# # NOT POSTED

If I understand correctly, the following was Mark Karpelès's explanation for the loss of coins from MtGOX. (However, an MIT study concluded that only a few hundred coins could have been stolen this way; and the bug that made the attack possible has been fixed already.)

1) A malicious MtGOX client requests a BTC withdrawal to his wallet address X. MtGOX debits the amount from the client's internal account, and sends to the bitcoin network a request to transfer those coins from its wallet to the client's wallet.

2) The malicious client monitors the network until MtGOX issues the corresponding transaction request.

3) That client immediately re-issues the same transaction request, with the same amount and address, with a slight change that does not invalidate the signature.

4) The network may include either transaction in the blockchain, and then rejects the other request. Either way, the coins are transferred (once) from MtGOX's wallet to the client's wallet.

5) If the *original* transaction was accepted by the network, the attack failed. The client then deposits the coins back to MtGOX and tries again.

6) If the *modified* transaction was accepted by the network, MtGOX does not recognize it, but eventually finds out that its transaction request was rejected. Then it refunds the coins back to the client's account (not realizing that they had been in fact withdrawn from MtGOX's wallet), and tries to send them again.
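The bookkeeping failure in step 6, next to a reconciliation that does not depend on signature bytes, as an added example that is not part of the original post. The transaction layout, the `txid` serialization and all names and values are a constructed toy model, not Bitcoin's real format or MtGOX's code.

```python
import hashlib

def txid(tx):
    """Toy txid: double SHA-256 over the whole transaction, signature bytes included."""
    data = repr((tx["inputs"], tx["outputs"])).encode() + tx["sig"]
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()

def spend_key(tx):
    """Identity that ignores signature bytes: outpoints spent and outputs paid."""
    return (tuple(tx["inputs"]), tuple(tx["outputs"]))

def refunds_by_txid(sent, confirmed):
    """Step 6 bookkeeping: refund every withdrawal whose exact txid never confirmed."""
    seen = {txid(tx) for tx in confirmed}
    return [w["client"] for w in sent if txid(w["tx"]) not in seen]

def refunds_by_spend(sent, confirmed):
    """Hardened bookkeeping: refund only if no confirmed transaction spent the
    same outpoints to the same outputs, whatever its signature encoding."""
    seen = {spend_key(tx) for tx in confirmed}
    return [w["client"] for w in sent if spend_key(w["tx"]) not in seen]

# Constructed sample data (hypothetical outpoints, addresses and amounts).
original = {"inputs": [("a" * 64, 0)], "outputs": [("X", 10)], "sig": b"encoding-A"}
# Same payment as `original`; only the signature bytes differ (step 3).
modified = dict(original, sig=b"encoding-B")
# A second withdrawal that really did fail to confirm.
stuck = {"inputs": [("b" * 64, 1)], "outputs": [("Y", 5)], "sig": b"encoding-A"}

sent = [{"client": "client-1", "tx": original},
        {"client": "client-2", "tx": stuck}]
confirmed = [modified]  # the network accepted the modified copy (step 6)

if __name__ == "__main__":
    print("txid changed:       ", txid(original) != txid(modified))
    print("refunds (by txid):  ", refunds_by_txid(sent, confirmed))
    print("refunds (by spend): ", refunds_by_spend(sent, confirmed))
```

Tracking by txid refunds `client-1` even though the coins left the wallet, while tracking by spent outpoints refunds only the withdrawal that never confirmed.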