BitGo, the security provider of Bitfinex, denies being hacked. Coinfox has gathered different opinions on how the attack on the bitcoin exchange could be carried out.
Bitfinex has reported a massive hack which led to the loss of 119,756 BTC worth of more than $73 mln at the time of the attack. The exchange says the incident has been reported to law enforcement authorities, while all trading operations are halted.
It is remarkable that the Hong Kong exchange held 2/3 of the keys to multiple individual users' accounts, except for verified US customers who could keep the third key to themselves after CFTC ruling. In case if only BitFinex' keys were compromised, verified US customers would not suffer. However, one of the clients in the States has already acknowledged being robbed of their coins.
According to the company, "there were limits in place to restrict the amount of bitcoin that could be signed for a withdrawal," and now Bitfinex is trying to investigate how these limits were bypassed.
The most popular explanation of the hack right now is that the exchange's keys were stolen. Bitfinex used the multisignature technology, with security provider BitGo as the third party. According to this scheme, two user keys are held by Bitfinex, while the third one stays with BitGo (except the case with verified US clients). When a user initiates a withdrawal, Bitfinex signs the transaction and sends it over to BitGo for them to put their signature. If someone gets access to Bitfinex's servers, they can sign a transaction with Bitfinex keys and then verify it at BitGo, which is unable to see if it is the original owner of the funds or a hacker.
Therefore, it is likely that the intruder obtained the signing key of the exchange and started sending withdrawal signing requests to BitGo, which were processed without further checks. The BitFinex representative Zane Tackett admitted that on Reddit.
“Yes, they were”, he wrote, answering the question if theft transactions were signed with Bitgo's key.
Some Redditors think that BitGo keys were stolen or somehow abused remotely via BitFinex API (thus undermining the whole point of 2/3 multisig system and gaining access to thousands of hot wallets). There is also a possibility that BitGo was leaking user keys, they say.
According to one more version, Bitfinex could use a hardware tool (YubiKey or RSA SecurID) to authenticate signing requests with BitGo. But this would require human participation, and Bitfinex employees would not allow such large withdrawals, unless the attackers were aided by an insider.
Bitcoin community moderator Theymos gave his opinion on the incident found it inconsiderate of Bitfinex to rely so much on BitGo, whose security model proved not up to the mark.
“BitGo is selling a false sense of security. BitFinex apparently had a perfectly good cold storage setup, but then they were somehow convinced that BitGo would be more secure, even though they were actually trading in cold storage for 100% hot storage. On the other hand, I'm told that BitFinex was previously warned about this security issue, BitFinex should've known anyway, and they're the ones who lost the keys. So I'd say that it's still 90% BitFinex's fault, even though BitGo also deserves a lot of blame for pushing a service that is totally insecure in practice.”
Zane Tackett denies BitGo's responsibility. He affirms that the hot key was somehow compromised, but not the cold one.
“I said that it looks like the compromise was on our end and not bitgo, I also said it doesn't appear that our key kept in cold storage was compromised,” he wrote.
Some users, such as bitbody2, disapprove the multisignature technology as highly vulnerable.
“Why in the world would one party have two keys? What's the point of multisig use? If customer had one, wouldn't this clearly prevent unauthorized movement of funds? What was the decision process here that made a majority key holder present in the equation to begin with? [...] Am I missing something that makes a majority key holder a good idea?”
They note that "BitStamp and ShapeShift are also using BitGo. However BitStams uses it only for hot wallet and keeps the rest in cold one"; another example is the well-known Kraken exchange.
Bitfinex promised to keep people as well informed as possible. The company's representative Zane Tackett has shared some details on the hack in a Reddit trend. He also confirmed the previous statement that only bitcoin funds were targeted, while litecoin, ETH and ETC assets are intact.
“As we account for individualized customer losses, we may need to settle open margin positions, associated financing, and/or collateral affected by the breach. Any settlements will be at the current market prices as of 18:00 UTC. We are taking this necessary accounting step to normalize account balances with the objective of resuming operations,” the official announcement said.
The coin has lost 11% over the news of the security breach, its price falling to the lowest point since May. The market players rushed to dump their bitcoin assets expecting that the Bitfinex hack may be the first in a series of attacks on large cryptocurrency exchanges. The daily trading volume reached 601,000 BTC ($331.3 mln) overnight, which is twice as high as a day before.
As of today, Bitfinex is the third most popular bitcoin exchange with a day trading volume at nearly 16,000 BTC (about $3.7 mln).