On 27December 2019 12:00:05 UTC, BitMEX will update its index weights.
From today, the hypothetical values of the indices with the new weights will be published as the “NEXT” index family (Eg .BXBT_NEXT).
As of 27 December 2019 at 12:00:05 UTC, assuming no constituent exchanges have been excluded due to Index Protection Rules, BitMEX index weights will be:
Abstract: We test the performance of Bitcoin Core by successfully conducting 35 initial block downloads (IBDs) and recording the amount of time the node takes to synchronize with the network. We used software releases in the period spanning from 2012 to 2019. The results show a considerable and consistent improvement in the performance of the software, but also a high degree of variance. Even with the latest computer hardware, older versions of Bitcoin struggled to get past the pickup in transaction volume which occured in the 2015 to 2016 period. Therefore we conclude that without the software enhancements, an initial synchronization today could be almost impossible.
Figure 1 – Bitcoin Initial Block Download Time (Days) – Average Of 3 Attempts
(Source: BitMEX Research) (Notes: Synchronization up to block 602,707. Further details in the notes below)
Overview
To test the performance of Bitcoin Core during the initial synchronization, we successfully conducted 35 initial block downloads (IBDs) and recorded the amount of time each attempt took. The results are shown in Figure 1 above and illustrate that there was a significant improvement in speed when Bitcoin Core 0.12.0 was released in February 2016, due to the upgrade from OpenSSL to libsecp256k1 for signature verification. Libsecp256k1 was built specifically for Bitcoin. Since then, the improvements in speed were much slower and due to the high variance in IBD times, the improvements are only clearly visible after multiple attempts. However, even after Bitcoin Core 0.12.0 was released in February 2016, a small gradual improvement in performance is still visible after each software release from Bitcoin Core 0.13.0 to Bitcoin Core 0.19.0.1.
Of course, IBD time is only one metric, and there are plenty of other angles and considerations that one can use to evaluate the performance and capabilities of Bitcoin Core. While the IBD time may not be the perfect or complete measure of overall software performance, it is highly resource-intensive and therefore potentially a good metric to benchmark.
This report follows on from two previous experiments:
In November 2018 Jameson Lopp conducted a similar exercise, however that analysis focused on independent implementations, while this analysis focuses on older versions of Bitcoin Core (or just “Bitcoin”, as some of the older software pre-dates the name “Bitcoin Core”).
Sjors Provoost also conducted this experiment in July 2017, although Sjors provided data for fewer synchronization attempts.
Full Results and Raw Data
Figure 2 – Bitcoin Initial Block Download Time (Days)
(Source: BitMEX Research) (Notes: Synchronization up to block 602,707, further details in the notes below)
System Specification & Other Notes
MacBook Pro (64 bit)
Linux VPS (64 bit)
OS
macOS Mojave (10.14)
Ubuntu 18.04.3
Processor
6 Core Intel i9 2.9GHz
8 Core Intel Xeon
Memory
32GB
32GB
Storage
1 TB Flash Storage
640GB Flash Storage
Internet Downstream Bandwidth
62Mb/s
2,000Mb/s
Internet Upstream Bandwidth
20Mb/s
400Mb/s
IBD ended at height
602,707
602,707
Bitcoin.conf settings
assumevalid=0
dbcache=24000
maxmempool=500
Full Table of Results
Client
Client release date
Sync Time (Hours)
Machine
Bitcoin Core 0.19.0.1
24/11/2019
11.4
MacBook Pro
Bitcoin Core 0.18.1
20/07/2019
10.4
MacBook Pro
Bitcoin Core 0.17.0
03/10/2018
17.7
MacBook Pro
Bitcoin Core 0.16.0
28/02/2018
18.5
MacBook Pro
Bitcoin Core 0.15.0
14/07/2017
21.1
MacBook Pro
Bitcoin Core 0.14.0
08/03/2017
16.4
MacBook Pro
Bitcoin Core 0.13.0
17/08/2016
24.7
MacBook Pro
Bitcoin Core 0.12.0
17/02/2016
15.8
MacBook Pro
Bitcoin Core 0.11.2
10/11/2015
53.3
MacBook Pro
Bitcoin Core 0.10.0
12/02/2015
81.2
MacBook Pro
Bitcoin Core 0.9.0
18/03/2014
85.1
MacBook Pro
Bitcoin Core 0.8.6
09/12/2013
Abandoned
MacBook Pro
Bitcoin Core 0.19.0.1
24/11/2019
13.6
Linux
Bitcoin Core 0.18.1
20/07/2019
15.9
Linux
Bitcoin Core 0.17.0
03/10/2018
13.3
Linux
Bitcoin Core 0.16.0
28/02/2018
18.8
Linux
Bitcoin Core 0.15.0
14/07/2017
17.9
Linux
Bitcoin Core 0.14.0
08/03/2017
25.1
Linux
Bitcoin Core 0.13.0
17/08/2016
15.8
Linux
Bitcoin Core 0.12.0
17/02/2016
14.8
Linux
Bitcoin Core 0.11.2
10/11/2015
46.0
Linux
Bitcoin Core 0.10.0
12/02/2015
77.2
Linux
Bitcoin Core 0.9.0
18/03/2014
78.9
Linux
Bitcoin Core 0.8.6
09/12/2013
98.5
Linux
Bitcoin Core 0.19.0.1
24/11/2019
14.0
Linux
Bitcoin Core 0.18.1
20/07/2019
13.7
Linux
Bitcoin Core 0.17.0
03/10/2018
16.0
Linux
Bitcoin Core 0.16.0
28/02/2018
18.2
Linux
Bitcoin Core 0.15.0
14/07/2017
17.9
Linux
Bitcoin Core 0.14.0
08/03/2017
17.0
Linux
Bitcoin Core 0.13.0
17/08/2016
21.9
Linux
Bitcoin Core 0.12.0
17/02/2016
17.1
Linux
Bitcoin Core 0.11.2
10/11/2015
44.1
Linux
Bitcoin Core 0.10.0
12/02/2015
82.2
Linux
Bitcoin Core 0.9.0
18/03/2014
82.1
Linux
Bitcoin Core 0.8.6
09/12/2013
72.6
Linux
(Source: BitMEX Research)
Analysis of the Results
As Figure 2 above illustrates, even when conducting the IBD with the same software and with a machine with the same specification, there is considerable variance in the reported times.
Figure 3 – IBD time vs Client Release Date (Days) – Average Time of 3 Attempts
(Source: BitMEX Research) (Note: For the Bitcoin 0.8.6 client, the results above are an average of only 2 attempts)
Figure 3 above indicates that the performance of the software improved incrementally with each software release, with the exception of the strong performance of Bitcoin Core 0.12.0. However, despite the apparent clear trend in the above chart, the large variance and in IBD times on each attempt could indicate there is considerable uncertainty. One may need more sample data before drawing strong conclusions about improvements in performance since 2016. It is possible the variation is primarily caused by issues in the Bitcoin P2P network or the internet connection and therefore a good area of further study may be to compare the re-scan speed, the time taken to fully verify the blockchain once it has already been downloaded.
Bitcoin Core 0.12.0 performs well in the above analysis. This may be because Bitcoin Core 0.12.0 has libsecp256k enabled, but does not validate signatures for transaction inputs where the witness is segregated (Segregated Witness). Therefore Bitcoin Core 0.12.0 does not validate all the signatures in the blockchain post August 2017, giving the client somewhat of an “unfair advantage”. However this advantage may also apply to Bitcoin Core 0.13.0, despite this node not appearing to be an outlier. Of course all the versions prior to Bitcoin Core 0.12.0 have that same “unfair” advantage, but this is dwarfed by the disadvantages of using OpenSSL.
Syncing The Client Up To Its Release Date
The below chart (Figure 4) illustrates the time it takes to synchronize a client, up until the block height on the date the software was released.
Figure 4 – IBD Time Up To Client Release Date (Days)
(Source: BitMEX Research) (Note: Data for the nodes running on Linux only. Bitcoin Core 0.19.0.1 only synced up to height 602,707)
The chart shows that the trend was reasonably flat from Bitcoin Core 0.8.6 to Bitcoin Core 0.14.0, at that point the scalability improvements could not match the impact of time progressing and the blockchain increasing in height, and the chart shows an upward trend. Unfortunately the rate of software improvement has been reduced in recent years, perhaps as the low-hanging fruit improvements have already been made. Higher transaction volume may have also contributed to this. Future scalability improvements may be a lot more challenging, and even if the 4 million unit blockweight limit is maintained, IBD times may continue to increase going forwards, despite further software upgrades and moderate increases in hardware performance.
The Failed IBD Attempts
We did successfully compile and run versions of Bitcoin prior to 0.8.6, however, the synchronization became slow when the node reached the 2015 to 2016 period. The pre-0.8.6 nodes, such as 0.7.0, did successfully get past the apparent hardfork in 2013, by manually changing the lock limit, however 2015 proved too challenging due to the increased transaction volume, and the node stopped processing blocks. We tried restarting the node, which did help push it forwards, but then it only got stuck again. We then even tried running Bitcoin Core 0.7.0 on our brand new local machine, with 64 GB of RAM and 8 Intel i9 processors, however the node was still unable to get past 2016. With many of the scaling parameters involved being non-linear, one cannot simply throw more hardware at the problem.
On occasions when the nodes got stuck on a block and we re-started, we abandoned the synchronization after 4 restart attempts. For Bitcoin Core 0.8.6 on the MacBook Pro, the synchronization was abandoned when the leading block was in 2016. Although this is slightly disappointing, no restarts were required for the remaining 35 successful synchronizations.
Conclusion
Other than the fact that the BitMEX IT department should be more cautious when issuing BitMEX Research with MacBook Pros, the data illustrates the significant scalability enhancements which have been delivered over the last seven years. The transition to libsecp256k being the most significant improvement. The large reductions in IBD times and the inability of old nodes to fully synchronize indicates that if it were not for these scalability enhancements, by now Bitcoin would be essentially dead, even if users had the highest specification hardware available. The data also shows that technological innovation is unlikely to keep up with the growing blockchain going forward and that IBD times will increase.
Effective 28 November 2019 at 02:00 UTC, BitMEX will temporarily remove Binance from its .BBCHXBT index in response to Binance’s scheduled symbol change. This Binance symbol change is expected to take 8 hours and will affect the BitMEX .BBCHXBT index only. Binance will be reintroduced as a constituent of .BBCHXBT once trading on Binance has resumed.
If you have any further questions, please contact Support via our contact form.
Between 21:30 UTC 25 November 2019 and 07:05 UTC 26 November 2019 the Websocket API was running with degraded capacity. This resulted in slightly more latent feeds during this time and some isolated occurrences of substantial lag during traffic spikes correlated with large market moves.
The issue was identified when latency thresholds were breached in our automated monitoring systems around 06:55 UTC. From 07:05 the issue was resolved and full capacity was restored. We continue to monitor the impacted services closely.
The issue was caused by incorrect CPU pinning following a release of a market data distribution component at 21:30 UTC 25 November 2019. The impact of this was only observed during large traffic spikes which occurred several hours later and so was not identified during the post release checks at the time. The configuration of this service has been corrected and the deployment tested to prevent this from happening again.
We apologise for any inconvenience this may have caused. If you have any further questions, please contact Support via our contact form.
We are rolling out reduced fees and rebates on ETHZ19 between 29 November 2019 12:00:05 UTC and 27 December 2019 12:00 UTC.
During this period, maker fees will be -0.025% and taker fees will be 0.075% for all trades on ETHZ19 only.
When the ETHH20 contract is listed, it will have a maker fee of -0.05% and a taker fee of 0.25%. For more information you can visit our updated Fees page here.
Thanks for your continued support!
If you have any further questions, please contact Support via our contact form.
Abstract: In this report we examine Benford’s law, a mathematical rule which describes the frequency of the leading digit in various real world sequences of numbers. We look at various datasets from the cryptocurrency ecosystem, such as coin prices and trading volume data. We explain that this mathematical concept should not be looked at in isolation and that a strong understanding of the underlying economics is necessary to draw strong conclusions. We note that for a minority of trading platforms, notably OKEX and HitBTC, the reported trading volume figures appear to result in a distribution which does not follow Benford’s law. However, this pattern does not imply inappropriate manipulation of the data and there are many potential legitimate explanations for the unexpected distributions.
(Ben Affleck explaining to Anna Kendrick the abnormally high occurrence of the digit 3, potentially indicating financial fraud, in the 2016 Hollywood movie “The Accountant”. Screen captured 41 minutes and 40 seconds into the film)
Overview of Benford’s law
Benford’s law concerns the frequency distribution of the first digit from various real world sequences of numbers. One might think that the frequency distribution of the first digit in most scenarios would be 11.1% (i.e. 11.1% for 1, 11.1% for 2, 11.1% for 3, ect ) and this is indeed the case in many scenarios, for instance a random number generator should result in such a frequency distribution. However, there are some real world scenarios in physics, geology, biology, chemistry, architecture, demographics, finance, business or other fields, where a different frequency distribution is observed, one matching the chart below, where 1 is the most common (occurring 30.1% of the time), followed by 2, etc.
Frequency distribution of the first digit in an exponentially growing geometric series
(Source: BitMEX Research) (Note: The geometric series starts at the number 1, grows by 2% each interaction and contains 5,000 numbers)
Justifying exactly why the above phenomenon is observed can be challenging and there does not appear to be a concise explanation applicable in all scenarios. The major characteristic necessary in order to observe Benford’s law appears to be that the data must span across several orders of magnitude.
In our view, good way of explaining the phenomenon is by considering a basic geometric series. For instance, consider a geometric series of numbers, growing by 10% each iteration. When the series has reached the level of 24 (40% of the way through the twenties), the next number in the series is 26.4, still well within the twenties, with 2 as the leading digit. If the geometric series is at 84 (40% of the way through the eighties), the next number in the sequence is 92.4 and the leading digit has changed from 8 to 9. This shows how some series, which could occur for instance in finance or nature, result in the observation where lower value leading digits are more common than higher value digits.
Applying Benford’s Law to Business and Finance
Before joining BitMEX Research, many of the team used to work as investment analysts or portfolio managers covering equities. Back in 2015, inspired by a paper from the Association of Certified Fraud Examiners, a colleague proposed that we could use Benford’s law as a tool to look for financial fraud in reported financial statements. The theory was that if corporate financials accurately reflected the real world, the numbers should follow Benford’s law, however if they had been nefariously manipulated or generated randomly, the numbers should deviate significantly from Benford’s law, which could be a flag for financial fraud. However, as the below scenarios illustrate, it may not be as simple as that.
Consider the following two somewhat contrived examples:
Example 1 – Analysing the sales of a high-growth American technology company – Google
The Amercian internet conglomerate Google [GOOGL US] generated sales of only around $200,000 in 1999. The company grew significantly over the last 20 years and today has sales of over $100 billion. Google’s sales therefore spanned many orders of magnitude and Benford’s law may be appropriate to analyse the group’s financial metrics.
Example 2 – Analysing the sales of a low-growth Japanese utility company – Hokkaido Electric
The Japanese hydroelectric, thermal and nuclear power generating company Hokkaido Electric Power [9509 JP] had sales Y752 billion in financial year ended March 2019. While 25 years ago, the company had sales of Y544 billion and at no point in the last 25 years did sales leave the Y500 billion to Y800 billion range. The leading digit of the company’s annual revenue figure was either 5, 6 or 7 in each of the last 25 years, certainly not following Benford’s law. This is not necessarily an indication of fraud or other financial impropriety, it may merely indicate the company’s conservative nature, low population growth in Japan, a low-growth economic backdrop and Japan’s relatively low inflation rate.
Frequency distribution of the leading digit
Leading Digit
Benford Model
Google Sales (1999 to 2019)
Hokkaido Electric Sales (1995 to 2019)
1
30.1%
33.3%
0.0%
2
17.6%
19.0%
0.0%
3
12.5%
9.5%
0.0%
4
9.7%
9.5%
0.0%
5
7.9%
4.8%
72.0%
6
6.7%
9.5%
12.0%
7
5.8%
4.8%
16.0%
8
5.1%
4.8%
0.0%
9
4.5%
4.8%
0.0%
(Source: BitMEX Research) (Note: Google sales are in US$ while Hokkaido Electric’s sales are in Japanese yen)
The purpose of the above examples is to illustrate that one cannot blindly apply Benford’s Law to financial analysis. In order to conduct this analysis effectively, one may need both a strong understanding of mathematics and the underlying economics of the businesses in question. In our view, infering stong conclusions about the operations of financial markets based on statistical or mathematical analysis, without a strong enough understanding of the assumptions and principles behind the mathematics and how they apply to finance, is a mistake made too often, particularly by macro economists and econometricians. We are keen not to repeat this error in this report.
When we analysed our equity portfolios using Benford’s law, we were able to detect that stocks in certain sectors, such as technology, biotech or commodities often followed Benford’s law, while the picture was more mixed when looking at more stable sectors like food, utilities, retail or construction. When conducting a basic analysis of stocks, its possible Benford’s law is more a measure of volatility or growth than of any nefarious manipulation of the figures.
While Benford’s law may be considered a tool to flag potential fraud, it certainly does not provide proof of it. In this report, we will not to fall into the trap of overestimating the power of Benford’s law as a method of detecting fraud when evaluating the cryptocurrency space.
Cryptocurrency Prices
Below we have applied the Benford analysis to cryptocurrency prices. In general the results show that cryptocurrency price movements do follow Benford’s law.
Frequency Distribution of the Leading Digit of Coin Daily Percentage Price Changes – 12 Months ended November 2019
(Source: BitMEX Research, Coinmarketcap)
When looking at the square root at the sum of the squared differences from the Benford model, Stellar, Bitcoin Cash and Litecoin have the highest deviation, while Ethereum and Ripple have the lowest deviation. It should be considered highly unlikely that this is evidence of price manipulation in Stellar, Bitcoin Cash and Litecoin, for several reasons:
All the coins follow Benford’s model reasonably closely and some deviation is expected given randomness
A lower deviation may simply indicate the coin price is more volatile, therefore the percentage price changes are more likely to move across orders of magnitude,
One year’s worth of price data may be too short to draw appropriate conclusions (for example, the longer the time horizon for the Bitcoin price, the more closely the distribution follows Benford’s law)
Other factors we have not considered could be driving the deviations
Cryptocurrency Trading Platforms
After looking at the coins, we moved our analysis on to cryptocurrency trading platforms, by looking at the daily trading volume of the USD vs BTC trading pair. The results here are more interesting and the deviations are more significant. Most of the platforms in our sample set follow Benford’s distribution reasonably closely, but with a few notable exceptions such as BitForex, HitBTC and OKEX.
Frequency Distribution of the Leading Digit of Cryptocurrency trading platform daily BTC vs USD daily trading volume
(Source: BitMEX Research, Investing.com) (Notes: Daily trading volume since 12 December 2018.)
Results Table – Frequency Distribution of the Leading Digit of Cryptocurrency trading platform daily BTC vs USD daily trading volume
(Source: BitMEX Research, Investing.com) (Notes: Daily trading volume since 12 December 2018.)
Square root of the sum of the square differences from the Benford distribution
(Source: BitMEX Research, Investing.com) (Notes: Daily trading volume since 12 December 2018. BTC vs USD)
While the above deviations from Benford’s law do appear significant and potentially interesting, the same caveats apply as in the coin price section of this report. Namely, the distribution could be a measure of growth or volatility, the time periods may be too short or some other factors could be driving the deviations.
Conclusion
The conclusion to this piece is certainly not that Benford’s law proves that OKEX and HitBTC fake their trading volume numbers, or even that the analysis proves that Kraken and Bittrex don’t fake their numbers. As we explained above, there are many factors which could influence how closely the numbers follow the Benford distribution, many of which can be wholly legitimate, such as whether the platform was going through a period of strong growth or was in a more stable period. CryptoCompare’s exchange review takes a more holistic approach to evaluating exchanges, far more robust than merely applying one idiosyncratic mathematical concept. However, if one is already familiar with some of the economics and trends of the cryptocurrency trading platform space, this analysis may provide useful additional information.
BitMEX Research and Coin Metrics are happy to announce the release of txstats.com, the successor to P2SH.info, an independent project created by Coin Metrics’ Lead Data Engineer, Antoine Le Calvez.
Bitcoin stored by P2SH address type
(Screenshot from txstats.com)
Txstats.com is a collaboration between BitMEX Research and Coin Metrics with the aim of providing in-depth, high quality and timely information about how the Bitcoin network is used.
Txstats.com provides a series of dashboards centered around a specific element of Bitcoin transactions such as:
P2SH transaction statistics,
Multi-signature usage data,
SegWit transaction statistics,
Lightning Network channel data,
OP_Return statistics,
Bech32 adoption,
Replace by Fee usage,
Data related to the Block Size Debate,
Fee Estimation.
BitMEX Research and Coin Metrics intend for txstats.com to be dynamic and will add more statistics to the website based on community feedback. If you would like to see a new feature added to the site please feel free to let us know by emailing us at info@coinmetrics.io or by Tweeting @BitMEXResearch
We understand many of you are concerned about the email disclosure which happened over this weekend and no doubt have many questions.
Our teams across the world have been working around the clock to protect your account security and make sure we are back on course. Our support team has already assisted many of our users and we are continuing to establish contact with everyone. This is a staggered process, to ensure that the proper processes are all followed, the delivery is logistically smooth and that all underlying security concerns are appropriately covered. If you have not yet heard from us already, you will do very soon.
We would like to apologise unreservedly for the concern this has caused. Below contains further information about what happened, how we can assist you and some steps that you can take to improve your protection.
What happened?
On Friday, November 1 at 06:00 UTC, many of our users received an email which contained the email addresses of other users in the “To:” field. This was a general email update to our users about upcoming changes to the weighting of our indices. As a result, many BitMEX user email addresses, including a large number of inactive addresses, were disclosed to other users in small batches. No other information was disclosed.
BitMEX is a global business that sends emails to many different email providers. Email deliverability itself is a multi-layered problem, involving decades of work in building sender reputation systems and automatic spam filters. Unfortunately, this makes the job of large services such as BitMEX difficult at times: we only send mass emails to all users on rare occasions. We intend to keep a high signal-to-noise ratio, and only send emails when absolutely necessary.
The index change we published on 1 Nov was of sufficient importance – it will impact pricing of all of our products – that we felt it necessary to inform all our users about it. However, bulk mail sends such as this are a difficult and complex undertaking when it’s on a global scale, to all recipients. Some mail servers, especially the global arms of large brands like Yahoo and 163, have very tight controls that are often triggered when we send large amounts of mail. For system notifications such as withdrawals, password resets, and liquidations, it is imperative that the customer receives mail dependably.
To remedy this, we built an in-house system to handle the necessary rendering, translation, staging, and piecemeal (as not to trigger rate limits) sending of important email. BitMEX has not sent an email to every customer at once since 2017, and much has changed since then. When we initiated the send, it became clear that it would take upwards of 10 hours to complete, and there was a desire on the team to ensure users received the same material information on a more reasonable timescale.
To handle this, the tool was quickly rewritten to send single SendGrid API calls in batches of 1,000 addresses. Unfortunately, due to the time constraints, this was not put through our normal QA process. It was not immediately understood that the API call would create a literal concatenated “To:” field, leaking customer email addresses. As soon as we became aware, we immediately prevented further emails from being sent and have addressed the root cause. Since then we have been aiding all who have been affected as best we can and mitigating the damage to contain the leak.
BitMEX is a company that takes engineering seriously, and we are disappointed that this lapse in care has resulted in unwanted disclosure for our customers. We believe that processes, not engineers, are to blame for these failures. Our processes failed here. We are working around-the-clock to revamp them and to ensure that even the simplest-looking code changes are put under strict review.
Additionally, and unrelated to this action, the BitMEX Twitter account was accessed by an external individual. The account was back under BitMEX control within 6 minutes and re-secured, and the event is under security review.
Beyond email addresses, no personal or account information has been disclosed. At no point were any of our core systems at risk.
Who was affected?
Most BitMEX users were affected by this action. You can self-diagnose your exposure with the following steps:
If you received an email about the index change, and your email was the only one listed in the “To:” field, you were not affected.
If you received the index change email, and you saw multiple addresses in the To: field, you were affected.
If you did not receive an index change email, you may have been affected and we still recommend that you follow steps below to improve your protection online. While the system was cut-off before it completed entirely, many recipients began marking BitMEX emails as spam, understandably out of hope that it would stop further emails. This caused deliverability issues at some hosts, causing mail not to be delivered. Unfortunately, someone else in your batch may have received the email, exposing your email address.
The deliverability issues caused by the spam reporting caused some follow-up password resets to be delayed for several hours. Our operation teams remedied this by 06:00 UTC on Nov 2.
What are we doing to help?
After the discovery of the disclosure, BitMEX employees have since worked through the nights and days to reduce risk for users. We are aware that many users reuse email addresses across services. This, combined with a very human tendency to reuse passwords, meant that many of our users may have been at risk due to password hash dumps on other platforms, even ones unrelated to crypto.
For this reason, we took the following steps after we notified our users of the disclosure:
Our Security and Support teams began enhanced monitoring of access patterns to flag accounts with suspicious activity after the disclosure. This led to several account password resets and human review with Support.
At 13:00 UTC on the day of the email, we conducted additional checks during our usual human review of withdrawals. We identified criteria that could be indicative of a compromise given the circumstances. We cancelled requests from accounts that (i) did not have two-factor authentication, (ii) were withdrawing to a previously unseen Bitcoin address, (iii) were submitted with previously unseen new IP address, and (iv) were made after the email address disclosure had occurred. All other withdrawal requests were unaffected. These actions were taken in the interest of protecting our users and those affected have already been contacted.
As it became clear that several groups were working to collate BitMEX email addresses in order to attempt to compromise them, BitMEX engineers forced a password reset for all users with balances and without Two-Factor devices. Affected users were notified via email (after a thorough QA review and retrospective on the original bug).
BitMEX Support (contact here) is working shifts with extra agents, continuing to handle customer requests to change email addresses, answer questions, and provide security assessment and advice.
If you are concerned about your personal exposure, on BitMEX or on any other platform, the best thing you can do is to enable Two-Factor Authentication on all critical services. Start with your email address first. We have published advice on this topic, as have others, including this very helpful guide by Paul Stamatiou.
BitMEX engineering teams are working on new features to increase the number of security keys supported by the platform, to improve the signal of account notifications, and to give users more tools to avoid and contain account takeovers.
Do I need to do anything?
Although no-one’s personal information or account details beyond their email address were disclosed, as best practice, we recommend that you:
Please be vigilant against phishing attempts. Emails from BitMEX are sent from “support@bitmex.com” and “noreply@bitmex.com”. We recommend adding these addresses to your contacts list. We will never ask for your password.
Note that BitMEX will never ask you to transfer any funds. The only way to fund your BitMEX account is to send Bitcoin to your unique BitMEX deposit address. Your unique BitMEX deposit address will begin with “3BMEX” or “3BitMEX” and can be found on the deposit page of your BitMEX account.
Protect your account by using strong and unique passwords; enabling Two-Factor Authentication (2FA) for all of your accounts (both BitMEX and personal); and to use a password manager.
We want to reassure you that beyond email addresses, no personal or account information has been disclosed. At no point during this issue were any of our systems at risk, and they remain secure, as we continue to take measures to enhance our security. Your privacy and security remain our top priority.
In the meantime, if you need any immediate assistance, please contact Support via our contact form.
Earlier today, some of our users received an email which contained the email addresses of other users in the ‘to’ field. We apologise for the concern this communication may have caused. This was the result of a software error which has now been addressed.
BitMEX takes the privacy and security of our users very seriously. Rest assured that in this instance, beyond email addresses, no other personal data or account information have been disclosed and no further emails have been sent. The error which has caused this has been identified and fixed, ensuring our usual high standards of privacy are upheld.
We are continuing work to ensure this will not occur again in future, and will be introducing additional features to further protect our users. Further communications on this matter will be issued in due course.
In the meantime, please find below some immediate guidance which should be observed in order to ensure the continued safety of your account:
Please be aware of phishing attempts. Emails from BitMEX are sent from “support@bitmex.com” and “noreply@bitmex.com”. Please add these email addresses to your contacts list to ensure that these emails do not land in your spam folder. BitMEX will never ask for your password.
BitMEX will never ask you to transfer funds. The only way to fund your BitMEX account is to send bitcoin to your unique BitMEX deposit address. Your unique BitMEX deposit address will begin with “3BMEX” or “3BitMEX” and can be found on the deposit page of your BitMEX account.
Please take note our official BitMEX communications channels. These are our primary, official social media communications channels and only instructions provided via these avenues should be observed.
We would like to remind all of our users to please protect their accounts by using strong and unique passwords; enabling Two-Factor Authentication (2FA) for all of your accounts (both BitMEX and personal); and to use a password manager. Further advice can be found here.
We will continue to communicate updates on our blog. We take the security and privacy of our users very seriously and will take steps to ensure this does not occur again in future.
We are aware that some of our users have received a general user update email earlier today, which contained the email addresses of other users.
Our team have acted immediately to contain the issue and we are taking steps to understand the extent of the impact. Rest assured that we are doing everything we can to identify the root cause of the fault and we will be in touch with any users affected by the issue.
The privacy of our users is a top priority and we are very sorry for the concern this has caused to our users.
On 22 November 2019 at 12:00:05 UTC, BitMEX will update its indices across all products to ensure that the reference prices our users trade against more closely reflect the market consensus price of underlying assets. This will allow you to trade against data which is better optimised for fairness, robustness and accuracy.
We will achieve this by calculating index weights based on observed trading volumes across a broader set of index constituent exchanges. Volume data is obtained directly from each such exchange via API connection. This change could reduce the impact that movements on a single exchange that are contrary to the market consensus might have on your trading positions. Index calculations will continue to be transparent and easy to replicate.
The affected indices are .BXBT, .BETH, .BETHXBT, .BXRPXBT, .BBCHXBT, .BLTCXBT, .BEOSXBT, .BADAXBT and .BTRXXBT.
When the constituent of an index is updated, the related index price may change. This is why over the coming days we will be publishing BitMEX “NEXT”, a new family of indices that will run in parallel and reflect anticipated changes. BitMEX “NEXT” indices will not be used for valuation or settlement but by publishing them in advance, we hope to help our users better understand any differences before changes are applied to our indices during the 22 November 2019 switchover.
Please see below some Q&As on the upcoming changes.
How will the updated indices be more representative?
More exchanges: BitMEX is adding three new exchanges to its constituent universe to make a total of nine exchanges. This expanded set of exchanges will be reviewed periodically and updated in line with market developments. Through these additions, more data will be available to assist HDR Global Trading Limited (“HDR”), as the operator of BitMEX trading platform, in its determination of the true price of each relevant underlying asset, creating a more accurate and robust reference price for our users.
More constituents per index: Every constituent exchange is considered for inclusion in every index. This may lead to data from more constituent exchanges being used in an index resulting in increased price accuracy in relation to its underlying asset.
Weights based on observed trading volumes: Updated indices will reflect higher weights for exchanges with higher volumes. This approach will ensure that BitMEX index prices are more representative of the trade price per trade than per exchange.
How are the index prices calculated?
Each BitMEX index price is calculated as a weighted average of the Last Price for each constituent exchange. Index prices are calculated and published every 5 seconds.
How are the weights calculated?
For each index, BitMEX observes the traded volumes of the underlying asset, obtained directly via API connection, across each exchange in the constituent universe. Proprietary mechanisms are used to identify malformed and anomalous data, which is discarded. The BitMEX index weights are computed using this volume data with the calculation removing constituents with insufficient trade volume.
For the avoidance of doubt, and in accordance with BitMEX Terms of Service, HDR accepts no responsibility for the accuracy of any volume (or other) data received from any exchange and used to calculate the price of any BitMEX index and excludes all liability for any claimed losses arising in connection with its calculation and publication of any such index.
When are the weights updated?
Index weights will be updated on a quarterly basis. The initial index weights are shown in the table below. After this initial update, future index weights will be updated immediately after quarterly future expiries at 12:00:05 UTC. The updates to the weights will be announced three weeks in advance.
As of 22 November 2019 at 12:00:05 UTC, assuming no constituent exchanges have been excluded due to Index Protection Rules, BitMEX index weights will be:
Binance
Bitstamp
Bittrex
Coinbase
Gemini
Huobi
Itbit
Kraken
Poloniex
.BXBT
–
26.81%
–
44.44%
6.19%
–
4.20%
18.36%
–
.BETH
–
18.12%
–
47.83%
8.15%
–
5.41%
20.49%
–
.BETHXBT
60.62%
2.76%
–
7.23%
–
24.53%
–
4.86%
–
.BXRPXBT
60.89%
2.72%
5.61%
9.63%
–
12.94%
–
3.31%
4.90%
.BBCHXBT
43.66%
2.93%
3.08%
10.21%
–
37.20%
–
2.92%
–
.BLTCXBT
57.08%
–
2.71%
16.67%
–
20.23%
–
–
3.31%
.BEOSXBT
57.55%
–
–
–
–
42.45%
–
–
–
.BADAXBT
80.84%
–
9.20%
–
–
6.84%
–
3.12%
–
.BTRXXBT
67.75%
–
–
–
–
32.25%
–
–
–
How can I track the prices of the new indices?
BitMEX will introduce a new family of indices, the BitMEX “NEXT” indices. The purpose of BitMEX “NEXT” indices is to display, in advance, the hypothetical prices of BitMEX indices which include any new weights, allowing our traders to experience and better understand the potential impact of forthcoming index changes. BitMEX “NEXT” indices will be published on the BitMEX website and API.
The weights for BitMEX “NEXT” indices will be updated as soon as new BitMEX index weights are announced. On 22 November, once the weights are updated for BitMEX indices, the BitMEX indices prices will be the same as the BitMEX “NEXT” indices.
Please note thatBitMEX “NEXT” indices are not used for valuation or settlement.
What can I expect when the index updates are switched on?
When the index weights are updated, index prices may experience small shifts. Experienced users will know that BitMEX is well equipped to handle large shifts thanks to our exchange protection mechanisms. We encourage you to monitor the differences between the current and future index prices using the BitMEX “NEXT” indices and factor possible shifts into your risk assessment.
