BitGo and BitFinex are both very keen to point out that none of the blame lies with BitGo. Finex apparently had a custom setup with BitGo, unlike any other BitGo customer. [...]
Perhaps there is something else going on and I haven't read about it or it isn't public knowledge?
Jeesh, for people who seem to value outside-the-box thinking, you guys are thinking smack-dab inside the box.
BitGo implementation was used so that BFX could continue p2p lending (needed for leverage trading), without having to commingle the customer funds in a wallet it controlled (reason for the CFTC fine they paid).
So BitGo did exactly what was asked of it, allowing BFX to keep doing what it was already doing, without the need to become a licensed futures exchange.
I don't see how separating wallets by individual depositor requires ignoring proven security methods. Are you suggesting that security and appeasing the CFTC are mutually exclusive?
"Leverage is
a loan that is provided to an investor by the broker that is handling his or her forex account. When an investor decides to invest in the forex market,
he or she must first open up a margin account with a broker."
Bitfinex needs to be [a de facto] broker, without having the corresponding license. This is made possible by having p2p lending, but without the central (cold) wallet under BFX control like the good old times (because CFTC). Problem: neither Investor Bob, nor Lenders Alice [through] Zack, are a licensed broker. And yet the full amount of this "p2p loan" must be readily accessible by BFX (to enter and close positions).
Wat do? (This needs to happen in real time, not "in a bit, once we had time to run it past the suits upstairs" because real time trade engine.)
Read more: How does leverage work in the forex market? | Investopedia
http://www.investopedia.com/ask/answers/06/forexleverage.asp#ixzz4Gfag38YPFollow us: Investopedia on Facebook
P.S. " proven security methods" for this sort of thing involve third party security audits (which BFX refused), and a license (so don't have to exploit insecure but technically compliant 2-of-3 implementation).