At first glance Mt.Gox seemed to be a great and very beneficial fraudulence scheme. It would be out of law, but still understandable if Mark Karpeles would leave the industry with pockets full of money. After the private investigation of Bitcoin users was determined a surprising reason of the crash of the leading exchanger – the owner and CEO has lost the private keys with no ways to retrieve them.
It seems both crazy and impossible that so much people have trusted their money to such incompetent person. Now the attack from the cryptographic society continues with a more derogatory move.
Yesterday, the global web was shaken by a rumor that has all necessary characteristics to become truth. The IT and crypto enthusiast under the nickname “Nanashi” pretending to be a hacker from Russia has revealed the source code of the service. Its quality is a disgrace for every experienced developer.
The Coder Coded a Code
The obtained code can be found on different Internet resources. At Pastebin was placed the part that performed the processing of transactions. Nanashi also provided a PDF file, some discussion audio file mostly in Japanese and the log from IRC. After his words, the private route of IRC carries even more evidence that still is not populated.
Some proven information source approves that the source code was partly designed by Mark Karpeles in person. The servers of the exchange service Mt.Gox were running on obsolete versions of Gentoo that allowed installing a rootkit via a weak point that is not mentioned.
The hacker Nilzor has looked through the provided material and determined many faults that cannot be tolerated in codes of global financial companies dealing with money of numerous users. He has said:
“Wow. This code is pretty bad. I mean, it's bad for a college project. It's horrible for a company dealing with large sums of money.”
Correction of Mistakes
The analysis made by Nilzor deserves to be published full-text without any alterations:
- There's a class with the name of the application. (Issues: Scope, SRP)
- There's a class with 1708 lines of code. (Scope)
- There's a switch-case statement that runs over 150 LOC (readability, maintainability)
- There's a string parsing function in the same class as transaction processing (Separation of concerns)
- There are segments of code commented out (are they not using source control?)
- There's inlined SQL (maintainability, security)
- There's JSON being generated manually & inline (SoC, DRY)
- There's XML being generated manually & inline (SoC, DRY)
- To sum up function _Route_getStats($path): XML production, JSON production, file writing, business logic, SQL commands, HTTP header fiddling, hard coded paging limits, multiple exit points...
He also concluded:
“The amount of refactoring needed here to bring this code up to acceptable quality is simply staggering.”
Besides the opened data, Nanashi or a group of hackers he is working with has also scans of passports of the users of the service as well as employees – around 20 GB. However this fact requires further prove.