Bitfinex - could greater regulation have prevented its hack?
17 August 2017
“In response to these constructive discussions with the CFTC's Division of Enforcement, BFXNA has made significant changes to the way in which U.S. customers engage in financed trading with Bitfinex. In response to these constructive discussions with the CFTC's Division of Enforcement, BFXNA has made significant changes to the way in which U.S. customers engage in financed trading with Bitfinex.” - Bitfinex Announcement, June 2, 20161
In their engagement to date with the emerging cryptocurrency sector, the United States Commodity Futures Trading Commission (the CFTC), and many other regulatory bodies, have broadly adopted a “wait and see” approach to adapting their regulatory frameworks, seeking where necessary to apply existing regulations to this nascent space in as coherent a manner as possible.
This approach has so far been largely successful, with enforcement actions by regulators taken against dangerous Ponzi schemes and unlicensed exchanges.2 , 3 However, this approach has come under scrutiny, as just two months prior to the August 2, 2016 hack of Bitfinex the CFTC had issued an order, following the conclusion of an investigation into the Hong Kong-based cryptocurrency exchange.
Bitfinex is a cryptocurrency trading platform that permits the exchange of cryptocurrencies including bitcoin, litecoin and ether. It also provides a margin trading and lending service for users. Through its margin trading and lending service, users are able to lend funds as margin to other traders to enable them to open leveraged positions. Bitfinex permitted a maximum leverage of 3.33 to 1.4 On August 2, 2016 Bitfinex’s security was compromised, leading to a theft of 119, 756 bitcoin, worth approximately USD72 million on August 2.5 The exact details of how the hacker managed to effect the heist is unclear, although there is speculation that the attack may have been a combination of Bitfinex’s private keys being compromised, as well as unauthorized access to the API instructing BitGo to counter sign the transactions.6 , 7 On August 7, 2016 Bitfinex announced that losses arising from the August 2 hack will be socialized, with users accounts being haircut by approximately 36%. In return, users have been issued a new ‘BFX’ token, which represent a debt claim (or potential redemption of iFinex Inc. stock) at some point in the future.8 This represents the first ever issuance of a digital token in place of a company’s debt obligation.9 How this novel insolvency solution will be received by users, regulators, and insolvency officials remains to be seen.
Bitfinex protected its customer funds through a customer segregated wallet system in partnership with BitGo.10 Prior to August 2015, Bitfinex used an omnibus settlement wallet to store funds, with funds being held in a hot/cold wallet system. A hot/cold wallet system allowed Bitfinex to operate an active online wallet to settle trades (the ‘hot’wallet), and separately store a majority of its bitcoins offline (the ‘cold’ wallet). In August 2015 and January 2016 Bitfinex changed its processes to ensure that each customer’s funds were held in their own segregated customer wallet. Bitfinex explained the benefits of this approach in an FAQ following the adoption of the system:
“The use of this model, where each customer has a separate set of keys and wallets, allows for a much greater level of granularity at which multi-institutional security can be provided. Whilst in the past BitGo would have to treat a pooled wallet as a single unit, per-customer policies can now be enforced. Further, since we now enforce multi-institutional second factor authentication (Bitfinex will be the first factor and BitGo the second factor), attackers are required to compromise both institutions before getting funds.” 11
Under this system, BitGo maintained control of one of the private keys, Bitfinex maintained control of another, and the third private key was held by Bitfinex in cold storage “for the off-chance that BitGo was unavailable and BitGo needed to authorize a transaction”. 12 Each customer therefore had a BitGo wallet in which their bitcoin is stored, with the keys held by both Bitfinex and BitGo. In the case of U.S. customers subject to a lien (ie the lien of a Bitfinex margin financing provider), the third key was held by the customer themselves.13 Bitfinex did have withdrawal limits in place to protect against attacks draining wallets, but the attacker circumvented these limits.14
The CFTC's Bitfinex Order
The CFTC is the regulatory body with the power to regulate commodities in the United States. Following the passage of the Dodd-Frank Act, it is tasked with oversight of leveraged, margined or financed retail commodity transactions. The CFTC has previously asserted its jurisdiction over bitcoin by determining that it is a commodity.15 Pursuant to this power, the CFTC began investigating Bitfinex in 2015, and ultimately issued an order on June 2, 2016. The United States Commodity Exchange Act (CEA) provides that any agreement, contract or transaction in any commodity entered into with or offered to a retail customer on a leveraged or margined basis, or financed by an offeror, the counterparty, or a person acting in concert with an offeror or counterparty on a similar basis is to be regulated by the CFTC and subject to the CEA as if it were a contract of sale of a commodity for future delivery.16 There is however an exception to this, which provides that if the agreement, contract or transaction result in actualdelivery within 28 days, it will not be regulated as if it were a transaction of a commodity for future delivery.17 Such transactions ordinarily have numerous requirements, including that they be traded on a recognized board of trade subject to the CFTC’s jurisdiction. Therefore it is of immense importance to cryptocurrency platforms that traded bitcoins are considered to be effectively delivered. As a result, the CFTC’s question became what constituted ‘delivery’ of a bitcoin. Did Bitfinex ‘deliver’ bitcoins to their users effectively within the period in question? Ultimately, the CFTC decided that Bitfinex had not done so because Bitfinex retained the private keys to customers’ wallets. This distinction has been the subject of much debate, and a recent submission has been made to the CFTC seeking clarification and guidance.18 In particular, concern has been expressed at the equation of possession of a private key with delivery/control of a wallet’s contents, and also how such private key analysis should be considered in respect of multi-signature wallets.
Although the CFTC’s Bitfinex Order did not affirmatively compel Bitfinex to alter its custodial structure to the existing structure, it is clear that Bitfinex cooperated and constructively engaged with the CFTC from September 2015 onwards, and made “significant changes to the way in which U.S. customers engage[d]” with the Bitfinex platform. This change involved moving from a hot/cold proprietary wallet system to the existing BitGo multi-signature system.
Although the exact vulnerability of the August 2 hack is currently unclear, reports from Bitfinex indicate that it was a sophisticated and technical exploitation.19 Given the lack of current information, it is therefore difficult to state with certainty whether the changes Bitfinex made following the CFTC’s investigation played a role in this hack. Some have speculated that the hosting of a greater number of segregated, but online, customer funds in wallets may have facilitated the hacker’s ability to steal such a large amount (under the old system, the majority of customers’ bitcoins would have been held in cold storage).
Such a theory remains speculation (it is worth noting that Bitfinex’s withdrawal limits were compromised too), although it is certainly concerning that Bitfinex’s vulnerability was exposed so soon after a direct regulatory investigation. Some questions are likely to be asked of the regulatory investigation. Could the CFTC have interpreted ‘delivery’ more strictly (eg requiring total key control to pass to the customer), compelling Bitfinex to register with the CFTC and therefore become subject to stricter regulatory oversight? Are existing CFTC rules sufficient to address this type of event?20 Should the CEA itself be amended to be more responsive to the unique characteristics of cryptocurrency exchanges, including a greater facilitation of ‘cold storage’ methods?
In any event, the scale of the hack suggests that there was a failure of security, automation and oversight and calls are already being made for the implementation of greater technological security, including the adoption of vault-style custodial systems.21 The hack is also being heralded as an important reminder in the use of effective cold wallet storage.22 These responses underscore that exchanges will ultimately become more secure through technological, rather than legal, solutions.
Regardless of the exact nature of the vulnerability, it is likely that the August 2 hack may prompt renewed regulatory interest in Bitfinex and other similar exchanges. It may spur the CFTC to revisit its interpretation of ‘delivery’ for cryptocurrency exchanges and other service providers using multi-signature wallets. It may also encourage a more universal interest from regulators, coming as it does on the heels of the DAO debacle and Ether replay attacks. Such interest may be unwelcome in a nascent industry that has generally disfavored regulatory oversight, but it is likely to arrive nonetheless.
1 Bitfinex Announcement, June 2, 2016: ‘Bitfinex and CFTC reach settlement’ (archived). Available at: https://webcache.googleusercontent.com/search?q=cache:OtjuVlKsLvsJ:https://www.bitfinex.com/posts/108+&cd=5&hl=en&ct=clnk&gl=us.
2 SEC Press Release, December 1, 2015: ‘SEC Charges Bitcoin Mining Companies’. Available at: https://www.sec.gov/news/pressrelease/2015- 271.html.
3 CFTC Press Release, September 24, 2015: ‘CFTC Settles with TeraExchange LLC, a Swap Execution Facility, for Failing to Enforce Prohibitions on Wash Trading and Prearranged Trading in Bitcoin Swap’. Available at: http://www.cftc.gov/PressRoom/PressReleases/pr7240-15.
4 United States of America Before the Commodity Futures Trading Commission In the Matter of BFXNA Inc. d/b/a BITFINEX, Respondent. Order Instituting Proceedings Pursuant to Sections 6(c) and 6(d) of the Commodity Exchange Act, as amended, Making Findings and Imposing Remedial Sanctions. CFTC Docket No. 16-19, June 2, 2016 (the CFTC Bitfinex Order), p. 3. Available at: http://www.cftc.gov/idc/groups/public/@lrenforcementactions/documents/legalpleading/enfbfxnaorder060216.pdf.
5 Comments of ‘zanetackett’ on Reddit, ‘Bitfinex down due to bitcoin security breach’, August 2, 2016 (the Reddit Thread). Available at: https://www.reddit.com/r/BitcoinMarkets/comments/4vtv1m/bitfinex_down_due_to_bitcoin_security_breach/d61oetn?context=3.
6 The Reddit Thread. Available at: https://www.reddit.com/r/Bitcoin/comments/4vwcek/bitfinex_hacker_used_bitfinex_and_bitgo_keys/
7 Emin Gün Sirer, ‘How the Bitfinex Heist could have been avoided’, August 3, 2016, HackingDistributed.com. Available at: http://hackingdistributed.com/2016/08/03/how-bitfinex-heist-could-have-been-avoided/.
8 iFinex Inc. is the parent company of Bitfinex, based in the British Virgin Islands. ‘Questions Abound as Bitfinex Issues Digital Assets to Customers’, Coindesk.com, August 8, 2016. Available at: http://www.coindesk.com/bitfinex-disperses-unique-token-to-compensate-for-60m-theft/.
9 Bitfinex Update, August 5, 2016. Available at: https://www.bitfinex.com/.
10 @BitGo, Twitter update, August 3, 2016 at 12:54am. Available at: https://twitter.com/bitgo/status/760624908334346240.
11 Bitfinex website ‘support’ section (archived). Available at: http://webcache.googleusercontent.com/search?q=cache:https://www.bitfinex.com/support#section-bitgo
12 Bitfinex website ‘support’ section (archived). Available at: http://webcache.googleusercontent.com/search?q=cache:https://www.bitfinex.com/support#section-bitgo.
13 Bitfinex website ‘how it works’ section (archived).
14 The Reddit Thread. Available at: https://www.reddit.com/r/Bitcoin/comments/4vupa6/p2shinfo_shows_movement_out_of_multisig_wallets/d61tgy3?context=3.
15 United States of America Before the Commodity Futures Trading Commission In the Matter of Coinflip Inc., d/b/a Derivabit, and Francisco Riordan, Respondents. Order Instituting Proceedings Pursuant to Sections 6(c) and 6(d) of the Commodity Exchange Act, Making Findings and Imposing Remedial Sanctions. CFTC Docket No. 15-29, September 17, 2015. Available at: http://www.cftc.gov/idc/groups/public/@lrenforcementactions/documents/legalpleading/enfcoinfliprorder09172015.pdf.
16 Section 2(c)(2)(D) of the CEA. Available at: https://www.law.cornell.edu/uscode/text/7/2.
17 Section 2(c)(2)(D)(ii)(III)(aa) of the CEA. Available at: https://www.law.cornell.edu/uscode/text/7/2.
18 Jerry Brito, ‘A law firm just filed a petition with the CFTC asking for a “ comprehensive rulemaking” on Bitcoin’, July 19, 2016, Coincenter.com. Available at: http://coincenter.org/link/a-law-firm-just-filed-a-petition-with-the-cftc-asking-for-a-comprehensive-rulemaking-on-bitcoin.
19 The Reddit Thread. Available at: https://www.reddit.com/r/Bitcoin/comments/4vupa6/p2shinfo_shows_movement_out_of_multisig_wallets/d61o5tr?context=3.
20 See CFTC System Safeguards Testing Requirements, December 23, 2015. Available at: http://www.cftc.gov/idc/groups/public/@newsroom/documents/file/federalregister121615a.pdf.
21 Emin Gün Sirer, ‘How the Bitfinex Heist could have been avoided’.
22 @aantonop, Twitter update, August 3, 2016 at 3:36pm. Available at: https://twitter.com/aantonop/status/760846832138194946?ref_src=twsrc%5Etfw.