Pando

With BitStamp back online, serious questions about its solvency and security remain

By Michael Carney , written on January 12, 2015

From The News Desk

After a four day service outage caused by a hack that saw it lose more than $5 million worth of bitcoin, Slovenian bitcoin exchange BitStamp resumed operation on Friday. But with little in the way of explanation offered as to the identity of the hacker, the attack vector, or the solvency of the company, many members of the bitcoin community remain appropriately concerned.

BitStamp CEO Nejc Kodrič published a tweet and later a blog post on Friday alerting users that the company had rebuilt its systems from a secure backup deployed on 100 percent new hardware, and made the switch to running on Amazon’s AWS cloud infrastructure. The company also deployed BitGo multi-sig technology, a first among major bitcoin exchanges. Finally, BitStamp offered its users commission-free trading through the end of this week’s North American Bitcoin Conference (officially, 17th January at 11:59pm UTC).

Kodrič writes:

We took the decision to rebuild our systems from the ground up from a secure backup for a few reasons. By redeploying our system from a secure backup onto entirely new hardware, we were able to preserve the evidence for a full forensic investigation of the crime. We have also taken this time to implement a number of new security measures and protocols so that customers can resume using Bitstamp with full confidence and trust. While this decision means we have not been able to provide you with services for a number of days, we feel this extra measure of precaution was in the best interest of our customers.
But beyond this surprisingly positive assessment of “the state of BitStamp,” Kodrič offered no new information about how BitStamp was compromised in the first place or about what impact the incident would have on the company financially. Since the hack was first announced on January 5th, the company has simply repeated versions of the statement: 
This breach represents a small fraction of Bitstamp’s total bitcoin reserves, the overwhelming majority of which are held in secure offline cold storage systems. We can assure customers that any bitcoins held with us prior to temporary suspension of services on January 5th at 9am UTC are completely safe and will be fully honored. 
Reassuring as that might sound, it is really a hollow promise that asks users to put a tremendous degree of trust in a Slovenian startup – not that trading millions of dollars worth of crypto-currency on its platform didn’t already require similar trust.

There are several key questions weighing on most people's minds. The first is, how will BitStamp cover the $5 million loss and is it currently running a fractional reserve? Will it be through their own balance sheet? If so, how much cash or bitcoin does the company hold? Will it be through insurance? If so, what kind of coverage does the company have? Will it be through raising a new round of investment from existing or new investors? And has that been accomplished? Worst of all, is the company taking a page out of the Mt. Gox playbook and planning to recover these losses through future revenues or proprietary trading activity? 

Across message boards, forums, and the comment sections of news articles, the bitcoin community has continuously asked BitStamp to prove its solvency, either through a third-party audit of its financials or, at the very least, through signing a proof of solvency message from one or more cold wallet accounts holding significant bitcoin deposits. Not only has the company done neither, to date, but it has largely failed to even acknowledge these requests. 

Users have attempted to estimate BitStamp’s current financial position to assess the likelihood that it remains solvent. Hacker News commenter IkmoIkmo offers a rather bullish back of the envelope scenario, writing: 

So Bitfinex, pretty similar volume to Bitstamp, reports about 200m in volume in the past 30 days. A run rate of 2.4b. 

Their fees are roughly 0.4% on a transaction. But note, the fees are incurred twice per unit of volume. i.e. they pair a buyer and a seller, who both pay a fee, thus you get a 0.8% fee on any unit of volume.

So we end up with a very rough revenue of $20m a year. Of course there will be various costs, but I've seen most exchanges run with teams of 6 core people, with another 6 or so support staff. I wouldn't expect to see much larger teams than 20 at Bitstamp, and given their cost-center for development is in Slovenia, I doubt you'll see them average more than $150k, which would be $3m per year. 

So, together with $10m in funding not so long ago, together with substantial revenues ($10-20m per year), and together with the fact it's quite likely we're talking about early adopters (Company was founded in 2011, the year of 30 cent bitcoins, 1000x cheaper) who likely could pay this out of their own pockets, do they have what it takes to cover $5m? I think so. On that last point, if they had $5k of bitcoin when they founded the company, that'd be worth $5m today, and over $15m a year ago, for perspective. It's not at all unlikely they're sitting on $30m, but rather build a company where they offload their entire risk and give up 30% of equity. Who knows. 

Does that mean an audit isn't necessary, not at all. It should be standard practice. Just speculating here on whether I think an audit would show a positive result or not, I think it would. Not everyone is convinced. Hacker News commenter downandout writes: “Unless a tier 1 accounting firm (Deloitte, PwC, etc) comes in and audits their books, I wouldn't touch them with a 10 foot pole” – a common refrain. Sillysaurus3 adds: 

I appreciate that Bitstamp made a statement, but anyone who trusts this is a complete fool. Trusting Mt. Gox was precisely how I lost money in its demise. I was also called a complete fool by someone on HN just before I lost my money. The comment made me angry. Me, a fool? Yet it was true, and I should have listened. Run away, don't walk. They lost 5 million dollars. Let that sink in before deciding to trust them with any money you care about. 
The other pressing questions that have received little in the way of answers from BitStamp are, who were the hackers and how did they get in? Equally importantly, how confident is BitStamp that their new deployment is safe from a repeat attack? Adding fuel to this fire is a report by CryptoCrumb analyst Danno Ferrin claiming that BitStamp nearly lost an additional $1.75 million and at the height of the attack lost full control of its internal systems, not just the private key(s) to its hot wallet(s).

The company’s switch to AWS is not a silver bullet for removing all security vulnerabilities. It’s far more likely that the breach was due to weaknesses in BitStamp’s software rather than in its infrastructure, meaning AWS would have little impact. Also, unless the company has identified the hacker, there remains the chance that the attack was the work of an insider (a la, Mt. Gox), meaning that all future deployments would remain vulnerable, regardless of where they’re hosted, unless that person is identified and removed.

A Berlin-based Hacker News user named Jeffrey Paul (username “sneak”) claims to be working with BitStamp on the incident response, although this fact has not been confirmed by the company. He writes: 

I'm managing the incident response. 

The investigation continues in parallel. First priority was safety, which meant shutting everything down to prevent any additional issues or destruction of evidence. Second was giving people the ability to access their funds and to trade - a complete redeploy of the infrastructure which took us working 22/7 since Monday until just now. 

An investigation is underway and we have some internal speculation from the first bits of information - the real statements will come after we aren't guessing. This is the first minute we've had to breathe this week. Sneak later adds that he is sure that the hackers can’t get back in and that BitStamp is absorbing the $5 million-plus loss out of its own profits. Of note, BitStamp raised $10 million in December 2013 from Pantera Capital.

The reality is that BitStamp’s handling of this extremely severe incident has been altogether too clandestine and cavalier. If Paul is in fact working for (or with) the company, and authorized to speak on its behalf, BitStamp should state as much publicly. Otherwise, this type of reassurance needs to come directly from the company’s CEO, Kodrič, and better yet come in the form of a credible audit or proof of solvency, not simply unsupported comments.

I say cavalier because Kodrič seems to have made light of this situation since the beginning. For example, while BitStamp remained offline, the company account tweeted (and he retweeted):

— Bitstamp (@Bitstamp) January 7, 2015 Users were understandably frustrated that beautifying a website was where the company was spending its time and resources during this ongoing crisis.

Shortly after BitStamp resumed operations, Kodrič was tweeting in response to a Jimmy Fallon joke about trusting a Slovenian exchange with your deposits:

Reassuring as some might find it that Kodrič isn’t hiding in a corner or crying on the floor of his shower, many have expressed a frustration at the lack of answers and apparent lack of appreciation for the gravity of this incident. Even if the long-term solvency of BitStamp remains sound, the bitcoin community is rightly skittish at any sign of technological vulnerability from exchange and wallet platforms following the still-fresh collapse of Mt. Gox.

With Slovenia being nine hours ahead of PST (GMT +1), we are nearing the end of the first business day since BitStamp came back online. Yet, there's still no sign of additional information forthcoming. Hopefully the company used the weekend to catch its breath and construct a plan for how it will deliver additional transparency and concrete reassurance to the bitcoin community. If losing $5 million truly is no big deal to the company, then its users and industry observers will be reassured to know this, assuming this information amounts to more than just cheerful tweets and blog posts claiming as much.

Surprisingly, the BitStamp incident has had little impact on bitcoin’s already depressed prices or even on its own trading volume. The Coindesk Bitcoin Price Index currently sits at $271.71, up slightly from the $263.88 at which it closed on January 4, the day before the BitStamp breach was announced. Then again, prices are down from a mid-summer high of $665 and an all-time high of $1120 in November 2013.

BitStamp remains the world’s seventh largest exchange by BTC volume with 3.4 percent of global volume (12,079 BTC) over the last 24 hours, according to Bitcoinity. BitStamp’s volume market share has fluctuated between 2 percent and 6 percent over the last six months, indicating that the recent breach has caused neither  a run on the banks nor a trading moratorium. That said, we are only 19-months removed from BitStamp overtaking Mt. Gox as the then world’s largest bitcoin exchange – an honor it won with just 8,294 in trading volume at the time.

With the world’s attention on this small Slovenian startup, BitStamp would do well to open its kimono and reassure users and outside observers of both its solvency and its understanding of the nature of the recent breach. The longer these questions go unanswered -- and worse, unacknowledged -- the worse it will be for the company’s reputation and the overall image of the bitcoin ecosystem. This is not a situation where silence is golden.