Additional Withdrawal Time at 10:00 UTC

We have received several support tickets asking about a special early withdrawal period, so that users may claim entry in the Byteball Fair Initial Distribution, which takes place at 13:10 UTC.

To support this, we will be initiating early withdrawals at 10:00 UTC tomorrow. No opt-in is necessary; all withdrawals will be processed if confirmed before that time. The usual time at 13:00 UTC will be honored as well. If you wish to participate in this distribution, we recommend hitting the 10:00 UTC cutoff so you have sufficient time for the transaction to confirm.

QTUM Futures Now Live

BitMEX is proud to announce the launch of QTUM Futures contracts, expiry 29 September 12:00 UTC with symbol QTUMU17. Each contract is worth 1 QTUM and the contract offers 2x leverage.

Since the QTUM platform is still under development, the following rules will apply:

  • QTUMU17 will have 25% Up and Down Limit against the previous session close price to prevent price manipulation. Each session is 2 hours long, and session closes occur every even numbered hour.
  • Settlement will occur either at the ICO price (if QTUM/XBT trading has not begun) or at the .QTUMXBT30M Index Price if QTUM/XBT has begun trading prior to 28 September 12:00 UTC.

Further details about this contract can be read in the QTUM Series Guide.

Update on OKCoin Market Disruption Event – Removal Expedited

Traders,

Due to a quicker than expected price divergence on OKCoin International, we are moving the timetable forward for the removal of OKCoin International and the incorporation of GDAX into the index.

The new timetable is:

  • At 21:45 UTC, GDAX will be added to the index. At this time, the index will have three constituents.
  • At 22:00 UTC, OKCoin International will be removed.

For more information, please see our previous post on the removal of OKCoin International.

Market Disruption Event: OKCoin International

Yesterday, OKCoin International announced USD deposits have been blocked:

Starting from today (April 18th, 2017), OKCoin would temporarily suspend USD deposits because of the issues with intermediary banks. Please do not make further deposits as your wires may be rejected by intermediary banks. We are now actively looking for alternatives to resume deposits as soon as possible. Your current account balance remains unaffected. We are sorry for any inconvenience caused.

For this reason, we are weighting OKCoin Intl to 0 in the .BXBT Index, effective 20 April at 08:00 UTC. To re-distribute the index, GDAX will be reinstated as an equal member.

The new distribution will be equally weighted between GDAX and Bitstamp. For reference, this change is live on Testnet and can be used for intermediate pricing data.

Additionally, we will be announcing new price protection mechanisms for BitMEX indices to prevent further bad pricing issues.

Update: Due to rapid price divergence, the timetable has been moved forward to 19 Apr at 22:00 UTC.

Market Disruption Event: Bitfinex

Just recently, Bitfinex announced that USD deposits will be rejected until further notice. In combination with their previous notice blocking USD withdrawals, this means that Bitfinex is no longer a viable USD/Bitcoin exchange, and we expect the pricing discrepancy between Bitfinex and other exchanges to increase as traders attempt to withdraw via cryptocurrencies.

For this reason, we are weighting Bitfinex to 0 in the .BXBT Index, effective at 16:00 UTC today (30 minutes from the time of this post). In combination with the prior temporary suspension of GDAX from the index due to pricing discrepancies, this means that for the time being, the old .XBT index and the new .BXBT index will print the same prices.

Market Disruption Event: GDAX

At 23:02 UTC on 15 April 2017, one constituent of our .BXBT Index, GDAX, reported a trade print of $0.06 / XBT. This fed into the .BXBT Index and caused the price to temporarily move down to $888.48 / XBT which led to a number of users having their positions liquidated.

This was not a BitMEX engine or pricing issue. However, we strive to create a fair platform where users are not unfairly disadvantaged due to an error on another exchange, even if this error was an official price. As such, BitMEX will be refunding those users who were unfairly liquidated due to the pricing discrepancy from GDAX out of our own company funds.

Those users who had their positions liquidated will see the loss between $1183.00 / XBT and their liquidation price transferred back to their BitMEX Bitcoin wallet. Positions lost due to liquidation will not be reinstated.

For the time being, GDAX will be weighted at 0 in the .BXBT index until we have built in sufficient outlier protections.

On Potential Post-Fork Contract Settlement

Traders,

Recently, we published A Statement on the Possible Bitcoin Unlimited Hard Fork, a statement of our views on the potential fork to Bitcoin Unlimited, its consequences, and further requirements we consider necessary for adoption.

Many have asked us about the settlement of our existing Bitcoin futures: the Bitcoin/USD series (XBT), the Bitcoin/CNY series (XBC), and the Bitcoin/JPY series (XBJ).

In the event of a fork in which both chains remain viable into the future and maintain double-digit percentages of the original Bitcoin hash rate (a “Contentious Fork”), we will take the following actions:

Contracts

  • As we predict the value of Bitcoin to then be split between BTC and BTU, currently-listed futures at the time of the fork will settle on the sum of BTC and BTU.
    • It may not be possible to obtain reliable pricing data from our current Index exchanges, or they may not list the minor coin at all. In the event of a Contentious Fork, BitMEX reserves the right to move all Bitcoin derivatives to Last Price Protected Marking until a stable index can be composed.
    • We will compose two indices representing the majority and minority chain, and the sum will be taken to compose the Mark and Settlement Prices. The indices will be separated in case not all component exchanges list the minority chain.
  • Contracts listed after the fork will settle on the BTC or the BTU price, but not both. Only contracts listed pre-fork will settle on the sum.
  • Perpetual swap contracts will be timed to switch underlying indices in tandem with a futures contract. Ample notice will be given. Like futures, the new index will reference only one chain.

Wallets

  • During the time immediately after the fork, BitMEX reserves the right to suspend withdrawals to avoid replay attacks and double-spending and account for the development effort required to accommodate a hard fork.
  • Users will be able to withdraw the minor currency, but not deposit it. We have no plans to support multiple margin currencies. Balances of the minor currency will be calculated via a snapshot at the time of the fork and maintained separately from the major currency’s margin balance, as further mixing of the currencies thereafter could lead to improper attribution.

A Statement on the Possible Bitcoin Unlimited Hard Fork

As proposed in the multi-exchange hard-fork contingency plan, there is significant doubt that a Bitcoin Unlimited (BU) hard fork could be done safely without additional development work.

In the case of a fork, we support the plan as proposed by Bitfinex, Bitstamp, BTCC et al.

It will not be possible for any exchange, including BitMEX, to support both chains separately. For these reasons, BU will not be listed or used as a deposit/withdrawal currency until replay protection is implemented and BU is not at risk of a blockchain reorganization if the Core chain becomes longer.

If the BU fork does succeed, we intend to take every possible step to ensure the safety and integrity of customer deposits on both chains. As BitMEX does not offer margin lending, there is no concern about Bitcoin in active positions at the time of the fork.

Notice Regarding Bitcoin/USD Products (Index, Tick Size)

Bitcoin / USD 30 June 2017 Futures Contract

The BitMEX Bitcoin / USD 30 June 2017 Futures Contract (XBTM17) listed today, 17 March 2017 at 12:00 UTC. This contract is similar to XBTH17, but uses a new index, described below.

.BXBT: The New BitMEX Bitcoin / USD Index

.BXBT is an equally weighted index using the Bitcoin / USD spot price from the following exchanges:

  • Bitfinex
  • Bitstamp
  • GDAX
  • OKCoin International

XBTM17 uses the .BXBT index. Any exchange that is down or displays stale pricing data for 15 minutes or more will be removed temporarily from the index. Once the price feed has been operational for at least 5 minutes, we will reinstate the exchange.
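As an added illustration (not BitMEX's own index code), the following Python models the rule just stated: an equal-weighted index that drops a constituent once it has been silent or stale for 15 minutes and reinstates it only after 5 minutes of a working feed. The assumption made here is that a gap of 15 minutes or more resets the recovery clock; note that this staleness rule alone does nothing about a single bad print arriving on an otherwise live feed, which needs a separate outlier check.

```python
from statistics import mean

STALE_AFTER = 15 * 60   # seconds without a fresh print before an exchange is dropped
HEALTHY_FOR = 5 * 60    # seconds of a working feed before it is reinstated

class EqualWeightIndex:
    """Equal-weighted spot index with the drop/reinstate rule described above.

    Hypothetical illustration, not BitMEX's engine. Assumption made here: a feed
    counts as 'operational' for the reinstatement clock only while its prints keep
    arriving closer together than STALE_AFTER; a longer gap restarts the clock.
    """

    def __init__(self, exchanges):
        self.last = {}                                   # exchange -> (ts, price)
        self.active = {x: True for x in exchanges}
        self.healthy_since = {x: None for x in exchanges}

    def on_price(self, exchange, ts, price):
        prev = self.last.get(exchange)
        gap = None if prev is None else ts - prev[0]
        self.last[exchange] = (ts, price)
        if self.active[exchange]:
            if gap is None or gap < STALE_AFTER:
                return                                   # healthy, nothing to do
            self.active[exchange] = False                # silent too long: drop it
            self.healthy_since[exchange] = None
        if self.healthy_since[exchange] is None or gap is None or gap >= STALE_AFTER:
            self.healthy_since[exchange] = ts            # (re)start the recovery clock
        elif ts - self.healthy_since[exchange] >= HEALTHY_FOR:
            self.active[exchange] = True                 # operational long enough
            self.healthy_since[exchange] = None

    def value(self, now):
        """Drop any constituent stale for STALE_AFTER, then average the rest."""
        for x, on in list(self.active.items()):
            last = self.last.get(x)
            if on and (last is None or now - last[0] >= STALE_AFTER):
                self.active[x] = False
                self.healthy_since[x] = None
        prices = [self.last[x][1] for x, on in self.active.items() if on]
        return mean(prices) if prices else None
```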

A page detailing each constituent’s individual price and history will be live soon.

The BitMEX Bitcoin / USD 31 March 2017 Futures Contract, XBTH17, will continue to use the existing Bitcoin / USD Index (Symbol: .XBT; Weights: 50% Bitstamp, 50% OKCoin International) until it expires.

The BitMEX Bitcoin / USD Swap, XBTUSD, will continue to use the existing Bitcoin / USD Index (.XBT) until 31 March 2017 12:00 UTC. It will then switch to the new index. This is the same moment that XBTH17 expires.

Increase to Bitcoin / USD Products’ Tick Size

Also effective 31 March 2017 12:00 UTC, the tick size for Bitcoin/USD products (XBTUSD, XBTM17) will change from 0.01 USD to 0.1 USD.

Use Two-Factor Authentication and Don’t Reuse Passwords

Important Security Advisory

Tl;dr: A botnet is attempting known email/password combinations from a large data leak on Bitcoin sites. Use Two-Factor Auth (2FA) and don’t reuse passwords. BitMEX services have not been compromised.

About four weeks ago, I was rudely awakened in the early morning by our uptime alarms clanging that the website was going up and down. Dozens of emails flooded my inbox: page loads were sometimes taking 5s+, or not loading at all.

Nobody likes this; I jumped out of bed and logged in. The rest of the team informed me that the site had been underperforming for a few minutes, but it had just gotten worse. Dramatically worse.

I opened up the logfiles to see tens of thousands of lines of this:

Jun 07 20:30:57 113.xxx.xxx.xxx - "POST /login {"email":"xxx@vp.pl"}" 401 79b
Jun 07 20:30:57 113.xxx.xxx.xxx - "POST /login {"email":"xxx@ntlworld.com"}" 401 79b
Jun 07 20:30:57 113.xxx.xxx.xxx - "POST /login {"email":"xxx@126.com"}" 401 79b
Jun 07 20:30:57 112.xxx.xxx.xxx - "POST /login {"email":"xxx@o2.pl"}" 401 79b
Jun 07 20:30:57 112.xxx.xxx.xxx - "POST /login {"email":"xxx@ntlworld.com"}" 401 79b
Jun 07 20:30:57 112.xxx.xxx.xxx - "POST /login {"email":"xxx@gmx.co.uk"}" 401 79b
Jun 07 20:30:57 39.xxx.xxx.xxx - "POST /login {"email":"xxx@btinternet.com"}" 401 79b
Jun 07 20:30:57 46.xxx.xxx.xxx - "POST /login {"email":"xxx@ntlworld.com"}" 401 79b
Jun 07 20:30:57 180.xxx.xxx.xxx - "POST /login {"email":"xxx@onet.eu"}" 401 79b
Jun 07 20:30:57 124.xxx.xxx.xxx - "POST /login {"email":"xxx@yahoo.fr"}" 401 79b
Jun 07 20:30:57 14.xxx.xxx.xxx - "POST /login {"email":"xxx@wanadoo.fr"}" 401 79b
Jun 07 20:30:57 180.xxx.xxx.xxx - "POST /login {"email":"xxx@uwclub.net"}" 401 79b 
Jun 07 20:30:57 49.xxx.xxx.xxx - "POST /login {"email":"xxx@o2.pl"}" 401 79b
Jun 07 20:30:57 39.xxx.xxx.xxx - "POST /login {"email":"xxx@op.pl"}" 401 79b

A botnet.

They were hitting us hard, but these didn’t correspond to any of our registered accounts. It was spray & pray. We were seeing tens of thousands of these requests every minute, coming from all over the world. There was little common pattern between them, aside from a common Chrome User-Agent (which was too common to block outright) and a propensity to just log in, over and over and over again.
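As an added example (not code from the original post), the following Python parses lines in the shape of the log excerpt above and applies two checks a defender would run over them: a per-source rule that flags an address whose failed logins span many distinct accounts, and a global failed-logins-per-minute rate, since a botnet spread across many addresses with no shared pattern will not trip a per-address rule. The sample lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the excerpt above (addresses and mailboxes
# are made up); the real event ran at tens of thousands of lines per minute.
SAMPLE_LOG = """\
Jun 07 20:30:57 203.0.113.10 - "POST /login {"email":"a@vp.pl"}" 401 79b
Jun 07 20:30:57 203.0.113.10 - "POST /login {"email":"b@ntlworld.com"}" 401 79b
Jun 07 20:30:58 203.0.113.10 - "POST /login {"email":"c@126.com"}" 401 79b
Jun 07 20:30:58 203.0.113.10 - "POST /login {"email":"d@o2.pl"}" 401 79b
Jun 07 20:30:59 198.51.100.7 - "POST /login {"email":"me@example.org"}" 401 79b
Jun 07 20:31:02 198.51.100.7 - "POST /login {"email":"me@example.org"}" 401 79b
Jun 07 20:31:05 198.51.100.7 - "POST /login {"email":"me@example.org"}" 200 512b
Jun 07 20:31:10 192.0.2.44 - "POST /login {"email":"e@onet.eu"}" 401 79b
"""

LINE_RE = re.compile(
    r'^(?P<mon>\w{3}) (?P<day>\d\d) (?P<hh>\d\d):(?P<mm>\d\d):\d\d (?P<ip>\S+) - '
    r'"POST /login \{"email":"(?P<email>[^"]*)"\}" (?P<status>\d{3}) '
)

def parse_login_attempts(text):
    """Yield (minute, ip, email, status) for every matching POST /login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield f"{m['mon']} {m['day']} {m['hh']}:{m['mm']}", m['ip'], m['email'], int(m['status'])

def flag_stuffing(text, per_ip_failures=4, per_ip_emails=3, global_failures_per_min=1000):
    """Return (flagged_ips, hot_minutes). Thresholds are assumed, not BitMEX's.

    A source is flagged when its 401s span many *distinct* accounts, so a real user
    retrying one mailbox is left alone. Because the botnet above was spread over
    many addresses with little shared pattern, the total 401 rate per minute is
    tracked too, so the wave shows even when no single address trips the IP rule.
    """
    failures, emails, per_minute = defaultdict(int), defaultdict(set), defaultdict(int)
    for minute, ip, email, status in parse_login_attempts(text):
        if status != 401:          # only failed logins count
            continue
        failures[ip] += 1
        emails[ip].add(email)
        per_minute[minute] += 1
    flagged = sorted(ip for ip in failures
                     if failures[ip] >= per_ip_failures and len(emails[ip]) >= per_ip_emails)
    hot = sorted(minute for minute, n in per_minute.items() if n >= global_failures_per_min)
    return flagged, hot
```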

Staying Online

The first order of business was to get the site stable again. While trading was continuing unhampered, and users who were already in were fine, the login page and initial dashboard were up and down. Thankfully, we built for this situation and could simply scale out more instances. I spun up a few large instances and added them to the rotation, and within 5 minutes we were rock-solid again.

While we were prepared for some types of abuse, we were unfortunately still vulnerable to others. I spent the better part of that day building and deploying a strategy to control this traffic. By just after lunchtime a process was in place. Watching our cluster’s CPU load, I scaled down the extra instances and felt good about that day’s work.

Origins

Where was this list coming from? I emailed a few other exchanges we’re friendly with. Not everyone I asked was seeing it, but the general rumor was that this could have been from the recent LinkedIn hack, which had a number of unsalted hashes. Lots of motivated parties have the resources to crack the lion’s share of those passwords. There are likely to have been other sources as well. We looked up a few dozen emails on HaveIBeenPwned, which aggregates identities compromised by many recent hacks.

It is human nature to reuse credentials, and attackers take advantage of this. Once an email/password combination is stolen, it is tried on as many sites as possible. A Bitcoin exchange is an obvious target, as are email providers.

With the traffic under control, the attempts slowed down to a trickle, essentially indistinguishable from legitimate traffic.

Users Hit

I received a reply email to one of our login notifications. The user claimed he hadn’t logged into the account in months.

Looking at the logs it was evident: they actually hit one. The account didn’t have any funds, but I immediately reset the password. The login was successful, but the attacker behind the botnet didn’t do anything with it. Maybe there wasn’t really anyone on the other side.

I started typing this blog post when another user piped up. He had received a login notification, then his positions closed. He then received an email asking for withdrawal confirmation… then an email stating his withdrawal had been confirmed. There was someone on the other end waiting this time.

They had control of the user’s email, and they knew our site well enough to execute these steps quickly. This is a real threat, and if they’re hitting BitMEX, they are likely hitting dozens of other Bitcoin-accepting sites.

A Sidenote: Manual Review

This is a prime example of why it is A Good Thing to involve manual review in Bitcoin withdrawals. We were able to lock the account and cancel the withdrawal well before it had any chance of going out and the funds being lost forever. The user quickly changed his email password, reset his BitMEX password, and set up 2FA.

Thwarting this particular attack was a combination of caution and luck, but don’t rely on services you use being able to catch this kind of thing every time.


Protecting Your Accounts

Take your account security seriously. If you have Bitcoin on any website, use a unique password and use 2FA. 

Email notifications of account actions are unreliable. On many sites, they can be turned off. Even if they can’t, if an attacker gains access to your email account, it is trivial to set up an automatic filter that will mark new messages from a service as read or delete them automatically.

If you reuse passwords, your accounts could be drained without any notice.

Use Two-Factor Auth. We are continuing to monitor for this behavior and have sent out an email to all active users without 2FA. As time goes on, it is all but guaranteed we will see more of these attacks.

BitMEX supports Two-Factor Auth via the following providers:

Support for U2F and BitID is in the works.


As always, if you see any unusual activity on your account, email us immediately by replying to any BitMEX email or at support@bitmex.com.