Bitcoin exchanges can’t stop getting hacked, no matter what security system they use

This could pop at anytime.
This could pop at anytime.
Image: Reuters/Lucas Jackson
We may earn a commission from links on this page.

The history of bitcoin is littered with spectacular digital heists. The $65 million heist at the Bitfinex exchange on Aug. 2 is just the latest in a series of virtual robberies. One thing that sets this episode apart is the fact that the exchange had come under regulatory scrutiny before, and changed some of its systems to keep officials happy. Some in the bitcoin community are saying that it’s these changes that made Bitfinex vulnerable to a security breach, creating the awkward possibility that government scrutiny weakened, rather than strengthened, consumer protections.

In June, Bitfinex was fined $75,000 by the US Commodity Futures Trading Commission (CFTC) for breaking rules about margin financing for commodities. Bitfinex had a system where users could borrow coins from other users to magnify their trades. But in order for that system to stay onside with the CFTC’s rules, Bitfinex would have to prove that it “actually delivered” those borrowed funds to the user. The CFTC found that Bitfinex didn’t do this. Instead, it technically retained control of the coins meant for lending, even while it credited those funds in the users’ margin financing accounts.

Bitfinex’s procedures didn’t cheat any margin-financing customers. It was just a common way of managing the risk of storing bitcoins while still making them available to perform the thousands of transactions required of a high-volume exchange. Bitfinex kept those funds in one pool, or an “omnibus settlement wallet,” in the CFTC’s terms. The exchange would credit and debit the appropriate funds from that wallet, which was under its control. Most of the funds in this big pool were kept offline in “cold storage” to reduce the risk of being hacked, the usual practice among exchanges.

Bitfinex moved away from the omnibus wallet method in August 2015. Under the new system, customer funds were separated and kept in individually labeled wallets for each customer. These wallets were “multi-signature,” which meant they came with more than one private key to access them. Bitfinex held two keys, while the multi-sig security provider, a company called BitGo, held a third. It was more secure, in theory, because both parties had to approve a transaction before it could go through.

Weeks after moving to the new system, Bitfinex heard that the CFTC was investigating its practices, and got in touch with the regulator to offer its cooperation, according to the agency (pdf). Of course, the new system meant that Bitfinex could make a stronger case that it was “actually delivering” funds to its customers. Ultimately, however, the CFTC decided that the new system didn’t put the exchange in the clear, leading to the fine.

Damned if you do…

The bitcoin world has singled out Bitfinex’s attempt to be compliant with financial rules as a move that weakened its defenses. “Cold storage would have been a far more reasonable option,” said Emin Gün Sirer, a Cornell computer scientist who specializes in cryptocurrencies. “Regulators ruled that option out.”

Sirer is not alone in pointing out the deficiencies with Bitfinex’s attempt at compliance. Here’s another example, from noted bitcoin advocate Andreas Antonopoulos:

The system that Bitfinex put in place was also adopted by other popular exchanges, like Kraken and BitStamp. While details of precisely how the Bitfinex hack took place are scarce, BitGo, the firm behind the multi-sig system, has said its servers were not compromised. The other exchanges using BitGo’s system have also remained secure so far.

The possibility exists, then, that the problem was not the multi-sig system, but Bitfinex’s specific implementation of that system. As Sirer points out, multi-sig only works when signers are independent of one another. In the Bitfinex scenario, its vendor, BitGo, was the co-signer. “One of the co-signers is working at the behest of the other, the exchange. So there is a single point of vulnerability,” he said.

Sirer has proposed a security fix that would allow victims of theft to claw their funds back. He calls it a bitcoin “vault,” and he and other researchers at Cornell have built a working prototype. But the bitcoin protocol itself has to be changed in order for it work, which seems like long shot, given that the community of developers is riven by a long-running conflict over how best to increase the digital currency’s transaction capacity.

The history of bitcoin exchanges is Darwinian, marked by abrupt failures triggered by security breaches. If you run a big bitcoin exchange, it’s usually a question of when, not if, your defenses will be breached.

Bitfinex’s suspension in the wake of the heist means that the position of the world’s biggest bitcoin-US dollar exchange is up for grabs once again. Bitfinex came to occupy that position after another exchange, Bitstamp, once the biggest marketplace for this type of trading, was itself hacked in early 2015. And Bitstamp came to prominence in the wake of the failure of Mt. Gox, once a pillar of the crypto economy.

For bitcoin’s traders, it’s just another day in the markets. The digital currency plunged some 14% when the Bitfinex hack was revealed. But it has recovered most of those losses since, rising steadily in the meantime. The price of the cryptocurrency is now trading at just 5% below pre-hack levels, according to the widely used price index from CoinDesk.