I am sweating as I write this.
Christmas brought grave news. I cannot adequately express how deeply honored I was by your unconditional support of my staff.
I do not expect the same reaction to today’s revelations. This movement is built on integrity, and I feel obligated to be forthright with you.
I held myself to a high standard as your leader, yet now I must utter words all too familiar to this scarred community:
We have been hacked.
Nobody is in danger, no information has been leaked, and server access was never obtained by the attacker.
Our initial investigations indicate that a vendor exploited a recently discovered vulnerability in the Bitcoin protocol known as “transaction malleability” to repeatedly withdraw coins from our system until it was completely empty.
Despite our hardening and pentesting procedures, this attack vector was outside of penetration testing scope due to being rooted in the Bitcoin protocol itself.
This attack hit us at the worst possible time. We were planning on re-launching the new auto-finalize and Dispute Center this past weekend, and our projections of order finalization volume indicated that we would need the community’s full balance in hot storage.
In retrospect this was incredibly foolish, and I take full responsibility for this decision.
I have failed you as a leader, and am completely devastated by today’s discoveries. I should have taken MtGox and Bitstamp’s lead and disabled withdrawals as soon as the malleability issue was reported. I was slow to respond and too skeptical of the possible issue at hand.
It is a crushing blow. I cannot find the words to express how deeply I want this movement to be safe from the very threats I just watched materialize during my watch.
