Since yesterday's $61 million bitcoin hack of Bitfinex, many within the bitcoin community have been looking into the exchange to figure out exactly what happened, and details about the exchange's history have emerged that were never released until today.
Launched in beta testing in October 2012, Bitfinex had a rocky start. The exchange started off as a spin-off of the exchange code of Bitcoinica. At the time, bitcoin developer Amir Taaki (contributor to Dark Wallet and Open Bazaar) leaked the Bitcoinica source code after being hired as a security consultant.
This caused the loss of thousands of bitcoin, since the source code contained the Bitcoinica-Mt. Gox API key, which was subsequently used to steal funds from the exchange. Bitcoinica was developed by Ryan Zhou (Zhou Tong), a then-16-year-old Hong Kong-based programmer, who later co-founded CoinJar.
Since the Bitfinex code was primarily based on Bitcoinica, people were finding old Bitcoinica exploits in the exchange's code from the start. As the exchange became more popular, it matured and outgrew its early days, and a lot of the old Bitcoinica code was left behind. Early on, Bitfinex also included Bitstamp's orderbook for liquidity purposes, which they eventually did away with.
During this time, it wasn't known that Bitfinex was continuing to use Mt. Gox, nor was the extent of their relationship known. In 2013, Mt. Gox, although experiencing some problems of its own, was dominating the bitcoin exchange ecosystem.
And today we learned a new piece of history in regards to Bitfinex and Mt. Gox.
According to Tuur Demeester, an economist and investor, back in 2013 Bitfinex was holding half of their funds on the Mt. Gox exchange. In a leaked email from Demeester, he shows a conversation with the founder of Bitfinex, Raphael Nicolle.
The email shows an exchange between the two discussing the ratio of Bitfinex funds in cold storage versus online storage (hot wallet). The response from Nicolle is shocking. He wrote,
“We do not have any online storage, we use a read-only wallet, which allows the system to track bitcoin deposit while preventing any hacker to spend the funds in case they access it. We have half of our funds on our Mtgox account, which is secured by OTP authentication.”
The email leaked today clearly shows that Bitfinex was using Mt. Gox as its hot wallet for 50% of its funds. We know now that in February 2014 Mt. Gox imploded and shut down, taking millions of dollars of funds along with it.
It's unclear whether Bitfinex still had 50% of its funds on Mt. Gox at the time of the collapse, but it's fully plausible that Bitfinex lost a considerable amount of funds when Mt. Gox shut down. If this is the case, Bitfinex may have begun running a fractional exchange as far back as 2014.
Demeester says that he never released this information until now because at the time he felt most bitcoin exchanges were “amateur,” and he must not have felt it would have been harmful; in retrospect he wishes he had spoken out about it.
In November 2014, Bitfinex announced that it was overhauling the back-end of its trading exchange through a new partnership with AlphaPoint, a white label exchange services provider. And in May 2015, the exchange suffered its first hack, which resulted in the loss of only 0.5% of total funds. The total amount stolen was 1,581 BTC, which at the time was valued at $373,436.
Within just a few weeks, Bitfinex announced its partnership with BitGo, unveiling a new settlement and security architecture which offered complete segregation of all customer bitcoins.
“The era of commingling customer Bitcoin and all of the associated security exposures is over,” said Zane Tackett, Director of Community and Product Development at Bitfinex.
Unfortunately, with yesterday's news of the Bitfinex hack, questions have arisen about how Bitfinex was using the BitGo implementation to secure customer funds. It's quite possible that Bitfinex and BitGo were blindly signing each transaction without any sort of checks or fail-safe, but the exact vulnerability that was exploited in the hack is unclear at this time.
Some are stating that after the CFTC fined Bitfinex, the exchange had to change the configuration of its BitGo multisig setup, which may have opened it up to a vulnerability.
In the meantime, Bitfinex has issued another update on the status of the exchange post-hack. In the newest update, they stated:
We are currently in an ongoing process of restoring limited functionality in a secure environment, with full functionality coming afterwards in progressive stages. The first step is bringing the site online and allowing users to login and view the state of their accounts. Note that initially trading, deposits, withdrawals, and other core site functionality will be disabled.
To accommodate the relaunch, all withdrawals, open orders, and open funding offers will be canceled. Furthermore, in order to compute losses for relevant parties, settlement must occur in the affected accounts. Margin positions for all pairs will be settled and closed using the following prices, representing the midpoint of the bid and ask on August 2, 2016 at 18:00:00 UTC.