With another high-profile exchange hack, bitcoin's rebellious teenage years continue
The bitcoin ecosystem is like that teenager you desperately want to see get its act together but that can’t help but screw up and get in trouble at every turn.
The latest news out of the rebellious, anti-authoritarian wing of the financial community is that BitStamp, a Slovenian bitcoin exchange that until recently was the largest in the world by volume, has been hacked to the tune of approximately 19,000 BTC (valued at approximately $5 million).
The exchange operators are aware of the breach, which allegedly has only affected their “hot wallet” and thus a small fraction of the company’s total reserves, and have asked users to halt deposits and await updates to its infrastructure and security measures. Not surprisingly, doubts and Mt. Gox-related Deja Vu are permeating the bitcoin ecosystem today as users alternate between downplaying the significance of this incident – “to the moon!” – and throwing blame and I-told-you-sos back and forth across the Web.
To be sure, there have been serious concerns raised about BitStamp in the past. In its early days, the Slovenian exchange’s founders did not release their identities publicly, citing an uncertain regulatory environment as explanation. (This has since changed.) Then, when Mt. Gox’s collapse led the digital currency community to question the solvency of all other bitcoin exchanges in March 2014, BitStamp produced a months-old audit from November, rather than undergo any real-time assessment. More recently, the exchange was caught rounding its fees to the nearest cent rather than charging fractional cents using bitcoin’s fractional satoshi units – something no other exchange in the market does.
To be fair, we are extremely early in the process of understanding what caused the current BitStamp service interruption and who is to blame. But, as AltMarket co-founder and blockchain forensics expert Bryce Weiner tweeted this morning, none of the options are great:
To steal #bitcoin, the private key of the owning wallet must sign the transaction. #BitStamp is: a) software flaw b) internal theft c) a lie
— Bryce Weiner (@BryceWeiner) January 6, 2015
Until there are more facts, right now I'm going with Option C.
— Bryce Weiner (@BryceWeiner) January 6, 2015
Assuming BitStamp’s corporate statements are to be believed, the attack has only affected those bitcoins in its hot wallet on or around January 5th. Most exchanges hold between 2 and 5 percent of all assets in their hot wallet, with the balance kept in offline cold storage, a system BitStamp claims to follow. Many concerned observers have demanded that BitStamp sign messages using their cold storage addresses to prove control over those accounts, and subsequently produce an audit of remaining assets by a trusted third party.
BitStamp is in the process of assessing the damage and taking the necessary steps to shore up its infrastructure and security measures, or so the company’s public statements have claimed. But the damage from this incident continues to trickle in. While the company advised its users not to make deposits to existing wallet accounts – even shutting down its Web interface – many businesses like Bitcoin ATMs and mining operations are set up to make automated deposits and thus continue (or at least continued for some time) to send money, seemingly into the abyss.
The location of the stolen bitcoins is known, with amateur sleuths quickly posting the hacker’s destination wallet address to Reddit and other forums shortly after the attack was discovered. As of this time, there are more than 18,870 BTC on deposit, with the latest transaction occurring earlier this morning – hours after BitStamp’s first public warning. But due to the pseudo-anonymous nature of the bitcoin protocol, the fact that these funds are sitting in plain sight has no impact on anyone’s ability to reclaim them or to identify the perpetrator of these attacks.
The dust from New Year’s celebrations has hardly begun to settle and the bitcoin ecosystem is already dealing with a significant, negative news story. Making matters worse, the BitStamp hack comes on the heels of what would charitably be called a less-than-great year for bitcoin’s public image.
While price is an imperfect indicator of bitcoin’s health, it is headline fodder, and a more than 50 percent decline in 2014, and a subsequent 15 percent decline to begin the new year have not helped the broader sentiment. Somewhat shockingly, prices are actually up a few percent in the roughly 36 hours since news of the BitStamp hack leaked – this after the above-mentioned precipitous fall in the first four days of the year.
It’s easy to mistake correlation for causation, but plenty of message-board detectives – myself included – have asked whether company insiders or certain large traders had advance warning and began to sell off their positions ahead of the announcement. Adding fuel to this conspiracy theory, a message was posted to the CoinMarkets message board warning that “an exchange is getting goxxed” and “that’s why prices are falling.”
Bitcoin has proven itself nothing if not resilient. And as industry leaders like Marc Andreessen and Fred Wilson have said publicly in recent days, its use as a currency and its speculative value are non-essential to the Bitcoin protocol’s long-term success and impact. Rather, it’s only important insofar as it incentivizes developers to build other blockchain-related, distributed trust products.
This is an extreme view, no doubt, and one that will have only limited impact on those bitcoin bulls who are seeing prices plummet and one of the largest exchanges on the platform teeter on the brink (again).
The coming days and weeks will be filled with questions such as “How did this happen?,” “What does it mean for BitStamp going forward?,” “Is it possible to create a truly secure bitcoin exchange?,” and “Can Bitcoin survive these continued reputational assaults?”
The reality is that computer systems, particularly those dealing with money, will forever be the target of hacks. What matters is whether there was any negligence or fraud involved in this case and how BitStamp responds going forward. Those questions remain unanswered.
Like a teen who bounces in and out of trouble, the Bitcoin ecosystem is young, naive, and blessed with the gift of a short memory. As was the case with Mt. Gox before it, BitStamp's hacking doesn’t have to be a death sentence. But it absolutely must be a wakeup call.
The Bitcoin community needs to answer some tough questions about what it wants to be when it grows up. Then it needs to start acting like an adult, with the realization that there are billions of dollars, not to mention the future of the financial system, at stake. (Easier said than done when squaring off against the world's best hackers and fraudsters.) Oh yeah, and clean your room!