Let’s say your bank was just robbed, and the bank responds by taking money out of each of its customers’ accounts to reimburse the coffers. Sounds crazy, doesn’t it? But that’s pretty much what happened earlier this month when bitcoin exchange Bitfinex Technology was hit with a massive cyberattack. More than $60 million worth of bitcoin was stolen from the exchange — the second-largest loss of bitcoins ever.
The Hong Kong-based firm’s solution, to distribute losses among all of its customers, was categorized by Bitfinex as a “socialized loss scenario.” Many of its customers are understandably miffed, especially after the company had touted the safety of its multisignature security architecture. In the words of CFO Giancarlo Devasini in 2015, “With our BitGo wallet solution, it becomes impossible for our users to lose their bitcoins due to us being hacked or stealing them.” Impossible? Well then, what happened?
With multisignature (or “multisig”) wallets, account keys are divided among multiple owners to manage risk. Along with multisig provider BitGo, Bitfinex provided each of its customers with these wallets in 2015, declaring that “the era of commingling customer bitcoin and all of the associated security exposures is over.” The multisig system has been called the future of bitcoin exchanges, but where did it fall apart, and who is to blame? Was it BitGo’s automated service? Was it Bitfinex, which kept two keys itself, making the multisig scheme moot? And why are the exchange’s customers paying for the failure?
This was just the latest security breach of several that have hit the industry. The biggest bitcoin heist took place when leading exchange Mt. Gox was hit, losing somewhere between $450 million and $600 million. (It isn’t entirely clear yet what happened or even exactly how much was lost.) In that case, all Mt. Gox users lost 100% of their funds, and the exchange shut down operations in 2014.
James Lynn, managing director of blockchain payment firm Billon Group, recently told CNBC that more bitcoin hacks are likely to happen: “I fear we’re only seeing the start of this trend, which could rock the very foundations of bitcoin value.” If multisig wallets are indeed the future of bitcoin, what can be done to enhance the security of transactions going forward?
Bitfinex will issue BFX tokens to its customers in exchange for the 36% shaved from their accounts. The tokens will eventually be good for full repayment or for shares in Bitfinex’s holding company. Additionally, the tokens will be traded on the Bitfinex platform, allowing customers to set their value based on the odds that Bitfinex will actually repay the token holders.
As for Bitfinex, it temporarily shut down to read-only mode, where users could check their accounts but not trade, withdraw, or deposit coins. According to the company’s Twitter page, trading and withdrawal capabilities were restored on the afternoon of August 10, 2016.
The question now is, how will the bitcoin community respond? (Immediately post-hack, bitcoin had a noticeable drop in price, but things seem to be moving forward again.) Who should ultimately be held responsible for the hack, and who really should bear the brunt of the loss?
Diane Ramirez has been a member of the D&B editorial department for more than a decade. She currently covers the health care and insurance industries for Hoover’s.