Report: Researchers claim Mt.Gox could only have lost 386 BTC to transaction malleability

In a research paper titled “Bitcoin Transaction Malleability and MtGox” posted to the arXiv archive yesterday, authors Christian Decker and Roger Wattenhofer determined that Mt.Gox could not have lost 850,000 bitcoins through a transaction malleability glitch in the site’s code. Instead, the researchers note that an attack of that scale has never taken place, and the attacks that actually have taken place at Mt.Gox were considerably smaller and far less effective.

[While] MtGox claimed to have lost 850,000 bitcoins due to malleability attacks, we merely observed a total of 302,000 bitcoins ever being involved in malleability attacks. Of these, only 1,811 bitcoins were in attacks before MtGox stopped users from withdrawing bitcoins. Even more, 78.64% of these attacks were ineffective.

The researchers then cast serious doubt on the narrative that Mt.Gox’s missing coins are strongly related to transaction malleability attacks.

As such, barely 386 bitcoins could have been stolen using malleability attacks from MtGox or from other businesses. Even if all of these attacks were targeted against MtGox, MtGox needs to explain the whereabouts of 849,600 bitcoins.

Mt.Gox announced last week that it had “found” roughly 200,000 missing coins in an “old format” wallet, and many have since speculated that flaws in the exchange’s cold storage system were to blame for the company’s woes. CEO Mark Karpeles has made several vaguely worded statements about the funds being “temporarily unavailable” rather than stolen, although many have interpreted this as wishful thinking rather than fact.

On Sunday, rumors began to surface on Twitter that Mt.Gox had located an additional 670,000 BTC in their system, and would soon be releasing funds to customers. While the initial tweet was dismissed by many as a little more than trolling, the new report seems to support the theory that coins were never actually stolen from Mt.Gox on a catastrophic scale.