You’ve Been ButtFinessed

This post appeared in the August 8, 2016 issue of the Crypto Trader Digest. The full digest goes into more detail about BitMEX security practices & quantifying Bitfinex counterparty risk.

It was the hack heard ’round the world and the second largest in Bitcoin history.  On August 2nd, 119,756 Bitcoin was stolen from Bitfinex.

How did this happen? Negligence. This event laid bare Bitfinex’s many operational and technological deficiencies.

Didn’t Bitfinex Have Cold Multi-Signature Wallets?

Believe it or not: no! If you asked them last week, they would give you a carefully-worded statement: they “store users’ bitcoin in individual, multi-sig protected segregated wallets.”

Notice the missing word. These are hot wallets!

Some history:

In the spring of 2015, approximately 1,500 Bitcoin were stolen from Bitfinex’s hot wallet. As a result they implemented a multi-signature wallet solution: BitGo(ne With The Wind). Each user had their own segregated and supposedly secure wallet.

Bitfinex held two keys, one hot, one cold backup. BitGo held another as a way to enforce spending limits. 2 of 3 keys were needed to sign any transaction. Bitfinex management was very confident this would eliminate the possibility of a large scale theft of customer’s Bitcoin.

However in the aftermath of the incident, it has become clear that rather than making the exchange more secure, the Bitfinex and BitGo partnership turned Bitfinex into one giant hot wallet.

BitGo blindly signed any transaction emitting from Bitfinex. That’s right: rather than making a secure, audited wallet with spending limits and failsafes, Bitfinex paid BitGo a bunch of money to make its exchange the most insecure Bitcoin operation on the planet. The only innovation was using two hot keys instead of one.

As any educated Bitcoin user could tell you: if the keys are hot, they are at risk. Simply adding another hot key doesn’t help.

Now suddenly concerned about proper security, Bitfinex has moved their remaining Bitcoin to their cold wallet.

How Were They Hacked?

To this day, Bitfinex still hasn’t released an explanation as to how they were hacked. If Bitfinex intends to attract new deposits, it is vital to know how Bitfinex plans to remove this attack vector.

Instead, it appears Bitfinex has no idea how they were compromised. In fact, they are simply engaging in security theatre. Their relaunch announcement announces a full reset of all passwords, 2FA, and API Keys. This makes sense if Bitfinex’s database was compromised, but that’s not the same as stolen private keys.

Was their whole network compromised, or just a single server? Do they not even segregate signing machines and their main database? Have they fixed the issue? How do they know for sure that their servers are secure? Did they rebuild them from scratch? Has anybody audited this? Without disclosure, we can only speculate.

The community needs to know how they were hacked and how they will prevent it in the future if they want to have any chance of regaining confidence.

36% Haircut

Bitfinex did not have enough retained earnings or new invested capital to plug the 120,000 Bitcoin hole. Instead they chose to socialise losses across all depositors. The tax is 36.067%.

That’s an awfully specific number. Anecdotally, it doesn’t appear to even have been properly applied, with some users claiming larger haircuts, and USA users taking the fast 0% route out via Synapse Pay.

So how was it calculated?

Well, it appears that Bitfinex isn’t helping out. Zane Tackett, Bitfinex’s community manager and spokesperson, insinuated that Bitfinex itself will not contribute one Satoshi or USD to helping to reduce the tax.

Click here for a recording of the interview with Zane on TeamSpeak.

Bitfinex now refutes this, but refuses to provide details. Without a third-party audit, any of these words are meaningless.

How much could they reasonably contribute? Bitfinex was one of the most profitable Bitcoin companies. They charge between 0.10% to 0.20% per transaction on the platform for both buyer and seller, a total of 0.30% in the best case.

In the last 6 months, 4.28 million Bitcoin were traded on Bitfinex (Bitcoinity). Assuming they net 0.20% per transaction (since they offer affiliate programs and some market makers trade for free) then we can estimate a top-line revenue of 8,560 XBT per 6mo. At an average of roughly $400 per Bitcoin for the year, that’s $6.82 million.

That of course doesn’t count significant ETH, ETC, and LTC revenues, margin funding, or larger historical revenues.

Bitfinex has about 25 employees. Bitfinex wants the community to believe that they earn no profit, or that their average employees make nearly $300,000/yr. That’s better average employee compensation than Goldman Sachs.

Edit: The above section has been amended given new information. BFX appears to have nearly 25 employees. The previous calculations were very rough and did not include overhead, which would reduce salary amounts, but also did not include altcoin or margin funding revenue, which would increase them. Our point – that salaries & overhead are very high or money is being intentionally withheld – still stands.

Wait, 36%? The Math Doesn’t Add Up

35emx395afKAKAr72VoePVbu3FJvxLPVny

39coweGgC8CPZ6hYL1BBEfc1zqbSfHsprW

The two Bitcoin addresses above are believed to be Bitfinex’s cold storage. They now have at least 125,424 XBT under their control. Pre-hack they had a total of 245,180 XBT. They lost 119,756 XBT; that amounts to a 48.84% loss.

The claimed haircut was 36.067% on all assets, which would mean that they had 332,038 XBT (119,756 XBT / 0.36067) total assets, worth $200.92 million at $604 XBT/USD. Total assets are all XBT, USD, LTC, ETH, and ETC customer deposits.

Let’s subtract the current cold storage holdings and the lost Bitcoin from 332,655 XBT.

332,038 XBT - 119,756 XBT (the hack) - 125,424 XBT (cold storage) = 86,857 XBT or $52.46 million @ $604 XBT/USD

At the time of the hack, $38 million was loaned out with $4 million of unused loans. Subtract $42 million from $52.46 million: $10.46 million. They have more in ETH alone. Bitfinex wants the community to believe that they essentially had zero customer USD, LTC, and ETC. That is obviously pure fiction.

So how did they calculate it? Firstly, Bitfinex did not finesse themselves. Company funds used for lending in the USD, XBT, LTC, ETH, and ETC markets were not taxed. Secondly, some USD-holding US customers were not taxed: those using Synapse Pay were allowed to withdraw 100%.

Bitfinex is afraid of US-pound-me-in-the-ass prison, or a company-ending-fine from one of the many alphabet letter agencies in the US. The most likely scenario that a large amount of US customer funds were not taxed so that the fiction of segregated accounts could be preserved.

If Bitfinex believes that my math and accounting are incorrect, I challenge them to post financial statements and a detailed walk through of how the 36% tax rate was calculated.

Didn’t BitGo Offer Insurance?

Repeat after me, Bitcoin insurance does not exist. When we started BitMEX, we attempted to obtain it. Nobody offers terms that any exchange could reasonably agree to.

BitGo was very proud to announce they were insuring deposits. But that insurance apparently lapsed in January 2016, without any notice to Bitfinex users. When it was active, it apparently didn’t even apply to Bitfinex users themselves (despite “segregated” wallets), just the exchange! It was a “Watershed” moment for Bitcoin, but like Bitfinex deposits, it just didn’t last.

This didn’t just happen to Bitfinex users. Bitpay thought they had insurance. But they found that any Bitcoin insurance policy is worth less than toilet paper. I hope you can find some soft printer paper so you can wipe your sore ass with it.

If any custodian of Bitcoin claims to have insurance, demand to see the actual signed policy. If the company won’t produce the policy and directly state it applies to you, you know it’s worthless.

What’s a BFX Token Worth?

Zero. Let me repeat, zip.

Bitfinex collateralised the 120,000 Bitcoin loss in the form of a BFX token. In lieu of their USD, XBT, LTC, ETH, or ETC that was taxed, users received BFX tokens. The token will be tradable in the future to all, except to US citizens, because the US has laws preventing this kind of insanity.

BFX tokens have a par value of $1. At some point in the future, Bitfinex will pay back token holders par using exchange revenue.

If Bitfinex will not contribute meaningfully to lower the tax rate, why should anyone believe the BFX token will ever have any value?

Bitfinex also floated the idea that BFX tokens might convert into Bitfinex equity. That assumes Bitfinex will exist in a few years. If they can’t even tell us how they were hacked, do you have confidence they won’t be hacked again?

Make no mistake: this is the easiest option for Bitfinex, not for you. If they are very, very lucky, they may just get away scot-free for the egregious act of losing someone else’s $70M. Let me repeat this: if they have their way, they will take zero personal responsibility or loss. They’ll just turn the money-printing exchange back on; that is, if users keep trading.

Should You Trade There Again?

Given what you know and don’t know, will you trade on Bitfinex once more?

Would you trade on Mt. Gox again if it reopened?

We won’t. Immediately after Bitfinex halted trading, Bitfinex was removed from the BitMEX Index. We have no plans to re-add them to the index even if they restart trading.

This means the index needs to be adjusted. In conjunction with Kaiko, we are polling BitMEX traders about Bitfinex’s replacement. As of writing, the current index constituents are 50% Bitstamp and 50% OKCoin USD. Feel free to reach out to let us know your preference and opinion.

Update (Mar 31, 2017): Bitfinex appears to have stabilized. By popular customer demand, we have re-added Bitfinex, along with GDAX, to the index backing Bitcoin products.

Update (Apr 17, 2017): Bitfinex has now halted all USD withdrawals due to banking issues and is trading with significant premium over other markets. We have removed Bitfinex from the index.