Two more bitcoin exchanges were robbed in the past few days. “Flexcoin” lost all online coins and shut its doors.
Flexcoin admitted it did not have resources to cover 896 stolen bitcoins, worth £365,000 (about $608,200). Bitcoins in Flexcoin’s “cold storage” (offline), for which depositors have to pay a fee, were not affected.
“Poloniex”, the other hacked bitcoin site, admitted that it is missing 12.3% of its assets because of a flaw in its transaction system. Its owner apologized and will keep its exchange running.
The Guardian reports “Bitcoin Bank Flexcoin Closes After Hack Attack”.
Flexcoin has been forced to close after hackers stole 896 bitcoins, worth £365,000, in an attack on Sunday. The company shut its website and posted a statement on Tuesday morning detailing the loss.
“On March 2nd 2014 Flexcoin was attacked and robbed of all coins in the hot wallet,” the statement read. “As Flexcoin does not have the resources, assets, or otherwise to come back from this loss, we are closing our doors immediately.”
Not all of the company’s assets were stolen. In line with best practices for running a bitcoin financial service, Flexcoin held some bitcoins in “cold storage”, keeping them on devices not connected to the internet. Those bitcoins are safe, but only users who explicitly requested their bitcoins be held in cold storage (and paid a 0.5% fee) benefit.
“Users who put their coins into cold storage will be contacted by Flexcoin and asked to verify their identity,” the statement continues. “Once identified, cold storage coins will be transferred out free of charge. Cold storage coins were held offline and not within reach of the attacker. Flexcoin will attempt to work with law enforcement to trace the source of the hack.”
Just six days ago, the company was boasting that it was unscathed by the closure of MtGox, once the world’s largest bitcoin exchange:
The same day the company came clean about its losses, a second bitcoin firm, Poloniex, also admitted that 12.3% of its reserves had been stolen by hackers. Poloniex is a bitcoin exchange, and the company has committed to operating at a fractional reserve until it can replenish the losses itself.
“Poloniex” Robbed of 12.3% of Assets, Owner Apologizes
The problem at Poloniex stems from a flaw in Poloniex’s system: withdrawal requests were processed simultaneously rather than sequentially, so several requests could each pass the balance check before any of them had been debited, ultimately allowing negative balances.
On the Bitcoin Forum, Poloniex owner Busoni explained how it happened and apologized to the bitcoin holders.
What Did Poloniex Do Wrong?
The major problem here is that the auditing and security features were not explicitly looking for negative balances. Another design flaw is that withdrawals should be queued at every step of the way. This could not have happened if withdrawal requests were processed sequentially instead of simultaneously.
What Did Poloniex Do Right?
The existing security features noticed unusual withdrawal activity and froze BTC. That is how the activity was discovered.
What Happens Now?
I take full responsibility for this and am committed to repaying the debt of BTC. The exchange funds are 12.3% short. Because there is not enough BTC to cover everyone’s balances, all balances will temporarily be deducted by 12.3%. Please understand that this is an absolute necessity–if I did not make this adjustment, people would most likely withdraw all their BTC as soon as possible in order to make sure they weren’t left in that remaining 12.3%. Aside from the obvious drawback of most of the BTC being taken out of the exchange, this would not be fair–some people would get all of their money right away, and a few would get none right away.
The amount deducted from everyone’s balances will be recorded, and funds raised from exchange fees, as well as donations from my own pocket (which is not very deep, I’m afraid), will be distributed regularly to all users who have had BTC deducted. Exchange fees will be raised to expedite the recovery of the debt. 1.5% has been suggested by many people, but I will take input on this.
If I had the money to cover the entire debt right now, I would cover it in a heartbeat. I simply don’t, and I can’t just pull it out of thin air.
Right now, all markets and withdrawals are still frozen, and they will remain that way until the negative balance watcher is written and in place and balance deductions are calculated. Please do not bother placing withdrawals right now, as they will not be processed and will probably all be cancelled before functionality resumes. ETA on availability of withdrawals is approximately 12 hours. I am afraid it is 3 AM where I am right now, and I think it is wise for me to get some rest before proceeding.
I sincerely apologize for this, and I am very grateful to the many people who have already expressed their support and belief in my character. I take full responsibility; I will be donating some of my own money, and I will not be taking profit before the debt is paid.
I welcome your opinions on how to proceed, but please be constructive. I do not have the money to wave away the debt, so we’ll need to work together.
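The flaw Busoni describes above, several withdrawals each passing a balance check before any debit lands, and the two controls he names, sequential processing and a negative-balance watcher, can be shown side by side. The following is an added illustration written for this post, not Poloniex’s code; the account names and amounts are constructed, and the Barrier is used only to force the worst-case interleaving deterministically so the effect is reproducible.

```python
from queue import Queue
from threading import Barrier, Lock, Thread

# Constructed starting ledger: account -> balance in whole coins.
INITIAL_BALANCES = {"alice": 100, "bob": 20}

# Constructed burst of withdrawal requests that all arrive "at once".
REQUESTS = [("alice", 60), ("alice", 60), ("alice", 60), ("bob", 5)]


def withdraw_concurrent(balances, requests):
    """Vulnerable flow: each request checks the balance and then debits it,
    but check and debit are not one atomic step. The Barrier forces every
    check to finish before any debit, the interleaving that lets all three
    of alice's 60-coin withdrawals through against the same 100 coins."""
    balances = dict(balances)          # work on a copy; caller's dict untouched
    if not requests:
        return balances, []
    barrier = Barrier(len(requests))
    write_lock = Lock()                # protects the debit only, not check+debit
    approved = []

    def worker(account, amount):
        sufficient = balances[account] >= amount   # reads a not-yet-debited balance
        barrier.wait()                             # all workers pass their checks first
        if sufficient:
            with write_lock:
                balances[account] -= amount        # debit lands on already-spent funds
                approved.append((account, amount))

    threads = [Thread(target=worker, args=req) for req in requests]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return balances, approved


def withdraw_serialized(balances, requests):
    """Hardened flow: requests go through one queue and a single consumer
    performs check and debit as one step under a lock, so every check sees
    every earlier debit. A pool of workers would take the same lock."""
    balances = dict(balances)
    pending = Queue()
    for req in requests:
        pending.put(req)
    ledger_lock = Lock()
    approved, rejected = [], []
    while not pending.empty():
        account, amount = pending.get()
        with ledger_lock:                          # check-then-debit is atomic
            if balances[account] >= amount:
                balances[account] -= amount
                approved.append((account, amount))
            else:
                rejected.append((account, amount))
    return balances, approved, rejected


def negative_balance_watcher(balances):
    """The detective control the post says was missing: return every account
    below zero so that markets and withdrawals can be frozen."""
    return sorted(acct for acct, bal in balances.items() if bal < 0)


if __name__ == "__main__":
    bad, approved = withdraw_concurrent(INITIAL_BALANCES, REQUESTS)
    print("concurrent:", bad, "flagged:", negative_balance_watcher(bad))
    good, ok, rejected = withdraw_serialized(INITIAL_BALANCES, REQUESTS)
    print("serialized:", good, "rejected:", rejected,
          "flagged:", negative_balance_watcher(good))
```

Run as written, the concurrent version leaves alice at -80 and the watcher flags her; the serialized version approves only the first 60-coin withdrawal, rejects the other two, and the watcher finds nothing. The point is that the watcher alone only detects the damage after it has happened; removing the race is what prevents it.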
Given that a log makes a record of every transaction, and given this hack recently occurred, it should be possible to track the missing bitcoins.
Bitcoins.Com explains “All newly mined Bitcoins, along with every transaction, are publicly recorded and verified through the network. This record is known as the Blockchain and is one of the features that helps keep the system secure from fraud and abuse. Bitcoins cannot be duplicated or forged.”
Tracking the stolen bitcoins is easy enough; recovering the stolen money is another matter. The thieves likely traded the bitcoins for cash, and a third party now holds the coins.
Sense some lawsuits regarding ownership of the stolen bitcoins?
Incentive for Fraud
Note the huge incentive for insider fraud at these sites. The owner or owners of these bitcoin exchanges can easily arrange for bitcoins to be stolen.
I do not propose that happened in either case above, I just mention the possibility.
Inside Japan’s Bitcoin Heist
Some do accuse Mt.Gox of fraud, but the Daily Beast dismisses that idea. Please consider “Inside Japan’s Bitcoin Heist”.
The Daily Beast was able to speak with a former employee of Mt. Gox, on the condition of anonymity, due to a nondisclosure agreement with the company. According to the former employee’s testimony and other expert analysis, it seems very likely that the collapse of Mt. Gox was not a criminal fraud but the result of poor management, faulty accounting, and system bugs that went unfixed many months after being recognized by the CEO himself. The final nail in the coffin was the unauthorized release of an internal document that was supposed to serve as the groundwork for saving the company. It is unclear who leaked the document—which was an unfinished draft of a plan of action.
“Essentially,” said the former employee, “Mt. Gox was a dysfunctional organization. Nobody was doing accounting reconciliation and there was an exploitable fault in the transaction system that allowed people to get paid twice—or in other words, withdraw more or less the same amount of Bitcoins two times.”
And it does seem true that Bitcoins are very hard to forge or duplicate. Unfortunately, if you know what you’re doing, they may be easy to steal. Or if you’re not careful, they may be very easy to lose.
Karpeles informed the former employee that an estimated 820,000 Bitcoins were unaccounted for—at the time, the equivalent of close to $500 million. The former employee was told the Bitcoins had possibly been siphoned off over several months by users exploiting flaws in the system. In particular, there seemed to be a system glitch that made it possible to get a payment reissued even after it had been already received. He says that because the firm hadn’t hired an accounting firm to keep the books or an auditor, the theft was undetected.
Teikoku Data Bank, Japan’s largest and most respected credit-rating agency, in July of last year reviewed the company and gave it a D4, the worst possible rating a company can receive on their scale. One of the reasons for the low rating was the lack of qualified accounting staff at the company.
Are you holding bitcoins? If so, what kind of auditing is in place at the exchange where you hold them? Are they in cold storage? Should they be?
Accounting procedures at Mt.Gox were so bad it did not matter whether or not your bitcoins were in cold storage.
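The two controls the former employee says Mt. Gox lacked, reconciliation of customer balances against the coins the exchange actually holds and a check for the same withdrawal being paid out twice, are simple to express. The following is an added example written for this post, not Mt. Gox’s or any exchange’s real code; the customer balances, address holdings and payout log are constructed, and the “paid twice” check looks for one withdrawal request settled by more than one transaction id, which is one way the described glitch would show up in the books.

```python
from collections import defaultdict

# Constructed internal ledger: what the exchange owes each customer (whole coins).
CUSTOMER_BALANCES = {"user-a": 50, "user-b": 30, "user-c": 20}

# Constructed snapshot of what a node or block explorer reports for the
# exchange's own hot and cold addresses.
ONCHAIN_HOLDINGS = {"hot-wallet-addr": 12, "cold-storage-addr": 70}

# Constructed payout log: (withdrawal request id, transaction id, amount).
PAYOUT_LOG = [
    ("w-1001", "txid-aaa", 5),
    ("w-1002", "txid-bbb", 3),
    ("w-1002", "txid-ccc", 3),   # same request settled again under a fresh txid
    ("w-1003", "txid-ddd", 8),
]


def reserve_check(customer_balances, onchain_holdings):
    """Compare liabilities (customer balances) with reserves (coins the
    exchange actually controls). Returns liabilities, reserves and the
    shortfall as a fraction of liabilities (0.0 when fully reserved)."""
    liabilities = sum(customer_balances.values())
    reserves = sum(onchain_holdings.values())
    shortfall = max(0, liabilities - reserves)
    ratio = shortfall / liabilities if liabilities else 0.0
    return liabilities, reserves, ratio


def duplicate_payouts(payout_log):
    """Find withdrawal requests settled by more than one transaction:
    the 'paid twice' pattern described above."""
    settled_by = defaultdict(list)
    for request_id, txid, amount in payout_log:
        settled_by[request_id].append((txid, amount))
    return {req: txs for req, txs in settled_by.items() if len(txs) > 1}


def reconcile(customer_balances, onchain_holdings, payout_log, max_shortfall=0.0):
    """Run both checks and return a list of alert strings; an empty list
    means the books balance and no request was paid more than once."""
    alerts = []
    liabilities, reserves, ratio = reserve_check(customer_balances, onchain_holdings)
    if ratio > max_shortfall:
        alerts.append(f"reserve shortfall: owe {liabilities}, hold {reserves} "
                      f"({ratio:.1%} short)")
    for request_id, txs in sorted(duplicate_payouts(payout_log).items()):
        alerts.append(f"withdrawal {request_id} paid {len(txs)} times: "
                      + ", ".join(txid for txid, _ in txs))
    return alerts


if __name__ == "__main__":
    for line in reconcile(CUSTOMER_BALANCES, ONCHAIN_HOLDINGS, PAYOUT_LOG):
        print(line)
```

On the constructed data the exchange owes 100 coins but holds 82, an 18% shortfall, and request w-1002 was paid twice. Run daily against a real node and a real payout table, a check like this is what turns a months-long silent drain into a same-day alert.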
Bitcoin Price and Fraud Go Hand in Hand
One final question: Is the runup in price directly related to fraud and theft?
Yes, two ways.
1. Increasing value of bitcoins made them an ideal target
2. Fraudsters who stole bitcoins had an incentive to artificially drive price higher knowing they could take out more than they put in, at more than one bitcoin exchange, and in more than one way.
How high would the price of bitcoin have gotten in the absence of those incentives?
Mike “Mish” Shedlock