BitMex is the premier crypto derivatives exchange, and Arthur Hayes writes a great newsletter. This one that came out today discusses BFX's hack, and is so spot on. I didn't ask for permission to post this, but Imma post this anyways, and just say Bitmex is an awesome platform, run by some very sharp guys, who take security seriously:
*If Arthur/Bitmex wants this taken down, I will take it down - this was e-mailed to Bitmex customers. I'm just thinking reposting here does the community a service, and maybe prompts a few to give Bitmex a gander.
"
August 8, 2016
Arthur Hayes
Co-Founder & CEO
BitMEX Security
Before I tar and feather Bitfinex and BitGo in the next section, I want to reiterate that we are serious about security. Here are the ways in which BitMEX secures customer funds:
Hot Wallet
We don’t have one. We never have since our start in 2014. It is the biggest attack vector for Bitcoin exchanges. Removing this vector greatly reduces the likelihood of losing customer funds.
Hot wallets are convenient but have major pitfalls. Because there is no human intervention involved in the signing of transactions, it is the preferred place by which hackers steal Bitcoin. By the time exchange operators discover a breach in their hot wallet, the Bitcoin is long gone and cannot be recovered.
SatoshiLabs claims that over 1 million Bitcoin have been stolen in hot wallet thefts, the largest being BFX & Mt. Gox. We will not take this risk and users should shun exchanges that hold significant user funds in hot wallets.
Hot wallets can be used smartly, with daily limits & manual refill review. Such rigor is rare but BitMEX plans to implement such a hybrid system by the end of the year. It will not be quickly done - we do not take such a buildout lightly.
End To End Multi-Signature Wallets
All BitMEX customer funds are held in multi-signature wallets. We were the first-ever exchange to hold 100% of customer funds in multisig wallets. We do not use or trust any third-party solutions.
At BitMEX, 2 of 3 partners must sign each withdrawal. If that condition isn’t met, then funds cannot be spent. All signing happens on offline machines.
All transactions are manually reviewed and signed by the partners. Because our withdrawal process is manual, we only do it once per day at 13:00 UTC.
Continuous Audit
The BitMEX trading engine is written in KDB+/q, the premier number crunching platform used by major banks & trading desks. It is extremely fast - and rather than use that headroom for vanity numbers like "1,000,000 executions per second", we use it for safety. The BitMEX trading engine continuously audits itself at every execution. All user balances always sum to zero.
This is a big deal - it means that if a single Satoshi goes missing, is transferred improperly, or a hacker simply spoofs a balance by editing the database (as may have been used in the Mt. Gox hack), the trading engine immediately shuts down.
We don't just audit our internal database for consistency. We use both internal and external Blockchain services to ensure all balances have a source that we control.
From source to destination, all balances on BitMEX are traced on every execution. If a single satoshi goes missing, trading automatically halts.
Does that sound inconvenient if there's a bug or rounding error? Yes, it is. Because of this continuous audit, BitMEX doesn't have rounding errors, balances are always accurate, and the math always adds up. We believe all companies handling other people's money should have the same rigor.
You've Been ButtFinessed
It was the hack heard 'round the world and the second largest in Bitcoin history. On August 2nd, 119,756 Bitcoin was stolen from Bitfinex.
How did this happen? Negligence. This event laid bare Bitfinex's many operational and technological deficiencies.
Didn’t Bitfinex Have Cold Multi-Signature Wallets?
Believe it or not: no! If you asked them last week, they would give you a carefully-worded statement: they "store users' bitcoin in individual, multi-sig protected segregated wallets."
Notice the missing word. These are hot wallets!
Some history:
In the spring of 2015, approximately 1,500 Bitcoin were stolen from Bitfinex’s hot wallet. As a result they implemented a multi-signature wallet solution: BitGo(ne With The Wind). Each user had their own segregated and supposedly secure wallet.
Bitfinex held two keys, one hot, one cold backup. BitGo held another as a way to enforce spending limits. 2 of 3 keys were needed to sign any transaction. Bitfinex management was very confident this would eliminate the possibility of a large scale theft of customer's Bitcoin.
However in the aftermath of the incident, it has become clear that rather than making the exchange more secure, the Bitfinex and BitGo partnership turned Bitfinex into one giant hot wallet.
BitGo blindly signed any transaction emitting from Bitfinex. That's right: rather than making a secure, audited wallet with spending limits and failsafes, Bitfinex paid BitGo a bunch of money to make its exchange the most insecure Bitcoin operation on the planet. The only innovation was using two hot keys instead of one.
As any educated Bitcoin user could tell you: if the keys are hot, they are at risk. Simply adding another hot key doesn't help.
Now suddenly concerned about proper security, Bitfinex has moved their remaining Bitcoin to their cold wallet.
How Were They Hacked?
To this day, Bitfinex still hasn’t released an explanation as to how they were hacked. If Bitfinex intends to attract new deposits, it is vital to know how Bitfinex plans to remove this attack vector.
Instead, it appears Bitfinex has no idea how they were compromised. In fact, they are simply engaging in security theatre. Their relaunch announcement announces a full reset of all passwords, 2FA, and API Keys. This makes sense if Bitfinex's database was compromised, but that's not the same as stolen private keys.
Was their whole network compromised, or just a single server? Do they not even segregate signing machines and their main database? Have they fixed the issue? How do they know for sure that their servers are secure? Did they rebuild them from scratch? Without disclosure, we can only speculate.
The community needs to know how they were hacked and how they will prevent it in the future if they want to have any chance of regaining confidence.
36% Haircut
Bitfinex did not have enough retained earnings or new invested capital to plug the 120,000 Bitcoin hole. Instead they chose to socialise losses across all depositors. The tax is 36.067%.
That's an awfully specific number. Anecdotally, it doesn't appear to even have been properly applied, with some users claiming larger haircuts, and USA users taking the fast 0% route out via Synapse Pay.
So how was it calculated?
Well, we know Bitfinex isn't helping out. Zane Tackett, Bitfinex’s community manager and spokesperson, confirmed that Bitfinex itself will not contribute one Satoshi or USD to helping to reduce the tax. Scandalous.
Click here for a recording of the interview with Zane on TeamSpeak.
Bitfinex now refutes this, but refuses to provide details. Without a third-party audit, any of these words are meaningless.
How much could they reasonably contribute? Bitfinex was one of the most profitable Bitcoin companies. They charge between 0.10% and 0.20% per transaction on the platform for both buyer and seller, a total of 0.30% in the best case.
In the last 6 months, 4.28 million Bitcoin were traded on Bitfinex (Bitcoinity). Assuming they net 0.20% per transaction (since they offer affiliate programs and some market makers trade for free) then we can estimate a top-line revenue of 8,560 XBT. At $400 per Bitcoin, that’s $3.42 million.
Bitfinex has between 10 and 20 staff. Bitfinex wants the community to believe that they earn no profit. Or that on average employees make $342,000 per year (assuming 20 employees). That’s a better average employee compensation than Goldman Sachs.
Wait, 36%? The Math Doesn't Add Up
35emx395afKAKAr72VoePVbu3FJvxLPVny
39coweGgC8CPZ6hYL1BBEfc1zqbSfHsprW
The two Bitcoin addresses above are believed to be Bitfinex's cold storage. They now have at least 125,424 XBT under their control. Pre-hack they had a total of 245,180 XBT. They lost 119,756 XBT; that amounts to a 48.84% loss.
The claimed haircut was 36.067% on all assets, which would mean that they had 332,038 XBT (119,756 XBT / 0.36067) total assets, worth $200.92 million at $604 XBT/USD. Total assets are all XBT, USD, LTC, ETH, and ETC customer deposits.
Let's subtract the current cold storage holdings and the lost Bitcoin from 332,655 XBT.
332,038 XBT - 119,756 XBT (the hack) - 125,424 XBT (cold storage) = 86,857 XBT or $52.46 million @ $604 XBT/USD
At the time of the hack, $38 million was loaned out with $4 million of unused loans. Subtract $42 million from $52.46 million: $10.46 million. They have more in ETH alone. Bitfinex wants the community to believe that they essentially had zero customer USD, LTC, and ETC. That is obviously pure fiction.
So how did they calculate it? There are two reasons I believe this number is so low. Firstly, Bitfinex did not ButtFinesse themselves. Company funds used for lending in the USD, XBT, LTC, ETH, and ETC markets were not taxed. Secondly, some USD-holding US customers were not taxed: those using Synapse Pay were allowed to withdraw 100%.
Bitfinex is afraid of US-pound-me-in-the-ass prison, or a company-ending-fine from one of the many alphabet letter agencies in the US. The most likely scenario is that a large amount of US customer funds were not taxed so that the fiction of segregated accounts could be preserved.
If Bitfinex believes that my math and accounting are incorrect, I challenge them to post financial statements and a detailed walk through of how the 36% tax rate was calculated.
Didn't BitGo Offer Insurance?
Repeat after me, Bitcoin insurance does not exist. When we started BitMEX, we attempted to obtain it. Nobody offers terms that any exchange could reasonably agree to.
BitGo was very proud to announce they were insuring deposits. But that insurance apparently lapsed in January 2016, without any notice to Bitfinex users. When it was active, it apparently didn't even apply to Bitfinex users themselves (despite "segregated" wallets), just the exchange! It was a "Watershed" moment for Bitcoin, but like Bitfinex deposits, it just didn't last.
This didn't just happen to Bitfinex users. Bitpay thought they had insurance. But they found that any Bitcoin insurance policy is worth less than toilet paper. I hope you can find some soft printer paper so you can wipe your sore ass with it.
If any custodian of Bitcoin claims to have insurance, demand to see the actual signed policy. If the company won't produce the policy and directly state it applies to you, you know it's worthless.
What’s a BFX Token Worth?
Zero. Let me repeat, zip.
Bitfinex collateralised the 120,000 Bitcoin loss in the form of a BFX token. In lieu of their USD, XBT, LTC, ETH, or ETC that was taxed, users received BFX tokens. The token will be tradable in the future to all, except to US citizens, because the US has laws preventing this kind of insanity.
BFX tokens have a par value of $1. At some point in the future, Bitfinex will pay back token holders par using exchange revenue.
If Bitfinex will not contribute meaningfully to lower the tax rate, why should anyone believe the BFX token will ever have any value?
Bitfinex also floated the idea that BFX tokens might convert into Bitfinex equity. That assumes Bitfinex will exist in a few years. If they can’t even tell us how they were hacked, do you have confidence they won’t be hacked again?
Make no mistake: this is the easiest option for Bitfinex, not for you. If they are very, very lucky, they may just get away scot-free for the egregious act of losing someone else's $70M. Let me repeat this: if they have their way, they will take zero personal responsibility or loss. They'll just turn the money-printing exchange back on; that is, if users keep trading.
Should You Trade There Again?
Given what you know and don’t know, will you trade on Bitfinex once more?
Would you trade on Mt. Gox again if it reopened?
We won't. Immediately after Bitfinex halted trading, Bitfinex was removed from the Kaiko BitMEX Index. We have no plans to re-add them to the index even if they restart trading.
This means the index needs to be adjusted. In conjunction with Kaiko, we are polling BitMEX traders about Bitfinex's replacement. As of writing, the current index constituents are 50% Bitstamp and 50% OKCoin USD. Feel free to reach out to let us know your preference and opinion.
Pricing Bitfinex Default Risk
Bitfinex's secret sauce was their P2P margin lending platform. Users could borrow and lend USD, XBT, LTC, ETH and recently ETC. The ability to support leveraged trading with a liquid borrow market is what vaulted Bitfinex to the top spot.
The USD lending book was the largest. Approximately $38 million was lent out with an additional $4 million of unused cash. The interest rates were very high when compared to USD sitting in a bank account earning 0% interest.
Many users deposited USD at Bitfinex and lent it out to earn 30% to 40% per annum (pa) returns. This was not a risk free trade. USD lenders now acutely understand the meaning of counterparty risk.
With bank deposit rates at 0%, the 30% pa return could be seen to represent the default risk of Bitfinex plus the rate of unsecured USD funding.
It is scary how closely the average pa funding rate was to the final 36% haircut number.
If Bitfinex is to resurrect itself, it will need a healthy and liquid USD loan book. Given the haircut lenders just received, what is the minimum interest rate they should accept going forward?
We can calculate Bitfinex's new default risk with some confidence.
If their self-reported numbers are to be believed, Bitfinex now has 125,424 XBT ($75.75 million) and $52.83 million of all other assets. That brings their total deposit base to $128.58 million. Bitfinex's cold storage amounts to 58.91% of all assets. That is the capital at risk of being hacked, and will now serve as the proxy for the default severity if Bitfinex was hacked once more.
Without a plan to secure the existing funds in daily use, the probability of another hack is high. Going forward, USD lenders should not accept less than 58.91% interest pa, or 0.16% per day.
Another measure of Bitfinex default risk is the premium at which digital currencies trade vs. competing exchanges. Given that Bitcoin is their marquee product, traders should watch the Bitfinex Bitcoin premium closely.
Bitcoin will trade at a premium on Bitfinex, because traders are afraid that their USD withdrawals will not get processed, or by the time they do (it takes 5 to 7 days to withdraw USD) the exchange has experienced another credit event, or their Taiwanese bank has received a court injunction to freeze all assets.
If Bitcoin withdrawals are functioning properly, traders can withdraw their money immediately. The time preference will result in a premium.
In the lead up to the collapse of MtGox, Bitcoin traded at a 10% to 20% premium. Traders who believe USD withdrawals will function correctly (and those who have a special relationship with Bitfinex) will buy Bitcoin cheap on a competing exchange. They can then sell it for more on Bitfinex, then wire the USD out of Bitfinex. Wash, rinse, repeat.
The premium represents the five to seven day default risk of Bitfinex. For USD lenders to arrive at a minimum lending rate, they should divide the Bitfinex Bitcoin premium by 5 to 7 to arrive at a minimum daily rate.
Using Derivatives To Reduce Counterparty Risk
Why did Bitfinex hold over 200,000 XBT prior to being hacked? For people who want to buy and hold Bitcoin, they should never leave their funds on an exchange.
Ideally, the duration of counterparty risk exposure for simple buy and hold trades should be a few hours. Once a fiat deposit has been credited, buying Bitcoin or another digital asset takes minutes. After you receive Bitcoin, you should withdraw it.
Bitfinex and other spot exchanges hold so much Bitcoin because most of their users are casual or heavy speculators.
If you want to speculate in Bitcoin or other digital assets without exposing 100% of your capital to counterparty risk, using derivatives is prudent. Derivatives do not require physical settlement of any asset, rather they are bilateral contracts enforced by the exchange.
Because there is no physical settlement like margin trading, the leverage offered can be much higher. BitMEX offers leverage of up to 100x.
Assume you have 100 XBT of capital. You wish to speculate on the future price of Bitcoin. The BitMEX Bitcoin / USD swap product, XBTUSD, features 50x leverage. This means that with only 2 XBT deposited on BitMEX you can trade the full amount of your 100 XBT capital. If you're willing to trade with such leverage, 98 XBT can be held safely in cold storage. More realistically, given price swings, we would recommend holding at least 10% (10 XBT) equity. Contrast that with Bitfinex where 33 XBT would be required to trade a 100 XBT position.
BitMEX allows you to keep the majority of your personal Bitcoin in cold storage, but still trade large positions. And, of course, the Bitcoins on BitMEX are also kept in cold storage ..."
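The "Continuous Audit" section of the newsletter describes an engine that re-checks its books on every execution and halts if a single satoshi is unaccounted for. The sketch below is an added example, not part of the newsletter and not BitMEX's code (which the newsletter says is written in KDB+/q). It assumes a double-entry ledger with a hypothetical `SOURCE` contra account, and an on-chain total passed in as `onchain_sats` from an independently run node.

```python
"""Continuous ledger audit: integer satoshis, double entry, halt on any mismatch."""

SOURCE = "onchain_source"  # hypothetical contra account mirroring coins held on chain


class AuditHalt(Exception):
    """Raised when an audit check fails; no further executions are accepted."""


class Ledger:
    def __init__(self):
        self.balances = {SOURCE: 0}  # account -> int satoshis; never floats
        self.halted = False

    def _post(self, debit, credit, sats):
        if self.halted:
            raise AuditHalt("engine halted")
        if not isinstance(sats, int) or sats <= 0:
            raise ValueError("amount must be a positive integer of satoshis")
        self.balances[debit] = self.balances.get(debit, 0) - sats
        self.balances[credit] = self.balances.get(credit, 0) + sats

    def deposit(self, user, sats, onchain_sats):
        self._post(SOURCE, user, sats)
        self.audit(onchain_sats)

    def transfer(self, payer, payee, sats, onchain_sats):
        # e.g. realised PnL moving between two counterparties
        self._post(payer, payee, sats)
        self.audit(onchain_sats)

    def audit(self, onchain_sats):
        """Run after every execution; onchain_sats is the independently observed total."""
        total = sum(self.balances.values())           # every debit has a credit
        backed = -self.balances[SOURCE]               # what the ledger claims is on chain
        negative = [a for a, b in self.balances.items() if a != SOURCE and b < 0]
        if total != 0 or backed != onchain_sats or negative:
            self.halted = True
            raise AuditHalt(f"sum={total} ledger_backed={backed} "
                            f"onchain={onchain_sats} negative={negative}")


def demo():
    """Constructed scenario: two deposits, one transfer, then a direct database edit."""
    led = Ledger()
    led.deposit("alice", 150_000_000, onchain_sats=150_000_000)
    led.deposit("bob", 50_000_000, onchain_sats=200_000_000)
    led.transfer("alice", "bob", 25_000_000, onchain_sats=200_000_000)
    led.balances["mallory"] = 1  # spoofed balance written straight into storage
    try:
        led.transfer("bob", "alice", 1, onchain_sats=200_000_000)
    except AuditHalt as exc:
        return led, str(exc)
    return led, None
```

The spoofed one-satoshi balance breaks the zero-sum check on the very next execution, and a credit with no matching coins on chain fails the second check even though the books still sum to zero.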