bad apple" now and need to die for Bitcoin to move forwards.
I wonder how many other bugs the protocol has. I bet it's not the only one. Maybe I should scan the issues list on github and sell every time an issue is opened...
There's not that many, this particular one has been known for some time. Most seem to be legacy issues (OP_RETURN used to return true when it should be false) or quite reasonable misunderstandings (the lock limit for the BIP50 chain fork was tested, but not fully).
And even if they didn't notice it right away. It takes a lot of effort to race an unconfirmed transaction and let the coins get respent (double the actual withdraw in your address). Especially when mtgox lets you verify your account with your official documentation.
Additionally with the fees generated just today they would cover 500 Bitcoins in losses just from one day revenue.
Unlikely. They should have noticed that they had to do some transactions repeatedly, probably after being contacted by people who exploited the "flaw". This doesn't scale well.
It seems people in the chatroom and on reddit don't buy this. Blaming their inability to withdraw money for customers on the Bitcoin protocol? And somehow all other exchanges are doing fine? Super suspicious.
Given that a core developer (Gregory Maxwell) has backed up the explanation that it's an implementation issue, you'd have to be fairly stupid to believe otherwise based on the mindless musings of other reddit users.
This information is very public, to the point where people have collected detailed information about the bad transactions going out and noting that they also agree with that story.
How is the article any more credible than reddit or chatrooms? If by chatrooms he is referring to IRC, then there are hundreds of credible people/rooms there, some that I would trust far more than Mt. Gox directly. Reddit is the same, it's just another forum of communication.
A bug in the bitcoin software makes it possible for someone to use the Bitcoin network to alter transaction details to make it seem like a sending of bitcoins to a bitcoin wallet did not occur when in fact it did occur.
If that is true, it probably affects all alt-coins since they all fork back to btc.
However I bet it's just a matter of getting more confirms since attackers could be using fraudulent nodes to try to fool the network.
MtGox knew about this problem at least 3 months ago already. All of a sudden it's a protocol problem now.
I say this as someone who personally had BTC withdrawals fail 3 months ago when they explained to me on IRC that they couldn't find a bunch of transactions with the TX ids they were looking for and had to rebroadcast them.
This is MtGox's problem, not bitcoin's.