This is weird. A transaction isn’t quite identified by its transaction ID, but only by its contents. So somebody can replay your transaction simply by giving it a different number, and then hoping to win the race.
I think it’s reasonable to consider this a protocol flaw, and it’s something I didn’t know about, but how can mt. gox proclaim ignorance when people in the know have been talking about it for 3 years? Shouldn’t mt. gox be in the know, too?
This is also another case where I’m confused how a bitcoin operator can even have the problem they’re having. I’m not the world’s greatest accountant, but I’m also not running a money service. When a bad customer performs the above trick and claims the transaction failed, why doesn’t mt. gox check the account balance (blockchain) and see that the money has in fact been transferred? mt. gox should know how much money is in their wallet, right? They can compare the amount they have now, the amount they had an hour ago, and the total of transfers they believe occurred.
It seems most of the exchanges are fly-by-night operations, by people
who mean well but have no idea what goes into running such an operation.
It seems that the recommendation by the core developers is essentially duck typing the transaction. I imagine that though this would work for low frequency transactions (maybe less than 1 every few days), the lack of a definitive way to identify a transaction will become a serious issue in high frequency transactions between a small number of addresses.