Do you know where your bitcoins are right now? Hopefully they’re still in your wallet where you left them, but the history of bitcoin is littered with human error, poorly implemented software and heists that would make even the most hardened of Wild West outlaws tip their hat in respect.
Bitcoin is a man-made, open-source technology – not a gift handed down from the heavens. Just to drive that point home, here are the nine biggest screwups in bitcoin history.
On 8th August 2010 bitcoin developer Jeff Garzik wrote what could be mildly described as the biggest understatement since Apollo 13 told Houston: “We’ve had a problem here.”
“The ‘value out’ in this block is quite strange,” he wrote on bitcointalk.org, referring to a block that had somehow contained 92 billion BTC, which is precisely 91,979,000,000 more bitcoin than is ever supposed to exist.
CVE-2010-5139 (CVE stands for ‘Common Vulnerabilities and Exposures’) was frighteningly simple and exploited to the point of farce by an unknown attacker. In technical language, the bug is known as an integer overflow.
So instead of the system counting up 98, 99, 100, 101, for example, it broke at 99 and went to zero (or -100) instead of 100. In layman’s terms, someone found a way to push a number past the largest value the code could count to and create a ridiculously large amount of bitcoin in the process.
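The overflow described above can be modelled in a few lines. This is an added example, not Bitcoin's own code: the function names and sample amounts are constructed for illustration, and it assumes amounts are held as signed 64-bit counts of base units (100,000,000 per bitcoin) with a 21 million coin cap. It shows a check that trusts a wrapped total next to one that bounds every output and the running sum.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define COIN      INT64_C(100000000)          /* base units per bitcoin */
#define MAX_MONEY (INT64_C(21000000) * COIN)  /* 21 million coin supply cap */

/* Constructed sample: two outputs of 2^62 base units each, funded by 0.5 BTC. */
static const int64_t BAD_OUTS[2] = { INT64_MAX / 2 + 1, INT64_MAX / 2 + 1 };
static const int64_t GOOD_OUTS[2] = { 30000000, 20000000 };
static const int64_t VALUE_IN = 50000000;

/* Sum with 64-bit wraparound; done in unsigned so the wrap is well defined. */
int64_t sum_wrapping(const int64_t *out, size_t n) {
    uint64_t acc = 0;
    for (size_t i = 0; i < n; i++) acc += (uint64_t)out[i];
    return (int64_t)acc;
}

/* Weak check: rejects negative outputs, then trusts the wrapped total. */
bool naive_accepts(int64_t value_in, const int64_t *out, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (out[i] < 0) return false;
    return sum_wrapping(out, n) <= value_in;
}

/* Hardened check: bound every output and the running total by MAX_MONEY. */
bool checked_accepts(int64_t value_in, const int64_t *out, size_t n) {
    int64_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (out[i] < 0 || out[i] > MAX_MONEY) return false;
        total += out[i];  /* cannot overflow: both operands <= MAX_MONEY */
        if (total > MAX_MONEY) return false;
    }
    return total <= value_in;
}

int main(void) {
    printf("wrapped total: %lld\n", (long long)sum_wrapping(BAD_OUTS, 2));
    printf("naive accepts bad tx:    %d\n", naive_accepts(VALUE_IN, BAD_OUTS, 2));
    printf("checked accepts bad tx:  %d\n", checked_accepts(VALUE_IN, BAD_OUTS, 2));
    printf("checked accepts good tx: %d\n", checked_accepts(VALUE_IN, GOOD_OUTS, 2));
    return 0;
}
```

Each sample output is non-negative on its own, so only a bound on the individual values and on the running total catches the wrapped sum.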
The fix was the bitcoin equivalent of dying in a video game and restarting from the last save point. The community simply hit ‘undo’, jumping back to the point in the blockchain before the hack occurred and starting anew from there; all of the transactions made after the bug was exploited – but before the fix was implemented – were effectively cancelled.
How serious was it? Bitcoin’s lead developer Wladimir Van Der Laan is pretty blunt about it, telling me: “It was the worst problem ever.”
Perhaps, but bitcoiners have seemingly been trying to trump it ever since.
Think about the amount of money being ploughed into bitcoin: $240m of venture capital funding to date. Now think about the number of people who work full-time on the core protocol (it’s two, by the way). The outcome of this disparity is rather predictable – software problems that would otherwise be ironed out and spotted by a team of well-resourced developers inevitably sneak through.
The most recent major issue occurred when Bitcoin Core version 0.8 was released in March 2013. Put simply, it wasn’t compatible with previous versions.
Remember the terror that accompanied upgrading your old Windows PC because none of the software would work afterwards? That happened with bitcoin.
Version 0.8 allowed for larger blocksizes than older versions could handle. With half the network upgraded and the other half still sitting on version 0.7 or older, the danger was that two versions of the bitcoin ledger would emerge.
As with the 92 billion bitcoin problem, the community sounded the alarm and forced a hard fork back to version 0.7 while the issue was resolved.
Disaster avoided, narrowly. But this wasn’t deep in bitcoin’s early history – this was just over 12 months ago. It’s not for nothing that people are calling for more resources to be devoted to bitcoin’s development.
Ok, that’s probably enough piling on to bitcoin’s core developers – on to everyone else.
I’m going to keep this one short, because we all kind of know the score on this one. Originally founded as a trading card site, Mt. Gox grew to become bitcoin’s largest exchange, helmed by French-born Mark Karpeles, who unadvisedly wrote all of the site’s code by himself without oversight or review by others.
The outcome of this foolhardy approach to development? In 2011 Mt. Gox was hacked, with the attacker driving the price down to just fractions of a dollar from highs of $30 by mass selling on the platform. Then this year the big one – $340m vanished and Mt. Gox toppled.
In a recent interview with the Wall Street Journal, Karpeles was apologetic, saying that “the weakest point of my company was management” – which is code for “me”.
It’s not hard to find people who don’t believe Mt. Gox was hacked and instead think that Karpeles ran off with the cash, but with a police investigation ongoing the truth will hopefully come out and we’ll know for certain just what went on at Mt. Gox.
The US government’s recent auction of bitcoin seized from Silk Road was a landmark in bitcoin’s story – as many have pointed out, it gives some small sense of legitimacy to the currency in the sense that the government wouldn’t auction off seized cocaine, for example. The US government is willing to deal in bitcoin to some extent, a small but important signal.
But it was also accompanied by its fair share of farce. Before the auction the government accidentally emailed the potential participants but forgot to bcc them, so everyone who received the email could see who else had been emailed, meaning their names were eventually leaked.
Of course this kind of mistake is common – so common that even acclaimed bitcoin developer Amir Taaki made the mistake back in 2012 when he ran Intersango, a UK-based bitcoin exchange that eventually closed down in late 2012 after its banking relationship with Metro Banks turned sour.
The upshot of the US government leak is that the people whose emails were leaked were targeted by scammers, one of whom succeeded in dramatic style. Sam Lee of bitcoin fund Bitcoins Reserve received an email claiming to be from a media company. The attached document was supposedly a list of interview questions but actually linked to a website prompting Lee to enter his password. When he did, the attacker took over his email and sent a message to the CTO, requesting a transfer of 100 bitcoin. Bye bye bitcoin.
But sometimes, attacks are far, far simpler than this.
This isn’t going to be a list of bitcoin heists – oh boy are they fun – but an honourable mention has to be given to Canadian Bitcoins, who were the victim of an old-fashioned social engineering attack that has to go down as one of the easiest ever executed.
Canadian Bitcoins’ servers were being run by a company called Rogers Data Centre (who were technically in the process of taking the data centre over from its previous operator, Granite Networks). A hacker was allegedly able to steal 149 bitcoin, or around $100,000 at the time, from Canadian Bitcoins by messaging Rogers Data Centre and just asking for access to the servers.
That’s it. The hacker pretended to be Canadian Bitcoins CEO James Grant over instant message – just by saying “I am James Grant”, there wasn’t any fancy trickery going on – and was given access. “It’s ridiculous,” the real James Grant was reported as saying in the Ottawa Citizen, who broke the story.
Yes. Yes it is ridiculous. But not nearly as ridiculous as this next issue.
Iceland is famous for aggressively prosecuting its bankers for their role in the financial meltdown of 2007/2008. So when auroracoin was announced in February, a cryptocurrency designed to be a national currency for Iceland, the stars seemed to have aligned perfectly.
Just months later, auroracoin is dead and all the hype dead with it.
The currency was ‘airdropped’ to Iceland’s citizens in late March, with 31.8 auroracoin allocated to each citizen who had registered. The few that claimed their coins are thought to have immediately sold them off and the price of the coin never recovered after plummeting on its first day in circulation.
Auroracoin’s fatal blow came from the insecurity of the network – there was little incentive for miners to maintain the network and process the few transactions made with the coin. As a result it was vulnerable to attack from anyone with a modest amount of computing power at their disposal.
Here are two good post-mortems of the entire fiasco, which go some way to casting doubt on the viability of alternative cryptocurrencies. Speaking of which…
For the last eight years, a bunch of Scottish developers have been quietly beavering away up in Fyfe creating what they see as the future of the Internet – totally decentralized, encrypted and anonymised.
Eight years is a long time to be working on any software project, but this year Maidsafe finally had their big coming out party – a crowdsale to fund the next stage of the project’s development.
But what were they selling, I hear you ask? A temporary cryptocurrency, which will one day be exchangeable for the permanent cryptocurrency running on the Maidsafe network. Confused yet? You could only participate in this cryptocurrency crowdsale with bitcoin or another cryptocurrency, mastercoin.
Why risk your crowdsale by allowing people to buy in with a practically worthless cryptocurrency like mastercoin? Nobody has a freaking clue – Kashmir Hill at Forbes has a wonderfully detailed account of this whole situation: “I forgive you if you find it all confusing; so did most of the investment experts I spoke with.”
In the end, Maidsafe still successfully raised millions of dollars, but mostly in mastercoin, which isn’t really very helpful when bills need to be paid in fiat, or bitcoin (at a stretch).
What would you say is a reasonable fee to pay to transfer £100? If it was within the UK, you would say there shouldn’t be a fee. If it was an international transfer, you would probably be fine paying a significant percentage, maybe 9% with Western Union or much less with new bitcoin remittance companies like BitPesa.
You would probably be bummed if you had paid 8000%, like the owner of this bitcoin address did in September 2013. It’s unclear what caused the faulty transaction fees, but over the course of a few days one bitcoin address added huge fees to its transactions, essentially donating ridiculous sums of bitcoin to miners. One transaction, totalling only 0.01 bitcoin, had an extra 80 bitcoin attached as a transaction fee (for reference, transaction fees are usually around 0.0001 bitcoin).
Something similar happened to this hapless Redditor, who made a simple typing error back in July 2013, attaching 30 bitcoin to a 38 bitcoin transaction.
In a world where the fact that transactions can’t be reversed is considered by some to be a virtue, accidental transactions are stupidly common. As bitcoin wallet software develops, incorrect transactions might get caught in the same way Gmail catches your email if it has the words “I have attached” when there aren’t any attachments.
But until then, people will continue to accidentally add incorrect transaction fees or even transfer 800 bitcoin to defunct Mt. Gox addresses.
Of course the award for all-time greatest bitcoin fail has to go to James Howells from Wales, who sent £4.2 million to the landfill when he chucked out a hard drive containing the private keys for 7,500 bitcoin.
Coming just a month after the news that Norwegian PhD student Kristoffer Koch had bought himself a house after discovering an old hard drive with 5,000 bitcoin on it (which he paid only $27 for in 2009), James Howells’ landfill story felt especially painful.
There are many, many more stories like these. Too many to include in one piece, but let us know your favourite stories of bitcoin woe in the comments below. Let the schadenfreude flow through you.