GOXXED IT

Mt. Gox was to prove a vital Bitcoin exchange that played an outsized role in the cryptocurrency’s early success and price rallies, accounting for as much as 70% of all BTC trading globally. It was also to prove extremely accident-prone, however, losing massive amounts of BTC on multiple occasions due to a combination of incompetence and misfortune.

In defence of the exchange, there was no Bitcoin custody framework in place when it was getting up to speed in 2011. As a non-reversible network, Bitcoin’s design meant that anyone, be they a regular user or major exchange, was never more than a misclick away from making an irredeemable mistake. On October 29th, 2011, Mt. Gox made one such mistake by sending coins to invalid addresses, effectively taking more than 2,609 bitcoins out of circulation for good.

Goxxed It

In later years, “goxxed” was to become a verb used to describe Bitcoin mistakes of a magnitude characterised by Mt. Gox. And one of the first memorable goxxed moments came when the exchange created 23 unspendable bitcoin transactions in one fell swoop. “someone fucked up and lost ALOT of money” ran the title of the Bitcointalk thread created by “genjix” (Bitcoin developer Amir Taaki) that spotted the anomaly. “They’re gone. No chance of retrieval,” observed “BTCurious” bluntly. It didn’t take long before the source of the transaction had been traced back to Mt. Gox.

Despite Bitcoin wallet addresses using a seemingly arbitrary string of letters and numbers, they are not random in the sense that you cannot simply enter any old characters into the Send field and transfer BTC into the void. In other words, it took a special kind of fail for Mt. Gox to send bitcoin that could not be claimed by its recipients.

The failure came down to a scripting error in the transaction outputs which required a public key that hashed to an empty string (a 0-byte hash), which no valid public key can satisfy. As thread creator “genjix”  explained on the forum after posting the raw script: “It’s a transaction that was sent into nowhere. Obviously someone was…creating a custom [client] and messed up.”

While it’s easy to take aim at Mt. Gox for the error, the incident can be traced back to a quirk in the Bitcoin protocol. At the time, the official Bitcoin client would normally prevent a user from sending to an invalid address with a bad checksum or impossible format. If someone bypassed the client’s checks and created a custom transaction, however, nodes and miners would accept it as long as the script was syntactically valid. And that’s how Mt. Gox came to lose 2,609 BTC.

While the sum lost due in Bitcoin terms was huge, the dollar value was more manageable – around $8,000, which accounted for approximately a week’s revenue. It was a setback, but Mt. Gox made the affected customers right and took the L.

The incident illustrated the limitations in existing Bitcoin client designs, with CEO Mark Karpelès later admitting that he had written the faulty code that generated the transactions in an attempt to work around limitations in the standard Bitcoin client. Bitcoin clients would get better in the coming years, but in retrospect the incident was one of several red flags that suggested Mt. Gox was not being run with the rigor one would expect of the world’s largest Bitcoin platform. Worse was to come.