Stamped might get the antonym to Goxed after all.
I agree. I am not sure if they have enough capital to swallow the 5.2 million $ value of the loss.
It's all speculation anyway, but keep in mind: 10-12% of their total BTC holdings represents only about half of that percentage of their /total/ holdings, probably less if the last orderbook sums are to be taken as representative.
Assuming the 19k btc loss is really the end of it, I'd be surprised if they lost more than 5% of their total assets. Pretty bad for a company, but not necessarily catastrophic.
First of all: 19k cannot be 5% of "their assets" - customers' deposits ARE NOT Bitstamp's assets, they cannot use customers' money to cover the hole (Gox anyone?).
Taking into account Bitstamp's average commission and volume, 19k is the income they would generate in 8/12 months - the commissions are basically the money with which they can operate, those are "their assets" and NOT customers' money.
For a company to lose one full year of income is indeed catastrophic in my book. I know by heart my company would have to file for bankruptcy almost immediately. Unless they were very wise with their money management (I really hope they were), saving a lot of BTC back in the day, etc. they will have a very rough year ahead.
Let's hope that they are a healthy company and that Pantera and/or other investors are willing to help them out.
Yes, I realized this after I posted: 'asset' isn't the right word. My bad. But I'm sure you got the point though:
It does make a substantial difference whether they lost 80%, 40% or, as I claim, at most 5% of their total customers' funds, because:
- their ability to cover the loss is based on their revenue (and their company assets)
- their own revenue is based on their trading volume (and the market price, of course)
- which in turn is related to total customers' funds
So, the higher the share of customers' funds lost, the less likely it is that a company will be able to refund it. That was the basic idea.
I'm not defending them, by the way: No idea why they had 19k coins in a hot wallet. Seems absolutely excessive. And unless they provide some very good information explaining the hack, how it came to it, and how they're improving their internal security from now on, I will leave Bitstamp behind as a customer.
That is, of course, assuming that I get my funds back. For all I know, this could still turn out to be another gox. I had a pretty high opinion of Bitstamp so far, and the fact that they have large outside investors is reassuring, but until I can log in again and trade or withdraw my funds, I remain extremely skeptical.
They just had 3.100 BTC in the hot wallet at the moment of the hack. But they did not realize they were hacked until 24 hours after the hack. Check the transactions. During those 24 hours the hacker kept stealing all the money that was deposited on Bitstamp.
This is what the transaction history tells us:
- the first transaction is the bigger one: 3.100 BTC. Probably all that was on Bitstamp's hot wallet at that time.
- after that, the hacker sweeps every coin that is deposited on Bitstamp during 24 hours.
- after a full day, he managed to steal almost 19k.
- after Bitstamp realizes it is hacked, transactions slow down, but we still see some transactions going into the hacker address. This is probably people that did not realize Bitstamp was hacked, so they are still depositing BTC from their clients address book. It could also be some ATM or automated service - anyhow after the announcement only peanuts coming in.
An alternative theory to the above:
I am not sure what Bitstamp realised and when but regular withdrawals were blocked quite soon after things started. I.e. I submitted a withdrawal request only a couple of hours after the first hack transaction. It was about 4-5am UTC on 4 Jan. That withdrawal remained pending until that evening and was never processed. Usually it's quite quick to process.
So something stopped allowing withdrawals soon after the hack started. Unfortunately the thief was able to continue taking funds because he was presumably using some other vector that did not need the regular withdrawal. E.g. he had control of the private keys. He was (and is?) able to continue taking funds if he had private keys.
My theory is that some automated control system picked up a mismatch with what balances should be vs what they actually had and stopped withdrawals. Bitstamp management then at some point figured out what was happening. The hacker is however not blocked by this as he is using another vector (e.g. control of the keys).
My suggestion to improve this would be that the automated control system that picked up the error should on mismatch of balances automatically transfer all at risk funds to cold storage (and continue to do so). Not sure if this occurred, but this might be what the thief was trying to prevent with his high fees. Were there any attempted double spends on the affected addresses?
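The control suggested in the last post, sketched as an added example that is not part of the thread and not Bitstamp's actual system: a reconciliation loop that halts regular withdrawals on a balance mismatch and keeps sweeping later deposits to cold storage. The class, method names and `COLD_ADDRESS` are hypothetical, and the timeline is constructed (the 3100 figure echoes the first transaction mentioned above).

```python
from dataclasses import dataclass, field
from decimal import Decimal

COLD_ADDRESS = "COLD-STORAGE-PLACEHOLDER"  # hypothetical destination label

@dataclass
class HotWalletMonitor:
    ledger: Decimal                          # hot-wallet balance according to internal books
    tolerance: Decimal = Decimal("0.0001")   # assumed allowance for rounding
    halted: bool = False                     # True once a mismatch has been seen
    loss: Decimal = Decimal("0")             # cumulative unexplained shortfall
    sweeps: list = field(default_factory=list)  # (amount, destination) sweep orders

    def deposit(self, amount: Decimal) -> None:
        self.ledger += amount

    def withdraw(self, amount: Decimal) -> bool:
        """Regular withdrawal path; requests stay pending while halted."""
        if self.halted or amount > self.ledger:
            return False
        self.ledger -= amount
        return True

    def reconcile(self, onchain: Decimal) -> Decimal:
        """Compare the books with the observed on-chain hot-wallet balance."""
        shortfall = self.ledger - onchain
        if abs(shortfall) > self.tolerance:
            self.halted = True
            self.loss += shortfall
            self.ledger = onchain            # book the discrepancy
        if self.halted and onchain > 0:
            # Incident mode: order a sweep now and again on every later cycle.
            # If the attacker holds the keys this is a race, not a guarantee.
            self.sweeps.append((onchain, COLD_ADDRESS))
            self.ledger = Decimal("0")
        return shortfall

def simulate() -> HotWalletMonitor:
    """Constructed timeline: funds leave outside withdraw(), deposits keep arriving."""
    m = HotWalletMonitor(ledger=Decimal("3100"))
    m.reconcile(Decimal("3100"))             # books and chain agree
    m.reconcile(Decimal("0"))                # 3100 gone with no ledger entry
    m.deposit(Decimal("50"))                 # customer deposit after the theft
    m.reconcile(Decimal("50"))               # swept instead of left exposed
    m.deposit(Decimal("12.5"))
    m.withdraw(Decimal("5"))                 # refused: withdrawals are halted
    m.reconcile(Decimal("12.5"))
    return m
```

The sweep orders only limit exposure of funds still in the hot wallet; they do not recover the shortfall recorded in `loss`.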