While the collapse of FTX last year rocked the Bitcoin ecosystem, a more severe failure nine years ago damaged it even more. What does this tell us?
The fall of FTX, a crypto empire that defrauded investors, customers and employees of up to $8 billion, shook the ecosystem, with many worrying whether it would survive.
However, it was not the first time that a failure of such magnitude had occurred in the space. Unbeknownst to many cryptocurrency newcomers, in 2014 the world’s largest bitcoin exchange, Mt. management. The fall resulted in customers losing over 800,000 bitcoins – a level of concern that makes FTX seem like a blow in time.
Mt. Gox, based in Tokyo, whose domain (MtGox.com) was initially registered in 2007 to host an exchange site for cards from the wildly popular game “Magic: The Gathering”, began operating as a rudimentary bitcoin exchange in late 2010. As the business began to generate massive traffic, the owner sold the platform to Mark Karpelès.
Karpelès, an avid programmer and bitcoin enthusiast, beefed up the code of the web platform to handle an increased volume of bitcoin transactions and buy and sell orders. Ultimately, the failure of the exchange demonstrated that he had not done a sufficient job, either technically or in the management aspects of the business, as he attempted to fill the role of CEO of Mt. Gox with little experience.
On February 24, 2014, Mt. Gox suspended trading and went offline. Eventually, it emerged that the Mt. Gox infrastructure had been exploited by attackers multiple times over several years. The attackers had slowly drained the exchange of its bitcoin by manipulating parts of the transaction data – a feature known as transaction malleability – leading Mt. Gox to believe that some withdrawals had not taken place, causing it to send the requested funds multiple times.
Earlier that month, Mt. Gox went offline for a few hours and its team issued a press release blaming the bitcoin protocol itself for a flaw in its transaction monitoring mechanism. Upon receiving a withdrawal request, the exchange would watch the Bitcoin blockchain for a confirmation of the withdrawal transaction ID – a hash constructed from the transaction data. However, a transaction ID is not final until the transaction is confirmed on the blockchain, a feature that allows attackers to modify parts of the transaction – other than its inputs and outputs – and therefore alter its ID. The result? The Mt. Gox database would not show a successful withdrawal because the specific transaction ID the exchange was monitoring would never end up in a block, but the attacker would still receive the bitcoin because the modified transaction would be confirmed. (It bears repeating that this was a failing of Mt. Gox, and not of the bitcoin protocol.)
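The monitoring flaw described above, as an added example that is not from the original article or from Mt. Gox: it computes a legacy transaction ID, shows that the ID changes when only the signature script changes, and reconciles withdrawals by what was spent and paid instead of by ID alone. The names `payment_key` and `reconcile` are hypothetical, and the sample transactions are constructed placeholder data.

```python
import hashlib
import struct

def varint(n):  # Bitcoin CompactSize; only the two shortest forms are needed here
    return bytes([n]) if n < 0xfd else b"\xfd" + struct.pack("<H", n)

def serialize(tx):
    """Legacy (pre-SegWit) transaction serialization."""
    out = struct.pack("<I", tx["version"]) + varint(len(tx["vin"]))
    for prev_txid, vout, script_sig, sequence in tx["vin"]:
        out += bytes.fromhex(prev_txid)[::-1] + struct.pack("<I", vout)
        out += varint(len(script_sig)) + script_sig + struct.pack("<I", sequence)
    out += varint(len(tx["vout"]))
    for value, script_pubkey in tx["vout"]:
        out += struct.pack("<Q", value) + varint(len(script_pubkey)) + script_pubkey
    return out + struct.pack("<I", tx["locktime"])

def sha256d(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def txid(tx):
    # The ID hashes the whole serialization, signature scripts included
    return sha256d(serialize(tx))[::-1].hex()

def payment_key(tx):
    # Hypothetical reconciliation key: same hash with signature scripts blanked
    blanked = [(p, n, b"", s) for p, n, _, s in tx["vin"]]
    return sha256d(serialize(dict(tx, vin=blanked))).hex()

def reconcile(pending, confirmed):
    """Map withdrawal id -> status; txid match first, payment_key as fallback."""
    txids = {txid(t) for t in confirmed}
    keys = {payment_key(t) for t in confirmed}
    status = {}
    for wid, tx in pending.items():
        if txid(tx) in txids:
            status[wid] = "confirmed"
        elif payment_key(tx) in keys:
            status[wid] = "confirmed-under-different-txid"  # must not be resent
        else:
            status[wid] = "unconfirmed"
    return status

# Constructed sample data: placeholder bytes, not real signatures or keys
SENT = {"version": 1, "locktime": 0,
        "vin": [("11" * 32, 0, b"\x01" * 72, 0xffffffff)],
        "vout": [(50_000_000, b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac")]}
SEEN = dict(SENT, vin=[("11" * 32, 0, b"\x02" * 73, 0xffffffff)])  # new script_sig
OTHER = dict(SENT, vin=[("33" * 32, 1, b"\x01" * 72, 0xffffffff)])  # unrelated spend
```

A ledger that keys withdrawals on `txid` alone reports `SENT` as unconfirmed when `SEEN` is the version that lands in a block; matching on the spent outpoints and outputs catches it before any funds are sent again.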
While this accounting discrepancy was, surprisingly, never spotted, on February 24, 2014 an internal Mt. Gox document was leaked, detailing the size of the hole the exchange had really dug itself. The document stated that more than 800,000 bitcoins had been stolen, worth more than $430 million then and nearly $18 billion now; nine years later, customers are still waiting to get some of their bitcoin back.
At the time of its failure, Mt. Gox was estimated to be managing up to 70% of all bitcoins traded worldwide. For comparison, the fall of FTX represented a fraud of more than $8 billion, less than half the corresponding amount of bitcoin lost with Mt. Gox. Sam Bankman-Fried's exchange was important, but it was not in the No. 1 position in the world at the time of its failure.
While the two exchanges differed in how they crashed, the underlying problem was the same: centralized exchanges represent single points of failure. In both cases, the CEOs let down their clients, who had given them custody of their bitcoin. For all exchanges, the risk of error, fraud or bankruptcy is an ever-present threat that should be treated as such. It’s never too late to take custody yourself and take control of your bitcoin.