News about Bitcoin theft from Bitfinex exchange

Rage Review : Bitfinex, one of the world's largest digital currency exchanges, was hacked, and the loss of a large amount of Bitcoin was caused. The website was immediately offline, and the price of Bitcoin plummeted. We can easily see these direct impacts, but there is no conclusion yet on the cause of this huge incident and who should be held responsible. Among them, more attention is paid to whether BitGo's technology has loopholes, whether other exchanges will be affected, and why the previous CFTC investigation ended hastily. The specific situation may require further investigation to know.

Translation: Annie_Xu

On August 2, Bitfinex, one of the world’s largest digital currency exchanges, was hacked, losing more than $60 million in Bitcoin; almost 24 hours later, it’s still unclear what happened.

The only certainty is that it has a huge impact.

The theft of Bitcoin from Bitfinex is the largest since the infamous Japanese exchange Mt Gox lost 744,408 Bitcoins worth $350 million in 2014, and the exchange was subsequently temporarily taken offline.

The amount of bitcoins stolen this time is 18% of Mt Gox, totaling 119,756.

This has caused great confusion and frustration among market traders and observers.

The people familiar with the matter declined to say whether the amount disclosed was the total loss, and the exchange did not announce the results of its internal investigation.

The following is a summary of information about this event.

What we already know

Multi-signature accounts are affected.

The source of the breach may be that Bitfinex uses account and bitcoin wallet provider BitGo as an additional layer of customer transaction security.

News in 2015 revealed that BitGo and Bitfinex had jointly developed a system where the keys to a multi-signature wallet were distributed to multiple holders to prevent risk, while each customer held the wallet.

This is what the exchange said at the time:

“The days of associating customer Bitcoin with all the associated security vulnerabilities are over.”

This showed that the company was trying to replace the standard process commonly used by exchanges at the time, and did not want to spread customer funds among large network wallets or connect to hot wallets in order to meet liquidity requirements.

Each Bitfinex user holds a set of keys. The exchange holds two of the three keys (including offline keys), and BitGo uses the remaining one to jointly sign transactions.

To withdraw such a large amount of funds, BitGo had to sign a trading halt.

Bitfinex customers lose a lot

While the full extent of everyone’s losses is unclear, there are signs that the smaller bitcoin trading community has been significantly impacted.

Hours after news of the theft broke, community members took to Twitter and Reddit to report that their accounts had been wiped.

Even though the system is set up with two-factor authentication, using an additional device like a cellphone to provide an extra layer of encryption, some users are angry.

On the other hand, the exchange said that the funds transferred after the hacker attack are safe, but the exchange still did not say how or when withdrawals will be arranged.

Bitcoin price drops sharply

The immediate impact of the Bitfinex hack was seen in the price of Bitcoin, which plunged nearly 20% after the news was released, remaining below $480 before recovering.

Bitfinex remains offline

Bitfinex is still offline and has released a message saying that users can still see the attack.

The company is trying to put a website online so users can check their balances to see if their accounts have been emptied.

What we don't know

Who should be held responsible?

The amount of money stolen this time was so large that the community began looking for scapegoats.

Naturally, Bitfinex has become the most prominent target because it holds the largest number of keys for multi-signature account funds. Some people are also discussing whether this incident exposed BitGo’s vulnerabilities.

The day before, BitGo stated on social media that an internal investigation showed that the company had no server vulnerabilities.

However, observers accused the company of “blindly signing” withdrawal requests for nearly 120,000 bitcoins, wondering why no countermeasures were put in place beforehand.

Based on the trading volume of only 600,000 bitcoins in 30 days, the amount stolen by hackers is only one-sixth of the exchange's monthly trading volume.

When can the authorized capital be withdrawn?

The biggest concern for customers is what happens to non-bitcoin deposits. After news of the hack broke, Bitfinex said only bitcoin funds were affected.

Many customers have taken to social media to discuss when they can withdraw or check the funds.

The answer may be revealed soon. However, Zane Tackett, a representative of the exchange who is responsible for answering questions on the social media platform, said that there will be several more system updates in the future.

Are other exchanges affected?

Some market observers immediately began to speculate whether the incident would affect other exchanges that use Bitfinex's services.

It is well known that Bitfinex offers an API and exchanges have used it before, although the initial end market was mainly traders and brokers.

The 2015 Bitstamp hack also exposed this problem, when interconnected exchanges, merchants and ATM providers all experienced service outages simultaneously.

It is not yet known whether small exchanges are affected.

However, exchanges Bitstamp and Kraken noted that they implemented BitGo’s multi-signature technology differently than Bitfinex.

Vasja Zupan, head of business development at Bitstamp, said:

“Now I can say that the way Bitstamp implements BitGo’s multi-signature technology is different from Bitfinex.”

Kraken CEO Jesse Powell also said in an email that he could not provide details of the exchange's security measures, but even if Bitfinex had a vulnerability, "we are confident in our configuration."

Is BitGo’s business model risky?

Whether or not BitGo has problems, it risks losing the support of public opinion.

It is reported that BitGo's business model is mainly to charge service fees to corporate customers, and Bitcoin exchanges are the company's main target market.

The exchange’s main representative said the incident raised concerns about the security of the multi-signature model and that the vulnerability could delay upgrade plans. However, the exchange’s implementation plan for BitGo’s technology shows that some of the service’s customers currently have no plans to make any changes.

Is it the CFTC’s fault?

Earlier this year, Bitfinex coordinated with the US Commodity Futures Trading Commission (CFTC) on suspected trading violations. In the end, the exchange paid US$75,000 to settle the matter, but did not directly respond to the allegations.

At the time, the CFTC said the exchange controlled the private keys for bitcoins tied to user funds used to finance the trades. The agency’s view is that those bitcoins were not transferred after the trades but were still controlled by Bitfinex.

After the Bitfinex hack, some critics pointed out that the language used in the CFTC’s previous coordination plan created ideal conditions for theft and prevented Bitfinex from keeping customer funds in cold storage.

However, some supporters believe that the CFTC is not to blame, pointing out that multi-signature is just one of a number of security schemes, so it is inevitable that there will be loopholes or failures.

News materials from last year also showed that Bitfinex’s collaboration with BitGo preceded the CFTC investigation.