valiron (Sr. Member, Activity: 311, Merit: 250)
Re: The MtGox Debacle Explained
February 09, 2014, 11:51:07 PM #21

Quote from: thecomputerscientist on February 09, 2014, 10:22:55 PM
Quote from: aahzmundus on February 09, 2014, 10:19:00 PM
How could the transaction be changed without needing to be re-signed? I lack the technical knowledge to understand how what you describe is possible.

You don't touch the actual signature, but there is meta-data around it. In a recent version of the official bitcoin client the format of that meta-data has been tightened so the transaction data provided by MtGox is now being rejected by the latest official version. A hacker can then take the rejected raw txdata provided from MtGox, patch it and rebroadcast it. It will get through, but MtGox still thinks it is invalid and returns the balance.

I don't think I buy your explanation without providing more details.

Can you provide more details?

What is the new version of the bitcoin client that caused the problem?

When was the version released and when did the problems start at MtGox?

What are the changes to the format that were problematic?

I understand that if your theory is correct, there should be initially stuck transactions that finally went through in the blockchain (the modified hacker's version). Can you provide examples of these transactions? (that appeared first in the list of stuck transactions and then went through).


rograz (Hero Member, Activity: 575, Merit: 500)
Re: The MtGox Debacle Explained
February 10, 2014, 12:24:29 AM #22

So I guess buying "goxbtc" just got a lot more risky, even if they sort this out you might end up with nothing.

flower1024 (Legendary, Activity: 1428, Merit: 1000)
Re: The MtGox Debacle Explained
February 10, 2014, 12:38:29 AM #23

Quote from: valiron on February 09, 2014, 11:51:07 PM
Quote from: thecomputerscientist on February 09, 2014, 10:22:55 PM
Quote from: aahzmundus on February 09, 2014, 10:19:00 PM
How could the transaction be changed without needing to be re-signed? I lack the technical knowledge to understand how what you describe is possible.

You don't touch the actual signature, but there is meta-data around it. In a recent version of the official bitcoin client the format of that meta-data has been tightened so the transaction data provided by MtGox is now being rejected by the latest official version. A hacker can then take the rejected raw txdata provided from MtGox, patch it and rebroadcast it. It will get through, but MtGox still thinks it is invalid and returns the balance.

I don't think I buy your explanation without providing more details.

Can you provide more details?

What is the new version of the bitcoin client that caused the problem?

When was the version released and when did the problems start at MtGox?

What are the changes to the format that were problematic?

I understand that if your theory is correct, there should be initially stuck transactions that finally went through in the blockchain (the modified hacker's version). Can you provide examples of these transactions? (that appeared first in the list of stuck transactions and then went through).

sadly it's true.

just read the reddit: gmaxwell explains it well

il--ya (Newbie, Activity: 47, Merit: 0)
Re: The MtGox Debacle Explained
February 10, 2014, 12:49:31 AM #25

Quote from: thecomputerscientist on February 09, 2014, 06:56:19 PM
2) Bitcoin Foundation could set up some public servers that always run the latest official version of the bitcoin client. Exchanges should then be able to verify that the transaction is legitimate

I guess any self-respecting exchange is already running their own instance of the latest bitcoind for that purpose.

But MtGox is not a self-respecting exchange, that is the problem.

The funny bit is.. they keep sending transactions with spent inputs! Right now! With withdrawals blocked and the problem, as you claim, being identified.

valiron (Sr. Member, Activity: 311, Merit: 250)
Re: The MtGox Debacle Explained
February 10, 2014, 01:37:47 AM #27

Quote from: flower1024 on February 10, 2014, 12:38:29 AM
Quote from: valiron on February 09, 2014, 11:51:07 PM
Quote from: thecomputerscientist on February 09, 2014, 10:22:55 PM
Quote from: aahzmundus on February 09, 2014, 10:19:00 PM
How could the transaction be changed without needing to be re-signed? I lack the technical knowledge to understand how what you describe is possible.

You don't touch the actual signature, but there is meta-data around it. In a recent version of the official bitcoin client the format of that meta-data has been tightened so the transaction data provided by MtGox is now being rejected by the latest official version. A hacker can then take the rejected raw txdata provided from MtGox, patch it and rebroadcast it. It will get through, but MtGox still thinks it is invalid and returns the balance.

I don't think I buy your explanation without providing more details.

Can you provide more details?

What is the new version of the bitcoin client that caused the problem?

When was the version released and when did the problems start at MtGox?

What are the changes to the format that were problematic?

I understand that if your theory is correct, there should be initially stuck transactions that finally went through in the blockchain (the modified hacker's version). Can you provide examples of these transactions? (that appeared first in the list of stuck transactions and then went through).

sadly it's true.

just read the reddit: gmaxwell explains it well

Then someone could surely answer these questions. No?

Could you provide a link to the reddit post?

samson (Legendary, Activity: 1778, Merit: 1018)
Re: The MtGox Debacle Explained
February 10, 2014, 02:22:18 AM #29

Quote from: thecomputerscientist on February 09, 2014, 06:56:19 PM
Currently, there's too much Fear Uncertainty and Doubt.

TL;DR version:

1) The withdrawal problems at MtGox are technical.
2) It is likely that a hacker exploit has taken place.
3) Any damage is likely to be limited.
4) Other exchanges need a heads up and could also be vulnerable.
5) MtGox is going through all erroneous transactions and will update all balances. This is the reason why BTC withdrawals are frozen.
6) Countermeasures need to be taken (for all exchanges)

BTC Withdrawal Problems
------------------------
A couple of weeks ago (around January 26-28) I noticed that things at MtGox were not the way they are supposed to be. Normally, withdrawing BTC is an instant process. This time my withdrawals got stuck. MtGox provides an API so that transactions that didn't get through were available for public scrutiny: https://data.mtgox.com/api/0/bitcoin_tx.php

I took my stuck transactions which were available in raw format and tried to rebroadcast them manually. (MtGox no longer publishes the raw format; they are now redacted for a very good reason.) To my surprise it complained that some of the transaction inputs were already spent. Furthermore, this happened to many of my friends as well. I investigated their transactions as well and tried to rebroadcast them manually, but without luck due to complaints of double spending.

My immediate (now wrong) conclusion was that MtGox F-d up big time and couldn't handle a simple concurrency problem. If several people are withdrawing BTC at the same time it is important to ensure that this is counted as an atomic operation so that coins from the wallet pool are not double spent. It turns out that it was much more interesting than I first anticipated. Another (wrong) conspiracy theory of mine was that MtGox did this intentionally to cover up the fact that they were running low on BTC as they use "fractional reserve bitcoin".

Exchanges and Custom Wallet Software
--------------------------------------
Most exchanges have completely custom bitcoin software. Either they are heavily modified source code of the official client, or everything is written from scratch. To my best knowledge MtGox has written their client completely from scratch. Some people criticize them for that, but the standard client is not scalable to an exchange with a million customers. You must modify the original source so at least the wallet part is going through a more suitable database, and also the built-in security only works for a single customer.

The cons with writing your own custom bitcoin client are of course that you would from time to time become out of sync with the official client. It turns out that this is very problematic.

Erroneous Transactions and Fatal Consequences
----------------------------------------------
Suppose there's something that is inconsistent between MtGox client software and the rest of the bitcoin network. What would be the outcome of that? MtGox would broadcast the transaction to the bitcoin network and miners would reject it, so the transaction becomes stuck. After a couple of days, MtGox gives up because it can't get the transaction published in the blockchain so it returns the balance to the customer. This turns out to be VERY dangerous. BTC should not be returned to a customer without proper investigation.

You may ask why? A hacker can exploit the erroneous transactions broadcast by MtGox by modifying them manually (so they become consistent with the official bitcoin software) and then rebroadcast them manually her/him-self. If this happens, then the stuck transaction (at MtGox) actually gets through and at the same time the balance is returned to the customer's account. Therefore, the customer has doubled her/his BTC withdrawal attempt. If you repeat this process a couple of times then you can empty MtGox BTC vault without having to hack into their computers.

So what about all those erroneous transactions with "double spending", surely this has nothing to do with the erroneous transactions mentioned recently? At the time the hacker broadcasts the modified (correct) transaction based on MtGox erroneous one, the transaction gets through, but MtGox still thinks the coins are still unspent. After all, it is only MtGox that has the private keys, so it is impossible (in general) that someone else can spend them. Therefore, MtGox still thinks those coins are unspent and tries to reuse them as fresh coins for other transactions. This explains why we had so many transactions that tried to double spend coins.

What is MtGox Doing Now?
-------------------------
First, the hackers that tried to modify the erroneous transactions and rebroadcast them manually are likely identified (MtGox surely knows the name of every customer). Their accounts will likely be frozen.

Second, MtGox has an accounting mess to clean up. There are many transactions registered as unsuccessful at MtGox that need to be checked whether they actually went through or not. Then MtGox needs to update all the BTC balances. This will likely take a couple of days and this is the main reason why all BTC withdrawals are blocked at this time. Once this is done MtGox will open for BTC withdrawals again.

Lessons Learned and Countermeasures
-------------------------------------
What happened at MtGox can happen at other exchanges as well. So how do we prevent these disasters from happening again in future? I have some proposals,

1) Try to stay close to the official bitcoin client and merge in new changes as soon as possible. Stay updated.
2) Bitcoin Foundation could set up some public servers that always run the latest official version of the bitcoin client. Exchanges should then be able to verify that the transaction is legitimate to the latest bitcoin client before broadcasting them.
3) At an exchange, when a transaction becomes stuck for whatever reason, always check if some other transaction with the same inputs and outputs has already been accepted by the network before returning the customers' balance.

Interesting. Let's see how long it takes them to fix it all.

superduh (Hero Member, Activity: 602, Merit: 500)
Re: The MtGox Debacle Explained
February 10, 2014, 02:26:21 AM #30

who cares as long as people know the coins are 100% and fraudulent accounts utilizing this exploit have been locked down. if so take as long as necessary to make sure it works CORRECTLY ok

jl2012 (Legendary, Activity: 1792, Merit: 1010)
Re: The MtGox Debacle Explained
February 10, 2014, 04:19:09 AM #31

Quote from: thecomputerscientist on February 09, 2014, 06:56:19 PM
2) Bitcoin Foundation could setup some public servers that always run the latest official version of the bitcoin client. Exchanges should then be able to verify that the transaction is legitimate to the latest bitcoin client before broadcasting them.

Do we really need a centralized service like this? Exchanges could setup their own dedicated bitcoind servers by using the code on github.

After all, it is a good idea to use a standard bitcoind server as a firewall between the in-house custom implementation and the real bitcoin network.

Nagle (Legendary, Activity: 1204, Merit: 1000)
Re: The MtGox Debacle Explained
February 10, 2014, 04:41:49 AM #32

This claim of a bug is checkable. Someone should check the block chain for transactions with junk pad bytes at the end of signatures, and note the ones from a Mt. Gox address.

krtek.net (Newbie, Activity: 16, Merit: 0)
Re: The MtGox Debacle Explained
February 10, 2014, 06:08:54 AM #33

Question is, why are not internal transfers frozen also? I've asked this on #mtgox, because this could lead to more negative balance accounts and was given an "if you think so" answer.

I can think of three reasons (four actually, they weren't aware of this route and they will freeze internal transactions also):

1. The whole theory is wrong and there's something else going on.
2. The number of coins stolen is just too small and they don't care.
3. The number of coins stolen is just too big and they don't care.

thecomputerscientist (Newbie, Activity: 48, Merit: 0)
Re: The MtGox Debacle Explained
February 10, 2014, 11:45:50 AM #35
Last edit: February 10, 2014, 12:04:05 PM by thecomputerscientist

UPDATE:

So MtGox has finally gone public with this information which is good, but I need to say a few words because people are totally panicking on all exchanges.

First, MtGox is exaggerating the problem. It is not as bad as it seems really. This exploit, of modifying transactions but keeping the signatures intact, is quite difficult to begin with. MtGox made it worse by publishing their transactions through an accessible API (but now the signatures have been redacted).

The worst thing that can happen is that the exchange may get stuck with transactions and what all the exchanges need to do is not automatically return the user's balance without doing some investigations first. For example, if some of the inputs (of the transaction) have already been spent, then further investigations are required. That is all.

You cannot steal someone else's coins, and there's nothing wrong with the bitcoin protocol per se.

What the Bitcoin core development team is trying to do, long-term, is to ensure that the byte encoding is unique for a given transaction. If you look at ASN.1 DER encodings, the whole point is to ensure that there's only one way to encode something so there's no ambiguity when computing digital signatures. Otherwise we have this problem of two chunks of data that are equivalent but syntactically different.

Anyway, all this is just unnecessary panic. And if you have access to fiat I would consider this as an enormous buying opportunity.
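
The "only one way to encode" rule from post #35, and the kind of check Nagle suggests in #32, can be expressed as a strict DER test on each signature. This is an added example, not part of any post and not Bitcoin Core's IsCanonicalSignature(); the function names are illustrative and the sample byte strings are constructed, not real signatures.

```python
from typing import Dict, Optional


def der_problem(sig: bytes) -> Optional[str]:
    """Return None if `sig` is a strictly DER-encoded ECDSA signature
    followed by one sighash-type byte, else the first rule it breaks."""
    # Expected layout: 0x30 <len> 0x02 <lenR> <R> 0x02 <lenS> <S> <sighash>
    if not 9 <= len(sig) <= 73:
        return "total size out of range"
    if sig[0] != 0x30:
        return "missing SEQUENCE tag"
    if sig[1] != len(sig) - 3:
        # Catches extra bytes appended after S as well as truncation.
        return "SEQUENCE length does not cover exactly R and S"
    len_r = sig[3]
    if 5 + len_r >= len(sig):
        return "R length runs past the end"
    len_s = sig[5 + len_r]
    if len_r + len_s + 7 != len(sig):
        return "R and S lengths do not add up to the total size"
    # R and S follow the same integer rules; check both with one loop.
    for name, tag_pos, length in (("R", 2, len_r), ("S", 4 + len_r, len_s)):
        first = tag_pos + 2
        if sig[tag_pos] != 0x02:
            return f"{name} is not tagged INTEGER"
        if length == 0:
            return f"{name} is empty"
        if sig[first] & 0x80:
            return f"{name} would read as negative"
        if length > 1 and sig[first] == 0x00 and not sig[first + 1] & 0x80:
            return f"{name} has an unnecessary leading zero byte"
    return None


# Constructed samples with tiny R and S values (not real signatures).
SAMPLES = {
    "canonical": bytes.fromhex("300602010102010101"),
    "padded_r": bytes.fromhex("30070202000102010101"),
    "trailing_junk": bytes.fromhex("30060201010201010001"),
    "negative_r": bytes.fromhex("300602018102010101"),
}


def audit(sigs: Dict[str, bytes]) -> Dict[str, Optional[str]]:
    """Map each labelled signature to its encoding problem (None = strict DER)."""
    return {label: der_problem(sig) for label, sig in sigs.items()}


if __name__ == "__main__":
    for label, problem in audit(SAMPLES).items():
        print(f"{label:14s} {problem or 'ok'}")
```
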



thecomputerscientist (Newbie, Activity: 48, Merit: 0)
Re: The MtGox Debacle Explained
February 10, 2014, 06:59:24 PM #36

UPDATE 2:

Given the current turmoil I felt I needed to write something more. MtGox is being bashed, and rightly so, but there's one thing that nobody has been talking about. If this issue has been known since 2011, why does suddenly all this happen to MtGox _now_? Isn't that a legitimate question to ask? Because, that will reveal something else that MtGox hasn't mentioned in their press release (blaming the Bitcoin protocol).

So here comes the answer:

1) The Bitcoin core dev team has been addressing this malleability by gradually tightening what counts as a valid signature. For example, this is one of those changes: https://github.com/bitcoin/bitcoin/commit/58bc86e37fda1aec270bccb3df6c20fbd2a6591c (look at IsCanonicalSignature())

2) MtGox hasn't bothered to keep themselves up to date with the latest Bitcoin client software, so suddenly some transactions will get stuck because they are not complying with these harsher rules in Bitcoin 0.8+.

3) MtGox publishes all failed transactions (used to be with the raw transaction data; now redacted) at https://data.mtgox.com/api/0/bitcoin_tx.php

4) Someone looking at this tx list will spot some of the failed transactions and modify them so they become bitcoin-0.8+ compliant. This gives a new tx and the transactions get through. MtGox fails to spot its own tx in the blockchain; gives up and returns funds to the customer.

It is correct that MtGox is right that you can never be 100% sure for malleability because the hacker can listen to the Bitcoin network and forward modified tx directly to miners (and out compete MtGox), and although this window has been open since 2011, this is a much harder problem with race conditions. It is because of the steps 1-4 above that made it much easier to apply a malleability attack on MtGox.

MtGox is now claiming that it has to wait until the malleability problem is fixed by the Bitcoin core dev _before_ it will allow BTC withdrawals. That's how I interpret their statement in their press release:

"We have discussed this solution with the Bitcoin core developers and will allow Bitcoin withdrawals again once it has been approved and standardized."

But this is utterly absurd. It's most likely never going to happen, or it will take a very long time. And this is a very strange statement because it isn't that hard for MtGox to fix this problem. To check whether a transaction has got through or not is not using the transaction id, but instead compute a hash of:

inputs (lexicographically sorted) + outputs (lexicographically sorted)

This will uniquely identify a transaction regardless of the transaction id and it is fast to compute.

So what are they waiting for?
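
The check proposed in post #36, together with countermeasure 3 of the original post and the "inputs already spent" rule from post #35, sketched as an added example (not code from the thread, MtGox or Bitcoin Core). Function names and the sample transactions are constructed for illustration, the scriptSig bytes are filler rather than signatures, and only the legacy serialization in use at the time is parsed.

```python
import hashlib
import struct


def read_varint(buf, pos):
    """Decode a Bitcoin CompactSize integer; return (value, next_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    size = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size


def parse_legacy_tx(raw):
    """Return (outpoints, outputs) of a legacy raw transaction.
    scriptSig is left out on purpose: it is where the signature encoding lives."""
    pos = 4                                    # skip version
    n_in, pos = read_varint(raw, pos)
    if n_in == 0:
        raise ValueError("not a legacy transaction")
    outpoints = []
    for _ in range(n_in):
        outpoints.append(raw[pos:pos + 36])    # prev txid (32) + output index (4)
        script_len, pos = read_varint(raw, pos + 36)
        pos += script_len + 4                  # skip scriptSig and sequence
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        script_len, after = read_varint(raw, pos + 8)
        outputs.append(raw[pos:after + script_len])   # value + scriptPubKey
        pos = after + script_len
    if pos + 4 != len(raw):                    # only the locktime may remain
        raise ValueError("malformed transaction")
    return outpoints, outputs


def txid(raw):
    """Ordinary transaction id: double SHA-256 of all bytes, scriptSig included."""
    return hashlib.sha256(hashlib.sha256(raw).digest()).digest()[::-1].hex()


def fingerprint(raw):
    """Hash of sorted inputs plus sorted outputs, as proposed in the post."""
    outpoints, outputs = parse_legacy_tx(raw)
    h = hashlib.sha256()
    for tag, items in ((b"I", sorted(outpoints)), (b"O", sorted(outputs))):
        for item in items:
            h.update(tag + struct.pack("<I", len(item)) + item)
    return h.hexdigest()


def withdrawal_status(stuck_raw, confirmed_raws):
    """Decide what a stuck withdrawal means before any balance is returned."""
    want = fingerprint(stuck_raw)
    mine = set(parse_legacy_tx(stuck_raw)[0])
    conflict = None
    for raw in confirmed_raws:
        if fingerprint(raw) == want:
            return "already_paid", txid(raw)   # same payment under another txid
        if conflict is None and mine & set(parse_legacy_tx(raw)[0]):
            conflict = txid(raw)               # inputs spent: investigate first
    return ("inputs_spent_elsewhere", conflict) if conflict else ("not_seen", None)


def build_sample_tx(prev_txid, script_sig, pay_to_hash, value=50_000):
    """Constructed one-input, one-output transaction for the demo below."""
    script_pubkey = b"\x76\xa9\x14" + pay_to_hash + b"\x88\xac"
    return (struct.pack("<I", 1) + b"\x01" + prev_txid + struct.pack("<I", 0)
            + bytes([len(script_sig)]) + script_sig + b"\xff\xff\xff\xff"
            + b"\x01" + struct.pack("<Q", value)
            + bytes([len(script_pubkey)]) + script_pubkey + struct.pack("<I", 0))


COIN = bytes(range(32))                                      # constructed outpoint
STUCK = build_sample_tx(COIN, b"\xaa" * 72, b"\x11" * 20)     # what the exchange sent
CONFIRMED = build_sample_tx(COIN, b"\xbb" * 71, b"\x11" * 20)  # same payment, other scriptSig
CONFLICT = build_sample_tx(COIN, b"\xcc" * 71, b"\x22" * 20)   # same coin, other payee
UNRELATED = build_sample_tx(bytes(32), b"\xdd" * 71, b"\x33" * 20)

if __name__ == "__main__":
    print(withdrawal_status(STUCK, [UNRELATED, CONFIRMED]))
```
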