On Potential Post-Fork Contract Settlement

Traders,

Recently, we published A Statement on the Possible Bitcoin Unlimited Hard Fork, a statement of our views on the potential fork to Bitcoin Unlimited, its consequences, and further requirements we consider necessary for adoption.

Many have asked us about the settlement of our existing Bitcoin futures: the Bitcoin/USD series (XBT), the Bitcoin/CNY series (XBC), and the Bitcoin/JPY series (XBJ).

In the event of a fork in which both chains remain viable into the future and maintain double-digit percentages of the original Bitcoin hash rate (a “Contentious Fork”), we will take the following actions:

Contracts

  • As we predict the value of Bitcoin to then be split between BTC and BTU, currently-listed futures at the time of the fork will settle on the sum of BTC and BTU.
    • Reliable pricing data for the minor coin may not be available from our current Index exchanges, which may not list it at all. In the event of a Contentious Fork, BitMEX reserves the right to move all Bitcoin derivatives to Last Price Protected Marking until a stable index can be composed.
    • We will compose two indices representing the majority and minority chain, and the sum will be taken to compose the Mark and Settlement Prices. The indices will be separated in case not all component exchanges list the minority chain.
  • Contracts listed after the fork will settle on the BTC or the BTU price, but not both. Only contracts listed pre-fork will settle on the sum.
  • Perpetual swap contracts will be timed to switch underlying indices in tandem with a futures contract. Ample notice will be given. Like futures, the new index will reference only one chain.

Wallets

  • During the time immediately after the fork, BitMEX reserves the right to suspend withdrawals to avoid replay attacks and double-spending and account for the development effort required to accommodate a hard fork.
  • Users will be able to withdraw the minor currency, but not deposit it. We have no plans to support multiple margin currencies. Balances of the minor currency will be calculated via a snapshot at the time of the fork and maintained separately from the major currency’s margin balance, as further mixing of the currencies thereafter could lead to improper attribution.

A Statement on the Possible Bitcoin Unlimited Hard Fork

As proposed in the multi-exchange hard-fork contingency plan, there is significant doubt that a Bitcoin Unlimited (BU) hard fork could be done safely without additional development work.

In the case of a fork, we support the plan as proposed by Bitfinex, Bitstamp, BTCC et al.

It will not be possible for any exchange, including BitMEX, to support both chains separately. For these reasons, BU will not be listed or used as a deposit/withdrawal currency until replay protection is implemented and BU is not at risk of a blockchain reorganization if the Core chain becomes longer.

If the BU fork does succeed, we intend to take every possible step to ensure the safety and integrity of customer deposits on both chains. As BitMEX does not offer margin lending, there is no concern about Bitcoin in active positions at the time of the fork.

Notice Regarding Bitcoin/USD Products (Index, Tick Size)

Bitcoin / USD 30 June 2017 Futures Contract

The BitMEX Bitcoin / USD 30 June 2017 Futures Contract (XBTM17) listed today, 17 March 2017 at 12:00 UTC. This contract is similar to XBTH17, but uses a new index, described below.

.BXBT: The New BitMEX Bitcoin / USD Index

.BXBT is an equally weighted index using the Bitcoin / USD spot price from the following exchanges:

  • Bitfinex
  • Bitstamp
  • GDAX
  • OKCoin International

XBTM17 uses the .BXBT index. Any exchange that is down or displays stale pricing data for 15 minutes or more will be removed temporarily from the index. Once the price feed has been operational for at least 5 minutes, we will reinstate the exchange.
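The two index rules above, equal weighting with 15-minute stale exclusion and 5-minute reinstatement, and the earlier post-fork rule that pre-fork contracts settle on the sum of a majority-chain and a minority-chain index, as an added example (not BitMEX code). It assumes that an unchanged price counts as stale data and that a feed is operational again from its first changed price; exchange names and prices in the usage are constructed.

```python
from statistics import mean

STALE_SECONDS = 15 * 60      # constituent dropped after 15 minutes down or unchanged
REINSTATE_SECONDS = 5 * 60   # recovered feed must be fresh for 5 minutes to return


class EqualWeightIndex:
    """Equal-weighted spot index that drops stale constituents (.BXBT rules).

    Assumption: a price that does not change for 15 minutes is "stale data",
    and a feed counts as "operational" again from its first changed price.
    """

    def __init__(self, exchanges):
        self.state = {x: {"price": None, "fresh": None, "live_since": None,
                          "excluded": False} for x in exchanges}

    def update(self, exchange, price, now):
        s = self.state[exchange]
        if price == s["price"]:
            return                       # repeated identical price is not a fresh tick
        s["price"], s["fresh"] = price, now
        if s["excluded"] and s["live_since"] is None:
            s["live_since"] = now        # feed is back; start the 5 minute clock

    def constituents(self, now):
        active = []
        for name, s in self.state.items():
            if s["fresh"] is None or now - s["fresh"] >= STALE_SECONDS:
                s["excluded"], s["live_since"] = True, None   # drop until it recovers
                continue
            if s["excluded"]:
                if s["live_since"] is None or now - s["live_since"] < REINSTATE_SECONDS:
                    continue
                s["excluded"] = False                           # reinstated
            active.append(name)
        return active

    def value(self, now):
        """Equal-weighted average of the active constituents, or None if none are live."""
        active = self.constituents(now)
        return mean(self.state[x]["price"] for x in active) if active else None


def pre_fork_settlement(major_index, minor_index, now):
    """Contracts listed before the fork settle on the sum of the two chain indices.
    Assumption: a minority index with no live constituents contributes 0."""
    major, minor = major_index.value(now), minor_index.value(now)
    if major is None:
        return None
    return major + (minor if minor is not None else 0.0)
```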

A page detailing each constituent’s individual price and history will be live soon.

The BitMEX Bitcoin / USD 31 March 2017 Futures Contract, XBTH17, will continue to use the existing Bitcoin / USD Index (Symbol: .XBT; Weights: 50% Bitstamp, 50% OKCoin International) until it expires.

The BitMEX Bitcoin / USD Swap, XBTUSD, will continue to use the existing Bitcoin / USD Index (.XBT) until 31 March 2017 12:00 UTC. It will then switch to the new index. This is the same moment that XBTH17 expires.

Increase to Bitcoin / USD Products’ Tick Size

Also effective 31 March 2017 12:00 UTC, the tick size for Bitcoin/USD products (XBTUSD, XBTM17) will change from 0.01 USD to 0.1 USD.

Use Two-Factor Authentication and Don’t Reuse Passwords

Important Security Advisory

Tl;dr: A botnet is attempting known email/password combinations from a large data leak on Bitcoin sites. Use Two-Factor Auth (2FA) and don’t reuse passwords. BitMEX services have not been compromised.

About four weeks ago, I was rudely awakened in the early morning by our uptime alarms clanging that the website was going up and down. Dozens of emails flooded my inbox: page loads were sometimes taking 5s+, or not loading at all.

Nobody likes this; I jumped out of bed and logged in. The rest of the team informed me that the site had been underperforming for a few minutes, but it had just gotten worse. Dramatically worse.

I opened up the logfiles to see tens of thousands of lines of this:

Jun 07 20:30:57 113.xxx.xxx.xxx - "POST /login {"email":"xxx@vp.pl"}" 401 79b
Jun 07 20:30:57 113.xxx.xxx.xxx - "POST /login {"email":"xxx@ntlworld.com"}" 401 79b
Jun 07 20:30:57 113.xxx.xxx.xxx - "POST /login {"email":"xxx@126.com"}" 401 79b
Jun 07 20:30:57 112.xxx.xxx.xxx - "POST /login {"email":"xxx@o2.pl"}" 401 79b
Jun 07 20:30:57 112.xxx.xxx.xxx - "POST /login {"email":"xxx@ntlworld.com"}" 401 79b
Jun 07 20:30:57 112.xxx.xxx.xxx - "POST /login {"email":"xxx@gmx.co.uk"}" 401 79b
Jun 07 20:30:57 39.xxx.xxx.xxx - "POST /login {"email":"xxx@btinternet.com"}" 401 79b
Jun 07 20:30:57 46.xxx.xxx.xxx - "POST /login {"email":"xxx@ntlworld.com"}" 401 79b
Jun 07 20:30:57 180.xxx.xxx.xxx - "POST /login {"email":"xxx@onet.eu"}" 401 79b
Jun 07 20:30:57 124.xxx.xxx.xxx - "POST /login {"email":"xxx@yahoo.fr"}" 401 79b
Jun 07 20:30:57 14.xxx.xxx.xxx - "POST /login {"email":"xxx@wanadoo.fr"}" 401 79b
Jun 07 20:30:57 180.xxx.xxx.xxx - "POST /login {"email":"xxx@uwclub.net"}" 401 79b 
Jun 07 20:30:57 49.xxx.xxx.xxx - "POST /login {"email":"xxx@o2.pl"}" 401 79b
Jun 07 20:30:57 39.xxx.xxx.xxx - "POST /login {"email":"xxx@op.pl"}" 401 79b

A botnet.

They were hitting us hard, but these didn’t correspond to any of our registered accounts. It was spray & pray. We were seeing tens of thousands of these requests every minute, coming from all over the world. There was little common pattern between them, aside from a common Chrome User-Agent (which was too common to block outright) and a propensity to just log in, over and over and over again.
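A detection pass over log lines of the shape shown above, as an added example (not BitMEX code): it groups failed /login attempts per minute and flags a minute when the failures are numerous, come from many source IPs, and mostly target emails that are not registered accounts, which is what distinguishes a leaked-list spray from one user mistyping a password. The sample log, the account list and the thresholds are constructed for this tiny input; real thresholds would be far higher.

```python
import re
from collections import defaultdict

# Shape of the advisory's access-log lines (IPs and mailboxes masked there with xxx):
#   Jun 07 20:30:57 113.xxx.xxx.xxx - "POST /login {"email":"xxx@vp.pl"}" 401 79b
LOG_RE = re.compile(
    r'^(?P<minute>\w{3} \d{2} \d{2}:\d{2}):\d{2} (?P<ip>[\d.x]+) - '
    r'"POST /login \{"email":"(?P<email>[^"]+)"\}" (?P<status>\d{3})'
)

# Constructed sample: five botnet-style failures from four IPs, one real user
# logging in successfully, then one ordinary failed attempt on that real account.
SAMPLE_LOG = """\
Jun 07 20:30:57 113.0.0.1 - "POST /login {"email":"a@example.org"}" 401 79b
Jun 07 20:30:57 113.0.0.1 - "POST /login {"email":"b@example.net"}" 401 79b
Jun 07 20:30:58 112.0.0.2 - "POST /login {"email":"c@example.org"}" 401 79b
Jun 07 20:30:58 39.0.0.3 - "POST /login {"email":"d@example.com"}" 401 79b
Jun 07 20:30:59 46.0.0.4 - "POST /login {"email":"trader@example.com"}" 200 512b
Jun 07 20:30:59 180.0.0.5 - "POST /login {"email":"e@example.pl"}" 401 79b
Jun 07 20:31:02 10.0.0.9 - "POST /login {"email":"trader@example.com"}" 401 79b
"""


def parse_login_events(log_text):
    """Yield one dict per /login line; lines that do not match are ignored."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def stuffing_report(events, known_accounts, min_failures=4, min_ips=3, unknown_share=0.8):
    """Per minute: failed logins, distinct source IPs, distinct emails, and the share
    of failures aimed at emails that are not registered accounts. A minute is flagged
    when all three thresholds are met."""
    per_minute = defaultdict(list)
    for e in events:
        if e["status"] == "401":
            per_minute[e["minute"]].append(e)
    report = {}
    for minute, fails in sorted(per_minute.items()):
        ips = {e["ip"] for e in fails}
        unknown = sum(1 for e in fails if e["email"] not in known_accounts)
        share = unknown / len(fails)
        report[minute] = {
            "failures": len(fails), "source_ips": len(ips),
            "distinct_emails": len({e["email"] for e in fails}), "unknown_share": share,
            "stuffing": len(fails) >= min_failures and len(ips) >= min_ips
                        and share >= unknown_share,
        }
    return report
```

The flagged minutes are what you would feed a rate limiter or a WAF rule; the per-IP spread in the report is also the reason a single-IP block list does not help against this traffic.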

Staying Online

The first order of business was to get the site stable again. While trading was continuing unhampered, and users who were already in were fine, the login page and initial dashboard were up and down. Thankfully, we built for this situation and could simply scale out more instances. I spun up a few large instances and added them to the rotation, and within 5 minutes we were rock-solid again.

While we were prepared for some types of abuse, we were unfortunately still vulnerable to others. I spent the better part of that day building and deploying a strategy to control this traffic. By just after lunchtime a process was in place. Watching our cluster’s CPU load, I scaled down the extra instances and felt good about that day’s work.

Origins

Where was this list coming from? I emailed a few other exchanges we’re friendly with. Not everyone I asked was seeing it, but the general rumor was that this could have been from the recent LinkedIn hack, which had a number of unsalted hashes. Lots of motivated parties have the resources to crack the lion’s share of those passwords. There are likely to have been other sources as well. We looked up a few dozen emails on HaveIBeenPwned, which aggregates identities compromised by many recent hacks.

It is human nature to reuse credentials, and attackers take advantage of this. Once an email/password combination is stolen, it is tried on as many sites as possible. A Bitcoin exchange is an obvious target, as are email providers.

With the traffic under control, the attempts slowed down to a trickle, essentially indistinguishable from legitimate traffic.

Users Hit

I received a reply email to one of our login notifications. The user claimed he hadn’t logged into the account in months.

Looking at the logs it was evident: they actually hit one. The account didn’t have any funds, but I immediately reset the password. The login was successful, but the attacker behind the botnet didn’t do anything with it. Maybe there wasn’t really anyone on the other side.

I started typing this blog post when another user piped up. He had received a login notification, then his positions closed. He then received an email asking for withdrawal confirmation… then an email stating his withdrawal had been confirmed. There was someone on the other end waiting this time.

They had control of the user’s email, and they knew our site well enough to execute these steps quickly. This is a real threat, and if they’re hitting BitMEX, they are likely hitting dozens of other Bitcoin-accepting sites.

A Sidenote: Manual Review

This is a prime example of why it is A Good Thing to involve manual review in Bitcoin withdrawals. We were able to lock the account and cancel the withdrawal well before it had any chance of going out and the funds being lost forever. The user quickly changed his email password, reset his BitMEX password, and set up 2FA.

Thwarting this particular attack was a combination of caution and luck, but don’t rely on services you use being able to catch this kind of thing every time.


Protecting Your Accounts

Take your account security seriously. If you have Bitcoin on any website, use a unique password and use 2FA. 

Email notifications of account actions are unreliable. On many sites, they can be turned off. Even if they can’t, if an attacker gains access to your email account, it is trivial to set up an automatic filter that will mark new messages from a service as read or delete them automatically.

If you reuse passwords, your accounts could be drained without any notice.

Use Two-Factor Auth. We are continuing to monitor for this behavior and have sent out an email to all active users without 2FA. As time goes on, it is all but guaranteed we will see more of these attacks.

BitMEX supports Two-Factor Auth via the following providers:

Support for U2F and BitID is in the works.


As always, if you see any unusual activity on your account, email us immediately by replying to any BitMEX email or at support@bitmex.com.

The New BitMEX Custom UI

This has been a long time coming!

Back in the winter of 2014/2015 (14 months ago), I had a vision for a better BitMEX dashboard that worked more like a desktop windowing system, to help close the gap between the web and full-featured desktop trading software like MetaTrader4.

To that end, I built React-Grid-Layout, my most popular open source project to date. I had the intention of integrating it into BitMEX in early 2015 but we ended up prioritizing other features, and it fell by the wayside.

In the meantime, other companies have picked up the project, including Amazon, which uses my code for their CloudWatch Dashboards.

Well, today, I’m happy to say that we’ve ironed out the bugs and finally launched the Custom UI, better, faster, and more stable than it would have been in 2015.


[Screenshot: the Custom UI]

The Custom UI is now live in the “Advanced” trade layout, which you can select in the main options dropdown (click your username).

All dashboard widgets can now be rearranged and resized. Your layout is saved to your browser and restored when you next visit BitMEX. Individual layouts are created for each major screen size, so they can be customized individually. This is really helpful for creating different layouts for e.g. half and full-screen sizes, or for tablet and phone layouts.

I hope you all enjoy – go trade some 25x ETH, and I’ll see you in the Trollbox.


Scheduled Downtime: 15:00 UTC Sunday, Jan 17

Traders,

BitMEX will be doing routine maintenance this Sunday at 15:00 UTC. Because we have to reboot some core systems in order to finish this maintenance, we will be pausing the trading engine from 15:00 to 15:30 UTC.

During this time, BitMEX systems will be unavailable.

We will send notice on Twitter before and after the maintenance.

Transferable Margin on Isolated Positions

BitMEX is happy to announce a new capability: transferring margin in and out of an isolated position. Use this feature to dial leverage up and down as desired.

Using the feature is simple: click the icon next to the margin line-item on an isolated position:

[Screenshot: margin transfer icon on an isolated position]

Then choose an amount to transfer:

[Screenshot: margin transfer dialog]

After confirmation, note the new margin value, liquidation price, and leverage.

[Screenshot: position after the margin transfer]

This feature allows users to choose any leverage between the max (which may be as much as 100x) and their total account balance.

All .XBT Indices Temporarily Moved to Bitstamp

Due to instability, extended downtime, and bad data from Bitfinex, all .XBT indices have been temporarily moved to Bitstamp, where they will remain until Friday. After Friday’s settlement, we will switch to TradeBlock’s .XBX Index.

This switch affects the XBU, XBT, and BVOL-series contracts. ETH is still being settled on Kraken, and XLT (Litecoin) is still being settled on Bitfinex for the time being. We are investigating alternatives.

Site Update: BVOL24H, PGP, and Indices

BitMEX is proud to announce the release of another major upgrade to the BitMEX platform!

We have three major updates this week: the new BVOL24H contract, PGP email support, and UI support for backing indices.

BVOL24H – Daily Volatility

BVOL24H is now live. BVOL24H is a futures contract that allows traders to speculate on Bitcoin’s daily historical volatility. The Bitfinex last price is snapped every 5 minutes, and the standard deviation of the logarithmic change between consecutive snaps is calculated. That number is multiplied by the square root of 288 (the number of 5-minute intervals in a day) to arrive at a daily volatility. The increased sensitivity to short-term price movements makes BVOL24H a great tool in a trader’s arsenal in the quest for alpha in these choppy and sideways markets.
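The BVOL24H calculation carried through in code, as an added example (not BitMEX code): a snapper that takes the last price at each 5-minute boundary from a tick stream, and the volatility figure built from the log changes between snaps scaled by sqrt(288). It assumes the sample (n-1) standard deviation, which the announcement does not specify, and the tick series is constructed.

```python
import math
from statistics import stdev

SNAPS_PER_DAY = 288          # 24h / 5 minutes


def snap_every(ticks, interval=300):
    """Sample the last traded price at each interval boundary.
    ticks: (unix_ts, last_price) pairs in time order; the snap at a boundary
    is the last price at or before it, so a quiet exchange repeats a price."""
    snaps, last = [], None
    boundary = ticks[0][0] - ticks[0][0] % interval + interval
    for ts, price in ticks:
        while ts > boundary:             # crossed a boundary: record the price then
            if last is not None:
                snaps.append(last)
            boundary += interval
        last = price
    return snaps


def daily_volatility(snaps):
    """BVOL24H-style: standard deviation of the log change between consecutive
    snaps, scaled by sqrt(288). Assumption: sample (n-1) standard deviation."""
    if len(snaps) < 3:
        raise ValueError("need at least three snaps for a standard deviation")
    log_returns = [math.log(b / a) for a, b in zip(snaps, snaps[1:])]
    return stdev(log_returns) * math.sqrt(SNAPS_PER_DAY)


# Constructed series: the price oscillates by a factor of e^0.01 each snap, so every
# log return is +/-0.01, the sample stdev is 0.01*sqrt(4/3), and the daily figure
# is 0.01*sqrt(384), about 0.196 (19.6% daily volatility).
SAMPLE_SNAPS = [100.0, 100.0 * math.exp(0.01)] * 2 + [100.0]
```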

PGP Support

Many of our traders are very serious about security, as they should be. But automatic updates from BitMEX regarding your deposits, withdrawals, and margin status may leak information to your email provider and other parties. While your email server should be using encryption, it is still very possible for emails to be read in transit.

If you are nodding your head in agreement, then you probably already know about PGP. If you have a PGP key, paste your public key into the box on the My Account page. You will be sent a test email immediately so you can check your configuration. From then on, all automated emails will be sent in encrypted form.

BitMEX Indices

BitMEX contracts have always settled on indices that were generally only published via the API and viewable in limited fashion in the References section. For example, this is the page for .XBT30M, the settlement index for XBU24H.

We have moved the indices to the front page, where index prices are now viewable as a tab in the Instruments panel. Additionally, you can now view the Bitfinex spot price, updated minutely, right in the ticker bar on the top of the page! See the new section on the left side near the series selector.

That’s all for this week. Thanks to all of our traders for being here. Please contact us in the chat or find us on the Whaleclub Teamspeak if you have questions about BVOL24H or any of the new updates.

BitMEX in the News

The following is a gallery of articles about BitMEX in popular media.