
LET'S TALK BITCOIN

Episode 85 MtGox and Malleability



Participants:

Adam B. Levine (AL) - Host
Andreas M. Antonopoulos (AA) - Co-host
Stephanie Murphy (SM) - Co-host



The following program is for informational purposes only. Cryptocurrency is a new science
so do your homework before putting money on the line.

Today is February 18th 2014. Welcome to Episode 85 of Let's Talk Bitcoin, a twice weekly
show about the ideas, people and projects building the digital economy and the future of
money.

My name is Adam B. Levine and I'm the editor-in-chief at the LTB network and today, it's all
about MtGox, one of the earliest, longest running, and for many years, the biggest exchange
in the world of Bitcoin that's had another of its yearly panics. There's a lot of ground to
cover here so we're going to jump right in. [0:43]


________________________________________________



AL: For today's episode of Let's Talk Bitcoin, we're actually going to reintroduce ourselves.
Let's Talk Bitcoin is a show about the ideas, people and projects building the digital
economy and the future of money. That's kind of a fancy way of saying that we think that
cryptocurrency is a fundamentally game-changing technology and that Bitcoin is kind of at
the forefront of that. My name is Adam B. Levine and I'm the editor-in-chief of Let's Talk
Bitcoin and I'm one of the hosts on the show. [1:10]

SM: I'm Stephanie Murphy. I'm a radio host and a voiceover artist and a former research
biochemist. I've been using Bitcoin since 2011. I'm really excited about Bitcoin because I
think it helps bring human freedom to the world. [1:25]

AA: Hi, I'm Andreas Antonopoulos. I am a security expert and specialize in distributed
systems. I've been working in that field for almost two decades now and Bitcoin is
something that has captured my imagination and has become my main passion, my main
focus and my work for the last two years. [1:47]

AL: For the last nine months or so, I guess it's probably closer to ten months now since 25th
April, we've been doing this show twice a week and not always with everybody on the show
but the point has been to have the high level conversation that people who are interested in
cryptocurrencies and interested in the future that's being created here, to have those
conversations and to really talk about the things that might be more complicated than a
new user could come to terms with easily but, for people who have been in the space for a
while, these are really the important things that we need to talk about. Is MtGox finally on
its last legs? Is this latest problem that they've had, which resulted in the freezing of both
fiat currency withdrawals and Bitcoin withdrawals, is this finally the straw that breaks the
camel's back and leads to the demise of MtGox? [2:36]

SM: Just to be clear, there was a separate problem that prevented them from processing
dollar withdrawals, which they really haven't been very transparent about but what they do
say is that it's a regulatory issue or a banking problem which is why they can't get fiat
money to their customers when they try to withdraw it from the exchange. The Bitcoin
withdrawal processing problem was new just this week and actually, by all indications, they
weren't too transparent about it until people started complaining very loudly. There was
one guy who actually protested and flew to MtGox headquarters in Tokyo and just waited
for some of the higher-ups at the company to come to work so he could talk to them and
posted about it on Reddit. Really funny but it's not funny if you have bitcoins or fiat stuck in
the exchange and you can't get them out and you're probably kind of freaking out. [3:26]

AA: I don't really think this is a different problem though. It's the same problem. It's the
same problem for the USD withdrawals, it's the same problem for the Bitcoin withdrawals,
it's the same problem for the denial of service and latency problems back in April, it's the
same problems before that, it's the same problems during the denial of service attack. The
problem is clownish and incompetent management from the top, a sloppy development
process for the software development, incompetent communication that is rare and usually
self-serving and intended to shift the blame elsewhere, defensive and again, this is the same
problem. The problem is clownish and incompetent management from the top that has
persisted after three years without any discernible improvement in the quality of people
hired or the management quality to actually treat customers who have serious money in
this exchange respectfully, honestly and directly and to admit issues when they occur, clarify
what's being done to fix them, fix them quickly and this causes these cycles where people
don't trust Gox because Gox doesn't tell us what they're doing. When they do say
something, it's self-serving, defensive and aims to deflect the blame and that creates
paranoia so customers think "Oh my god, maybe the money isn't really there and maybe
that's why they're saying this." That starts a panic and a run on the bank and we've seen this
unfold five times and every single time, it's been the same basic mistakes made again and
again and again. Guess what? You can fix the software and you can fix the latency
problems and you can fix the DDOS problems but you can't fix incompetent management.
You can't until the people who are in management figure out that there's a difference
between being a visionary pioneer, and all kudos and applause to them for being that, and
actually running a business in a professional and consistent manner which they're clearly
unable to do. You can't fix that. [5:46]

AL: I don't necessarily disagree with you on this and I certainly agree that MtGox has had
plenty of opportunities to fix this but I also have had conversations with people who actually
work with Gox, or who work for Gox, and the thought there is that they're kind of trapped in
an impossible situation. In the past, they've sort of said this, they've said "Well, we're
victims of our own success." That's one part of it but the other part is that they do have to
interface with real world partners who, a lot of times, like for example, if they complain
about their bank and the bank is the only one that will work with them in Japan, then the
bank just slows down. It actually can make the problem worse by talking about it. If you
were in that same situation Andreas, and just having difficulty scaling, what is the game
plan? Do you just pack up or do you just keep hiring people because they've done that?
[6:31]

AA: I think the most important thing is to be honest, direct and prolific in the
communications and consistent in the communications. I think that's been the biggest
failing. It's the circling of the wagons and going quiet at a time when problems will
inevitably come out and that going quiet then leads to panic and paranoia about what the
root cause is because, in all of these cases, the main problem has been a lack of
communication, or communication that is weaselly instead of being direct and again, seeks
to deflect blame instead of admitting problems. Problems are going to happen; of course
they're going to happen, especially in these large, rapidly scaling Bitcoin businesses. We're
all having problems all the time. This is a very difficult, competitive, very rapidly escalating
market and it's difficult to manage a business in this environment but it's not the problems,
it's how you deal with them and whether you deal with them in an open manner, that's
respectful towards your customers and they will forgive the problems as long as you
communicate clearly with them and you're direct and honest. They will not forgive and will
continuously lose trust if you repeatedly avoid communicating, or communicating in a way
that's more about deflecting blame than clarifying the situation. I don't blame Gox for
incorrectly implementing transaction hashes. I blame Gox for a press release that then
attempted to throw Bitcoin under the bus in order to pretend that somehow this wasn't
their implementation problem. [8:12]

SM: Explain what that was, for people who aren't caught up with that. [8:16]

AL: Actually, let's back up for a second here. The whole problem here is called transaction
malleability, right? Let's actually take a step back and talk about that and then, I'd also like
to talk about the US dollar problems they've had in the past too. [8:28]

AA: Let's talk about transaction malleability. I'll try with an analogy, I think, which... it's
obviously not 100% accurate like no analogy is but it may help clarify the issue. If you show
up at a department store with a receipt for a pair of shoes and you want a refund, the
department store is not going to trust that receipt. They're going to look at the receipt,
they're going to crosscheck it against their own internal records and the reason they're
going to do that is because, a lot of the time, people go and buy a $20 pair of shoes and they'll
come back the next day for a refund with a photoshopped receipt which shows it was a $200
pair of shoes. If your customer service employees are not properly trained and they don't
check against the records, they're going to give out $200 in refunds to get a product back
that you only paid $20 for. Or, a customer will show up at one department store branch and
get a refund and then drive a few miles down the road and go to another branch and get
another refund and then drive a few miles down the road to another branch and get
another refund, all with photoshopped or photocopied receipts. The issue here is that the
receipt itself is not authoritative. The receipt can be tampered with and it can be tampered
with very creatively. You can add digits to the amount, you can photocopy it, you can make
different copies for different items and you can fake the item. You could do that with
delivery receipts from shipping companies, you could pretend that something that should
have been delivered hasn't been delivered by creating a fake tracking request that doesn't
match the internal company's tracking request. What companies in the real world do is
they establish security procedures. What they do is they try to verify the information that
you present against an authoritative record. In Bitcoin, transactions are fingerprinted with a
hash but until that transaction is confirmed into the blockchain, until it's embedded in a
block and backed by proof-of-work computation, it's not authoritative. It's just like a paper
receipt that the customer brings into a customer service department for a refund. You can't
trust it. It may look like your store receipt but someone could easily have created a
duplicate. Until you can verify that against the authoritative ledger, and in Bitcoin the
authoritative ledger is the blockchain, the decentralized asset ledger backed by proof-of-
work computation and trusted because of proof-of-work computation. Transaction
fingerprints are authoritative only once that transaction has been confirmed and before
that, they are malleable. The reason they are malleable is because the transaction itself is
not a fixed record. It's not simply a three line receipt where you say "From A to B, amount
X." That's not how Bitcoin transactions work. Within the Bitcoin transaction, you have the
spending of previous outputs from a previous transaction and then you have a scriptable
language that creates an encumbrance for the next recipient. Essentially, it ties a value to a
specific public key through the use of a scripting language and that scripting language is
evaluated as an equation. As long as that equation validates, that's a valid transaction that
will get relayed but there are infinite ways that you can write that equation and there are
infinite ways that you can express the previous inputs such that each one of these variations
will still be the same inputs, the same outputs and the same amounts but they'll be subtly
different, enough to create a different fingerprint. Let me give you another analogy. In the
Bitcoin network, if you try to spend 2 Bitcoin, or if you try to spend 02 Bitcoin, or if you try
to spend 002.00 Bitcoin, the network will evaluate all of that as 2 bitcoins. That's called
padding and you can do that with both positive and negative numbers, you can add zeros
to the beginning or the end of the number in such a way that they won't change the way
that the transaction is validated. To change the way the transaction is validated, you would
have to change every single Bitcoin node to validate transactions differently and you'd also
have to make the system much less flexible. You'd have to force it into a fixed structure
which then makes it impossible to innovate. The same thing for the recipient of the
transaction that's expressed as a script which, if you've seen in the script section of
Blockchain.info or another block explorer you'll see it as OP DUP OP Hash 160 Check Verify
Check Signature and this little script, basically, says "Here's a public key, here's the function
that you need to evaluate to confirm the person presenting this for redemption has the
correct public key." It's an equation and you can write an equation different ways. Think of
an equation which is 4+5=9. The important thing is that it validates as 9, but you can write it
as 4+5, you can write it as 4+4+1, you can write it as 18/2, you can write it as square root of
81. All of those will evaluate to 9; all of those are valid. All of those are fundamentally
different in appearance and will result in a different signature. Transaction malleability is,
basically, the fact that we have a scripting language in a variable length encoded transaction
that is flexible enough to express a very broad variety of transaction types and to be
extensible. That's critical to having a system that can allow innovation without having to
change every single client every single time. Instead, you just have the rules by which things
are evaluated. The problem with that means that until that transaction is essentially
photocopied, stamped and embedded into the blockchain, in an immutable fashion, its
fingerprint can be changed or others can be created that are identical in every way, except
for the fingerprint. This is something we've known since 2011. This is something that was
published on the wiki, which ironically is owned by the MtGox owner, in January 2013. This
is something that was specifically identified as a weakness in MtGox's implementation
about four months ago. There were several posts, both by core developers and others,
writing how a bot could be created to inject malleable records that would fool anyone who
relied on transaction hashes in order to do withdrawal verification and that this particular
attack could be used against MtGox's specific implementation to defraud them of money.
They were, not just warned that this was a problem, they were warned that this was a
problem that their implementation was vulnerable to and that could result in them getting
defrauded. They ignored those warnings and then, when it happened, they turned around
and blamed Bitcoin for not fixing transaction malleability which can't be fixed because it's
not a bug. It is an inherent characteristic of the fact that we have a variable length
transaction scripting language at the core of Bitcoin. That's not fixable. We don't want to
fix that because that is how you get flexibility in the protocol. It's relying on that hash
before it's confirmed that's the problem. That's exactly what Gox was doing. In fact, now
we see that in lesser ways, in ways that had nothing to do with withdrawals but had to do
with basic accounting, several other implementations also relied on that. They weren't as
vulnerable. They weren't as exploited but they were disrupted. This went from being an
edge case to a common practice and then a flood. Everyone who had bugs was affected and
all of the bugs are now getting exposed by this. [17:04]


_______________________________________________


ADVERT:

This is Chris Joseph bringing you news on Nxt, the first true second generation
cryptocurrency for February 18th 2014. More and more software clients are appearing for
Nxt. Aside from the basic NRS client that is installed with the server, we now have a new
open sourced web-based client, a native Mac client, .Nxt and Nxt Solaris for Windows and
two cross platform clients called ClientNxt and Offspring. Several of these clients also
support the decentralized exchange which is still being tested on a test net. All of these
clients were created by members of the Nxt community and you can find all of them at
www.Nxtclient.org. For more information, head to www.Nxtcrypto.org or www.MyNxt.org
and stay tuned for more news on Nxt in the next Let's Talk Bitcoin broadcast.


_______________________________________________


AL: Let's talk about what actually happened at MtGox with regards to this, how that
actually happened, how people were attacking. Correct me if I'm wrong here Andreas but I
understand that (that was a really good explanation, by the way, of the technical side of this)
I believe, in practice, how this happened was that people would submit withdrawal requests
from MtGox, trying to take out Bitcoin and then, essentially, would have miner units or
colluding miner units that would be watching for transactions coming in to those addresses
that they were withdrawing from and as soon as it would see that transaction broadcast by
MtGox on the network, it would essentially reprocess it and put out another version, a bad
version, that would compete for spreading all across the network. If the good one spread
across the network, the correct one for MtGox, then there's no real way that MtGox would
have even been able to tell that an attack was attempted but if the bad version won, then
the person then goes back to MtGox and says "See, this transaction didn't happen, send me
money again." Is that it? [19:08]

AA: Pretty much, although I doubt there were colluding miners. You don't really need
colluding miners in this particular case. What you need is, you need to watch MtGox and
their attempt to propagate a transaction for which your address is a recipient and then, as
quickly as possible, not only duplicate and modify that but then propagate the modified
version through many, many, many more nodes much faster than Gox is propagating. You
can do that by prepositioning connections to many, many more nodes. It's not necessary to
be connected to as many nodes as possible because it doesn't matter which of the two gets
confirmed first, if what you're checking is that the inputs are spent or not and you're
checking after confirmation into the block because you can't modify anything other than the
signature. You don't really need to be fully connected and you don't need to have a race to
propagate because we've let it all settle out through the mining process and block
confirmation. In this case, because there was a faulty implementation, there was an
advantage to propagating transactions faster for the attacker and so, therefore, all they had
to do was set up nodes in such a way as to over-communicate and over-connect to the
network so they could propagate much faster, probably propagating at too many of the
mining pools as quickly as possible. As a result, in some cases, they won the race; they got
the modified transaction in, then they show up back at Gox and they say "Look, the hash
you gave me as a receipt, which you think is authoritative, has not gone through." At that
point, Gox should say "Well, let's check the block and see if the inputs are spent" and find
that the inputs have been spent and say "Well no, a transaction did go through, it just has a
different signature but here it is, it was spent and it was sent to your account." Instead, they
accepted the lack of a tracking number as proof of non-withdrawal and then reissued the
withdrawals. [21:11]

AL: Again, this gets back to that analogy you used at the beginning which is go in with a
photocopied receipt and they had zero way to check if it was a real receipt or a bad receipt
and so, because they don't want to lose any more face, they just refund it because what are
they going to do, not refund it? [21:23]

AA: Essentially, at that point, they need to check that receipt and make sure that the other
branch of the same department store hasn't already cashed it in. [21:30]

AL: There's no way for them to do that in their current system? [21:32]

AA: There is a way to do it but their code didn't and worse, it also processed the repeat
withdrawals automatically. In fact, if it didn't see the hash of the transaction be confirmed
after a while, it would simply automate a second attempt because occasionally, transactions
don't go through for whatever reason so they would reissue it. There's another
implementation flaw there because before reissuing a transaction, or trying to cancel a
transaction, ever in the Bitcoin network, the best practice is to initiate a purposeful and self-
initiated double-spend where basically, what you do is you say "I'm going to propagate first
a transaction that definitively spends those inputs, just in case, even though it seems like it
hasn't gone through. In the time it took since I looked and since I sent the new one, maybe
it does go through, maybe the state of the network changes. What I'm going to do is force
reconciliation." The way you force reconciliation is you issue a double-spend against the
original transaction and then you wait until that double-spend goes through. Essentially,
what you do is you spend those outputs, that you're not sure whether the transaction went
through or not. You spend those outputs deliberately to one of your own addresses. Once
that's embedded in the blockchain and those outputs are spent, that cannot be undone, so
you use the blockchain by injecting a transaction that's a purposeful double-spend to create
a reconciliation; to force a spending of those outputs so that the other transaction cannot
go through once the double-spend you sent is being confirmed and then you can be assured
that that transaction cannot go through. Then it is cancelled. It's cancelled because you
inserted an authoritative one that cancelled it; that supersedes it. That's the correct best
practice. Instead, in this particular case, they reissued these and not just depending on the
fact that they couldn't see the hash out there but also not checking the inputs and also,
finally, not doing the forced double-spend that would guarantee that those inputs could not
be spent in the intervening time - three different implementation shortcuts, back to back, all
automated and giving very, very easy opportunity to be defrauded. [23:46]

AL: I have no idea how to do a forced double-spend. I'm not convinced I ever need to know
that. Is this something that an average user or even an advanced user would want to or
would need to know? Is it just something for institutions like MtGox? [23:58]

AA: This is something that a wallet does automatically if it's trying to cancel a transaction
and it's something that a large scale wallet management system or a key management
system like an exchange has to do because an exchange that's issuing hundreds and
hundreds of transactions, will occasionally see some of them not propagate correctly. You
can't just say "Well, if I haven't seen it in one block, then it's not going through." What if it
goes through in two blocks and, in the meantime, you assume that money's there but then
it goes through? You can't just say "Well, let me wait until it doesn't go through" because
there is no statute of limitations. It could go through a day later. Someone could keep it
aside and then rebroadcast it later and make it go through. There is no time limit on it,
right? A wallet formed transaction, once propagated, can go through even if it didn't go
through the first time. What you have to do is you have to force the issue and the way you
force the issue is, essentially, spending the money to yourself. For a simple user, what that
means is if you send something to somewhere and it doesn't go through, and then you
would then try to send the same amount to one of your own addresses and that would
consume the same input and if that goes through, then you are guaranteed that the other
transaction can't later be replayed. Most wallets handle this automatically. [25:09]

SM: Do you put a larger transaction fee on the transaction to consume the inputs? [25:14]

AA: That's a great question. Exactly. You can do that so you can increase the transaction
fee to ensure that your transaction is prioritized before the one that you want to cancel so
that your forced double-spend is prioritized at a higher priority. You could do that. In fact,
you can even pre-create a transaction, kind of like a Hail Mary transaction. Let's say you
have an amount in a wallet and you want to make sure that no one can steal that amount
from that wallet, from specific outputs in a specific (income reduced specific) address. You
can create a transaction with a high fee that spends that to an address that you've never
used before, that's yours and then you can just keep that on standby and essentially, have a
script that watches the network and if, at any point, you see an unauthorized spend, which
means that someone stole your keys, you can make a last ditch effort to very rapidly
propagate your double-spend and hope it beats it into the blockchain and then spends your
transaction back to you before the transaction that is stealing your money spends it
elsewhere. Really, the ultimate arbiter of truth is confirmed transactions in blocks on the
trusted decentralized ledger. That is the authoritative ledger. Getting a transaction into
that ledger is not a time-bound function, so if you want to ensure that a transaction is not
going into that ledger, you have to create a competing transaction that precludes it from
going into the ledger by forcing a double-spend. [26:41]

SM: Obviously, other exchanges have had the problem of getting big and having to deal
with that and I'm curious if we could point out some examples of exchanges that have
handled it well with good communication to their customers because I can't really think of
any off the top of my head but maybe it's because they were so smooth about handling
their problems that I just didn't even realize they were having problems. [27:03]

AA: As far as we know, at this time, Coinbase has not suspended withdrawals. I made one
today. It went through in two seconds and therefore, their implementation is correct. Their
system is quite obviously not being confused by transaction malleability bots injecting a
flood of these, though we know their implementation is correct because this flood is
affecting everyone and so if they are able to swim against this flood, that means they
implemented it correctly in the first place or they fixed it before anybody noticed anything
was going on. I didn't see any of the ways at all or hear of any. [27:35]

SM: Right. It's effectively been testing everybody with this flood of transaction malleability
attacks. [27:40]

AA: Oh it's a stress test. I think it's important to realize the difference between what
happened to Gox and what happened to the other exchanges. I'll go back to my
department store and the photocopied receipts. Someone finds a department store that's
sloppy in its refund procedures and they go in and they basically start robbing them, start
defrauding them out of money until, after a week of doing this, (and maybe they tell some
friends so they go and do it as well) the cash till at that department store branch runs out
and they notice there's a problem because they can't reconcile at the end of the week.
They immediately go out and they announce that the receipt printing company is at fault
(laughing) by making their receipts impossible to photocopy and then they go into a frantic
effort to retrain all their employees so they don't fall for that fraud again but, the very next
day when that hits the news, people show up with shoeboxes full of receipts by the tens of
thousands at every department store across the city trying to pull off the same scam. That's
the bot flood. If you work in one of these department stores, even if you think you've got
your policy and process down pat and that your system is fine, you still have a line out the
door of these fraudulent boxfuls of fake photocopied receipts that are flooding your system.
Now, you need to take extra care and do everything slowly because you know people are
actively trying to exploit it, so you scrutinize every receipt much harder and now, that's
delaying all of the legitimate customers that are in line. At some point, these other stores
say "We think we've got it OK and in some cases we don't because our account system is
getting confused but we're not giving out refunds. Don't worry, we're not losing money.
We're just getting our accounting system confused or our staff are getting confused or
whatever, so we're going to shut down refunds for a few days and that's going to affect
legitimate customers because they can't get their withdrawals either. We're going to
retrain everyone and come back and continue processing. No money is lost, nothing is
wrong." The flood will continue until gradually it recedes because it's ineffective and it's a
nuisance and, as I've said publicly, by this time next week, all of the exchanges will have
correct implementations. The reason for that is because they don't have a choice. [30:03]

AL: Exactly. It forces the issue like nothing else. [30:06]

AA: Exactly and this is the beauty of it. What is the ultimate conclusion of this exercise?
Let's see what happens. One exchange got impacted a bit harder and they issued
withdrawals and probably got defrauded, however, I think I should make it clear I have no
indication or even any reason to think that MtGox has solvency problems because they only
keep a small, tiny percentage of their funds on reserve for paying for withdrawals. It would
very quickly become apparent if that was being drained, that was unusual and it wouldn't
touch their reserve funds. This is not a solvency problem. MtGox did not get robbed for all
the money they have because that's not possible to happen. They have, at least, that many
procedures in place to avoid it. They probably took a small hit but, at the same time, I think
what happens next was rather interesting. This became a widespread attack, it started
hitting everyone and the industry came together in a very collaborative fashion. I was on
IRC channels and phone calls and Skype calls and exchanging encrypted messages with
exchange operators, with core developers, with members of the team from Blockchain.info,
even exchanges that weren't affected, merchant payment processors that weren't affected,
companies like Blockchain.info that weren't affected, were all pitching in, were all getting
their best and brightest to jump in and help out and figure out what the problem is, help
with development implementation details, explain, ask, clarify, whatever. The entire
industry came together and, very quickly, put out consistent, clear and honest
communications, press releases that revealed the issue but explained exactly what its
impact was and then everybody worked together to solve the problem and help all of the
exchanges get back on their feet as quickly as possible so they could resume withdrawals.
Now, a week later, we're going to have a system that's more robust. A characteristic of an
anti-fragile system is that when it is tested under stress, it not only is resilient but it actually
increases in resilience by making that previous attack obsolete. That's exactly what we've
seen. We've seen strength in community, we've seen collaboration, we've seen some of the
emergency response protocols and contact numbers go into effect that had been
established from previous issues, we saw an industry coming together and we saw a
problem being resolved without any funds getting lost, without the blockchain's trust basis
being violated, without the core network protocol being damaged in any way and with only
a slight delay, which was quite literally a denial of service. It denied service to those
customers who legitimately needed withdrawals and it probably will cost them a few days.
After all of that has shaken loose, we're going to have a stronger network. I think that's a
great message to go forward with. [33:11]

AL: I think that the resilience of the network and the continued growth that we've seen...
every time we have one of these stresses, like you said, it really just further reinforces that
there really isn't anything yet that's hit us that the concept and the community can't absorb
and then react to in pretty quick fashion. One of the things that's specific about this
transaction malleability problem is that it deals with pre-first confirmation transactions.
Transactions that have not been included in any block and are just propagating through the
network. This reminded me of something that I saw a couple of days ago. One of my
favorite wallets on the Android platform is called Mycelium and it's from a company out of
Germany, or it might be Austria - Andreas Petersson of the Bitcoin Report is involved with
them. They rolled out a LocalBitcoins type feature for their Android app a couple of days
ago. One of the things that it includes in it is a feature called Transaction Confidence
Graphs. Basically, what these do is it tracks how the transaction spreads through the
network because the Mycelium network is pretty well connected, just like an exchange is,
because you want to be able to propagate messages quickly and it's efficient to do that.
You can also learn things from it. Basically, they have a graph that goes from 0% confidence
up to 100% confidence in about 30 seconds, most of the time. Even though you don't have
that first confirmation, the fact that the transaction has already propagated throughout the
network, makes it very, very, very likely that that is the transaction that will be propagated
instead of anything that's racing against it. Do you think that that actually helps? Clearly, it
wouldn't have helped in this situation because it was just about a competing transaction.
[34:48]

AA: No, it will have helped in this situation too because you're not just worried about a
competing transaction specifically, you're worried about a competing transaction that
double-spends those funds to a different destination. Transaction malleability doesn't allow
you to do that. It allows you to fake a transaction that looks different but is, in fact, the
same, whereas the issue of double-spend you're trying to prevent, is a transaction that
looks the same but is, in fact, different. If I pay for my coffee and get a receipt for that and
the competing transaction is also paying for my coffee but getting a different number
receipt from that, as long as nobody is looking at the receipt numbers, it doesn't really
matter because the coffee got paid for. What you're looking for is if I pay for my coffee and,
at the same time, I pay for something else to a different destination address and then try to
compete, or to race that transaction out so that my coffee never gets paid. If you see
propagation of the original transaction, then you don't need to worry too much about that,
especially for something like a coffee because the chance then of another one, competing
one, going out is pretty low. In this case of transaction malleability, the two competing
transactions both pay for the cup of coffee. The only difference is they have a different
receipt number and that only confuses systems that are looking at the receipt number as
something meaningful. [36:13]

AL: This actually would have helped then? What do you think of tools like this and what do
you think of the idea that you actually can have some level of variable certainty (certainty
with big air quotes around it), by using this type of tracking propagation, even pre the first
block inclusion? [36:29]

AA: That's one of the great misunderstandings in Bitcoin - this idea that in order for a
transaction to be valid in the Bitcoin network, it must be confirmed after 10 minutes or
worse, it must be confirmed 6 times after 60 minutes, as if 6 is a magic number. Really what
this is is a risk reward ratio - it's a risk probability issue. A single transaction that is properly
signed, well formed and has the necessary fees, once propagated, has a very high chance of
being included in the next block, no matter what happens. If you don't see any other
transactions racing against it to double-spend it, which you can also track, you can not only
track the confidence of this one going in but you could also track for other transactions
competing to spend the same outputs. That gives you a lot of confidence even before
anything is confirmed because if you understand... part of Bitcoin is not only knowing that
miners will include these transactions but knowing that a good transaction, a well formed
transaction will be included because you understand how the miners process the
transactions. That is sufficient for a cup of coffee. Propagation takes seconds; in 8-10
seconds you've got sufficient propagation. In fact, if you just look at the transactions and
see that the outputs haven't been spent and the signature is good, you can sell a cup of
coffee based on that because you can propagate that transaction successfully and it is
extremely unlikely that someone will be able to double-spend that and it's not worth doing
for a cup of coffee. It's no more risky than someone doing a dine and dash, picking up the
cup of coffee from the counter and running out the store before you realize that their credit
card authorization just bounced. That's why you can buy a cup of coffee without signing
your credit card slip because it's a risk merchants are willing to take. Would you sell a
Lamborghini based on that risk? Probably not. [38:36]


_________________________________________________


ADVERT:

KryptoKit is the world's first Chrome browser Bitcoin wallet. It's the easiest, fastest Bitcoin
wallet payment system. With a simple one-click install, it takes just seconds to get your wallet
set up and because KryptoKit finds the address and payment for you, there's no more
fussing around or tab switching. KryptoKit is more than just a wallet. It comes with a pre-
loaded PGP encrypted social network, newsfeeds from Reddit and Google and up to date
charts from exchanges. Finally, the KryptoKit directory allows you to make two-click payments
with any of the BitPay merchants. Once you install KryptoKit, you won't need anything else.
For more information, or to download KryptoKit, visit www.KryptoKit.com. [39:23]


ADVERT:

Would you like to buy Bitcoin? Cash Into Coins provides the fastest, easiest and safest way
to buy Bitcoin in the United States. Simply place an order online, deposit cash at any
supported bank and relax. Cash Into Coins will verify your deposit and send out your Bitcoin
within 24 hours. Join tens of thousands of people who have purchased from Cash Into
Coins. What are you waiting for? Buy your Bitcoin today. Go to www.cashintocoins.com.
[40:02]


_______________________________________________


AA: There is no such thing as a confirmed 100% transaction. It's only a matter of degrees.
One confirmation makes it much, much more certain, two confirmations is enough to sell a
high-priced item, three is enough because the probability of three blocks being rolled back
in a fork is minuscule. You can see, for example, that a one block fork happens perhaps a
couple of times a day but certainly several times a week. A two block fork happens
extremely rarely. A three block fork is almost unheard of and by the time you get to six
blocks, what that says is that the probability of that being unwound is so low that you could
settle enormous transactions on it. It keeps going. The genesis block has 280,000
confirmations and the probability of someone providing enough proof-of-work difficulty
computation to unroll the genesis block is inversely proportionate to that amount of
difficulty. Essentially, there is no such thing as fully confirmed, there's only more, and more,
and more, and more certainty as time goes by and as more proof-of-work and more
difficulty is piled on top. As a retailer, as someone who is doing transactions in Bitcoin, what
you have to decide is what is the value of the item I am selling? How soon after sale is that
item going to be delivered at which point my commitment to selling it has happened and I
can't not ship it? Therefore, how much risk am I willing to take? Then, you calculate how
many confirmations that means and for a cup of coffee it's zero, for a computer it might be
two, or a flat screen TV or maybe three at most because you're not going to ship it in twenty
minutes. No one has that shipping down so fast, or at least almost no one. You can take the
small risk that it won't be double-spent by looking at the network. By the time you reach six
confirmations, you could probably buy an aircraft carrier, if you're worried about it. [42:11]

AL: That's been what we've had to this point but I think that this tool adds an extra layer in
there where you don't necessarily have to make that choice about not trusting... not waiting
for the first confirmation because you're OK if you potentially lose $5. It seems like this...
we've never had a layer of tools before but now it's like the layer of tools... it used to go
from zero transactions or from one transaction at the minimum level of "This is actually
probably going to happen" up to, like you said, 280,000 confirmations. With each
confirmation you add, it gets exponentially harder to undo what's come before, right?
[42:46]

AA: Exactly. This is not a new tool. For example, Blockchain.info has had a feature for
tracking the propagation of transactions across the network for probably more than a year and
a half or two years. I've seen it before. Before confirmation and tracking the propagation
across all the nodes in the network, you can interrogate them and see what propagation is
happening. A lot of systems do that. A lot of systems use propagation as a proxy to
eventual confirmation, which means that it gives them a degree of certainty that as long as
you see the good transaction propagating and you don't see a bad transaction propagating,
then you assume that eventual confirmation will happen because you know how the miners
operate and you know how their algorithm will include transactions into the queue. You
can even track which position in the queue it is. You can see how high priority the
transaction has based on understanding how transactions are selected to be put into a
block. [43:45]

AL: We got way off course here and I really appreciate this conversation. Thank you
Andreas for explaining all of that to us. That was really interesting. Tying this back into
MtGox, we actually did this maybe five or six months ago and asked if anybody was using
MtGox, at this point, because it was one of my first exchanges and, six months ago, I said
"No, I wasn't using it" and that remains true now. Are either of you guys... it's such a pariah,
as far as I'm concerned. [44:09]

SM: No, it's been over a year since I've used MtGox. [44:12]

AA: Hell no. [44:13]

SM: I don't know why anyone still uses them actually. [44:16]

AL: It has name recognition. That really does seem like that's it. Once you get started in a
field like this, momentum takes you a long way. [44:22]

AA: Exactly. The name recognition continuously works in two ways. The first one is the
noobies get directed to MtGox because that's the exchange that many people know.
Worse, it creates these ridiculous headlines where you have these idiot journalists who
can't tell the difference between MtGox, the centralized single point of failure exchange
with less than 20% of the volume of transactions and Bitcoin, the decentralized resilient
network. They post these headlines like "Bitcoin withdrawals halted, price plummets."
Well, no. MtGox withdrawals have halted, MtGox price plummets, volume weighted
average price doesn't plummet and the rest of us are going on with our lives. You get these
incredibly bad misunderstandings where people conflate MtGox with Bitcoin and that's very
damaging to the reputation. Not only does Gox benefit from being associated with Bitcoin
and getting the new customers but then, it also damages the reputation of Bitcoin by being
associated with Bitcoin. [45:26]

AL: In six months, you said that they were 20% of volume right now. What do we think?
10%, 5%, gone completely or are they going to come back? [45:35]

SM: 0% I think. [45:37]

AA: I'm not that optimistic. I think probably in a month or so, they're going to figure out
how to implement this stuff. One of the issues they have is their software development
methodology is sloppy so it's going to take them a while to implement this. We've seen that
they're generally slow in implementation. They're probably going to take longer than the
other exchanges but I expect that maybe two, three, four weeks from now, they're going to
figure out how to do withdrawals again. People are going to realize they are solvent, they're
going to release their Bitcoin in one big run but eventually, they're going to get more
comfortable again, noobies are going to flood in and Gox is going to continue to exist a year
from now. [46:12]

SM: They stopped processing fiat withdrawals or am I wrong about that? [46:17]

AA: For dollars. [46:18]

SM: Yeah, for dollars. Are they just not getting US customers? It still seems like people in
the US are... [46:26]

AA: No, no. I think they're not getting traders, or day traders but if you wire dollars into
Gox and convert it into Bitcoin and withdraw the Bitcoin, it works fine. If your primary goal
is to do buy and hold, rather than day trade Bitcoin, you don't really need to withdraw fiat.
It's still used as an on-ramp. It can't be used as an off-ramp for Bitcoin but it can be used as
an on-ramp. As an on-ramp, because of its location in Japan and because it's not subject to
some of the same restrictions you see here, I would say it's still going to be used and it's still
going to be a valuable tool. I just know that the problem doesn't get solved. They may fix
the Bitcoin withdrawal issues but they will not fix the incompetent management and
communications issues. As soon as this is fixed and noobies flood in again, get ready for the
next Goxing because it's going to happen again. Fortunately, each time they Gox us, it has
less and less impact on Bitcoin because they have less and less volume to disrupt. That's the
good news. Gox isn't going anywhere, I don't think. [47:31]

SM: We're going to summon George Bush and say "Gox me once, shame on you. Gox me
twice... well you can't Gox me again..." (laughter) [47:40]

AA: Apparently, you can Gox people at least five times because those who fail to learn the
lessons of history will be taught them again and again, until they do. [47:51]

AL: That's really it. It's the lessons of history and how we have to learn all these things.
You look at a situation like we have with MtGox and in the normal financial environment, if
that's where we were, this would have been a complete crisis that wouldn't have really had
a good resolution or it might have resulted in a bail-out under some circumstances. Here,
the problem just shakes itself out. It's scary for a little bit but, you're right, I barely even
registered this one. Last year, when Gox had a problem, I was legitimately concerned and
this time, it just doesn't matter that much. [48:22]

AA: If you look at the price fluctuation and again, instead of taking the idiot journalist
perspective of looking at the lowest volume exchange as an arbiter of price, if you do price
discovery on the average volume weighted average across exchanges, Gox caused a short
panic which then recovered and now we're below where we were a week and a half ago but
the price has stabilized again in the mid-600s and I would expect, gradually, as the other
exchanges come back online and start processing withdrawals, the story will be once again
the same, despite all the naysayers, despite all the proclamations of the doom and
imminent death and already happened death of Bitcoin, somehow Bitcoin survives. As
Bitcoin survives, people turn around and look at that and go "Huh, maybe we need to look
into this Bitcoin thing because it seems to survive a lot. Maybe they have the right message."
It is the honeybadger of money. [49:27]

AL: One of the interesting market-based solutions that I saw come out in the last couple of
days to deal with this trauma at MtGox is, the price of Bitcoin has plummeted there. It's
plummeted at MtGox specifically and that's interesting because a couple of weeks ago, a
couple of months ago, MtGox for the longest time has maintained a pretty substantial
premium just because it's been so difficult to get dollars out. Therefore, the dollars are
worth less which means you have to pay more but now that situation has flipped. It's
interesting to see, I believe his name is Josh Jones (let me double check that), yeah, Josh
Jones, who is the founder of Dreamhost, the Los Angeles Bitcoin meet-up, Chunkhost and a
bunch of other things, basically, repurposed one of his exchange websites, that he
apparently had been working on for a while, to be a Bitcoin to Bitcoin exchange, except in
this case, it's MtGox Bitcoin to real Bitcoin. You can transfer Bitcoin within the MtGox
system, you just can't transfer it out of the MtGox system. People who want to get cheap
Bitcoin and believe that MtGox isn't insolvent and it will get solved, can buy Bitcoin for $450
right now, compared to $650 on other exchanges. [50:40]

SM: That's brilliant. [50:41]

AL: They still have to bear that risk. Absolutely, I love this because it lets people swap out
of positions that they're scared about and they're happy about it because "Hey, I got some
of my money back and now I don't have to worry about it anymore" and speculators get to
go in and do this. What do you guys think about this? [50:53]

SM: Yeah, it's a great way to actually... it almost reminds me of one of those markets where
people bet on who's going to win elections and things like that, or the outcome of different
events and the price of a Gox Bitcoin really reflects people's confidence that they're
eventually going to come through. I just think it's really an interesting mechanism of
market-based price discovery. [51:14]

AA: The bottom line is that "price plummets" is just another way of saying "great discount."
If you have confidence that this will, even if you have some confidence, that this will
eventually resolve itself, then that discount represents the risk premium based on Gox
Bitcoin, as a risk discount that others are willing to offer in order to get out of that situation,
those less confident. I love the fact that not only... the original idea is brilliant in having one
buyer willing to trade is interesting enough but creating a full exchange that allows others to
take the same risk premium decision and get discounted Bitcoin, thereby converting that
risk eventually into quite an extraordinary reward. If this does resolve itself and these
people are able to (and honestly, I think it will and I probably should be trading a bit of
this)... if this does resolve itself, these people are going to get a tremendous discount on
their Bitcoin and that risk is going to translate into a very nice reward. What it shows,
among other things, is fungibility because these Bitcoins are fungible, you can essentially...
when Gox creates two different classes of Bitcoin, one which has a risk discount and one,
the open blockchain traded one, which doesn't have a risk discount, then those become two
different asset classes that people can trade between, with different risk characteristics.
That's brilliant! [52:46]


_________________________________________


CREDITS:

Thanks for listening to Episode 85 of Let's Talk Bitcoin.

"The Problem with MtGox" was produced by Adam B. Levine and featured Andreas
M. Antonopoulos, Stephanie Murphy and Adam B. Levine.
Music was provided for this episode by Jared Rubens and General Fuzz.

Questions or comments? Email adam@letstalkbitcoin.com.

[53:10]


_________________________________________



AL: Let's Talk Bitcoin is transforming into the LTB Network over the next few months and, as
part of that transition, we're adding many new shows to cover the world of cryptocurrency
from a different perspective or a very specific part of this growing and vibrant community.
From Paul Boyer's Mad Money Machine, to Bitcoins And Gravy, to The Sex & Science
Hour, you'll get them all on the same LTB podcast feed as always, without changing a
thing. That said, we've expanded from two hours per week to six hours per week and next
month, it will be even more. You can now subscribe to just your favorites at
www.letstalkbitcoin.com. Click the shows button for all full subscription options. Of
course, please rate the shows. However you listen, whether on Stitcher, iTunes or
somewhere else entirely, your reviews help others find our show. Thanks for listening.
[53:58]