How Bitcoin exchanges can screw up your withdrawals

Since the start of 2013 when I first started trading Bitcoins I've had my fair share of both good and bad experiences with Bitcoin exchanges. A new, global and unrestricted financial system is currently being bootstrapped and the centralized exchanges are still its weakest link. The missteps of exchanges like Mt. Gox have been widely discussed in the media, yet they haven't scared away lots of investors. Still, in this nascent world of crypto currencies staying vigilant is of utmost importance.

There are a few typical signs of an untrustworthy exchange. One example is creating all kinds of hurdles to discourage users from withdrawing Bitcoins. These commonly consist of several additional steps that you have to go through for a simple withdrawal, none of which actually increases your security. This includes things like replying to an email which requests additional information (e.g. writing the withdrawal amount and the last four letters of the target address) or having to reconfirm your identity several times.

On okcoin.cn I've recently witnessed a new scheme whose only intention can be to discourage withdrawals. I haven't seen any mention of this scheme anywhere else and I think all the new crypto currency investors should be made aware of it.

A lesser known part of every Bitcoin transaction is the input script. You can read about it in detail here. The input script is the biggest contributor to the payload size of your transaction. Transactions with bigger payload sizes require more mining / hashing power for a confirmation and therefore also require a bigger mining fee. bitcoinfees.21.co is a great site which gives you the optimal number of satoshis (1 satoshi = 0.00000001 btc) per byte for a transaction. The median transaction size is 226 bytes. If you create a new transaction, you can not only send Bitcoins from one address to another but you can also send Bitcoins from multiple addresses to a single one. However, such a transaction requires a larger input script [1].

Now, the usual assumption is that an exchange will withdraw Bitcoins from a single address to your destination address, meaning this transaction will have a size of about 226 bytes and require a mining fee of about 101000 satoshis (at the time of this writing). Quite a lot of exchanges allow users to manually set this mining fee. However, none of the exchanges I know allows users to control how many input transactions are used, even though it is clearly in the interest of the user to use as few as possible.

Now, what an exchange which wants to delay withdrawals can do is the following: Allow users to set the mining fee themselves and then create a transaction with several inputs such that the required mining fee surpasses the amount the user has put in. This way the exchange can broadcast a transaction to the Bitcoin network which will likely take very long to be confirmed.
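To check a withdrawal for this effect, the following added example (not code from the original post) parses a legacy, non-SegWit transaction, counts its inputs and computes the fee rate that a fixed fee actually buys. The sample transactions are constructed dummies with assumed typical sizes (107-byte input scripts, 25-byte output scripts), the 101000-satoshi fee is the figure quoted above, and all function names are hypothetical.

```python
import struct

def read_varint(b, i):
    """Decode a Bitcoin CompactSize integer at offset i -> (value, next offset)."""
    if b[i] < 0xfd:
        return b[i], i + 1
    width = {0xfd: 2, 0xfe: 4, 0xff: 8}[b[i]]
    return int.from_bytes(b[i + 1:i + 1 + width], "little"), i + 1 + width

def parse_legacy_tx(raw):
    """Return (input count, output values in satoshis, size in bytes)."""
    i = 4                                   # skip 4-byte version
    n_in, i = read_varint(raw, i)
    if n_in == 0:
        raise ValueError("SegWit-serialized or empty transaction: not handled here")
    for _ in range(n_in):
        i += 36                             # previous txid (32) + output index (4)
        script_len, i = read_varint(raw, i)
        i += script_len + 4                 # input script + sequence number
    n_out, i = read_varint(raw, i)
    values = []
    for _ in range(n_out):
        values.append(int.from_bytes(raw[i:i + 8], "little"))
        script_len, i = read_varint(raw, i + 8)
        i += script_len
    if i + 4 != len(raw):                   # 4-byte locktime must end the transaction
        raise ValueError("truncated or malformed transaction")
    return n_in, values, len(raw)

def effective_fee_rate(raw, fee_sat):
    """Satoshis per byte that a fixed fee buys for this transaction."""
    n_in, _, size = parse_legacy_tx(raw)
    return n_in, size, fee_sat / size

def build_sample_tx(n_inputs, n_outputs=2):
    """Constructed dummy transaction (not real chain data), fewer than 253 inputs."""
    tx = struct.pack("<I", 1) + bytes([n_inputs])
    for _ in range(n_inputs):
        tx += bytes(36) + bytes([107]) + bytes(107) + b"\xff" * 4
    tx += bytes([n_outputs])
    for _ in range(n_outputs):
        tx += struct.pack("<Q", 50_000) + bytes([25]) + bytes(25)
    return tx + bytes(4)

if __name__ == "__main__":
    USER_FEE = 101_000                      # fee figure quoted in the post
    for n in (1, 2, 5, 10):
        n_in, size, rate = effective_fee_rate(build_sample_tx(n), USER_FEE)
        print(f"{n_in:2d} inputs  {size:5d} bytes  {rate:6.1f} sat/byte")
```

With these assumed sizes the one-input case comes out at the 226 bytes mentioned above, and each further input adds 148 bytes while the fee stays the same.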

Now I don't want to prematurely accuse OKCoin of malicious behaviour ("never attribute to malice that which is adequately explained by stupidity") but I believe it's important to make all the new crypto currency investors aware of these caveats of the Bitcoin protocol.

UPDATE: The transaction has now been confirmed, four days after being broadcast to the network.

  1. Script size grows linearly with the number of input transactions. I.e. sending Bitcoins from two rather than one address roughly doubles the script size.
