Go to the profile of Matthew Mills
Matthew Mills
Drop in price of Bitcoin due to the Bitfinex hack — Source: CoinDesk

The Bitfinex Attack

The biggest loss of Bitcoin due to a malicious attack since Mt. Gox

Note that this is an extract from the background of a paper I am currently writing on the need for more decentralised exchanges — I thought it would be good to break it out into a separate article for readers of Liberté & Co.

The Bitfinex hack

On the evening of the 2nd of August, 2016, more than USD$60m equivalent of Bitcoin was stolen from Hong Kong based Bitfinex, one of the largest cryptocurrency exchanges. Such a theft was the largest single loss of Bitcoin due to a malicious attack since the shutdown of Mt. Gox in 2014 due to its losing of USD$350m worth of Bitcoin. The size of the loss demonstrates the difficulty in securing a centralised exchange against malicious attacks. More importantly it demonstrates that the current model of exchange is inadequate to protect investors due to the fallibility of its human operators. This is especially true when it comes to the irreversible and unregulated nature of digital currencies such as Bitcoin that can be very quickly shifted before any action can be taken.

How it happened

Whilst the exact attack vector has not been confirmed by Bitfinex as of writing, it is suspected that the attacker took advantage of Bitfinex’s security policies regarding customer deposits. It seems the flaw lay in the security configuration of customer wallets held by Bitfinex, where instead of being in cold storage, funds were held in wallets connected to the internet and protected only via 2-of-3 multi-signature security measures. 2-of-3 means that in order to access and withdraw from a wallet, only two of three signatures are required. Such a configuration was done so as to be able to comply with a settlement with the U.S. Commodity Futures Trading Commission (CFTC) whereby Bitfinex had to make explicit the separation between user accounts so as to guarantee “actual delivery of the bitcoins results within 28 days” or else register as an exchange. Delivery in this case means Bitfinex would complete a trade, withdraw coins from a seller’s account, and deposit to a seller’s account with the accounts being defined as separate due to having different private keys. Bitfinex could do this process automatically as it had one private key and BitGo had another private key for a user’s account, thereby allowing access to a wallet without the user having to sign the transaction with their own private key (the 2-of-3 model). Such a setup was designed to satisfy the CFTC’s requirements regarding delivery whilst providing user security due to the multi-signature setup and allowing for the transaction automation

Bitfinex’s setup was vulnerable due to this automation of withdrawals. Whilst at this point it is unknown how, somehow the attacker was able to gain access to Bitfinex’s private key. With this key, the attacker could sign withdrawals with BitFinex’s key. Due to a specific arrangement between the two companies, BitGo would automatically sign off on all transactions signed by BitFinex’s key. Therefore all the attacker had to do was to initiate a large number of withdrawals, sign off with the Bitfinex private key, and BitGo would fulfill the 2-of-3 multi-signature requirement by automatically signing off on those transactions. By the time the breach was detected, some 36.067% of holdings had been lost.

Impact of Bitfinex attack

The impact of such an a security breach was immediate. On the market, the price of Bitcoin fell close to 20%, to as low as USD$480 in reaction to the announcement of a security breach. Bitfinex had to go down for a number of days in order to determine the extent of the loss, coming back online a week after the attack itself had occurred. Deposits and withdrawals were also disabled, preventing users from being able to access their funds stored on Bitfinex, regardless of whether those funds were denominated in Bitcoin, USD, or some other cryptocurrency. The most potentially large reaching consequence though of the attack is the decision by Bitfinex management to give all users, and not just those users who had lost their Bitcoin, a haircut (a reduction in assets) equivalent to the amount lost, 36.067%. This loss would be given in the form of a new coin called BFX, representing monies owed by Bitfinex to users and would be tradable on exchanges. What the consequences are of such a decision remain to be seen. However, it is clear that despite bearing the brunt of the losses, users have had little to no say in how Bitfinex management have decided to manage the situation.

Concluding thoughts

It is clear that the centralisation of trading cryptocurrencies has created a significant point of weakness. Whilst centralisation brings with it ease-of-use and technical support, it also provides a target-rich environment for those with malicious intent. That these exchanges are privately run and are often with little to no governmental oversight means a significant conflict-of-interest situation can occur during incidents such as these as management grapples with the need to balance shareholder and creditor interests with that of users. Whilst decentralised exchanges in a peer-to-peer format such as Shapeshift and Bitsquare are still being developed, this event proves how much the world of cryptocurrency needs them.

Matthew Mills researches cryptocurrencies and blockchain based applications at the University of Sydney. He is also a director at Liberté & Co and holds investments in Bitcoin and Ethereum. If you have any questions, or would like to get in touch, email him at mm@theliberte.co